
Black Hat conference: Newest Stealth Rootkits

Filed under: Security

Just when anti-virus vendors think they have a bead on the threat from stealth rootkits, along comes word that a pair of researchers have discovered a new way to hide malicious programs.

Jamie Butler, director of engineering at HBGary Inc., and Sherri Sparks, a PhD student at the University of Central Florida, demonstrated the technique at the Black Hat Briefings here with a chilling warning that anti-virus scanners must "completely revamp" existing rootkit detection technologies.

The proof-of-concept, dubbed Shadow Walker, is a modification of Butler's FU rootkit, a kernel-level program capable of hiding processes and elevating process privileges. The rootkit uses DKOM (Direct Kernel Object Manipulation) to fake out the Windows Event Viewer to make forensics virtually impossible and can also hide device drivers, Butler explained.

With Shadow Walker, Butler and Sparks explore the idea of memory subversion to hide the rootkit in memory with almost no performance impact.

"This is a prototype for a fourth generation of rootkits that would defeat the current rootkit detection technology," said Sparks, who is renowned for her work around offensive/defensive malicious code technologies.

Some existing rootkit defense technologies use behavior detection, integrity detection and signature-based detection to find the stealth programs. Others, like Microsoft Corp.'s Strider Ghostbuster, F-Secure Corp.'s BlackLight and Sysinternals Freeware's RootkitRevealer, search for registry and file system API discrepancies that may indicate the presence of a user-mode or kernel-mode rootkit.

These guys are here showing us that we haven't even scratched the surface where rootkits are concerned.

Internet security practitioners in attendance described the Shadow Walker prototype as "scary."
