Black Hat conference: Newest Stealth Rootkits

Filed under
Security

Just when anti-virus vendors think they have a bead on the threat from stealth rootkits, along comes word that a pair of researchers have discovered a new way to hide malicious programs.

Jamie Butler, director of engineering at HBGary Inc., and Sherri Sparks, a PhD student at the University of Central Florida, demonstrated the technique at the Black Hat Briefings here with a chilling warning that anti-virus scanners must "completely revamp" existing rootkit detection technologies.

The proof-of-concept, dubbed Shadow Walker, is a modification of Butler's FU rootkit, a kernel-level program capable of hiding processes and elevating process privileges. The rootkit uses DKOM (Direct Kernel Object Manipulation) to fake out the Windows Event Viewer to make forensics virtually impossible and can also hide device drivers, Butler explained.

With Shadow Walker, Butler and Sparks explore the idea of memory subversion to hide the rootkit in memory with almost no performance impact.

"This is a prototype for a fourth generation of rootkits that would defeat the current rootkit detection technology," said Sparks, who is renowned for her work around offensive/defensive malicious code technologies.

Some existing rootkit defense technologies use behavior detection, integrity detection and signature-based detection to find the stealth programs. Others, like Microsoft Corp.'s Strider Ghostbuster, F-Secure Corp.'s BlackLight and Sysinternals Freeware's RootkitRevealer, search for registry and file system API discrepancies that may indicate the presence of a user-mode or kernel-mode rootkit.
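The cross-view approach the article attributes to Ghostbuster, BlackLight and RootkitRevealer works by enumerating the same objects twice, once through the high-level API a rootkit can filter and once through a lower-level path it is less likely to control, and flagging anything that appears in only one of the two views. The Python script below is an added illustration of that logic and is not code from any of those tools; the process listings and file paths it compares are constructed sample data, and the "hidden" entries are invented names, not real indicators. It also shows why Shadow Walker's memory subversion is a problem for this design: a detector whose low-level view is itself read through subverted memory sees the same lie as the high-level view and reports no discrepancy.

```python
"""Cross-view rootkit detection on constructed sample data (added example).

Cross-view detectors enumerate the same objects (processes, files, registry
keys) twice: once through the high-level API a user-mode or kernel-mode
rootkit is able to filter, and once through a lower-level path it is less
likely to control. Entries that appear in only one view are discrepancies
worth investigating.
"""
from __future__ import annotations

# --- Constructed sample data (not real tool output) --------------------------

# High-level view: what an API-based process listing returns. Assume a rootkit
# has filtered one process out of this list.
API_PROCESS_VIEW = """\
Image Name                     PID
System                           4
svchost.exe                    612
explorer.exe                  1480
"""

# Low-level view: the same objects enumerated through a path the rootkit does
# not hook (for example, walking kernel process objects directly). Note the
# extra entry; its name is invented for this sample.
RAW_PROCESS_VIEW = """\
System                           4
svchost.exe                    612
explorer.exe                  1480
hidden_sample.exe             2044
"""

# File-system views as path sets: API directory listing vs. raw volume parse.
# The extra driver name is a constructed placeholder.
API_FILE_VIEW = {r"C:\Windows\System32\drivers\http.sys",
                 r"C:\Windows\System32\drivers\ntfs.sys"}
RAW_FILE_VIEW = API_FILE_VIEW | {r"C:\Windows\System32\drivers\sample_hidden.sys"}


def parse_process_list(text: str, header: bool = False) -> dict[int, str]:
    """Parse 'name ... pid' lines into {pid: name}; optionally skip a header."""
    lines = text.splitlines()[1:] if header else text.splitlines()
    entries: dict[int, str] = {}
    for line in lines:
        parts = line.split()
        if len(parts) < 2 or not parts[-1].isdigit():
            continue  # ignore blank and malformed lines
        entries[int(parts[-1])] = " ".join(parts[:-1])
    return entries


def cross_view(api_view: dict, raw_view: dict) -> dict[str, list]:
    """Compare two views keyed by identifier (pid or path).

    hidden     - present in the raw view but filtered out of the API view
    phantom    - reported by the API but absent from the raw view
    mismatched - same key in both views but with different attributes
    """
    hidden = sorted(k for k in raw_view if k not in api_view)
    phantom = sorted(k for k in api_view if k not in raw_view)
    mismatched = sorted(k for k in api_view
                        if k in raw_view and api_view[k] != raw_view[k])
    return {"hidden": hidden, "phantom": phantom, "mismatched": mismatched}


def process_report() -> dict[str, list]:
    """Cross-view report for the constructed process listings."""
    api = parse_process_list(API_PROCESS_VIEW, header=True)
    raw = parse_process_list(RAW_PROCESS_VIEW)
    return cross_view(api, raw)


def file_report() -> dict[str, list]:
    """Cross-view report for the constructed file listings."""
    # Path sets carry no attributes, so map each path to itself.
    return cross_view({p: p for p in API_FILE_VIEW}, {p: p for p in RAW_FILE_VIEW})


if __name__ == "__main__":
    for label, report in (("processes", process_report()), ("files", file_report())):
        print(label, report)
```

The three buckets matter in practice: "hidden" is the classic rootkit signature, "phantom" catches objects faked into the API view, and "mismatched" catches attribute tampering on an object that was not hidden at all. The detector is only as good as the independence of its two views, which is exactly the assumption the article's fourth-generation prototype attacks.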

These guys are here showing us that we haven't even scratched the surface where rootkits are concerned.

Internet security practitioners in attendance described the Shadow Walker prototype as "scary."
