Language Selection

English French German Italian Portuguese Spanish

Black Hat conference: Newest Stealth Rootkits

Filed under
Security

Just when anti-virus vendors think they have a bead on the threat from stealth rootkits, along comes word that a pair of researchers have discovered a new way to hide malicious programs.

Jamie Butler, director of engineering at HBGary Inc., and Sherri Sparks, a PhD student at the University of Central Florida, demonstrated the technique at the Black Hat Briefings here with a chilling warning that anti-virus scanners must "completely revamp" existing rootkit detection technologies.

The proof-of-concept, dubbed Shadow Walker, is a modification of Butler's FU rootkit, a kernel-level program capable of hiding processes and elevating process privileges. The rootkit uses DKOM (Direct Kernel Object Manipulation) to fake out the Windows Event Viewer to make forensics virtually impossible and can also hide device drivers, Butler explained.

With Shadow Walker, Butler and Sparks explore the idea of memory subversion to hide the rootkit in memory with almost no performance impact.

"This is a prototype for a fourth generation of rootkits that would defeat the current rootkit detection technology," said Sparks, who is renowned for her work around offensive/defensive malicious code technologies.

Some existing rootkit defense technologies use behavior detection, integrity detection and signature-based detection to find the stealth programs. Others, like Microsoft Corp.'s Strider Ghostbuster, F-Secure Corp.'s BlackLight and Sysinternals Freeware's RootkitRevealer, search for registry and file system API discrepancies that may indicate the presence of a user-mode or kernel-mode rootkit.

These guys are here showing us that we haven't even scratched the surface where rootkits are concerned.

Internet security practitioners in attendance described the Shadow Walker prototype as "scary."

Full Story.

More in Tux Machines

Sean Michael Kerner on OpenStack

Xubuntu 15.04 Vivid Vervet - Fabulous

I have to say, Xubuntu 15.04 Vivid Vervet shattered my expectations. Obliterated them. Overall, I was expecting a distro that would be about as good as its parent. Instead, I got this fine piece of digital machinery, which purrs and meows and growls like a turbo-charged tiger, if this silly metaphor makes any sense. Or is it an analogy? Now, one tiny software glitch, plus one big regression that affects the entire family. That's the sum of my complains. On the plus side, Xubuntu fully supports the hardware, including the tricky UEFI stuff, it's fast, robust, elegant, rich in software and features, simple and fun to use, and it works well with anything I've thrown at it. By far the best distro of this year. I don't give out 10/10 lightly, but I'm inclined to do that right now, even though the few tiny problems we've had prevent me from doing that. However, the whole package reminds me of Fuduntu, really. Pure and simple and just good. 9.99999/10. Try it, you won't be disappointed. We're done here. Read more

Akanda Pledges to Keep SDN Tech for OpenStack Open-Source

Rosendahl emphasized that Akanda was born as open-source software and will remain open-source. From a commercial perspective what Akanda provides to enterprises is support and professional services. Read more

A New Firefox OS phone

Last Monday, I bought the phone anyway. I must say that I am very pleased by its performance and very cheap price. One can swap the SIM card to use the phone with another carrier here, too. Read more