Black Hat conference: Newest Stealth Rootkits

Just when anti-virus vendors think they have a bead on the threat from stealth rootkits, along comes word that a pair of researchers have discovered a new way to hide malicious programs.

Jamie Butler, director of engineering at HBGary Inc., and Sherri Sparks, a PhD student at the University of Central Florida, demonstrated the technique at the Black Hat Briefings here with a chilling warning that anti-virus scanners must "completely revamp" existing rootkit detection technologies.

The proof-of-concept, dubbed Shadow Walker, is a modification of Butler's FU rootkit, a kernel-level program capable of hiding processes and elevating process privileges. The rootkit uses DKOM (Direct Kernel Object Manipulation) to fake out the Windows Event Viewer to make forensics virtually impossible and can also hide device drivers, Butler explained.

With Shadow Walker, Butler and Sparks explore the idea of memory subversion to hide the rootkit in memory with almost no performance impact.

"This is a prototype for a fourth generation of rootkits that would defeat the current rootkit detection technology," said Sparks, who is renowned for her work around offensive/defensive malicious code technologies.

Some existing rootkit defense technologies use behavior detection, integrity detection and signature-based detection to find the stealth programs. Others, like Microsoft Corp.'s Strider Ghostbuster, F-Secure Corp.'s BlackLight and Sysinternals Freeware's RootkitRevealer, search for registry and file system API discrepancies that may indicate the presence of a user-mode or kernel-mode rootkit.
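The "API discrepancy" approach in the paragraph above is usually called cross-view detection: enumerate the same objects once through the normal API and once through a lower-level path, and treat anything that appears in only one view as suspect. The block below is an added illustration of that principle written for this page; it is not code from the article, from the researchers, or from any of the tools named (Strider Ghostbuster, BlackLight, RootkitRevealer). All process and file entries in it are constructed sample data, and the `Entry`/`cross_view` names are this example's own.

```python
# Added example: cross-view discrepancy detection, the principle behind the
# API-discrepancy scanners the article mentions. Not the tools' own code.
from dataclasses import dataclass
from typing import Dict, Iterable, List


@dataclass(frozen=True)
class Entry:
    """One object as reported by one enumeration method."""
    key: str    # identity, e.g. "pid:612" or a file path
    label: str  # what the view says about it, e.g. image name or size


@dataclass
class Report:
    hidden: List[str]      # seen by the low-level view only: hidden from the API
    phantom: List[str]     # seen by the API only: a lying API, or a race between views
    mismatched: List[str]  # seen by both, but described differently

    def is_clean(self) -> bool:
        return not (self.hidden or self.phantom or self.mismatched)


def cross_view(high_level: Iterable[Entry], low_level: Iterable[Entry]) -> Report:
    """Diff an API-level enumeration against a lower-level one.

    A rootkit that filters API results (the user-mode or kernel-mode hooking
    case) leaves objects present in the raw view but absent from the API view.
    """
    high: Dict[str, str] = {e.key: e.label for e in high_level}
    low: Dict[str, str] = {e.key: e.label for e in low_level}
    hidden = sorted(k for k in low if k not in high)
    phantom = sorted(k for k in high if k not in low)
    mismatched = sorted(k for k in high if k in low and high[k] != low[k])
    return Report(hidden, phantom, mismatched)


# --- constructed sample data: not captured from any real system ---
API_PROCESSES = [
    Entry("pid:4", "System"),
    Entry("pid:612", "csrss.exe"),
    Entry("pid:1180", "explorer.exe"),
]
# A raw walk of the kernel's process list sees one entry the API omitted.
RAW_PROCESSES = API_PROCESSES + [Entry("pid:1337", "sample_hidden.exe")]

# File view: one driver the API does not list, and one whose size differs
# between views (placeholder file names, not real driver names).
API_FILES = [Entry(r"C:\Windows\System32\drivers\driver_a.sys", "size=49152")]
RAW_FILES = [
    Entry(r"C:\Windows\System32\drivers\driver_a.sys", "size=53248"),
    Entry(r"C:\Windows\System32\drivers\driver_b.sys", "size=8192"),
]


def demo() -> Dict[str, Report]:
    """Run both comparisons and return the reports keyed by scope."""
    return {
        "processes": cross_view(API_PROCESSES, RAW_PROCESSES),
        "files": cross_view(API_FILES, RAW_FILES),
    }


if __name__ == "__main__":
    for scope, report in demo().items():
        status = "clean" if report.is_clean() else "DISCREPANCY"
        print(f"{scope}: {status} hidden={report.hidden} "
              f"phantom={report.phantom} mismatched={report.mismatched}")
```

The method only works while the low-level view is honest. That is exactly the assumption a memory-subverting prototype like the one described in this article is meant to break, which is why the researchers argue that scanners built on this comparison need to be revamped rather than tuned.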

These guys are here showing us that we haven't even scratched the surface where rootkits are concerned.

Internet security practitioners in attendance described the Shadow Walker prototype as "scary."
