Rootkits: ‘be very afraid’
p2pnet.net News:- Kernel rootkits could soon be used to create a new generation of canny, mass-distributed spyware and worms.
They’re the latest generation of remote system-monitoring software and are used by malicious hackers to control, attack or ferret information from systems on which the software has been installed, typically without the owner’s knowledge, either by a virus or after a successful hack of the computer’s defenses, says Computerworld.
That’s what Mike Danseglio and Kurt Dillard of Microsoft’s security solutions group told a session at the RSA Security Conference in San Francisco this week.
The increasingly sophisticated rootkits and the speed with which techniques are migrating from rootkits to spyware and viruses may be the result of influence from organized online criminal groups that value stealthy, invasive software, the story quotes Dillard as saying.
According to Dillard, Hacker Defender, released about a year ago, “even uses encryption to protect outbound communications and can piggyback on commonly used ports such as TCP Port 135 to communicate with the outside world without interrupting other applications that use that port,” says the story.
Computerworld says Microsoft has developed a tool called Strider GhostBuster that’s able to detect rootkits by comparing clean and suspect versions of Windows and looking for differences that may indicate a kernel rootkit is running.
“File-hiding is an advanced stealth technique used by many popular system-monitoring software such as RootKits [RK], Trojans, and keyloggers [KL] to make executables or data files (such as recorded keystroke files) invisible,” says a Microsoft paper on Strider GhostBuster.
“Once the monitoring program is started, it intercepts all file queries at a very low level and uses filtering to ensure that a chosen subset of files are never revealed to any file query operations made by any program running on the infected machine. This technique can defeat experienced system administrators who search the file system and Windows Registry for suspicious entries, as well as commonly used malware scanning tools that are based on known-bad file signatures.
“However, file-hiding behavior has a fundamental flaw: any file to be hidden must physically exist and is visible from another clean OS uninfected with the file-hiding software. Unfortunately, this visibility alone does not mean that the hidden file is easily identifiable because there are usually tens to hundreds of thousands of files on a file system. Fortunately, the file-hiding behavior itself provides an almost trivial way of exposing the very file that it tries to hide: if we scan the entire file system from the clean OS, and subtract from the output all those unhidden files that appear in another scan inside the infected OS, the only remaining files are the hidden files!”
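The subtraction the paper describes, written out as an added example (this is not Microsoft’s GhostBuster code): two constructed file listings, one taken from a clean rescue OS with the volume mounted as E: and one enumerated from inside the suspect OS as C:, are normalised and diffed, with a constructed list of volatile paths filtered out so ordinary churn between the two scans is not reported as hiding.

```python
import ntpath
from typing import Iterable

# Paths that legitimately differ between two scans taken at different times
# (swap/hibernation files, temp directories). Constructed for this example.
VOLATILE_PREFIXES = ("\\pagefile.sys", "\\hiberfil.sys", "\\windows\\temp\\")


def normalize(path: str) -> str:
    """Canonicalise a Windows path so both views compare equal.

    NTFS is case-insensitive and the offline scan usually mounts the volume
    under a different drive letter, so drop the drive and lower-case the rest.
    """
    _drive, rest = ntpath.splitdrive(path.strip())
    return ntpath.normpath(rest).lower()


def is_volatile(norm_path: str) -> bool:
    return norm_path.startswith(VOLATILE_PREFIXES)


def cross_view_diff(offline_scan: Iterable[str], inside_scan: Iterable[str]) -> list[str]:
    """Files the clean (offline) scan sees that the infected OS does not report.

    Returns the offline paths, sorted, with volatile entries dropped.
    """
    offline = {normalize(p): p for p in offline_scan}
    inside = {normalize(p) for p in inside_scan}
    hidden = offline.keys() - inside
    return sorted(offline[k] for k in hidden if not is_volatile(k))


# Constructed sample listings: the volume is mounted as E: from a rescue OS,
# and as C: when enumerated by the (suspect) running system.
OFFLINE_SCAN = [
    r"E:\Windows\System32\kernel32.dll",
    r"E:\Windows\System32\drivers\etc\hosts",
    r"E:\Windows\System32\drivers\hidden_driver.sys",  # constructed name
    r"E:\Users\alice\keylog.txt",                       # constructed name
    r"E:\pagefile.sys",
    r"E:\Windows\Temp\tmp1234.tmp",
]
INSIDE_SCAN = [
    r"C:\Windows\System32\KERNEL32.DLL",
    r"C:\Windows\System32\drivers\etc\hosts",
    r"C:\pagefile.sys",
    r"C:\Windows\Temp\tmp5678.tmp",
]

if __name__ == "__main__":
    for path in cross_view_diff(OFFLINE_SCAN, INSIDE_SCAN):
        print("hidden from inside view:", path)
```

Files that appear only in the inside view (the fresh temp file here) are not flagged, since a file the infected OS reports cannot be one it is hiding.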
===================
See:-
Microsoft on ‘rootkits’: Be afraid, be very afraid, Computerworld, February 17, 2005
Strider GhostBuster: Why It’s A Bad Idea For Stealth Software To Hide Files, Microsoft Research, July 24, 2004