Rootkit Creators Turn Professional
pete richards writes "Signalling a trend towards increased 'outsourcing' of some elements of malware creation, worm authors are increasingly turning to commercially available rootkits to help their creations slip past virus detection engines. Those rootkits in the meantime are becoming more professional. Antivirus vendor F-Secure reported last week that it had detected a first rootkit designed to bypass detection by most of the modern rootkit detection engines."
Re:Misuse of the term (Score:1, Informative)
root access on a system either by buffer overflow of a running process/server or some other method. To prevent a process showing up in ps all you have to do is put your own version of the ps command in place, hardly rocket science.
Re:Fact or fiction? (Score:3, Informative)
I think what he meant (though he could have phrased it much better) is that previously virus writers were just sad spotty adolescents with no social skills in their bedroom writing viruses to prove something to themselves or to impress their equally sad and spotty online "friends". These days a lot of it is paid for by organised crime who have specific targets and specific agendas.
Re:Misuse of the term (Score:5, Informative)
There is more to a root kit than just a replacement ps, but of course that is a critical element.
No, it's not rocket science, but in practice modding system binaries whilst on the outside keeping the system appearing to run normally is much harder: different libraries / operating systems / architectures to deal with, and the fact that you are messing around with core system files.
Re:Misuse of the term (Score:4, Informative)
See also Sysinternals' Rootkit Revealer [sysinternals.com]:
www.hxdef.org....nuff said (Score:2, Informative)
http://www.hxdef.org/antidetection.php [hxdef.org]
They even have a license..
Paid versions are not released under GPL licence.
Every customer who buys antidetection service agrees with this licence.
Customer is not allowed to spread the product or its parts in neither binary nor source code form.
Violating of this licence will issue in loss of any support
and also in impossibility of buying new updates and other products and services.
Customer can do whatever he/she wants with his/her product except
all activities that are forbidden in this licence.
Customer can even modify the source code or the binary form of the product.
Customer is fully responsible for the application of boughten product.
Provider of antidetection service reserves the right to refuse any customers order.
If customers order is accepted customer pledges to pay the full sum before he/she gets the product.
Provider pledges to assemble the product and send it to the customer in 5 working days.
If provider is not able to fulfil the order the customer will get all his/her money back.
All payments are provided by e-gold (http://www.e-gold.com/ [e-gold.com]); rarely, by prior arrangement, payments via Moneybookers (http://www.moneybookers.com/ [moneybookers.com]) can be accepted too.
Customer will receive relevant payment information after provider accepts the order.
Re:Easy prey? (Score:5, Informative)
A rootkit isn't a tool to break into a machine; it's a tool to hide your presence once you've already broken into the machine...
Is VNC a rootkit?
No. But a tool hiding VNC from the process list might be.
Re:Misuse of the term (Score:2, Informative)
Don't let the name fool you, because that's all it is: a name. Exploits and rootkits are 2 entirely different things. You can get all the exploits you want from packetstormsecurity [packetstormsecurity.nl] but I dare you to find a single rootkit there.
You don't have to take my word for it but jfyi, I worked as a security admin at a rather large dedicated hosting company and have seen just about every damn rootkit that actually works.
Re:Misuse of the term (Score:2, Informative)
Isn't that a contradiction?*
You can get all the exploits you want from packetstormsecurity but I dare you to find a single rootkit there.
Homepage: Assessments -> RootKits [linuxsecurity.com]
What you really want to watch out for are kernel level RootKits, as even checking the integrity of programs doesn't help as they aren't altered. The kernel runs a different program when you call the correct one. Evil I tell you!
*Laugh, it was supposed to be a joke
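The cross-view idea behind detectors like the Rootkit Revealer linked earlier in the thread, applied to the process list: take the same inventory two different ways and diff the answers. This is an added example, not code from any comment here or from Sysinternals. It assumes a Linux host: view 1 is the /proc directory listing that ps relies on, view 2 asks the kernel about every PID directly with kill(pid, 0); a PID the kernel acknowledges but the listing omits is what a process-hiding rootkit looks like, and the two-pass intersection plus the Tgid filter handle the two common false positives (processes that exited between views, and thread IDs).

```python
"""Cross-view process enumeration, Linux only for the live functions.
Added example, not code from any comment in this thread.
View 1 is the /proc directory listing that ps relies on; view 2 asks the
kernel about every PID directly with kill(pid, 0). A PID present in view 2
but absent from view 1 is what a process-hiding rootkit looks like."""
import os


def pids_from_proc_listing(proc="/proc"):
    """View 1: numeric entries returned by reading the /proc directory."""
    if not os.path.isdir(proc):
        return set()
    return {int(name) for name in os.listdir(proc) if name.isdigit()}


def pids_from_signal_probe(pid_max=None):
    """View 2: probe every possible PID with signal 0.
    ProcessLookupError (ESRCH) means no such process;
    PermissionError (EPERM) means it exists but belongs to someone else.
    A large pid_max (4194304 on many hosts) makes a pass take several seconds."""
    if not os.path.isdir("/proc"):
        return set()
    if pid_max is None:
        try:
            with open("/proc/sys/kernel/pid_max") as f:
                pid_max = int(f.read())
        except OSError:
            pid_max = 32768
    alive = set()
    for pid in range(1, pid_max + 1):
        try:
            os.kill(pid, 0)
        except ProcessLookupError:
            continue
        except PermissionError:
            pass
        alive.add(pid)
    return alive


def is_suspect_leader(pid, proc="/proc"):
    """kill() also answers for thread IDs, which never appear in the /proc
    listing. Drop entries whose Tgid differs from the PID (plain threads);
    keep anything whose status file cannot be read, since an unreadable
    entry that the kernel still acknowledges is itself worth a look."""
    try:
        with open(f"{proc}/{pid}/status") as f:
            for line in f:
                if line.startswith("Tgid:"):
                    return int(line.split()[1]) == pid
    except OSError:
        return True
    return True


def hidden_pids(listed, probed, keep=lambda pid: True):
    """PIDs the probe reports but the listing omits, filtered by keep()."""
    return {pid for pid in probed - listed if keep(pid)}


def cross_view_scan(passes=2):
    """Live scan. A PID must be missing in every pass so that processes
    which simply exited between the two views are not reported."""
    suspects = None
    for _ in range(passes):
        found = hidden_pids(pids_from_proc_listing(),
                            pids_from_signal_probe(), is_suspect_leader)
        suspects = found if suspects is None else suspects & found
    return suspects or set()


if __name__ == "__main__":
    print("PIDs visible to kill() but absent from /proc listing:",
          sorted(cross_view_scan()))
```

Run it as root so EPERM does not hide anything from view 2. The limit the poster above points out still applies: a kernel-resident rootkit that hooks both getdents and kill consistently will pass this check, which is why the comparison is worth repeating from known-good media rather than trusting the running kernel alone.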
Re:Misuse of the term (Score:3, Informative)
You can also easily run it on a running system.
The problem is that on a running system your executable is subject to the whims of the currently-running kernel, glibc, linker, etc. If the rootkit installed a kernel module, or a modified glibc, or something else, then when you scan ps it could just point you to a saved unmodified copy of ps, and then your scan would miss the changes. When you look for running processes via a system call, the kernel patch could deceive you. Even if you are statically linked you are still subject to the kernel for file access. Even if you run as root and directly access the hard drive device, you are going through the kernel device driver. Even if you make low-level hardware calls you are still in userland and a very clever rootkit running in ring 0 could interrupt your program and make it do whatever it wants. Of course, all of these tricks are very difficult to pull off, and most rootkits rely only on a subset of them.
Also, if your hash database is not stored on read-only media it could have been tampered with.
However, the safest way to scan for a rootkit is to boot from known-good media and scan against a known-good database. There is no way to defeat this. In the same way, the safest way to clean a virus is to boot off of a clean disk and purge the virus when it has not been loaded into memory.
Usually the best practice is to run tripwire and do online scans frequently, and offline scans anytime you suspect malicious activity or on some less frequent schedule.
The problem with tripwire is people like me who are constantly upgrading packages. Your tripwire database needs to be updated anytime you install software, making it best suited to infrequently-changing servers...
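A tripwire-style integrity check that takes the two points above seriously: the baseline is hashed and authenticated so that a baseline sitting on writable media cannot be quietly edited, and the scan classifies every path as added, removed or modified. This is an added example, not tripwire's code or anything from the thread. It assumes the HMAC key lives off the monitored host and that the sealed baseline is stored on read-only media; the demo() function builds a constructed scenario in a temporary directory (a replaced binary, a removed one, a new file, and a tampered baseline).

```python
"""Tripwire-style file-integrity baseline with an authenticated baseline file.
Added example, not code from any comment in this thread. Assumes the sealed
baseline and the HMAC key are kept off the monitored host (read-only media,
offline key) and that scans run from known-good media when it matters."""
import hashlib
import hmac
import json
import os
import tempfile


def sha256_file(path):
    """Stream the file so large binaries do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root):
    """Record hash, size and mode of every regular file below root."""
    baseline = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            if os.path.islink(full) or not os.path.isfile(full):
                continue
            st = os.lstat(full)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            baseline[rel] = {"sha256": sha256_file(full),
                             "size": st.st_size, "mode": st.st_mode}
    return baseline


def seal_baseline(baseline, key):
    """Serialize deterministically and append an HMAC so edits are detectable."""
    body = json.dumps(baseline, sort_keys=True)
    tag = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return json.dumps({"baseline": body, "hmac": tag})


def seal_is_authentic(sealed, key):
    """True only if the tag matches; compare_digest avoids timing leaks."""
    doc = json.loads(sealed)
    expected = hmac.new(key, doc["baseline"].encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, doc["hmac"])


def open_baseline(sealed, key):
    """Refuse to use a baseline that fails authentication."""
    if not seal_is_authentic(sealed, key):
        raise ValueError("baseline failed authentication; do not trust this scan")
    return json.loads(json.loads(sealed)["baseline"])


def compare(baseline, current):
    """Classify every path as added, removed or modified (hash, size or mode)."""
    common = set(baseline) & set(current)
    return {"added": sorted(set(current) - set(baseline)),
            "removed": sorted(set(baseline) - set(current)),
            "modified": sorted(p for p in common if baseline[p] != current[p])}


def demo():
    """Constructed scenario in a temp dir: one binary replaced, one removed,
    one file added, then an attempt to edit the sealed baseline itself.
    Returns (report, whether the tampered baseline still authenticates)."""
    root = tempfile.mkdtemp()
    key = b"constructed-demo-key-keep-the-real-one-offline"
    for name, data in (("ps", b"original ps\n"), ("ls", b"original ls\n")):
        with open(os.path.join(root, name), "wb") as f:
            f.write(data)
    sealed = seal_baseline(build_baseline(root), key)
    with open(os.path.join(root, "ps"), "wb") as f:
        f.write(b"replacement ps that omits some processes\n")
    os.remove(os.path.join(root, "ls"))
    with open(os.path.join(root, "extra.ko"), "wb") as f:
        f.write(b"new file\n")
    report = compare(open_baseline(sealed, key), build_baseline(root))
    # Flip the last hex digit of the tag to simulate tampering with the baseline.
    last = sealed[-3]
    tampered = sealed[:-3] + ("0" if last != "0" else "1") + sealed[-2:]
    return report, seal_is_authentic(tampered, key)


if __name__ == "__main__":
    print(demo())
```

The upgrade problem raised above is handled by re-running build_baseline and seal_baseline immediately after a trusted package install, from the same known-good environment, so that the "modified" list after a legitimate update is empty rather than a wall of noise you learn to ignore.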