Rootkit Creators Turn Professional

pete richards writes "Signalling a trend towards increased 'outsourcing' of some elements of malware creation, worm authors are increasingly turning to commercially available rootkits to help their creations slip past virus detection engines. Those rootkits in the meantime are becoming more professional. Antivirus vendor F-Secure reported last week that it had detected a first rootkit designed to bypass detection by most of the modern rootkit detection engines."
  • Re:Wicked (Score:3, Informative)

    by SimilarityEngine ( 892055 ) on Friday October 21, 2005 @06:11AM (#13843112)
    You were looking for this website [czweb.org] presumably.
  • Re:Wicked (Score:3, Informative)

    by dan dan the dna man ( 461768 ) on Friday October 21, 2005 @06:15AM (#13843120) Homepage Journal
    Hmm it seems to be a new release of something called Hacker Defender. Apparently available here [czweb.org] for the curious. Interesting comment in the box about how the commercial version is not released under the GPL :p
  • Re:Waiting for Vista (Score:3, Informative)

    by Anonymous Coward on Friday October 21, 2005 @06:16AM (#13843126)
    Umm..did you know that rootkits were out for *nix long before windows? The rootkits for those systems are far more sophisticated.
  • Re:How dare they! (Score:5, Informative)

    by KiloByte ( 825081 ) on Friday October 21, 2005 @06:22AM (#13843142)
    Like, SuckIt [phrack.org]?
  • by Viol8 ( 599362 ) on Friday October 21, 2005 @06:31AM (#13843169) Homepage
    That definition is wrong. A rootkit is a kit that helps you get root access on a system either by buffer overflow of a running process/server or some other method. To prevent a process showing up in ps all you have to do is put your own version of the ps command in place, hardly rocket science.
  • Re:Fact or fiction? (Score:3, Informative)

    by Viol8 ( 599362 ) on Friday October 21, 2005 @06:34AM (#13843178) Homepage
    "Love the quote from a researcher saying that the alleged sale of rookits means that "

    I think what he meant (though he could have phrased it much better) is that previously virus writers were just sad spotty adolescents with no social skills in their bedroom writing viruses to prove something to themselves or to impress their equally sad and spotty online "friends". These days a lot of it is paid for by organised crime who have specific targets and specific agendas.
  • by jaseuk ( 217780 ) on Friday October 21, 2005 @06:37AM (#13843184) Homepage
    Root kits will normally include things such as modded ps and other modified binaries so that the system appears to be running fine, yet has a backdoor and any logging / system monitoring tools will not show any processes or activity.

    There is more to a root kit than just a replacement ps, but of course that is a critical element.

    No it's not rocket science, but in practice modding system binaries whilst on the outside keeping the system appearing to be running normally is much harder, different library / operating system / architectures to deal with and the fact that you are messing around with core system files.
  • by PhilHibbs ( 4537 ) <snarks@gmail.com> on Friday October 21, 2005 @06:37AM (#13843187) Journal
    Wikipedia [wikipedia.org] agrees with the Jargon File:
    A root kit is a set of tools used by an intruder after cracking a computer system. These tools can help the attacker maintain his or her access to the system and use it for malicious purposes.

    See also Sysinternals's Rootkit Revealer [sysinternals.com]:
    The term rootkit is used to describe the mechanisms and techniques whereby malware, including viruses, spyware, and trojans, attempt to hide their presence from spyware blockers, antivirus, and system management utilities.
  • by $RANDOMLUSER ( 804576 ) on Friday October 21, 2005 @06:44AM (#13843203)
    Um, no. That's exploiting a vulnerability. As jaseuk's reply to you says, a rootkit is something that hides a process from things that examine the process table.
  • by harmonics ( 145499 ) on Friday October 21, 2005 @07:19AM (#13843280)
    Golden Hacker Defender does exist, can be purchased, and no it is NOT GPL..

    http://www.hxdef.org/antidetection.php [hxdef.org]

    They even have a license..

    Paid versions are not released under GPL licence.
    Every customer who buys antidetection service agrees with this licence.
    Customer is not allowed to spread the product or its parts in neither binary nor source code form.
    Violating of this licence will issue in loss of any support
    and also in impossibility of buying new updates and other products and services.
    Customer can do whatever he/she wants with his/her product except
    all activities that are forbidden in this licence.
    Customer can even modify the source code or the binary form of the product.
    Customer is fully responsible for the application of boughten product.
    Provider of antidetection service reserves the right to refuse any customers order.
    If customers order is accepted customer pledges to pay the full sum before he/she gets the product.
    Provider pledges to assemble the product and send it to the customer in 5 working days.
    If provider is not able to fulfil the order the customer will get all his/her money back.
    All payments are provided by e-gold (http://www.e-gold.com/ [e-gold.com]); rarely, by prior arrangement,
    payments via Moneybookers (http://www.moneybookers.com/ [moneybookers.com]) can be accepted too.
    Customer will receive relevant payment information after provider accepts the order.
  • Re:Easy prey? (Score:5, Informative)

    by ArsenneLupin ( 766289 ) on Friday October 21, 2005 @07:23AM (#13843292)
    There probably isn't a law against rootkits, and there shouldn't be. There should be a law against using them to break into systems that you are not authorized to enter, and there is a law against that.

    A rootkit isn't a tool to break into a machine; it's a tool to hide your presence once you've already broken into the machine...

    Is VNC a rootkit?

    No. But a tool hiding VNC from the process list might be.

  • by hellraizr ( 694242 ) on Friday October 21, 2005 @08:49AM (#13843634)
    well it's obvious you've never actually been hit with one, otherwise you would know what you were talking about. *EXPLOITS* get you root. rootkits allow you to KEEP root. The average rootkit disables forensics programs like lsof, ps, find, locate, w, who, (sometimes) syslogd. They also modify shit like rc.sysinit or inittab.

    Don't let the name fool you because that's all it is, a name. Exploits and rootkits are 2 entirely different things. You can get all the exploits you want from packetstormsecurity [packetstormsecurity.nl] but I dare you to find a single rootkit there.

    You don't have to take my word for it but jfyi, I worked as a security admin at a rather large dedicated hosting company and have seen just about every damn rootkit that actually works.
  • by m50d ( 797211 ) on Friday October 21, 2005 @08:52AM (#13843645) Homepage Journal
    The point is this one is not only designed to not be found by "normal" methods, but also to avoid detection by specialist anti-rootkit programs.
  • by Redwin ( 805980 ) on Friday October 21, 2005 @09:41AM (#13843913)
    have seen just about every damn rootkit that actually works

    Isn't that a contradiction?*

    You can get all the exploits you want from packetstormsecurity but I dare you to find a single rootkit there.

    Homepage: Assessments -> RootKits [linuxsecurity.com]

    What you really want to watch out for are kernel level RootKits, as even checking the integrity of programs doesn't help as they aren't altered. The kernel runs a different program when you call the correct one. Evil I tell you!

    *Laugh, it was supposed to be a joke :-)
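The "specialist anti-rootkit programs" the thread keeps mentioning mostly work by cross-view diffing: ask for the same fact two different ways and look for disagreement. The example below, added here and not posted by anyone in the thread, applies that to hidden processes on Linux. A trojaned ps, or a kernel hook that filters the readdir on /proc, changes what a directory listing shows; probing every PID number directly with kill(pid, 0) goes through a separate kernel path that such a hook often leaves honest. Anything that answers the probe but is missing from the listing is a candidate. The PID sets in the test are constructed; the /proc paths and the 32768 fallback for pid_max are assumptions, and a rootkit that hooks both paths (the kind F-Secure is describing) will of course pass this check.

```python
"""Cross-view check for hidden processes (added example, not from the thread).

Two views of "which PIDs exist": a directory listing of /proc (what ps
reads) and a per-PID probe via kill(pid, 0). A rootkit that only patched
the listing path leaves the probe path honest, so PIDs present in the
probe view but absent from the listing are suspicious."""
import os


def pid_exists(pid):
    """True if the kernel recognises `pid`, whether or not it is listed."""
    try:
        os.kill(pid, 0)          # signal 0: existence/permission check only
    except ProcessLookupError:
        return False
    except PermissionError:
        return True              # exists, but owned by another user
    return True


def listed_pids(proc_dir="/proc"):
    """PIDs visible to a plain directory listing of /proc (the ps view)."""
    return {int(name) for name in os.listdir(proc_dir) if name.isdigit()}


def probed_pids(max_pid=None):
    """PIDs that answer to kill(pid, 0), found by walking the whole PID space."""
    if max_pid is None:
        try:
            with open("/proc/sys/kernel/pid_max") as f:
                max_pid = int(f.read())
        except OSError:
            max_pid = 32768      # assumed fallback when pid_max is unreadable
    return {pid for pid in range(1, max_pid + 1) if pid_exists(pid)}


def hidden_pids(listed, probed, ignore=()):
    """PIDs in the probe view but not in the listing view, sorted.

    Processes that start or exit between the two snapshots show up as
    transient differences, so a hit should be re-probed before it is
    reported as hidden; `ignore` lets a caller whitelist known noise."""
    return sorted(pid for pid in probed - listed if pid not in ignore)


def self_check():
    """Sanity check for the probe path: our own PID must exist."""
    return pid_exists(os.getpid())


def scan(max_pid=None):
    """Take both snapshots and return the suspicious PIDs."""
    listed = listed_pids()
    probed = probed_pids(max_pid)
    return hidden_pids(listed, probed)


if __name__ == "__main__":
    print("hidden PID candidates:", scan())
```

Run it as root so PermissionError does not mask anything, and run it twice: a PID that is hidden on both passes is worth a look, a PID that appears once is usually just a process that started between the two snapshots.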
  • Re:Easy prey? (Score:2, Informative)

    by mOdQuArK! ( 87332 ) on Friday October 21, 2005 @10:48AM (#13844392)
    Some administration tools hide their presence so that corporate office drones won't notice the system administrator monitoring them (for "security" reasons dontcha know). Are they root kits?
  • by Rich0 ( 548339 ) on Friday October 21, 2005 @07:25PM (#13849095) Homepage
    Actually, all of this is exactly what tripwire does. It stores a database of file attributes (hashes, mtimes, etc.).

    You can also easily run it on a running system.

    The problem is that on a running system your executable is subject to the whims of the currently-running kernel, glibc, linker, etc. If the rootkit installed a kernel module, or a modified glibc, or something else, then when you scan ps it could just point you to a saved unmodified copy of ps, and then your scan would miss the changes. When you look for running processes via a system call, the kernel patch could deceive you. Even if you are statically linked you are still subject to the kernel for file access. Even if you run as root and directly access the hard drive device, you are going through the kernel device driver. Even if you make low-level hardware calls you are still in userland and a very clever rootkit running in ring 0 could interrupt your program and make it do whatever it wants. Of course, all of these tricks are very difficult to pull off, and most rootkits rely only on a subset of them.

    Also, if your hash database is not stored on read-only media it could have been tampered with.

    However, the safest way to scan for a rootkit is to boot from known-good media and scan against a known-good database. There is no way to defeat this. In the same way, the safest way to clean a virus is to boot off of a clean disk and purge the virus when it has not been loaded into memory.

    Usually the best practice is to run tripwire and do online scans frequently, and offline scans anytime you suspect malicious activity or on some less frequent schedule.

    The problem with tripwire is people like me who are constantly upgrading packages. Your tripwire database needs to be updated anytime you install software, making it best suited to infrequently-changing servers...
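What the comment above describes, the stored database of hashes and attributes and the comparison against it, fits in a few dozen lines, so here is a Tripwire-style integrity check as an added example. It is not Tripwire's own code or database format, and the files it baselines are a constructed throwaway tree, not real system binaries. The scenario it plays out is the one that makes hashing necessary: the attacker swaps in a same-size replacement for ps and puts the mtime back with a single utime() call, so only the content hash notices. The caveat from the comment still applies in full: every byte this script reads comes through the running kernel and libc, so a kernel-level rootkit can hand it clean data, the baseline has to live on read-only or off-host storage, and the authoritative scan is the one done from known-good boot media.

```python
"""Tripwire-style file integrity baseline (added example, not Tripwire's
own code or database format).

snapshot() records a SHA-256 hash plus size, mode and mtime for every
regular file under a root; compare() diffs two snapshots. demo() builds a
throwaway tree, baselines it, plants a trojaned `ps` with matching size and
mtime, drops a new library, deletes a binary, and returns what compare()
reports."""
import hashlib
import json
import os
import stat
import tempfile


def file_record(path):
    """Hash and metadata for one regular file."""
    st = os.lstat(path)
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            digest.update(chunk)
    return {"sha256": digest.hexdigest(), "size": st.st_size,
            "mode": stat.S_IMODE(st.st_mode), "mtime": int(st.st_mtime)}


def snapshot(root):
    """Map of relative path -> record for every regular file under root."""
    records = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if not os.path.isfile(full) or os.path.islink(full):
                continue             # symlinks and specials are out of scope here
            records[os.path.relpath(full, root)] = file_record(full)
    return records


def compare(baseline, current):
    """Paths added, removed, or whose content/mode differs from the baseline.

    mtime is recorded but deliberately not used as evidence: an attacker
    restores it with one utime() call, which is exactly what demo() does."""
    base_paths, cur_paths = set(baseline), set(current)
    modified = sorted(
        p for p in base_paths & cur_paths
        if baseline[p]["sha256"] != current[p]["sha256"]
        or baseline[p]["mode"] != current[p]["mode"])
    return {"added": sorted(cur_paths - base_paths),
            "removed": sorted(base_paths - cur_paths),
            "modified": modified}


def demo():
    """Constructed scenario; returns the compare() result."""
    with tempfile.TemporaryDirectory() as root:
        bindir = os.path.join(root, "bin")
        os.mkdir(bindir)
        files = {"ps": b"#!/bin/sh\nexec /bin/true\n",   # 25 bytes
                 "ls": b"#!/bin/sh\necho ls\n"}
        for name, body in files.items():
            with open(os.path.join(bindir, name), "wb") as f:
                f.write(body)
        baseline = snapshot(root)
        saved = json.dumps(baseline)      # stand-in for the on-disk database

        # Attacker: same-length replacement for ps, mtime put back afterwards
        ps = os.path.join(bindir, "ps")
        st = os.stat(ps)
        with open(ps, "wb") as f:
            f.write(b"#!/bin/sh\nexec /bin/truE\n")      # also 25 bytes
        os.utime(ps, (st.st_atime, st.st_mtime))
        # ... plus a dropped library and a deleted binary
        os.mkdir(os.path.join(root, "lib"))
        with open(os.path.join(root, "lib", "libevil.so"), "wb") as f:
            f.write(b"\x7fELF")
        os.remove(os.path.join(bindir, "ls"))

        return compare(json.loads(saved), snapshot(root))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

For real use, point snapshot() at /bin, /sbin, /lib and the boot files, write the JSON to media the host cannot modify, and re-baseline only right after a package upgrade you performed yourself; that is the upgrade-churn problem the comment above ends on.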
