Rootkit Creators Turn Professional 117

pete richards writes "Signalling a trend towards increased 'outsourcing' of some elements of malware creation, worm authors are increasingly turning to commercially available rootkits to help their creations slip past virus detection engines. Those rootkits, in the meantime, are becoming more professional. Antivirus vendor F-Secure reported last week that it had detected the first rootkit designed to bypass detection by most of the modern rootkit detection engines."
  • by ReformedExCon ( 897248 ) <reformed.excon@gmail.com> on Friday October 21, 2005 @06:12AM (#13843114)
    What kind of pleasure can be had from doing this kind of hacking? After a while, doesn't it just become old hat?

    Or is there a Matrix-esque cabal of midnight hackers out there dressed in trenchcoats and sunglasses who are busy at work undermining the government? I find that hard to believe.

    I find it easy to believe that there are foreign governments very interested in this type of thing, but it is difficult to imagine ordinary citizens having both the desire and the wherewithal to perform serious attacks and avoid prosecution.

    Or maybe I am just having the wool pulled over my eyes.
  • by Anonymous Coward on Friday October 21, 2005 @06:22AM (#13843143)
    If you've been watching the news the last few weeks, ex-IRA members have been busted doing forgeries in North Korea, bomb-making in Iraq, and making IEDs in Colombia. This is an example of the market for worldwide organised crime skills becoming huge as organisations outsource skillsets, especially nefarious skillsets. It's interesting to note the rise of these types of non-state actors on the world stage and how they are interplaying with governments and corporations. Organised crime is going to become huge and a much more realistic threat than terrorism will ever be on multiple fronts, e.g. economic (black markets), societal (drugs), morality (the increasing legitimization of groups and the intertwining with big gov and big biz).
  • Fact or fiction? (Score:5, Interesting)

    by FishandChips ( 695645 ) on Friday October 21, 2005 @06:25AM (#13843149) Journal
    Hmnn, this article is thin on facts and figures. And like so much "news" coming from the security industry, you're never really sure how much of it is FUD and puffery in order to sell new products. Still, I guess things will continue to get worse so long as much of the IT industry plays pass the parcel, a shuffling process that always ends with the hit landing on the poor old end-user, the person who is usually least qualified to deal with it.

    I guess Bruce Schneier is right when he suggests that the way to improve some aspects of security, anyway, is by placing responsibility firmly on outfits like banks and ISPs who'll get smacked mightily hard in the wallet - by law, this time - unless they raise their game. That might put some pressure on OS-makers and their pals to design products that don't also need AV checkers that are dependent on signature libraries and prey to zero-day exploits.

    Love the quote from a researcher saying that the alleged sale of rootkits means that "there is a criminalisation of the virus world going on." As if it hasn't been criminal till now, just good clean fun ho ho.
  • by Rich0 ( 548339 ) on Friday October 21, 2005 @07:07AM (#13843261) Homepage
    I think at this point the burden of proof is on you to come up with a reference. I've personally always heard the term rootkit used in the manner used now by about three people who have replied to you, and as described on three different fairly-definitive websites referenced in this thread.

    We can sit here all night posting back and forth "is not," "is too" but I don't think that we'll get any further. If you're so certain on your position please take 30 seconds and find something reasonably definitive to support your position.

    Mods - before modding anything else in this thread please take the time to actually look up what a rootkit is... :)

    For the record, an exploit is software designed to gain unauthorized access to a system. A rootkit is a set of tools used to maintain such access without the knowledge of the admin of the cracked system. Typically it includes modified ps, login/su/sshd, etc.

    The whole idea of a rootkit is to make sure you can get back into the system a week later when the admin has patched the original vulnerability. If you rm the ps command it probably won't take long for the admin to figure out what happened.

    The best way to detect a rootkit is via Tripwire, run from a boot CD. There really isn't any way of defeating this method of detection, but it is very inconvenient since it requires bringing the system offline for scanning. There are tools like rkhunter which search for rootkits on running systems, and in theory these can be defeated by a very clever rootkit.
  • Re:Waiting for Vista (Score:4, Interesting)

    by MichaelSmith ( 789609 ) on Friday October 21, 2005 @07:09AM (#13843263) Homepage Journal
    did you know that rootkits were out for *nix long before windows

    Which is the principal difference between *nix and Windows. Most of the holes in unices have been found over the years. Windows was only exposed to wide area networks in a serious way over the last ten years. The bugs are still being found.

  • by ajs318 ( 655362 ) <sd_resp2@earthsh ... .co.uk minus bsd> on Friday October 21, 2005 @07:43AM (#13843339)
    And this is why I like the idea of binaries being tied hard to the exact processor for which they were compiled, rather than every processor having the same instruction set. It makes it a stackload harder to do stuff like that, when actually enabling the build environment requires physical access to the machine. As long as there exists binary compatibility between your system and Some Unknown Bad Guy's system, there will be rootkits.

    Now that we have seen proof of checksum collisions, I do not doubt that the next big thing in malware circles will be to create modified binaries whose checksums are the same as the originals ..... if they haven't already ..... of course, using checksums is actually a pretty christian way of checking for intrusions, because you don't really know for sure that the checksum creator itself hasn't been interfered with.
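Two of the comments above describe the same control from opposite sides: Rich0's point that the reliable way to catch a user-mode rootkit (trojaned ps, login, sshd and friends) is an offline integrity check of the binaries against a known-good baseline, and ajs318's worry that checksum collisions undermine that check. The script below is an added, self-contained illustration of the baseline-and-verify step, not code from Tripwire, rkhunter or anyone quoted on this page. It records a SHA-256 digest plus size and mode for every regular file under a directory, then reports which files changed, appeared or disappeared. The demo directory, the fake "ps" and "ls" scripts, and the "trojaned" replacement are all constructed for the example; the replacement is deliberately the same length as the original so that size alone would not reveal it. Two caveats a practitioner should keep in mind: the script does nothing to protect itself or the baseline, which is exactly why the comment says to run the check from a boot CD (both the tool and the baseline must live on media the compromised system could not have written), and the hash is SHA-256 rather than MD5 because practical MD5 collisions are known. Note also that replacing a specific existing binary with one of identical digest is a second-preimage problem, which is harder than finding an arbitrary colliding pair; no practical second-preimage attack on MD5 is known even though collision attacks are.

```python
import hashlib
import tempfile
from pathlib import Path


def hash_file(path, algorithm="sha256"):
    """Digest a file in chunks so large binaries do not need to fit in memory."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root, algorithm="sha256"):
    """Walk root and record digest, size and mode for every regular file.

    Symlinks are skipped: a rootkit that repoints a symlink is caught by the
    target file changing, and hashing link targets would double-count them.
    """
    root = Path(root)
    baseline = {}
    for p in sorted(root.rglob("*")):
        if p.is_symlink() or not p.is_file():
            continue
        st = p.lstat()
        baseline[str(p.relative_to(root))] = {
            "digest": hash_file(p, algorithm),
            "size": st.st_size,
            "mode": st.st_mode,
        }
    return baseline


def verify(root, baseline, algorithm="sha256"):
    """Re-walk root and diff it against a stored baseline.

    Returns a dict with sorted lists of changed, added and removed paths.
    In real use the baseline would be loaded from read-only media, never
    from the disk being checked.
    """
    current = build_baseline(root, algorithm)
    changed = [f for f in baseline if f in current and current[f] != baseline[f]]
    added = [f for f in current if f not in baseline]
    removed = [f for f in baseline if f not in current]
    return {"changed": sorted(changed), "added": sorted(added), "removed": sorted(removed)}


def demo():
    """Constructed scenario: baseline a fake bin/, then 'install a rootkit'.

    The trojaned ps is the same length as the original, so a size-only check
    would miss it; the added sshd stands in for a dropped-in backdoor.
    """
    with tempfile.TemporaryDirectory() as tmp:
        bin_dir = Path(tmp) / "bin"
        bin_dir.mkdir()
        (bin_dir / "ps").write_bytes(b"#!/bin/sh\necho real ps\n")
        (bin_dir / "ls").write_bytes(b"#!/bin/sh\necho real ls\n")
        baseline = build_baseline(bin_dir)

        # Simulated compromise: ps replaced (same size), new sshd dropped in.
        (bin_dir / "ps").write_bytes(b"#!/bin/sh\necho EVIL ps\n")
        (bin_dir / "sshd").write_bytes(b"backdoor")

        return verify(bin_dir, baseline)


if __name__ == "__main__":
    report = demo()
    for kind in ("changed", "added", "removed"):
        print(f"{kind}: {report[kind]}")
```

To use this against a real host the way the comment describes, run `build_baseline` once on a freshly installed system and store the resulting dict (for example as JSON) together with the script on write-once media, then boot from that media and call `verify` against the mounted root filesystem; running it from the possibly compromised OS would let a kernel-level rootkit feed the hasher a clean view of the trojaned files.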
  • Re:Wicked (Score:3, Interesting)

    by Fred_A ( 10934 ) <fred@f r e d s h o m e . o rg> on Friday October 21, 2005 @08:05AM (#13843438) Homepage
    Shouldn't that be an administratorkit anyway ?
  • Re:Easy prey? (Score:2, Interesting)

    by Redwin ( 805980 ) on Friday October 21, 2005 @09:07AM (#13843723)
    This problem of who is guilty also comes up with the use of honeypots, ie if someone breaks into a honeypot system and launches an attack from there who is responsible? The attacker or the person supplying the resources?

    I agree with your point of view that a blanket "all are responsible" response is not the best course of action, as I've wondered how long it will be before people like the authors of security books get bundled into the category of "they supplied the knowledge to make this attack possible, therefore they are guilty as well".

    OTOH it might be considered negligent to have access to a dangerous piece of software available to the public domain at all (even if it is hidden behind some form of security).
  • Re:How dare they! (Score:3, Interesting)

    by xappax ( 876447 ) on Friday October 21, 2005 @09:53AM (#13843980)
    Actually, the free version of the Hacker Defender [czweb.org] rootkit mentioned in the article is open source. GPL, I'm not sure about, but it still surprised me. It actually makes a lot of sense, because it allows attackers to customize and recompile the rootkit, probably creating a new binary that malware-detectors are unaware of.
  • Re:How dare they! (Score:5, Interesting)

    by Captain Splendid ( 673276 ) <capsplendid@nOsPam.gmail.com> on Friday October 21, 2005 @10:04AM (#13844065) Homepage Journal
    You know, that's actually not a bad idea. Something similar to this could (hopefully) be used to help overturn (or change) the DMCA.
