SpannerITWks
Premium Member
join:2005-04-22

Malicious Bots Hide Using Rootkit Code !

Computer viruses and remote control programs called bots are adopting features from stealthy programs called rootkits to avoid detection, according to researchers at Finnish anti-virus software company F-Secure.

New versions of Rbot, a malicious and ubiquitous remote control program, have features copied and pasted from a well known open-source rootkit called FU. The new features make Rbot invisible to system monitoring tools.

This is just the latest example of malicious programs borrowing strategies used by rootkits to evade detection on systems they infect, said Mikko Hyppönen, manager of anti-virus research at F-Secure Corp. - »www.eweek.com/article2/0 ··· 2,00.asp -

-

Some good info available, so also check out the various links.

Thanx to ronjor for this link

GercekSeytan
Absinthe makes the heart grow fonder.
Premium Member
join:2001-10-19

Re this post »Blacklight Rootkit Scanner
F-Secure BlackLight™ (Beta Release)

Future Threats Are Coming Closer
Did you know that it is possible to hide spyware or a virus in a way that will fool even the traditional antivirus products?

Some spyware programs are already using so-called rootkits to hide deep in the system. And, virus authors are joining in. Learn more about the threat called rootkit.

The Cure - Innovative New Technology
Now, there is a cure, F-Secure BlackLight Rootkit Elimination Technology. And, it's time to find out whether your computer is infected by invisible rootkits. Read more about this innovative counter-measure, F-Secure BlackLight™.

Download Beta Trial
Note: We have extended the beta trial period until the 1st of July 2005 in our new beta release. Click here to download the latest beta version »www.europe.f-secure.com/ ··· ry.shtml
»www.europe.f-secure.com/ ··· cklight/

Most recent version is 18 May 05 (1.5.1002)
Just Basics
join:2003-06-08
Painter, VA

" Note: The F-Secure BlackLight Beta only works on Windows 2000, Windows XP and Windows 2003 Server. F-Secure BlackLight does not work on Windows NT, 95, 98 or ME."

Would have liked to give it a try

JamPony9
Premium Member
join:2004-12-08
Austin, TX

to SpannerITWks
This points up the importance of avoiding infection in the first place. I don't know what can be done about ignorant or unconcerned users. But anyone clued-in enough to be reading this forum can attain close to 100% prevention, even if running Windows, though it takes some commitment.

The one method that logically is almost certain to detect rootkits is comparing the system's self-reported state with its state as seen from an "external" view. It appears the F-Secure product is based on this concept.

This is also the principle of Microsoft's in-development "Ghostbuster" anti-rootkit tool.

»research.microsoft.com/rootkit/

I was sure Bruce Schneier had described the same technique before the Microsoft announcement, but I couldn't find the reference. He discusses Ghostbuster here.

»www.schneier.com/blog/ar ··· ter.html

SpannerITWks
Premium Member
join:2005-04-22

Karl Levinson from MS Research wrote me a reply fairly recently, in response to an idea I had for the future securing of PCs against RootKits etc, of which the following is an extract -

MS Strider Ghostbuster is a useful research project, but the media and a few experts wrongly made too much of its current state and demanded it be released immediately to the public. It is not ready for release, as it has a number of vulnerabilities. On the other hand, the main Strider Ghostbuster tool is just a batch file that runs the DIR command and uses something like FC to compare the results, you could do that yourself today. Such a technique does not detect ADS files, which is a big vulnerability. There are also some ways this technique can be evaded, including using the same trick Hacker Defender used against Sysinternals Rootkit Revealer. -

-

Strider GhostBuster Rootkit Detection -

Strider GhostBuster detects API-hiding rootkits by doing a "cross-view diff" between "the truth" and "the lie". It's not based on a known-bad signature, and it does not rely on a known-good state. It targets the fundamental weakness of hiding rootkits, and turns the hiding behavior into its own detection mechanism.

There are THREE versions of Strider GhostBusters: - »research.microsoft.com/rootkit/ -

-

I guess they must have refined GB even further, so it's good to see GhostBuster being used right now as part of MS's efforts to trawl the internet in search of nasties etc. - »research.microsoft.com/sm/ -

-

Beyond Signature-based Approach -

Tools

An ASEP checkpointing and diffing tool that covers the 46 ASEPs known to be hooked by hundreds of spyware and malware programs

Simple steps you can take to detect some of today's ghostware:

Run "dir /s /b /ah" and "dir /s /b /a-h" inside the potentially infected OS and save the results.
Boot into a clean CD, run "dir /s /b /ah" and "dir /s /b /a-h" on the same drive, and save the results.
Run a clean version of WinDiff from the CD on the two sets of results to detect file-hiding ghostware (i.e., invisible inside, but visible from outside). See Hacker Defender ghostware files revealed (highlighted) for an example.
Note: there will be some false positives. Also, this does not detect stealth software that hides in BIOS, Video card EEPROM, disk bad sectors, Alternate Data Streams, etc. - »research.microsoft.com/spyware/

-

Lots of interesting info and links in all the above.

-

ADS on the surface ( no pun intended ) appears more secure than FAT32, and in many ways it is. Except for the fact that all manner of nasties can hide and lurk in there without you knowing about it. Yes you can keep looking if you have the right tools to search with and know what to look for. You can also eliminate the Streams with suitable tools if you wish.

I would NOT install ADS on any PC of mine, others of course can do so if they choose to.

If anybody wants some more info/links on these tools, then just holla.

Spanner
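The "cross-view diff" that the quoted Microsoft material describes (run `dir /s /b` inside the suspect OS, run it again from a clean boot, diff the two) is simple enough to script. The following is an added example for this thread, not Microsoft's Strider GhostBuster code or anything from F-Secure: it parses two captured `dir` listings, normalises them so that case and trailing-backslash differences do not show up as findings, and reports paths seen only from outside (the file-hiding symptom) separately from paths seen only inside. The `KNOWN_VOLATILE` list and both sample captures are constructed for the demo; the driver name in the outside view is a placeholder, not a real rootkit file.

```python
"""Cross-view diff of two directory listings ("the truth" vs. "the lie").

Added example for this thread, not Microsoft's Strider GhostBuster code.
It consumes the text that "dir /s /b /ah" and "dir /s /b /a-h" produce
when captured inside the suspect OS and again from a clean boot CD, and
reports paths that only one of the two views can see.
"""
from dataclasses import dataclass

# Paths that legitimately differ between views (constructed list; extend it
# for the machine under examination). Matched by exact path or by prefix.
KNOWN_VOLATILE = (
    r"c:\pagefile.sys",
    r"c:\hiberfil.sys",
    r"c:\system volume information",
)


@dataclass
class CrossViewResult:
    hidden: list      # seen from outside, missing inside: the file-hiding symptom
    phantom: list     # seen inside, missing outside: usually created after the capture
    suppressed: list  # differences discarded as known false positives


def normalise(listing: str) -> set:
    """Turn raw 'dir /s /b' text into a set of comparable paths.

    NTFS path lookup is case-insensitive, so case-fold; strip whitespace,
    trailing backslashes and blank lines so cosmetic differences between
    the two captures do not show up as findings."""
    paths = set()
    for line in listing.splitlines():
        path = line.strip().rstrip("\\").lower()
        if path:
            paths.add(path)
    return paths


def is_volatile(path: str) -> bool:
    """True if the path is on the known-volatile list or under a listed directory."""
    return any(path == v or path.startswith(v + "\\") for v in KNOWN_VOLATILE)


def cross_view_diff(inside_listing: str, outside_listing: str) -> CrossViewResult:
    """Compare the in-OS view with the clean-boot view.

    A path the clean boot sees but the running OS does not is the classic
    symptom of an API-hooking rootkit hiding a file; the reverse direction is
    reported too, since a difference in either direction deserves a look."""
    inside, outside = normalise(inside_listing), normalise(outside_listing)
    result = CrossViewResult([], [], [])
    for path in sorted(outside - inside):
        (result.suppressed if is_volatile(path) else result.hidden).append(path)
    for path in sorted(inside - outside):
        (result.suppressed if is_volatile(path) else result.phantom).append(path)
    return result


# Constructed sample captures (not real dir output from any machine).
# "example_hidden_driver.sys" is a placeholder name for the demo only.
INSIDE_VIEW = r"""
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\ntoskrnl.exe
C:\WINDOWS\system32\drivers\ntfs.sys
C:\Documents and Settings\user\Local Settings\Temp\~df1234.tmp
C:\pagefile.sys
"""

OUTSIDE_VIEW = r"""
c:\windows\explorer.exe
c:\windows\system32\ntoskrnl.exe
c:\windows\system32\drivers\ntfs.sys
c:\windows\system32\drivers\example_hidden_driver.sys
c:\system volume information\_restore\rp1\a0000001.cpy
c:\pagefile.sys
"""

if __name__ == "__main__":
    report = cross_view_diff(INSIDE_VIEW, OUTSIDE_VIEW)
    for label, paths in (("HIDDEN inside", report.hidden),
                         ("PHANTOM inside", report.phantom),
                         ("suppressed", report.suppressed)):
        for path in paths:
            print(f"{label:15} {path}")
```

The comparison is only as good as the enumeration feeding it: as the quoted note says, anything living outside what `dir` lists (alternate data streams, firmware, bad sectors) never enters either view, and a rootkit that notices the capture running can feed it a consistent lie. A clean-boot capture from read-only media is what makes the outside view trustworthy.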

John2g
Qui Tacet Consentit
Premium Member
join:2001-08-10
England

to SpannerITWks
Just curious: How many Windows rootkits are there in circulation?

SpannerITWks
Premium Member
join:2005-04-22

Hi John, haha, well I could just put ( Google ) like some people do. But you wanna try and pin me down to a number, dontcha !

Well one's more than enough I would have thought, but how long's a piece of string ? Off the shelf right now over a dozen anyway.

But as i mentioned in an earlier thread, there is a version people can have customised whichever way they like for a price.

So on that basis, who knows the number of them around somewhere just waiting to be distributed. And people are working on later versions of previous ones, and also brand new variants. So i guess we'll be seeing more of them sooner rather than later.

Regards,

Spanner

John2g
Qui Tacet Consentit
Premium Member
join:2001-08-10
England

said by SpannerITWks:

But as i mentioned in an earlier thread, there is a version people can have customised whichever way they like for a price.
Those are just a variation on a theme. In essence just one with alterations to small parts of the code like private builds of trojans (Beast, for example)

SpannerITWks
Premium Member
join:2005-04-22

John,

Well - ( there is a version people can have customised whichever way they like for a price. ) - is - ( variation on a theme ) -

But it's still a different version, and really it doesn't make any difference if there was only one Rootkit in the world, like that one that can be customised so much.

How many do you think there should be ? Cos like I said, one's more than enough, especially in the category of the one I just mentioned again. And those custom versions of it are Undetectable as of right now !

John2g
Qui Tacet Consentit
Premium Member
join:2001-08-10
England

I think you should pay more attention to the people who detect rootkits and other malware for a living, rather than those that are trying to sell rootkits, or pseudo rootkits to the gullible.

In other words, don't believe all you read.

Marilla9
I Am My Own Arbiter
Premium Member
join:2002-12-06
Belpre, OH

to SpannerITWks
I wonder (not really wonder, I pretty much know) if we are forgetting here that in order for a rootkit, or other malware using rootkit 'features', to make itself undetectable, it must be allowed to execute.

As far as I am concerned, if malicious code is allowed to execute, the game is over... rootkit or not. If a piece of malware is detectable after it has already been executed, the question has already been begged: Why was it not detected before it was run?
psloss
Premium Member
join:2002-02-24

to SpannerITWks
said by SpannerITWks:

ADS on the surface ( no pun intended ) appears more secure than FAT32, and in many ways it is. Except for the fact that all manner of natsies can hide and lurk in there without you knowing about it. Yes you can keep looking if you have the right tools to search with and know what to look for. You can also eliminate the Streams with suitable tools if you wish.

I would NOT install ADS on any PC of mine, others of course can do so if they choose to.
I assume by "ADS" (NTFS data streams) you are implying NTFS, right?

One of the disadvantages to FAT32 on an NT system partition is that it provides an easy way to escalate privilege, since it allows one to add/change system startup items and write anywhere.

Philip Sloss
spooler0
Premium Member
join:2004-11-17

said by psloss:

I assume by "ADS" (NTFS data streams) you are implying NTFS, right?

One of the disadvantages to FAT32 on an NT system partition is that it provides an easy way to escalate privilege, since it allows one to add/change system startup items and write anywhere.

Philip Sloss
Question for Philip (psloss):

Would that (privileges elevation) matter on a single-user, home computer running XP-Home?

Other than that issue, and assuming modest file sizes, and under 100 GB hard drives, would FAT32 be equally or more advantageous than NTFS?
dave
Premium Member
join:2000-05-04
not in ohio


Assuming the home user may be mildly upset when some random piece of malware immediately installs a rootkit in his OS kernel, due to the kernel sitting on a file system without protection, then yes, it's of concern to the home user.

Admittedly, that's much the same thing that can happen if you run as an administrator while clicking on email attachments from personnel unknown. But I'm not convinced that, just because you have one glaring security problem, you should accept another glaring security problem.

The logic that 'malware can hide in a file system feature, therefore I will install the file system that is designed with no security features whatsoever' seems a little weak to me. I'd suggest a better stream of thinking would be 'named data streams have existed and been documented for 12 years now, so any antivirus/antitrojan vendor who is not fully aware of them is obviously incompetent and should be driven from the marketplace'.

---
FAT's obsolete, designed over 20 years ago for a simple operating system without protection running from a floppy disk.

There's no question at all about it.
spooler0
Premium Member
join:2004-11-17


said by Dave1171:

I'm not convinced that, just because you have one glaring security problem, you should accept another glaring security problem.

The logic that 'malware can hide in a file system feature, therefore I will install the file system that is designed with no security features whatsoever' seems a little weak to me.
---
FAT's obsolete, designed over 20 years ago for a simple operating system without protection running from a floppy disk.

There's no question at all about it.
Thank you, Dave1171 . That answer is very clear.
(bold font added by spooler).
Gavin_TH
join:2003-04-03
Australia

to John2g
said by John2g:

Just curious: How many Windows rootkits are there in circulation?
A LOT. The most prevalent is Hacker Defender; there are many many truly unique samples out there. Add in all the patched and repacked ones, and there's a heap.

The other prevalent ones are the BOTS which everyone is starting to notice. The FU Rootkit driver isn't the only one being used, Hacker Defender also gets put into SDBot projects and is more widespread than most realise - obviously, it's a STEALTH trojan. You're not meant to know about it..

The number of people compiling variants of these bots is pretty big. Most of the sites offering bot mods (source) are shut down, but they trade mods on IRC. We've seen it coming long ago, it's only going to get worse
Happy Bytes
join:2005-04-15


>>The other prevalent ones are the BOTS which everyone is starting to notice.

Worm authors too...
»www.eset.com/pedia/cervy ··· obak.htm

Name Game
Premium Member
join:2002-07-07
Grand Rapids, MI


said by Happy Bytes:

>>The other prevalent ones are the BOTS which everyone is starting to notice.

Worm authors too...
»www.eset.com/pedia/cervy ··· obak.htm
Thanks Mike,

Good write up..also has your user: computer name in the screen shot. Is that a good idea..or is that the address to send a six pack of Zlaty Bazant ?

»listas.vsantivirus.com/l ··· msg/790/

Steve
I know your IP address

join:2001-03-10
Tustin, CA

to SpannerITWks
said by SpannerITWks:

Karl Levinson from MS Research wrote me a reply fairly recently,
Karl wrote that, but you misread the attribution: he's not with MS Research. He's a Microsoft MVP (and a really nice guy).

Steve

SpannerITWks
Premium Member
join:2005-04-22


Hi All,

Quote Marilla - ( If a piece of malware is detectable after it has already been executed, the question has already been begged: Why was it not detected before it was run? ) -

Good Question ! Answer, either a person's Security Software and/or computer's configuration is lacking in some way/s, or even worse is that it's one of those ( Undetectable ) Apps and therefore Won't be detected. We may or may not know that anything is happening at all that would give us cause for concern, so how would we positively establish that we had been infiltrated under those circumstances ?

If those people who choose to use NTFS ADS check those Streams very regularly with those tools I mentioned, then they ( May ) find something or Not depending what it is.

-

Philip Sloss

Yes I appreciate what you're saying, but still there's No doubt about Rootkits etc being able to hide stuff in those ADStreams. If something like BOClean and ProcessGuard for eg are installed on even a FAT32 system, assuming compatibility, then you would have some pretty good protection against Malware Installs/Execution etc I would have expected. I'm not too sure how they or any other Security App would react to the Undetectables though like the Golden Hacker Defender custom Rootkits, that I've mentioned before and that Gavin from DiamondCS was drawing attention to !

-

Mike happy bytes from Eset gives a good account of a rootkit dropper and how it worms its way in etc, but at least this one's detectable, providing that your AV/AT etc has the defs for it of course.

-

Steve, Thanx for the attribution update on Karl Levinson. I have No doubt at all that he IS a really nice guy, cos that's how he came over to me, and i found his response very helpful indeed, as did many others.

John2g
Qui Tacet Consentit
Premium Member
join:2001-08-10
England

to SpannerITWks
You keep alluding to "undetectable" rootkits.

Post some evidence to substantiate your assertions. Please don't point me to that rootkit sales link you posted before.
John2g to SpannerITWks
said by SpannerITWks:

I'm not too sure how they or any other Security App would react to the Undetectables though like the Golden Hacker Defender custom Rootkits, that i've mentioned before and that Gavin from DiamondCS was drawing attention to !
Gavin didn't write that Hacker Defender was undetectable. By linking your comments with his you are trying to maintain that he agrees with you.

Name Game
Premium Member
join:2002-07-07
Grand Rapids, MI

to SpannerITWks
said by SpannerITWks:

Hi All,

Mike happy bytes from Eset gives a good account of a rootkit dropper and how it worms it's way in etc, but at least this ones detectable, providing that your AV/AT etc has the defs for it of course.
Well..it is going to take more than definitions to stop them..and that could be too late.

What you need out there with your AV is something like this.

»www.vsantivirus.com/12-04-05.htm

Win32/Mytob does not fool Virus-Radar

By VSAntivirus

The beauty of a proactive system like Virus-Radar (www.virusradar.com) is that it can discover new viruses from the first time they are seen. Using the advanced heuristics of the award-winning NOD32 antivirus, Virus Radar is designed to "listen to the messages" that can warn us when a new virus is spreading (and, in that way, it helps to prevent them). The recent and progressive capture of the Mytob family of worms (at the moment almost 40 variants) is a great example of the effectiveness of NOD32's heuristics. Some of these variants, which very few antivirus systems detect without being updated, began to propagate very quickly, and in the case of Mytob.D [it had significant propagation; see image: »www.vsantivirus.com/12-04-05.htm]. The worms of the Mytob family are a typical case of malware created by imitators (so-called "copy-cats"), largely based on the source code of Mydoom, a very prevalent virus during 2004. Hardly anything is modified and only small differences are added, but their high frequency of appearance, combined with slight variations of their code, is enough to deceive many detectors. By releasing a great number of versions in quick succession, each of which only spreads for a short time, signature-based detection (databases) is not effective. By the time an antivirus company has released a new signature, the next variant is already spreading. So the fact that a detection already exists for a previous variant does not matter to the author. This may seem a strange strategy, but it is a growing trend in the criminal operation of malicious software, especially used to build real networks of zombie machines that can be used for sending spam.

This type of short-lived worm, if successful, can compromise many systems in a very short time, spreading at very high speed. The infected machines can be used (even if only for a few hours) for nefarious purposes, and then the cycle is repeated with a new variant. A similar technique was used recently, when multiple versions of the Bagle family (which had no code to propagate by themselves) were sent as spam in quick succession. Again the effectiveness of the antivirus signatures was almost nil. When the trojans could be detected, the spam run was repeated and the next variant was released. This trend only emphasizes the need for truly proactive technologies, such as the advanced heuristics of NOD32. The window of time in which to obtain protection is very small, and the vulnerability very high. And with the increasing activity of criminals who write and spread their quickly changing malware, this situation gets worse all the time for those who do not use genuine proactive technologies. Video Soft, the company that created the VSAntivirus site, represents the NOD32 antivirus in Uruguay
(registered trademark of ESET). More information: »www.nod32.com.uy/

* Related: Current Threats - Last 24 Hour Analysis »www.virusradar.com/stat_ ··· enu.html

The rest is here in Spanish

»listas.vsantivirus.com/l ··· msg/790/

Marilla9
I Am My Own Arbiter
Premium Member
join:2002-12-06
Belpre, OH

to SpannerITWks
said by SpannerITWks:

Answer, either a persons Security Software and/or computers configuration is lacking in some way/s
It is thinking like this that ensures that no matter how good the White Hats get, and no matter how quickly and well the Anti-malware vendors get, we will always have malware infecting peoples' computers.

Not once do you mention the very most important part of computer security: The user. Anti-Virus software ideally should not be needed at all, except for verification. So many people out there want to talk about products and software and turning off this or that feature on a web browser - when most of the nasty stuff that happens in the real world would be stopped right in its tracks by intelligent user action.

I have never - not once - had a case where it turned out my Anti-Virus software was 'needed'. My AV software has never detected anything that I did not already know was malware, due to how I came across it. Of course, I keep my AV software going because, who knows? Someday I might get tricked - but it's only a 'backup', and it is not at all the most important part of the whole thing.

The absolute best way to stop malicious software infections of any kind, is to stop people from executing code they should not be executing.
dave
Premium Member
join:2000-05-04
not in ohio


said by Marilla9:

It is thinking like this that ensures that no matter how good the White Hats get, and no matter how quickly and well the Anti-malware vendors get, we will always have malware infecting peoples' computers.
If I buy just one more piece of protectionware, my computer will be safe!

Any similarity between the terms 'protectionware' and 'protection racket' is entirely coincidental.
psloss
Premium Member
join:2002-02-24

to SpannerITWks
said by SpannerITWks:

Yes i appreciate what your saying, but still there's No doubt about Rootkits etc being able to hide stuff in those ADStreams.
The streams have been in every public NT release, it's just that almost no one used them. The bad guys are taking advantage of the historical obscurity of that functionality.

But that's no different to me than other "obscurities" that the bad guys have taken advantage of in the past few years -- the AppInit_DLLs Registry value, the "Image File Execution Options" Registry value, the search path logic for the Shell value, and Winlogon notification DLLs are just a few examples.

Alternate data streams are only hidden from detectors that don't look for them. Whereas a thorough rootkit would see what a detector was looking for and lie to it.

Philip Sloss

skyroket8
join:2001-06-11
Colorado, US

to SpannerITWks
EDIT: sec, reading thread more thoroughly before posting.... :P

---------

I got one of those Symantec Antivirus alert messages when I tried to download one of the rootkits from www.rootkit.com
quote:
Scan type: Auto-Protect Scan
Event: Threat Found!
Threat: Hacktool.Rootkit
File: C:\Documents and Settings\##########\Desktop\rootkit\He4HookInv\DevStudio\bin\win2k\i386\Free\He4HookInv.sys
Location: Quarantine
Computer: ##########
User: ##########
Action taken: Quarantine succeeded : Access denied
Date found: Thursday, May 19, 2005 4:46:37 PM
Does this mean my Symantec Antivirus is protecting me against this crap? Maybe I can just cross my fingers and hope that someone else will get a rootkit before me, and report it to Symantec so I'll get an update.

I agree with the software execution issue, though. It doesn't seem a difficult concept to my intermediate-level-computer-guy-skills to prevent code execution - especially with how paranoid everyone is these days.

Steve
I know your IP address

join:2001-03-10
Tustin, CA

said by skyroket8:

EDIT: sec, reading thread more thoroughly before posting.... :P
Um, that's not really encouraged around here. Why not just shoot your mouth off like the rest of us do?

Rmus
join:2005-03-26

to SpannerITWks
said by SpannerITWks:

If anybody wants some more info/links on these tools, then just holla.
Hi Spanner,

I can't believe you are dredging up this same old silt and muck that was hashed out over at the "other" forum. All that is left is for (forgot his name) to jump in with the Ring-0 and eeprom motherboard stuff

Two of the posters here that make sense are Dave and Marilla. Further discussion of their posts would do much to raise the level of user awareness and prevention, and lower the level of fear and paranoia. You may remember that a few of us did raise this point in the "other" forum, but most were content to tinker with their toys and suggest another "layer of protection."

Regards,

-rich

SpannerITWks
Premium Member
join:2005-04-22

Marilla

I took it for granted we're not talking about careful users in the main ! Of course I agree that it's all the others that are at risk, but it's not just from sloppy surfing etc.

It's how their PCs are set up and the as yet unknown vulnerabilities that exist for their OS and browser too. So yes user education is vital, but they can't do much against zero-day attack scenarios, apart from having some top notch Apps to hopefully rely on !

I also am in a similar position to you. I have only had 2 attempted intrusions, one when i DW an App to try out which had a hidden trojan in it, but i caught it. The other was a couple of days ago when i purposely clicked on a link to DW a nasty, on behalf of someone who started a thread, which my AV caught. I posted about this in the thread lower down.

-

Dave

So how about you losing one or more of your protectionware then, would that make you safer and feel much more secure ? And anyway some good stuff is actually FREE !

-

skyroket

Just wondered why you DW a rootkit, and what you were thinking of trying to do with it ? Yes your AV did appear to jump in on this occasion. The difference is though that the DW App was meant to be used by you, not against you. With this particular RK your AV may have intervened also if it was directed at you, who knows ! If it was an Undetectable RK directed against you, that could be a different matter altogether.

-

Rmus

Well it's hardly exactly the same is it ! Anyway there are plenty of people on here who aren't familiar with RKs and the devious methods they use to achieve stealth. Some had never heard of them ! What's so wrong with letting them know about them.

It's funny you should mention, Ring-0 and eeprom motherboard stuff, cos that's Exactly what Microsoft does as i posted just a few above which you musta missed ! -

Simple steps you can take to detect some of today's ghostware:

Note: there will be some false positives. Also, this does not detect stealth software that hides in BIOS, Video card EEPROM, disk bad sectors, Alternate Data Streams, etc. - »research.microsoft.com/spyware/ -

Nothing wrong with, another "layer of protection", i wouldn't have thought. Maybe you wanna take some away too ! feel free to do so.

If you or anyone else chooses not to contribute and or read this thread or any other, well it's Very simple, just don't. So I don't really know why you did, and I don't suppose you will any more then if you don't want to ! I can't see some of the people being too happy about you describing the thread the way you needlessly did, after they've already participated in it !

My IM's and emails are telling me positive things, so quite a few people are obviously more than happy with things !

So only Two of the posters here make sense, are there ? What about the following Two for eg then -

Gavin Coe - www.diamondcs.com.au - ProcessGuard

Happy Bytes - www.eset.com - NOD32

-

Regards,

Spanner