Rootkits Sec4 Draft

From CyberSecurity
Revision as of 01:11, 26 November 2005 by Jalsalam (talk | contribs)


Section Four: Responses

Research is being conducted along a number of threads to combat rootkits. Common rootkit signatures are being added to security packages (references), but this approach is vulnerable both to polymorphic code and to the hiding activities which define rootkits. Other methods involve cataloguing the techniques commonly used by rootkits, such as API hooks. These methods are vulnerable because it is not guaranteed that you can monitor all the APIs that rootkits might hook, and it is also difficult to distinguish legitimate from malicious hooks. New research is being conducted into generalised rootkit detection methods that look for the effects of rootkits: hidden files or processes. These methods compare multiple ways of querying files or processes, ideally one “infected view” which contains the “lie” and one clean view which contains the “truth”, from which comparisons can be made. The truth can be constructed in a variety of ways: through known good backups, through low-level APIs which are less likely to be infected than high-level APIs, or through the examination of resources from a known good operating system, which could be an external machine or a clean boot CD.
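The multiple-view comparison just described, as an added example that is not part of the original page: each round pairs a trusted low-level “truth” enumeration with the view a possibly hooked API returns, diffs them, and re-checks across rounds so that a process that merely exited between the two enumerations is not mistaken for a hidden one. All views, process names and paths below are constructed placeholders, not real enumerations or a real rootkit's file names.

```python
from collections import Counter


def cross_view_diff(truth, suspect):
    """One round of comparison.  Returns (hidden, phantom): entries the
    trusted low-level view has but the API view omits, and entries only
    the API view reports (e.g. decoys)."""
    truth, suspect = set(truth), set(suspect)
    return truth - suspect, suspect - truth


def confirm_hidden(rounds, min_rounds=2):
    """rounds: [(truth_view, suspect_view), ...] taken at different moments.
    A short-lived process or temp file can vanish between the two
    enumerations of one round and look hidden once (a race, not a
    rootkit); a rootkit hides its objects every time.  Flag an entry only
    if it was hidden in every round it appeared in, and it appeared in at
    least `min_rounds` rounds."""
    seen, hidden = Counter(), Counter()
    for truth, suspect in rounds:
        seen.update(truth)
        hidden.update(cross_view_diff(truth, suspect)[0])
    return sorted(e for e, n in seen.items()
                  if n >= min_rounds and hidden[e] == n)


# Constructed sample views; each entry is (kind, identifier).  The
# EXAMPLE_hidden names are placeholders, not a real rootkit's file names.
ROUND_1 = (
    {("proc", "4 System"), ("proc", "600 EXAMPLE_hidden.exe"),
     ("proc", "700 notepad.exe"), ("file", r"C:\WINDOWS\EXAMPLE_hidden.ini")},
    {("proc", "4 System"), ("proc", "700 notepad.exe")},
)
# Round 2: cmd.exe (pid 900) exited between the two enumerations, so it is
# missing from the API view this once; the rootkit's objects are hidden again.
ROUND_2 = (
    {("proc", "4 System"), ("proc", "600 EXAMPLE_hidden.exe"),
     ("proc", "700 notepad.exe"), ("proc", "900 cmd.exe"),
     ("file", r"C:\WINDOWS\EXAMPLE_hidden.ini")},
    {("proc", "4 System"), ("proc", "700 notepad.exe")},
)


def demo():
    """Run both rounds; only the consistently hidden process and file remain."""
    return confirm_hidden([ROUND_1, ROUND_2])


if __name__ == "__main__":
    for kind, ident in demo():
        print(f"hidden {kind}: {ident}")
```

In practice the two enumerations of a round should be taken as close together in time as possible, and the truth view from something the rootkit is unlikely to have hooked (a lower-level API, a clean boot CD, or an external machine), as the paragraph above describes.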

Responding to a rootkit threat has two stages: detection and removal. The prime value of rootkits is that they hide their presence from the user, thus making it difficult to determine whether a computer has been compromised. Beyond that, rootkits are often difficult to remove without destabilising a system, since they often involve alterations made to important system processes. In some cases, users have been advised to reinstall rather than attempt to clean a system once it is determined to be rootkit-infected.

Virus Scanners

Can traditional virus-scanning software respond to the threat of rootkits? Anti-virus software companies continually update the list of virus and malware signatures that their products recognise. The McAfee website lists both the FU rootkit and the Hacker Defender rootkit in its database of threats which its product can handle. The Norton product does not list either of these rootkits, and Symantec acknowledges the difficulty of detecting these rootkits once they are installed. Microsoft’s Malicious Software Removal Tool advertises that it can remove the Hacker Defender family. Other companies probably represent a mixed bag as to whether or not their products can recognise the signatures of common rootkits.

Although some of the anti-virus companies seem aware of rootkit threats, they are generally not seen as a high priority: rootkits are perhaps logically secondary to the exploits which allow their installation. Additionally, rootkits are more difficult to fight, and so might not presently be an efficient use of anti-virus company resources.

Indeed, it seems likely that code polymorphism means rootkits are widely available that anti-virus software cannot detect. Hacker Defender’s authors offer, for 150 Euros, a 6 month guarantee that your copy will not be detected by eight common anti-virus products! Any rootkit purchased this way has its code scrambled relative to the “public” version, which is part of how it evades detection by these packages.

(Hacker Defender anti-detection purchase page: http://hxdef.czweb.org/antidetection.php )

  • Virus scanners versus Hacker Defender
    • McAfee – FU rootkit and Hacker Defender
    • Symantec – search did not yield HD or FU
    • Sophos – no HD or FU, but a variety of “rootkits”
  • API hook or method detection
    • VICE
  • Multiple view comparisons
    • F-Secure BlackLight, RootkitRevealer, Strider GhostBuster