Rootkit Madness PSC newsletter

ROOTKIT MADNESS

An awful lot of attention in the past few weeks has been paid to the infamous SONY rootkit and while it has focused attention on the power of kernel rootkits in general, it has also created a tremendous amount of misinformation and conjecture. We'll conveniently forget that the "SONY rootkit" has been around since summer of 2004 however. In this newsletter, we'd like to provide a bit of perspective and education on the issue and its repercussions, as well as explain to concerned BOClean customers how we have gone about handling this issue for a number of years now, and why it is a concern ONLY to vendors who need to explain why"rootkits" are news to them.

"Rootkits" have existed for numerous computer operating systems since the 1980's, however they were largely used by computer delinquents against major known server operating systems such as Novell, Solaris, Unix, Linux and were largely focused on covering the tracks of people who were performing break-ins to major networks and server systems. It wasn't until July 30, 1998 when a group known as "Cult of the Dead Cow" created a program called "Back Orifice" for which BOClean was ultimately named after being provided as a free utility included with our original NSClean software to protect against backdoors for over a year.

"Back Orifice" was the very first backdoor which had "rootkit" capabilities and marked the start of a difficult trend. Therefore, "Windows rootkits" are hardly new by any means, despite the media's lack of background in the "art" of "hacking." Back Orifice was the first Windows malware which provided the ability to conceal its presence on Windows machines by use of built-in functions in Windows which caused the original Back Orifice to not appear in the Ctrl-Alt-Del "Task manager" screen which had previously displayed all running processes.

Back Orifice concealed itself by running as a "system service" rather than a "process" and by installing itself into that particular registry startup location, was hidden by the Windows98 operating system entirely. And under Windows NT, system services were normally not displayed either although "Back Orifice" had numerous difficulties running stably under NT. And because there was a process, it was a fairly simple matter to locate and display the presence of "Back Orifice" with numerous "process listing" software. It wasn't hidden all THAT well.

With the release of Windows 2000 (Win2K) at the end of 1999, "Cult of the Dead Cow" updated their earlier backdoor as a new "BO2K" which included highly sophisticated "rootkit" capabilities. Rather than hiding behind the normally invisible processes by means of what Microsoft chose to not display, BO2K actually went into kernel memory and "hooked" into kernel functions by replacing the original locations of numerous kernel functions in ALL versions of Windows with its own "replacement functions" and then modifying the locations of the original kernel functions so that the BO2K "rootkit" addresses would be called INSTEAD of the original kernel functions.

By "hooking the kernel," BO2K's code would intercept the original calls to functions that would list filenames, processes and memory locations and point to the BO2K functions first. BO2K would then look at what information was being requested, and if it was a piece of BO2K, it would return a "no one here" whereas if it wasn't part of BO2K it would then call the ORIGINAL Windows function. This allowed BO2K to become "invisible."

There are MANY rootkits out there - VSDATANT.SYS and OTHERS, used by ZoneAlarm is a ROOTKIT. Symantec installs SEVERAL rootkits including SYMNDIS.SYS, Process Guard ITSELF is a ROOTKIT. These and numerous others install rootkits in order to hook system calls for their own purposes. When is a rootkit NOT a rootkit? When it's branded. However, rootkits have a "dark side" ... unless PERFECTLY written, the operating system has no protection for "intruders" and can become unstable, can "blue screen" or cause system instabilities.

And the MORE of them there are, the greater the chance of various rootkits all trying to hook the SAME kernel functions and relocating them can cause all sorts of mysterious problems as each one expects to be "King of the Hill" without realizing that someone else beat them to "root." Fact is, too many security vendors went the rootkit route which is why there are so many conflicts. And because they hide their rootkits, the WRONG program gets blamed when the house of cards falls. Poorly done rootkits (such as SONY's) can wreak havoc on a system. Most backdoors and other trojans have incredibly poorly written rootkits that usually hose the machine by simple "bad design." A decent amount of commercial software also does so. Ever wonder why it's a bad idea to use more than one antivirus and why firewalls and antiviruses are stepping on each other with "all in one suites?"

And that is the PURPOSE of a "rootkit." To HOOK "system calls" for one of many possible reasons. Some rootkits hook calls to determine if a file, process or other function exists. Some use those hooks to temporarily halt the system while they have a sniff at things starting up to give the user the opportunity to determine whether they want something to continue, or not. Some rootkits have a sole purpose of hiding other things which are occurring at the "user level" such as nefarious programs.

These "rootkits" though, by the simple nature of how Windows works tend to be VERY small and contain only core kernel functions which are to be utilized by a higher-level program whether that program is visible to the user or not at the "user level" of the operating system's function.

ALL "rootkits" however require a STARTUP of some kind, or they will be ignored by the operating system and will never run. EVERY rootkit, no matter how clever, will leave telltale signs of its existence. This is how BOClean has been able to detect rootkits since "Back Orifice" and all which have followed. There is always SOME piece, some startup entry in the registry, or other indication that they are present. AND, in the presence of some TRULY clever rootkits, they can be detected not by what is present, but rather by what is MISSING when a memory probing antimalware program like our BOClean goes to perform its normal inspections and finds things that are supposed to be there are missing. In other words, detecting "rootkits" isn't nuclear brain science if you have been around this long enough to know WHAT to look for. And while the rootkit itself may have burrowed deeply into a system and has successfully concealed itself, there ARE signs (if you know what to look for) that will still reveal the "hidden." We've been doing this for years.

And what we learned years ago was that interjecting into the kernel space and displacing Windows' own addresses to shim in "kernel diversions" was the ultimate no-no to our major customers who KNEW it was a bad idea to fool with moving kernel functions around. SONY'S "rootkit" and the exploits of same only serve to prove the validity of the restraints we were placed under years ago by government agencies we designed BOClean to satisfy. BOClean was forced years ago to detect nasties from the USER level using propietary techniques to analyze the presence of such diversions by very unique means, without "hooking the kernel." And recently, as more and more "security companies" struggled to find a means to circumvent "rooting," they utilized the same sloppy methodolgies of Back Orifice's code. Or worse, used code developed by the very people who supplied the authors of backdoors directly.

We provided a simple manual method of detecting the infamous SONY rootkit in an article we posted to CNET ... by simply looking for a folder that didn't show normally, its mere presence or absence could determine the presence of the SONY rootkit without the need to resort to special kernel modifications. As I mentioned above, "what is missing" was the key to this one singular event. This is why BOClean had no difficulty in detecting the SONY rootkit despite the apparent difficulty other vendors seem to be having. EVERY rootkit has a startup, and only a small handful actually obscure it. They depend on a unique angle perhaps to place it, but no matter how hard you try to hide a rootkit, it CAN be found. And from the RING 3 level, not necessarily by hooking the kernel.

For all the hype over "rootkits," they are NOT news, and they are not as elusive as those who failed to notice them nearly a decade ago who now want to excuse their failure to detect them years ago now, after having fallen victim to the sheer number of them out there today. If you HAVE BOClean, we encourage you to install the SONY rootkit. BOClean will stop it when you try to install it. If you shut down BOClean and install it, BOClean WILL find it even after it's gone "deep." "Rootkits" are not, and have never been a mystery to us. To us, they're ancient history and just another piece of ordinary, insignificant malware. Just another entry in BOClean's database.

But rootkits are NOT the malware itself. Rootkits are merely a means to an end, and a small part of it. Their purpose is SOLELY to conceal the actual payloads which run in "Ring 3" or "user space" ... and when a rootkit is installed, file scanning will not find what is "missing." But the rootkits themselves *MUST* leave a telltale trace of their startup, however obscure some of them may be. If Windows can't start a rootkit, it can't hide anything. And in order to start a rootkit, there needs to be a means. Rootkits aren't as big a boogeyman as they've been made out to be, and they're not as difficult to find as might be suspected.

Except to those that never learned of them YEARS ago. If this was as serious a challenge as it's been made out to be, we would have thrown in the towel as other vendors have. To us, this is "fish in a barrel."

Search our trojan list for the keyword "root" here, and see how many there are which are covered, compare to others: BOClean trojan listing

And to protect your system as best as possible, ALWAYS make sure that your Windows security updates truly ARE up to date, and make sure that any security software you use is the latest version and is updated first! THEN go and reinstall everything else.

But the detection of a rootkit isn't the end of the world, what ELSE is detected is what matters. For OUR customers, support@nsclean is here for you should you need us with any questions when BOClean encounters something. That's what you paid us for in the first place!

 

Hi Nancy

yup we are aware Boclean works at ring 3 because of stipulations put on you by the Gov.

Couple questions. Does Boclean cover all rootkits or only those that have sigs? meaning Does Boclean detect all rootkits proactively even without sigs?

Does Boclean cover the next wave wich uses memory stealth?

I do know a new version is almost out.

Yes you are correct, the Sony rootkits has been out a while but why hasn't any other venders other then Mark made a stink about it?
At least he is trying and does ruffle feathers when he does find something.

And yes you are correct everybody is installing a driver now but I still say a great suite by one company is a good way to go.

More people are installing products like VMware, Deefreeze, Shadowuser and MS shared toolkit so if they do become infected, They can reboot and all is well.
In My case, I was able to use PG to block the driver and still play my Neil Diamond CD, which i bought to check out this rootkit.

I also notice never any mention from Holy Father on Boclean as well as Boclean not mentioning Holy Father. Yes I actualy do notice things from time to time.

To me it is like ok we will be quite till someone else ruffles featers.

I also know some of those that provided proof of concept rootkit stuff also add some of their free rootkit detectors to comercial AV ect.

They come in here witha rootkit detection program and offer it as is and no
support , very arrogunt and are in the same time selling it to a well known anti-mailware company.

Don't get me wrong, I do respect You and Kevin very much as I have mentioned in tha past.

controler

 

Nancy

If Sony's rootkit gets enough hype you can expect some competition this season. Rogue/bogus rootkit cleaners should appear on store shelves shortly after Thanksgiving. Could be the biggest windfall at Best Buy since Y2K.

Thanks for the very informative post. I'll share it with my clients.

Doug

 

Madness..., that's the key word here.

These things are 1's and 0's like everything else, not some supernatural cybernetic organism tip-toeing through your system - although you'd probably think that based on some of the commentary out there.

Be cognizant of the issues and take measures to counteract the real threat, and for users unsure of what to do, BOClean is a very solid first step - one that I recommend to users of all levels.

Blue

 

What seems interesting is the quite radical change in the meaning of the term "rootkit". This originated in the UNIX world and described a tool that allowed an attacker to remotely get "root" access on a system (equivalent to Administrator on Windows), most often via a buffer overflow. Stealth capability was quickly added to allow an attacker to escape detection, initially just by amending basic UNIX utilities like ps to hide the rootkit's existence, then by more sophisticated means.

For Windows, a rootkit has only been used to add stealth capabilities since gaining Administrator access in many cases is trivial (exploiting open Windows services, malicious webpages using IE vulnerabilities, trojans delivered via email or filesharing networks, etc). However Nancy does appear to be taking a broader interpretation in her listing of Process Guard, Zonealarm, etc and defining any program that hooks into Windows as a rootkit, regardless of the reason. This muddies the waters considerably and, in my view, dilutes the idea of rootkit = bad which can only lead to confusion. "Rootkit" should be reserved for those programs that use system hooking to hide themselves, since there is no legitimate reason for doing this.

 

Oh yes we can ramble all we want but still did not answer my question as to why nobody after a year except for MArk brought the rootkit public, if "THEY" new about it all along?

I am sure it was fear if they really new , that Sony would trample them to bits.

Don't be a fool into thinking just because rootkits have been around for years, they are not important.

Alot is becomming of all this, in a good way.

proactive is here. Does it matter if proactive uses the kernel? better then reactive and only after new sigs were made.

I think you all are missing the point here.

controler

 

Hi,
Honestly, I don't understand what you're trying to say.
Could you please explain again?
Thanks,
Mrk

 

Greetings ... well, for all of the talk about "ring 3" vs. "ring 0" folks might be amused to know that "ring 0" is readily available through "ring 3" despite Microsoft's claims to the contrary. Simply a matter of properly translating "ProcAddresses" through what Microsoft refers to as "magic number." So the long-standing design of BOClean was never really an issue so long as "Browser/OS integration" occurred way back.

Apologies for the necessary briefness, we are indeed in the final testing of BOClean 4.20 for release hopefully during or after the weekend. However, most of the changes in this version have to do with things done by other vendors which require a kernel driver piece to step clear of ongoing issues between Process Guard and some other antiviruses which have splashed improperly on OUR shoes as well as some really dumb things that ZoneAlarm has done. These together required a major redesign of BOClean's innards. As far as "rootkit detection" goes, NO changes were necessary there.

As far as "rootkits" go, any vendor that claims to "proactively protect against all rootkits" is a liar. "Rootkits" can be installed from a limited account in ring 3 and just as easily, they can be dealt with from this so-called "nosebleed section" as well. One of the points I was trying to make in the newsletter is that "rootkits" as they're called in "Billyworld" are no big magic.

Their purpose is to hook system calls, divert them to their own handling in order to obscure whatever the "rootkit" was designed to hide, and then pass along the call to the operating system. That's all they do. And for all of the "secret ceremony" powers that have been bestowed on them, while they can hide themselves and hide some other things of the author's choosing, they ALWAYS leave behind signs of their existence and some means of starting up which CAN be found. Each of these "rootkits" goes about doing this in different ways, but they can pretty much all be found. Without their "startups" they won't run.

Knowing where their startups are and how they work is one of the methods we use. We can also determine their presence by what is MISSING. For each different version of Windows, the kernel function calls have entry points that are unique to that version of Windows. And when one of those entry points points to user space, pretty easy to spot a "hooked function." So let's just say that they're not quite as magical as they're made out to be even if they're hidden which is why I revelled in putting out but one example on DSLR for "manual detection and removal" and curiously, that hocus-pocus was done entirely in "ring 3" ... heh. "Spot what is missing" ... "There it is!"

But as far as all of these "l33t exercises" go, forgive me if I sit here chuckling. Busy busy week on this end so also please forgive me if I don't have time to come out and play for about another two weeks, holidays here in the states and family, we let our folks have the rest of the week off for same so it's just me covering three shifts with final preps for 4.20 release and a lot of other things ongoing. I have also inserted a broom so I can sweep the floor as I walk by. If there's additional questions, I'll try to get to them next week. But "rootkits" have been around since 1998. Where WAS everybody else? (grin)

 

Hi Kevin,

I thought that, for example, Process Guard could protect proactively against rootkits....

Hi Bruce,

I thought that BOClean needs a signature for something to detect it...


Regards, Jan.

 

Wow, thank you Nancy for this education. Now there is no way in heck that I will ever ran another pc again without BoClean!

Acadia

 

I think I see something funny about most of us. We don't buy CD's LOL
If we did, Yes we would have seen this rootkit a year ago by the security software we use. I don't know if you have seen the article on the Sony digital camra but it too uses the protection scheme to stop users from sharing their pictures. Does anybody know if they use protection with the playstation?
I never did hear.

The point I am trying to make is not so much, which product is better.
the point I am trying to make is who was going to make Sony pay for what they did? In a sence, good has come of the rootkit hoopla we see today.

Correct me if I am wrong but most experst are saying once a rootkit is on your
machine, it can be hard to remove everything and you can not be sure you got everything. Even Microsoft says it can damage your system when removed. This would be the main proactive reason.

From what I am getting from reading posts is this. There are more and nastier
rootkits out there but I don't get the impression they are talking about other
companies, installing rootkits on your system, as Sony did. It is also funny as to why they went after only Windows users and not Apple or Linux. Guess they might not have as many sales but thought stopping the copying would make up the difference LOL

Is Kevin talking here about 4th generation rootkits? BTW I am looking forward to your new products also. I know you didn't want to do the driver but as you said, was forced to.

Unless Sony some how gets away with what they did, I dought we will ever see another company try this again.

controler

 

controler,

You mentioned the Sony digital cameras. Does that software by Sony also install rootkits?
I don't have one, but my son recently bought a Sony digital camera.

Thanks,
Jerry

 

Hello JerryM

Try googling:

Sony's new Cybershot DSCP515 camera


I don't know right off hand what protection they used but you should find some
articles about it after the google. I don't think I will go out and buy one to find out LOL
That would be too much money for testing.

controler

 

Hello,
Controller, I do buy CDs, but fortunately, in Israel, they sell plain audio disks, without anything fancy. DRM is off shelves in middle east, otherwise customers would be shooting rpgs into the stores.
And even if they were, I would not buy them.
And furthermore, for someone who loves the music from 70s and 80s, I don't think anyone would drm Thomas Dolby's She Blinded me with Science, or Steve Miller Band's Abracadabra...
Mrk

 

I assume you are referring to this link?
http://www.bbspot.com/News/2005/11/sony_photo_sharing.html

IT IS SATIRE

 

But it does appear that Sony is putting rootkits in their camera software.

Jerry

 

The spoof that grew :-

http://p2pnet.net/story/6979
&
http://p2pnet.net/story/6914

 

Nonsense!

 

Yes you are right, I went to Sony's site and they have no model

Sony's new Cybershot DSCP515 camera, they only had a DSC-P51 LOL

I also looked for software and drivers and only found a updated USB driver.

So yes this must be a Urban Legend

controler

 

But it couldn't have happened to a more deserving company than Sony. Crocodile tears, anyone?