Rootkits

I read a news today about F-Secure, that has launched a rootkit tool in beta version called Blacklight.
They will add this tool in every program of company.
I´d like to know if Eset plans to improve NOD32 to detect Rootkit or create a tool like that.

Best Regards,

DonKid.

P.S.

I don´t know if it´s off topic, but you can get F-Secure´s Blacklight here:

http://www.f-secure.com/blacklight/

 

Thanks ronjor.

I know NOD32 detects a lot of this kind of stuff, but I hope Eset improve it, because there´s a lot of antivirus company chainging their softwares.

Thanks Spanner intheWorks.

You have spent several days searching those links.
Excellent job.

I´ll give a look later.

Anyway,

Thanks folks, for your helping and time.

Best Regards,

DonKid.

 

Hopefully it will be more difficult to fool then the SysINternals Rootkitrevealer.

 

I´m using Rootkitrevealer too and testing Blacklight from F-Secure.

Best Regards,

DonKid.

 

How is RKR easy to fool?

 

by having the OS to lie to it

 

*having the OS lie to it.

 

Huh? Care to be more specific? It's OK if you can't; I've assumed that you were spreading FUD anyway.

 

sysinternals states in the RootkitRevealer help file that RkR's high-vs-low-level diff scans for rootkits could be defeated by malware/rootkits that specifically manipulate the high-level (WinAPI calls) scan results to return, to RkR, what the low-level ("raw" Registry & disk) scans are *assumed* to always return... therefore, the hidden rootkit would not hide or attempt to evade the WinAPI scans performed by RkR, matching the raw RkR scans, leaving nothing of the rootkit (hiding-in-plain-sight) for RkR to "diff" out...
or, the rootkit could, instead, hook the WinAPIs that RkR uses to invoke the low-level "raw" reads and contintue to remain completely out-of-sight...

the same RkR help file goes on to say that there is *no* sure-fire *single* way to detect all rootkits... not even dead-state scans against a pre-validated reference are 100% reliable in the detection of rootkits, because the dead-state scanning tool, itself, can be a target for compromise...

still, high/low-level diff scans can be of some value on live systems that cannot be taken down (for dead-state scan against a known-to-be-valid reference) just on the hunch that there might be a rootkit penetration.

MS Research is also working on something similar along these lines, not limited to rootkit detection, but also linked to verifiable integrity of new system deployments... (Google "Microsoft Research" "Strider GhostBuster")

 

This is not entirely true.

Are there ways to circumvent Sysinternals' RootkitRevealer... YES (just like there are ways to circumvent any other rootkit "scanner/detector.")
One way being talked about is to simply not hide from the basic API.
http://blogs.msdn.com/robert_hensing/archive/2005/03/10/392092.aspx

The problem with rootkits is that they are made to be flexible and are loaded with numerous methods used to hide from "detectors" and "scanners." Any "new" method used to detect a rootkit can be countered etc. This can be seen more evidently in the case above.

RootkitRevealer works by comparing data returned from the Windows API and data from a raw scan of FAT/NTFS volume's file system structures.

If there is no difference it is not shown in RootkitRevealer.

People who use HackerDefender now single out the RootkitRevealer process and allow it to view hidden files so it does not show up as a difference when RootkitRevealer runs its raw scan.

A possible workaround to the issue listed above is to rename rootkitrevealer.exe to an uncommon name. Because most people will not configure HackerDefender to allow executable abcxyz.exe to view hidden files.

But just like someone in the link mentioned above, they might then just start using other methods like md5s to determine what processes for the rootkit to look for.

With that in mind...

I think Steve at the BBR forum said it best when describing the benefits of programs like RootkitRevealer

http://www2.dslreports.com/forum/remark,12740716~mode=flat

So it is really not a matter of how easy it is to fool a process in Windows. Because on a rooted computer, anything is possible.

As far as the topic of NOD32 improving rootkit detection... that would be great (in theory). Prevention is key when it comes to rootkits. Unfortunately it is very difficult for any signature based scanner to keep up with rootkits when they are by nature custom tools of evil.

Basically what alerter said

 

That's fantastic, but it describes a general method, and doesn't mean that RKR is "easy" to fool. "Simple" doesn't mean "easy".

 

Maybe you should re-read my post.

I never said or implied that evading RkR is "easy."

The fact that RkR will, by design, never detect those rootkits that "hide in plain sight," would be the only case of "simple" evasion that was mentioned.

The people who write rootkits are not below-average variety miscreants. Whether or not the rootkit writers find RkR easy to evade is a matter of their opinions.

You asked how easily RkR could be evaded. Someone else ("anon") gave you a wise-*ss non-reponse. Without saying anything about "easy," I pointed out to you what sysinternals openly admits -- RkR evasion is do-able.

At the same time, I still believe that RkR is a valuable and useful tool and stated why.

What's the fuss...

 

At the moment this is of academic interest only but you might be interested to read about Ghostbuster.

 

I simply assumed that you and "anon" were one and the same... Oops, and whatever.