Windows rootkits in 2005 part one

Nice read with some good info, so watch out for part two ! Written by a couple of well known people, a guy and a girl, who appeared at the Las Vegas bash recently. He is the one of the guys behind RKdotcom.

. . .

In 2005, the bar has been raised in the arena of malicious software. This has never before been more evident than in the recent deployments of Windows rootkit technology within some of the latest viruses, worms, spyware, adware, and more. It has become increasingly important to understand what this threat is and what can be done to detect malicious use.

The first of this three-part series will discuss what a rootkit is and what makes them so dangerous. We'll start by looking at various modes of execution and the ways they talk to the kernel: hooking tables, using layered filter drivers, and dealing directly with Windows kernel objects. The second article will address the latest Windows rootkit approach that uses virtual memory hooking to provide a high degree of stealth. Then the third and final article will discuss various methods of rootkit detection and countermeasures for security professionals.

http://www.securityfocus.com/infocus/1850?ref=rss


StevieO

 

Thanks for that. I hope someone at Sony/BMG reads it as well...

 

So they can figure out how to write better rookits that aren't detected by rootkitrevealer?

 

Was wondering about something and as a total noob on security and as a concerned computer user i wanted to know if my conclusion that i made from this partial quote of the Microsoft article about rootkits is correct...

My conclusion from this is that a rootkit can't be installed by surfing on the net alone only perhaps by opening a downloaded file and direct access to my system?

 

subzerox

I haven't heard yet of any big company using a drive by install when you download a song that you paid for but am sure they now have the technology to do so if they chose. Do do this, they would need a full time staff looking for new
vulnerabilities in your OS,browser and hardware. It is easier just installing the rootkit on a music, movie or game CD and you not thinking such a big company would do such a thing, just happly click yes to install their movie player ect.
I am not sure the figures of how long it takes MS to release a patch once a vulnerability is found. I would think a company installing a rootkit on a windows machine would make MS unhappy And isn't that against MS eula ?

controler

 

Hi subzerox,

Actually any malware/crapware etc including RK's can be covertly installed on someones computer just by surfing, and also clicking on things too !

If they do NOT have their Browser and PC securely locked down, then that's how stuff Can and frequently Does get in.

Even with AV etc some RK's are able to slip through.


StevieO

 

What they are getting at is that a rookit alone is harmless it needs to be installed. Alone, it doesn't magically install onto your computer. This can be done through various ways whether it is you being tricked to running it, or them exploiting a vulnerability.

 

Yup. A rootkit by itself won't infect you, but it may be included in the payload of a worm or spyware that can infect you automatically. There is some spyware out there that are using rootkits to hide themselves.

 

So even surfing the net can be ''hazardous'' to get infected by a rootkit because of an combination with a worm or other sort of spyware?

Damn

 

Hi,

The follow up has arrived.


Windows rootkits in 2005, part two

1. Introduction

In our previous article, we discussed current rootkit development techniques. In this article, we take it a step further and focus upon upcoming, cutting edge trends in rootkit technologies. Then the third and final article in this series will discuss various methods of rootkit detection and countermeasures that can be used by security professionals.
The methods described in this article were presented in our proof of concept rootkit named Shadow Walker at Black Hat 2005. These methods make it possible for an attacker to hide both known and unknown malicious code from a security scanner by controlling its memory reads at the hardware level. Although we focus upon rootkits, the underlying implications are alarming because the technology can be applied to all forms of malicious code, ranging from worms to spyware.

http://www.securityfocus.com/infocus/1851


StevieO

 

Sure, run as a limited user account gives quite a bit of protection , particularly against kernel rootkits and might even stop some user mode rootkits.

After that, a second best alternative is to run something that blocks driver installs, popular in this forum are ProcessGuard, Prevx , and Appdefend (An improved PG? soon to be popular I bet) , antihook,ssm, not sure about online Armor, safensec, but they probably do it, or will do it soon anyway.

Any more I missed?