"Private, undetectable" builds of advanced rootkit no match for ProcessGuard

Discussion in 'ProcessGuard' started by Wayne - DiamondCS, May 6, 2005.

Thread Status:
Not open for further replies.
  1. Wayne - DiamondCS

    Wayne - DiamondCS Security Expert

    Joined:
    Jul 19, 2002
    Posts:
    1,533
    Location:
    Perth, Oz
    Ladies and gentlemen, we've been witnessing a lot of trojan authors creating and selling private/custom builds of their trojans over the last couple of years in particular, but now the author of one of the most advanced rootkits for Windows ("Hacker Defender") is making private, undetected builds of his wares available. This is of particular concern to the public because the rootkit servers he is making are not only undetected by anti-virus software, but also by anti-rootkit software. We've made a copy of his page (after removing the hyperlink targets and his email address) and it is available for all to see at http://www.diamondcs.com.au/processguard/hdprivate.htm

    ... However ... :). While these rootkit servers may be undetected by all scanners (including our own TDS), their infection can still be stopped and prevented completely simply by proactively blocking the installation of their kernel-mode component, as demonstrated here. Still to this day only one program has properly demonstrated this with all known methods of kernel driver installation (there are several), against all known Windows rootkits, and enabling this level of protection is as simple as turning on one checkbox - "Block Rootkit/Driver/Service Installation".

    So for ProcessGuard users there's nothing to worry about, enjoy your weekend folks. :)
     
  2. gottadoit

    gottadoit Security Expert

    Joined:
    Jul 12, 2004
    Posts:
    601
    Location:
    Australia
    Wayne,
    Don't get me wrong here as I do like ProcessGuard, but there are several avenues that it could be attacked through by someone who was willing to specifically target the program.

    I won't help the malware writers by enumerating them here, but they have already been discussed in the PG forum, and for something to bypass PG it would require someone to install some software from an untrusted (or compromised) source.

    I would suggest that there is a little qualification against your statement, and that is related to what programs you install on your computer.

    ProcessGuard does a brilliant job at stopping malware installing drivers and services when you are not expecting such things to happen and certainly covers most if not all attack vectors that are being used today.
    However, there are weaknesses in the boot process, specifically centered around the "Permit Once (Unable to Ask User)" behaviour during boot.
     
  3. Wayne - DiamondCS

    Wayne - DiamondCS Security Expert

    Joined:
    Jul 19, 2002
    Posts:
    1,533
    Location:
    Perth, Oz
    gottadoit,
    Indeed there is no such thing as a perfect security solution that stops every known attack, nor am I trying to say that ProcessGuard stops every known attack - such a program would obviously be the holy grail of security applications, but you know and I know that it's not practical and will never exist.

    What I am saying is that when it comes to private undetected rootkits, ProcessGuard is your best (possibly your only) bet - there is very little else available for you to use - just look at the list of defeated software on the Hacker Defender page (possibly why you didn't mention any alternatives to ProcessGuard? :)).

    It's also worth noting that for anything to even attempt to attack ProcessGuard, the user must allow it to execute by telling ProcessGuard that it's OK to run. However, even then it's still just a user-mode process vs. ProcessGuard's kernel-mode driver, and ProcessGuard can protect against anything the user-mode process throws at it. Should a new method ever arise then it's no problem to simply add extra protection to the driver - the driver always has the upper hand, it's running in kernel-mode before the user-mode program is allowed to execute any code.

    We've performed a lot of research in this area - it took well over a year to develop ProcessGuard simply because of the amount of time required in research, and the fact that ProcessGuard has been available publicly for well over a year yet still blocks every Windows rootkit is a testament to this research.

    Enjoy your weekend.
     
    Last edited: May 6, 2005
  4. gottadoit

    gottadoit Security Expert

    Joined:
    Jul 12, 2004
    Posts:
    601
    Location:
    Australia
    Wayne,
    As I mentioned in my post, I like ProcessGuard. I didn't mention any alternatives to ProcessGuard for 2 reasons: firstly because it wasn't in the context of the post, and secondly because the only other real alternative I am aware of (SSM) isn't anywhere near as good at providing the core functionality.

    I was not and am not baiting you; I am expressing an opinion about some flaws in the ability to control ProcessGuard's behaviour finely enough in certain cases.
     
  5. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    17,048
    I got a chuckle out of their licence agreement. Like someone buying something like that would be honorable.
     
  6. Wayne - DiamondCS

    Wayne - DiamondCS Security Expert

    Joined:
    Jul 19, 2002
    Posts:
    1,533
    Location:
    Perth, Oz
    Pete here's the real kicker:
     
  7. Pollmaster

    Pollmaster Guest

    That's right! Nothing can beat PG!
     
  8. Wayne - DiamondCS

    Wayne - DiamondCS Security Expert

    Joined:
    Jul 19, 2002
    Posts:
    1,533
    Location:
    Perth, Oz
    Not quite technically correct ... :). Again PG isn't the holy grail of security, but at the moment it's holding its own against rootkits like nothing else - even dedicated rootkit scanners/detectors are being thwarted.

    If you allow a kernel-mode object such as a rootkit to install (in other words, 1) first you allow ProcessGuard to allow the trojan dropper to run, and then 2) you allow ProcessGuard to allow the dropped rootkit driver to be installed), then you've allowed the rootkit driver down to the same level as ProcessGuard, and at that level it is able to attack ProcessGuard and any other kernel-mode component (including your firewall, etc). This is why it's important to install PG on a clean operating system to ensure that it's able to get that important "first-in" advantage, allowing it to proactively prevent infections (as opposed to reactive scanning after the infection). Give PG that advantage and it will always have the upper hand. Even if a new threat was developed tomorrow that specifically targeted ProcessGuard we'd be able to add protection against it due to that first-in nature of ProcessGuard. (This was demonstrated not long ago when a new driver installation method was discovered by rootkit authors ... ProcessGuard is still the only program that blocks that method of driver installation).

    Enjoy the weekend.
     
  9. S!x

    S!x Registered Member

    Joined:
    Jan 1, 2005
    Posts:
    51
    Location:
    Ohio, USA
    Anything that can be created can be destroyed - including security protection. There is never going to be a perfect security app ... applications are just lines of code - and code can be altered.

    Process Guard is your best bet (IMO) against 99% of what the average user will come up against.

    I think a top hacker with enough time & talent could breach any security - but thankfully top hackers are not interested in 99% of the net - just the 1% that they can steal big money or intellectual property from (ebay, banks, source code, Military espionage ... etc...).
     
    Last edited: May 6, 2005
  10. Pollmaster

    Pollmaster Guest

    Heh, you might as well say I get brainwashed into uninstalling PG!!!
    The only software I even consider giving the right to install drivers is security software. And I don't run out and install the newest and greatest one the moment I read a link posted on the web.

    I thought the method was used to remove rootkits? And it applied to PG?
     
  11. Wayne - DiamondCS

    Wayne - DiamondCS Security Expert

    Joined:
    Jul 19, 2002
    Posts:
    1,533
    Location:
    Perth, Oz
    The method I'm referring to is an alternative way for a 'standard' trojan (or any other usermode program) to install a driver (its kernel-mode component - the actual rootkit itself). It was a new and virtually unknown technique and no software at the time could intercept it, so we added protection for that method into PG.

    It's a good example that shows even advanced kernel software such as PG is not 100% bulletproof (how can anything be definitively secure on such a complex operating system that isn't even fully documented?), but still can protect you like nothing else out there, and because it's there in kernel-mode first it has that advantage over any rootkit of being able to respond proactively to any new threat, should one ever arise, as demonstrated with that new driver installation method. We've invested an enormous amount of time and money into researching this (with ProcessGuard being one of the results of this research) and we're confident that ProcessGuard offers the user more protection against rootkit infection than any other program out there, and makes a very powerful addition to any layered defence.

    Regards,
    Wayne
     
  12. Paranoid2000

    Paranoid2000 Registered Member

    Joined:
    May 2, 2004
    Posts:
    2,839
    Location:
    North West, United Kingdom
    That URL is returning a 404 now - is it still available or did Hacker Defender launch a Cease and Desist Attack? ;)
     