Rootkits

Discussion in 'NOD32 version 2 Forum' started by DonKid, Mar 10, 2005.

Thread Status:
Not open for further replies.
  1. DonKid

    DonKid Registered Member

    Joined:
    Jun 27, 2004
    Posts:
    566
    Location:
São Paulo, Brazil
I read news today that F-Secure has launched a rootkit tool, in beta version, called Blacklight.
They will add this tool to every program of the company.
I'd like to know if Eset plans to improve NOD32 to detect rootkits or create a tool like that.

    Best Regards,

    DonKid.

    P.S.

I don't know if it's off topic, but you can get F-Secure's Blacklight here:

    http://www.f-secure.com/blacklight/
     
  2. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    57,729
    Location:
    Texas
  3. DonKid

    DonKid Registered Member

    Joined:
    Jun 27, 2004
    Posts:
    566
    Location:
São Paulo, Brazil
    Thanks ronjor.

I know NOD32 detects a lot of this kind of stuff, but I hope Eset improves it, because a lot of antivirus companies are changing their software.

    Thanks Spanner intheWorks.

    You have spent several days searching those links.
    Excellent job.

I'll have a look later.

    Anyway,

Thanks folks, for your help and time.

    Best Regards,

    DonKid.
     
  4. tempnexus

    tempnexus Registered Member

    Joined:
    Apr 16, 2003
    Posts:
    280
Hopefully it will be more difficult to fool than the Sysinternals RootkitRevealer. :)
     
  5. DonKid

    DonKid Registered Member

    Joined:
    Jun 27, 2004
    Posts:
    566
    Location:
São Paulo, Brazil
I'm using RootkitRevealer too and testing Blacklight from F-Secure.

    Best Regards,

    DonKid.
     
  6. nameless

    nameless Registered Member

    Joined:
    Feb 23, 2003
    Posts:
    1,184
    How is RKR easy to fool?
     
  7. anon

    anon Guest


    by having the OS to lie to it;)
     
  8. anon

    anon Guest


    *having the OS lie to it.
     
  9. nameless

    nameless Registered Member

    Joined:
    Feb 23, 2003
    Posts:
    1,184
    Huh? Care to be more specific? It's OK if you can't; I've assumed that you were spreading FUD anyway.
     
  10. alerter

    alerter Guest

Sysinternals states in the RootkitRevealer help file that RkR's high-vs-low-level diff scans for rootkits could be defeated by malware/rootkits that specifically manipulate the high-level (WinAPI calls) scan results to return, to RkR, what the low-level ("raw" Registry & disk) scans are *assumed* to always return... therefore, the hidden rootkit would not hide or attempt to evade the WinAPI scans performed by RkR, matching the raw RkR scans, leaving nothing of the rootkit (hiding-in-plain-sight) for RkR to "diff" out...
or, the rootkit could, instead, hook the WinAPIs that RkR uses to invoke the low-level "raw" reads and continue to remain completely out-of-sight...

    the same RkR help file goes on to say that there is *no* sure-fire *single* way to detect all rootkits... not even dead-state scans against a pre-validated reference are 100% reliable in the detection of rootkits, because the dead-state scanning tool, itself, can be a target for compromise...

    still, high/low-level diff scans can be of some value on live systems that cannot be taken down (for dead-state scan against a known-to-be-valid reference) just on the hunch that there might be a rootkit penetration.

    MS Research is also working on something similar along these lines, not limited to rootkit detection, but also linked to verifiable integrity of new system deployments... (Google "Microsoft Research" "Strider GhostBuster")
     
  11. Billy Blaze

    Billy Blaze Registered Member

    Joined:
    Mar 12, 2005
    Posts:
    79
    Location:
    Vorticon VI
    This is not entirely true.

    Are there ways to circumvent Sysinternals' RootkitRevealer... YES (just like there are ways to circumvent any other rootkit "scanner/detector.")
    One way being talked about is to simply not hide from the basic API.
    http://blogs.msdn.com/robert_hensing/archive/2005/03/10/392092.aspx

    The problem with rootkits is that they are made to be flexible and are loaded with numerous methods used to hide from "detectors" and "scanners." Any "new" method used to detect a rootkit can be countered etc. This can be seen more evidently in the case above.

    RootkitRevealer works by comparing data returned from the Windows API and data from a raw scan of FAT/NTFS volume's file system structures.

    If there is no difference it is not shown in RootkitRevealer.

    People who use HackerDefender now single out the RootkitRevealer process and allow it to view hidden files so it does not show up as a difference when RootkitRevealer runs its raw scan.

    A possible workaround to the issue listed above is to rename rootkitrevealer.exe to an uncommon name. Because most people will not configure HackerDefender to allow executable abcxyz.exe to view hidden files.

But, as someone in the link mentioned above said, they might then just start using other methods like MD5s to determine which processes the rootkit should look for.

    With that in mind...

    I think Steve at the BBR forum said it best when describing the benefits of programs like RootkitRevealer
    http://www2.dslreports.com/forum/remark,12740716~mode=flat

    So it is really not a matter of how easy it is to fool a process in Windows. Because on a rooted computer, anything is possible.

    As far as the topic of NOD32 improving rootkit detection... that would be great (in theory). Prevention is key when it comes to rootkits. Unfortunately it is very difficult for any signature based scanner to keep up with rootkits when they are by nature custom tools of evil.

    Basically what alerter said :p
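The cross-view ("diff") technique that alerter and Billy Blaze describe, in a small added Python illustration (not RootkitRevealer's or any rootkit's actual code). It compares a high-level view (what API enumeration would return) against a low-level view (what a raw parse of the file-system structures would return) and reports the discrepancies. The paths, the modelled hooking behaviour, the trust-list logic and the caller names are all constructed for the example; the three runs at the bottom reproduce the three cases discussed above: plain hiding is caught, a scanner whitelisted by process name sees no difference, and renaming the scanner restores detection.

```python
"""Cross-view rootkit detection: diff the API view against the raw view.

Added illustration, not RootkitRevealer's own code. All paths, the rootkit
model and the caller names below are constructed sample data.
"""

# Constructed ground truth: what a raw parse of the volume would return.
RAW_VIEW = [
    r"C:\Windows\System32\ntoskrnl.exe",
    r"C:\Windows\System32\drivers\rk_hidden.sys",   # constructed rootkit file
    r"C:\Users\user\Documents\report.doc",
]

# Constructed: the path prefix the modelled rootkit filters out of API results.
HIDDEN_PREFIX = r"C:\Windows\System32\drivers\rk_hidden"


def simulated_api_view(raw_view, hidden_prefix, caller, trusted_callers=frozenset()):
    """Model of a user-mode hooking rootkit's filtered directory listing.

    Hidden entries are dropped from the API result unless the calling process
    name is on the rootkit's trust list, which is the "hiding in plain sight"
    trick the thread mentions. Constructed model for illustration only.
    """
    trusted = {c.lower() for c in trusted_callers}
    if caller.lower() in trusted:
        return list(raw_view)
    return [p for p in raw_view if not p.lower().startswith(hidden_prefix.lower())]


def cross_view_diff(api_view, raw_view):
    """Return the discrepancies between the two views.

    'hidden_from_api' is the classic rootkit signature: present on disk but
    missing from the API. 'only_in_api' catches the reverse, an API layer
    reporting entries the raw structures do not contain.
    """
    api, raw = set(api_view), set(raw_view)
    return {
        "hidden_from_api": sorted(raw - api),
        "only_in_api": sorted(api - raw),
    }


def scan(caller, trusted_callers=frozenset()):
    """Run the diff as if the scanner process named `caller` performed it."""
    api_view = simulated_api_view(RAW_VIEW, HIDDEN_PREFIX, caller, trusted_callers)
    return cross_view_diff(api_view, RAW_VIEW)


if __name__ == "__main__":
    # 1. Plain hiding: the diff exposes the file the API omits.
    print("hiding:     ", scan("rootkitrevealer.exe"))
    # 2. Scanner whitelisted by name: both views agree, so the diff is empty.
    print("whitelisted:", scan("rootkitrevealer.exe", {"rootkitrevealer.exe"}))
    # 3. Renamed scanner (the workaround in the thread): detection returns.
    print("renamed:    ", scan("abcxyz.exe", {"rootkitrevealer.exe"}))
```

The model also makes alerter's other caveat concrete: the diff only has value while the raw view is trustworthy. If the code path used for the low-level read is itself hooked so that both views lie consistently, `cross_view_diff` returns nothing, which is why the help file he quotes stops short of calling any single live-system technique reliable.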
     
  12. nameless

    nameless Registered Member

    Joined:
    Feb 23, 2003
    Posts:
    1,184
    That's fantastic, but it describes a general method, and doesn't mean that RKR is "easy" to fool. "Simple" doesn't mean "easy".
     
  13. alerter

    alerter Guest

    Maybe you should re-read my post.

    I never said or implied that evading RkR is "easy."

    The fact that RkR will, by design, never detect those rootkits that "hide in plain sight," would be the only case of "simple" evasion that was mentioned.

    The people who write rootkits are not below-average variety miscreants. Whether or not the rootkit writers find RkR easy to evade is a matter of their opinions.

You asked how easily RkR could be evaded. Someone else ("anon") gave you a wise-*ss non-response. Without saying anything about "easy," I pointed out to you what Sysinternals openly admits -- RkR evasion is do-able.

    At the same time, I still believe that RkR is a valuable and useful tool and stated why.

What's the fuss? o_O...
     
  14. nonmirecordo

    nonmirecordo Registered Member

    Joined:
    Jul 19, 2004
    Posts:
    145
    Location:
    Cambridgeshire, UK
    At the moment this is of academic interest only but you might be interested to read about Ghostbuster.
     
  15. nameless

    nameless Registered Member

    Joined:
    Feb 23, 2003
    Posts:
    1,184
    I simply assumed that you and "anon" were one and the same... Oops, and whatever.
     