Language Selection

English French German Italian Portuguese Spanish

Black Hat conference: Newest Stealth Rootkits

Filed under
Security

Just when anti-virus vendors think they have a bead on the threat from stealth rootkits, along comes word that a pair of researchers have discovered a new way to hide malicious programs.

Jamie Butler, director of engineering at HBGary Inc., and Sherri Sparks, a PhD student at the University of Central Florida, demonstrated the technique at the Black Hat Briefings here with a chilling warning that anti-virus scanners must "completely revamp" existing rootkit detection technologies.

The proof-of-concept, dubbed Shadow Walker, is a modification of Butler's FU rootkit, a kernel-level program capable of hiding processes and elevating process privileges. The rootkit uses DKOM (Direct Kernel Object Manipulation) to fake out the Windows Event Viewer to make forensics virtually impossible and can also hide device drivers, Butler explained.

With Shadow Walker, Butler and Sparks explore the idea of memory subversion to hide the rootkit in memory with almost no performance impact.

"This is a prototype for a fourth generation of rootkits that would defeat the current rootkit detection technology," said Sparks, who is renowned for her work around offensive/defensive malicious code technologies.

Some existing rootkit defense technologies use behavior detection, integrity detection and signature-based detection to find the stealth programs. Others, like Microsoft Corp.'s Strider Ghostbuster, F-Secure Corp.'s BlackLight and Sysinternals Freeware's RootkitRevealer, search for registry and file system API discrepancies that may indicate the presence of a user-mode or kernel-mode rootkit.

These guys are here showing us that we haven't even scratched the surface where rootkits are concerned.

Internet security practitioners in attendance described the Shadow Walker prototype as "scary."

Full Story.

More in Tux Machines

Audacious 3.8.1 Open-Source Music Player Supports Opus Cover Art in the Info Bar

More than two months after the release of the major Audacious 3.8 open-source and cross-platform music player software for GNU/Linux and Microsoft Windows operating system, the first maintenance update arrives on December 6, 2016. Read more

Ubuntu Core has the keys to IoT security

In October, a DDoS attack on Dyn's infrastructure took down a big chunk of the internet, making sites like Amazon and Twitter inaccessible. It was the first major attack involving IoT (internet of things) devices. Fortunately, it was also a benign attack: no one got hurt, no one died. However, the next attack could be catastrophic. No one knows when it will happen. No one knows the magnitude. Read more

Android Marshmallow on PC Falls Flat

The Android-x86 Project eventually may become a viable operating system alternative for your desktop and laptops computers, but it's not there yet. You will have to wait a while for the developers to fix a number of failures with the latest release upgrading Android-x86 to Marshmallow 6.0.1. The developers late this summer released the first stable version of Android-x86 6.0, codenamed "Marshmallow." Android-x86 lets you run the Android OS with the Google Chrome browser on your desktop and laptop computers, rather than buying one of the qualified Chromebooks with the Google Play Store features bolted on. Read more

Korora 25 Linux Released, Based on Fedora 25 Ships with Cinnamon 3.2, MATE 1.16

On December 7, 2016, the development team behind the Fedora-based Korora Linux operating system proudly announced the release and general availability of Korora 25. Read more