Language Selection

English French German Italian Portuguese Spanish

Black Hat conference: Newest Stealth Rootkits

Filed under

Just when anti-virus vendors think they have a bead on the threat from stealth rootkits, along comes word that a pair of researchers have discovered a new way to hide malicious programs.

Jamie Butler, director of engineering at HBGary Inc., and Sherri Sparks, a PhD student at the University of Central Florida, demonstrated the technique at the Black Hat Briefings here with a chilling warning that anti-virus scanners must "completely revamp" existing rootkit detection technologies.

The proof-of-concept, dubbed Shadow Walker, is a modification of Butler's FU rootkit, a kernel-level program capable of hiding processes and elevating process privileges. The rootkit uses DKOM (Direct Kernel Object Manipulation) to fake out the Windows Event Viewer to make forensics virtually impossible and can also hide device drivers, Butler explained.

With Shadow Walker, Butler and Sparks explore the idea of memory subversion to hide the rootkit in memory with almost no performance impact.

"This is a prototype for a fourth generation of rootkits that would defeat the current rootkit detection technology," said Sparks, who is renowned for her work around offensive/defensive malicious code technologies.

Some existing rootkit defense technologies use behavior detection, integrity detection and signature-based detection to find the stealth programs. Others, like Microsoft Corp.'s Strider Ghostbuster, F-Secure Corp.'s BlackLight and Sysinternals Freeware's RootkitRevealer, search for registry and file system API discrepancies that may indicate the presence of a user-mode or kernel-mode rootkit.

These guys are here showing us that we haven't even scratched the surface where rootkits are concerned.

Internet security practitioners in attendance described the Shadow Walker prototype as "scary."

Full Story.

More in Tux Machines

GNOME Boxes 3.18.1 QEMU-Based Virtualization App Brings More Fixes

While the developers of the GNOME desktop environment are working hard these days to push the first point release of GNOME 3.18 to users worldwide, package maintainers have also prepared various updates to the project's core components and applications. Read more Also: GNOME's Cheese Webcam Viewer App Gets Better Video Preview Scaling and Resizing

Fedora 23 Final Freeze Now In Effect, the Linux OS Arrives on October 27

According to the official release schedule for the forthcoming Fedora 23 Linux operating system, the day of October 13, 2015, marked the Final Freeze milestone in the distribution's development cycle. Read more

Moto 360 (2015) Review: The Most Watch-Like Android Wear Device Yet

Motorola kicked off the age of Android Wear when it announced the original 360 more than six months before it was finally released. It was a beautiful piece of hardware, but was saddled with an ancient TI OMAP ARM chip and recessed lugs that led to cracked back panels. The second generation device addresses many of the shortcomings of that wearable, but some of them are still staring you in the face. Still, it might be the watch you've been waiting for. Read more

Linux Kernel 3.2.72 LTS Is Full of Improvements, Users Urged to Update Now

Just a few moments ago, Ben Hutchings, the maintainer of the long-term supported Linux 3.2 kernel series, has had the pleasure of informing Linux users about the immediate availability for download of Linux kernel 3.2.72 LTS. Read more