Language Selection

English French German Italian Portuguese Spanish

Black Hat conference: Newest Stealth Rootkits

Filed under
Security

Just when anti-virus vendors think they have a bead on the threat from stealth rootkits, along comes word that a pair of researchers have discovered a new way to hide malicious programs.

Jamie Butler, director of engineering at HBGary Inc., and Sherri Sparks, a PhD student at the University of Central Florida, demonstrated the technique at the Black Hat Briefings here with a chilling warning that anti-virus scanners must "completely revamp" existing rootkit detection technologies.

The proof-of-concept, dubbed Shadow Walker, is a modification of Butler's FU rootkit, a kernel-level program capable of hiding processes and elevating process privileges. The rootkit uses DKOM (Direct Kernel Object Manipulation) to fake out the Windows Event Viewer to make forensics virtually impossible and can also hide device drivers, Butler explained.

With Shadow Walker, Butler and Sparks explore the idea of memory subversion to hide the rootkit in memory with almost no performance impact.

"This is a prototype for a fourth generation of rootkits that would defeat the current rootkit detection technology," said Sparks, who is renowned for her work around offensive/defensive malicious code technologies.

Some existing rootkit defense technologies use behavior detection, integrity detection and signature-based detection to find the stealth programs. Others, like Microsoft Corp.'s Strider Ghostbuster, F-Secure Corp.'s BlackLight and Sysinternals Freeware's RootkitRevealer, search for registry and file system API discrepancies that may indicate the presence of a user-mode or kernel-mode rootkit.

These guys are here showing us that we haven't even scratched the surface where rootkits are concerned.

Internet security practitioners in attendance described the Shadow Walker prototype as "scary."

Full Story.

More in Tux Machines

The Companies That Support Linux: MariaDB

MariaDB Corporation is a provider of open source database solutions for SaaS, cloud and on-premise applications that require high availability, scalability, and performance. Built by the founder and core engineering team behind MySQL, MariaDB has more than 2 million users globally and over 500 customers in more than 45 countries -- most of whom are running Linux. Read more

UK health service nurtures open source communities

The UK’s National Health Service (NHS) is nurturing a growing number of communities of software developers working on open source solutions. NHS’ Code4Health team is now supporting 17 communities that bring together health care providers, developers and supporters. Read more

LG's got a flip phone that runs Android Lollipop

Flip phones aren't just for retro hipsters and the elderly anymore... well, actually they kind of are. But they're super popular in Asia, and now you can get one that'll run the latest apps: LG's Gentle flip phone. The faux-leather adorned device is running a bleeding edge version of Android 5.1 Lollipop and packing 4G LTE. Otherwise, it's not exactly a power-user's dream with a 3.2-inch 480 x 320 screen, 3-megapixel rear camera, 4GB of (expandable) storage and 1GB of RAM. But for just 20 million won ($175) it would make a fine second phone, provided you live in Korea -- it's unlikely to come here, and similar flip phones can be pricey to import. Read more

Next-gen Android One phone launches in India for $176

The Lava Pixel V1 offers a solid value for the price, combining mid-range hardware with the latest Android software updates from Google. Read more