Language Selection

English French German Italian Portuguese Spanish

Black Hat conference: Newest Stealth Rootkits

Filed under
Security

Just when anti-virus vendors think they have a bead on the threat from stealth rootkits, along comes word that a pair of researchers have discovered a new way to hide malicious programs.

Jamie Butler, director of engineering at HBGary Inc., and Sherri Sparks, a PhD student at the University of Central Florida, demonstrated the technique at the Black Hat Briefings here with a chilling warning that anti-virus scanners must "completely revamp" existing rootkit detection technologies.

The proof-of-concept, dubbed Shadow Walker, is a modification of Butler's FU rootkit, a kernel-level program capable of hiding processes and elevating process privileges. The rootkit uses DKOM (Direct Kernel Object Manipulation) to fake out the Windows Event Viewer to make forensics virtually impossible and can also hide device drivers, Butler explained.

With Shadow Walker, Butler and Sparks explore the idea of memory subversion to hide the rootkit in memory with almost no performance impact.

"This is a prototype for a fourth generation of rootkits that would defeat the current rootkit detection technology," said Sparks, who is renowned for her work around offensive/defensive malicious code technologies.

Some existing rootkit defense technologies use behavior detection, integrity detection and signature-based detection to find the stealth programs. Others, like Microsoft Corp.'s Strider Ghostbuster, F-Secure Corp.'s BlackLight and Sysinternals Freeware's RootkitRevealer, search for registry and file system API discrepancies that may indicate the presence of a user-mode or kernel-mode rootkit.

These guys are here showing us that we haven't even scratched the surface where rootkits are concerned.

Internet security practitioners in attendance described the Shadow Walker prototype as "scary."

Full Story.

More in Tux Machines

Ubuntu Devs and Users Talk About Windows with Buttons on the Wrong Side

The Ubuntu community is having a vivacious discussion regarding the placement of the window buttons on the left side. From the looks of it, some users would prefer to have the option of moving the buttons to the right side. Read more

Tiny UAV-oriented i.MX6 SBC has HDMI in and out

Gateworks unveiled a tiny, UAV-oriented SBC that runs Linux or Android on an i.MX6 SoC, and offers HDMI in/out, USB, serial, GPIO, CAN, mini-PCIe, and more. Like other Gateworks Ventana boards, such as the recent Ventana GW5200, the tiny “Ventana GW5510″ runs Linux or Android on a Cortex-A9-based Freescale i.MX6 SoC clocked to 800MHz, and offers a wide-range power supply and -40 to 85°C temperature support. Other Ventana-like features include a programmable pushbutton switch, as well as programmable board shut-down and wake-up for remote sensor applications. Read more

Ubuntu 15.04 review: Beauty or “boring” is in the eye of the beholder

Snow melts and trees blossom, but nothing really says spring around the Ars Orbital HQ like the arrival of a new version of Ubuntu Linux. Right on schedule, Canonical has recently released Ubuntu 15.04, also known as Vivid Vervet. Ubuntu 15.04 arrived in late April and has, judging by other reviews, largely underwhelmed. According to the popular storyline, there's not much new in 15.04. Of course, a slew of changes and unforeseen features in 15.04 could have just as easily earned a negative reaction, probably from the same people calling the actual release boring. The top of the Linux mountain is a lonely, criticism-strewn place. The truth is, this line of thought is partially correct. There isn't much new in 15.04, at least not in terms of visible changes to the Unity desktop. Read more