Language Selection

English French German Italian Portuguese Spanish

Black Hat conference: Newest Stealth Rootkits

Filed under
Security

Just when anti-virus vendors think they have a bead on the threat from stealth rootkits, along comes word that a pair of researchers have discovered a new way to hide malicious programs.

Jamie Butler, director of engineering at HBGary Inc., and Sherri Sparks, a PhD student at the University of Central Florida, demonstrated the technique at the Black Hat Briefings here with a chilling warning that anti-virus scanners must "completely revamp" existing rootkit detection technologies.

The proof-of-concept, dubbed Shadow Walker, is a modification of Butler's FU rootkit, a kernel-level program capable of hiding processes and elevating process privileges. The rootkit uses DKOM (Direct Kernel Object Manipulation) to fake out the Windows Event Viewer to make forensics virtually impossible and can also hide device drivers, Butler explained.

With Shadow Walker, Butler and Sparks explore the idea of memory subversion to hide the rootkit in memory with almost no performance impact.

"This is a prototype for a fourth generation of rootkits that would defeat the current rootkit detection technology," said Sparks, who is renowned for her work around offensive/defensive malicious code technologies.

Some existing rootkit defense technologies use behavior detection, integrity detection and signature-based detection to find the stealth programs. Others, like Microsoft Corp.'s Strider Ghostbuster, F-Secure Corp.'s BlackLight and Sysinternals Freeware's RootkitRevealer, search for registry and file system API discrepancies that may indicate the presence of a user-mode or kernel-mode rootkit.

These guys are here showing us that we haven't even scratched the surface where rootkits are concerned.

Internet security practitioners in attendance described the Shadow Walker prototype as "scary."

Full Story.

More in Tux Machines

Users Can Backup Linux Systems with Clonezilla Live 2.3.1-18

Clonezilla Live, a Linux distribution based on DRBL, Partclone, and udpcast that lets users perform bare metal backup and recovery with very little effort has been upgraded to version 2.3.1-18 and is now ready for download. Read more

KDE Applications 14.12 - New Features, Frameworks Ports

Today KDE released KDE Applications 14.12, delivering new features and bug fixes to more than a hundred applications. Most of these applications are based on KDE Development Platform 4 but the first applications have been ported to KDE Frameworks 5. Frameworks is a set of modularized libraries providing additional functionality for Qt5, the latest version of the popular Qt cross-platform application framework. KDE app dragons This release marks the beginning of a new style of releases replacing the threesome of KDE Workspaces, Platform and Applications in the 4 series which ended with the latest KDE Applications update last month. Read more

What To Expect In 2015: Robots Join The Open-Source Revolution

The number of downloads doubled in 2014, to 3.5 million, and Gerkey expects adoption to spike again with the release of ROS 2.0 this summer. The upgrade will coordinate swarms, improve walking, and support smart sensors—basically, assimilate the world’s robots. Read more

New Input Drivers Coming For Linux 3.19 Kernel

One of the latest pull requests for the Linux 3.19 kernel is the input driver subsystem pull, which includes numerous updates along with a few new drivers. The new drivers will benefit some Google Chromebooks in running the latest upstream kernel. Read more