Archive for November, 2006

Rootkits in Corporate Espionage

Thursday, November 30th, 2006

JSharp, in a recent blog entry, highlighted the potential of ID-triggered rootkits: rootkits that only activate once they have reached a “target” victim. This high-profile victim could be a large company with a lot of intellectual property and a lot less security.
This does seem far-fetched to the average person, but it has happened in the past and it will become more prevalent in the future.

Companies in a very competitive environment can only survive if they have an edge over their competitors. This edge can take many forms, but information is the key. Information about a competitor’s products, techniques, processes and sales is extremely valuable when making decisions about the future.

There would be no problem for an attacker to offer a low-paid programmer a lot of money to write a rootkit that is undetectable by any of the current rootkit scanners. Earlier this year the maker of HackerDefender, an extremely powerful rootkit, ran a service whereby an undetectable version of HackerDefender was made for a price. This super-stealth service is now unavailable.

The attacker could then purchase a zero-day exploit, an unknown program vulnerability, from one of the many sites offering them. There is a lot of money to be made from finding holes in software and selling the information, or ready-to-go code, for thousands of dollars.

One form of rootkit delivery is via a compromised website. A malware creation kit called Webattacker contains scripts that check the version of the visiting user’s browser and send down a rootkit and its payload. This payload could be a keylogger, perfect for capturing usernames and passwords for later attacks. It could also include file-capturing software that gathers up Word documents, spreadsheets or any other file type that could hold valuable information, ready to be sent back via the same route it came in.

Another form of delivery is via email. Craftily created emails could be sent to employees, enticing them to open safe-looking attachments that then release the rootkit and its payload. This happened in May of this year. A large, high-profile, unnamed company in Asia was targeted by an alleged criminal gang. An email was sent to certain employees in the unnamed company. The email contained a Word document that in some way related to the employee’s area of work. The Word document contained exploit code that was unknown to everyone in the world except the attacker. The exploit code was then able to give the attacker complete control over the employee’s PC. This hole in Microsoft Word was patched by Microsoft some months later. I am sure, though, that there are many companies out there that are still vulnerable because they have not patched or updated their Office software.

“Detection is mostly the very hard part in these attacks. This case seems to have been detected by a very alert user detecting a domain name in an email that wasn’t completely right.
That user detected an email coming in that originated from a domain that looked like their own, but wasn’t their own (actually only had an MX record in it). The email was written to look like an internal email, including signature. It was addressed by name to the intended victim and not detected by the anti-virus software.” http://isc.sans.org/diary.php?storyid=1345
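The detection the ISC quote describes, a sender on a domain that looks like the company’s own but is not, can be automated on inbound mail. The following is an added example (not from the ISC post or this blog) that classifies a From: header against an assumed company domain of example-corp.com; the sample headers are constructed, and the MX-only DNS check the quote mentions would be a further, online step beyond this offline code.

```python
import re

# Constructed sample From: headers (not from the incident). The assumed company
# domain is example-corp.com; the third and fourth senders use look-alike domains.
ORG_DOMAIN = "example-corp.com"
SAMPLE_FROM_HEADERS = [
    "Alice Admin <alice.admin@example-corp.com>",
    "Bob Vendor <bob@vendor-example.net>",
    "Alice Admin <alice.admin@examp1e-corp.com>",   # digit 1 in place of letter l
    "IT Helpdesk <helpdesk@example-corp.co>",         # missing final letter of TLD
]

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance via the classic dynamic-programming row recurrence."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def sender_domain(from_header: str) -> str:
    """Extract the domain from a From: header value, with or without angle brackets."""
    m = re.search(r"<([^>]+)>", from_header)
    addr = m.group(1) if m else from_header.strip()
    return addr.rsplit("@", 1)[-1].lower()

def classify_sender(from_header: str, org_domain: str = ORG_DOMAIN,
                    max_distance: int = 2) -> str:
    """'internal' for the company domain (or a subdomain of it), 'lookalike' for a
    near miss of the company domain or a reuse of its first label, else 'external'."""
    dom = sender_domain(from_header)
    if dom == org_domain or dom.endswith("." + org_domain):
        return "internal"
    org_label = org_domain.split(".")[0]
    if edit_distance(dom, org_domain) <= max_distance or dom.split(".")[0] == org_label:
        return "lookalike"
    return "external"

def triage(headers=SAMPLE_FROM_HEADERS) -> dict:
    """Map each From: header to its classification, for a quick mail-log sweep."""
    return {h: classify_sender(h) for h in headers}
```

Flagged "lookalike" senders are the ones to route for manual review, as the alert user in the ISC case did by eye.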
 
Arrests were made earlier this year in London and Israel after a company found it had rogue software, or malware, on its PCs. It turned out a married couple in London had written software that collected files that were then sent to a rival competitor. This software was used by “private investigators” to retrieve information from the competitors’ companies.

“Companies probed by the Israeli authorities in connection with the case include mobile phone operators, Cellcom and Pelephone, and satellite television provider YES. All firms have denied any wrongdoing. The Trojan horse is said to have spied upon the Rani Rahav PR agency (whose clients include Israel’s second biggest mobile phone operator, Partner Communications), and the HOT cable television group. Mayer, a company which imports Volvo and Honda cars to Israel is suspected of having spied on rival Champion Motors, who import vehicles made by Audi and Volkswagen.” http://www.sophos.com/pressoffice/news/articles/2006/01/israeliesp.html

So there you have it. All an attacker bent on industrial espionage for gain has to do is get an undetectable rootkit, package it with a file-gathering payload, deliver it via an unknown exploit to the target company and wait for all the company’s information to come flowing in.

This is why it is important for companies to have software installed on each machine that will stop unauthorised software getting onto the machine in the first place.

Keep Safe,

regards
Steo
www.antirootkit.com

“New Gromozon” and Rootkit.DialCall

Monday, November 20th, 2006

Marco Giuliani has updated his blog with a posting entitled “New Gromozon” and Rootkit.DialCall. It is written in Italian, but the essence of it seems to be that the Gromozon server redirections have changed and that a previously known premium-rate dialer called Rootkit.DialCall is being spread via the same servers that the Gromozon rootkit is being sent out from.

That does not mean that Gromozon and Rootkit.DialCall are linked. The latest Rootkit.DialCall drops a premium-rate dialer that dials numbers in Italy only. Gromozon did the same.

Marco goes on to say that the Rootkit.DialCall characteristics have changed and that it now drops the rootkit PE386, which uses ADS (Alternate Data Streams) to hide. Users who think they have this rootkit can use GMER to remove it.

Marco’s Blog - Italian

English Translation via Google

What we can see here are the ever evolving tactics of a crime gang directed at Italian internet users.

It will be interesting to see how it all unfolds!

Keep Safe

regards
Steo
www.antirootkit.com

Rootkits on your Soundcard? Could be!

Sunday, November 19th, 2006

John Heasman of Next Generation Security Software Ltd is well known for bringing us a research paper on how rootkits could use the Power Management section of a BIOS to hide themselves. That paper showed us how rootkits could move away from residing on a user’s hard drive and onto a chip on the motherboard. John has now come up with a new research paper entitled “Implementing and Detecting a PCI Rootkit”, in which he shows how to plant a rootkit on a regular device like a sound card or modem plugged into a computer motherboard.

The research paper, available for download as a 15-page PDF, shows how to implement and detect a PCI card rootkit that can be used against any operating system, XP or Linux to name but two.

PCI rootkits can reside on sound cards, modems, network cards, capture cards or any other PCI device that has an Expansion ROM and no Trusted Platform Module or ROM write protection. Most current PCI devices are susceptible to this form of rootkit infection, although newer models have some form of ROM protection.

PCI Capture Card

An attacker can place rootkit code in the Expansion ROM of any PCI device that has no ROM protection. When the PC boots up, the code in the ROM is called by the PC startup sequence (POST - Power On Self Test). The code that runs can in turn be used to “fool” the booting operating system into believing there is no threat aboard.
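Since the rootkit lives in the card’s Expansion ROM, one defensive check is to dump each ROM, parse its header, and compare it against a golden hash recorded when the card was known clean. The following is an added example (not from John Heasman’s paper or this blog) that builds a constructed 512-byte x86 expansion ROM image, validates its signature, PCI Data Structure and checksum, and compares it to a baseline; the vendor and device IDs are made up, and the sysfs reader assumes Linux with root privileges.

```python
import hashlib
import struct

def build_sample_rom(vendor=0x1234, device=0xABCD) -> bytes:
    """Constructed 512-byte x86 expansion ROM image (not dumped from any real card)."""
    rom = bytearray(512)
    rom[0:2] = b"\x55\xAA"                          # expansion ROM signature
    rom[2] = 1                                      # image size in 512-byte blocks
    struct.pack_into("<H", rom, 0x18, 0x40)         # pointer to the PCI Data Structure
    pcir = b"PCIR" + struct.pack("<HH", vendor, device)       # signature, vendor ID, device ID
    pcir += b"\x00\x00" + struct.pack("<H", 0x18) + b"\x00"   # reserved, PCIR length, PCIR rev
    pcir += b"\x00\x01\x04"                         # class code 0x040100 (audio), little-endian
    pcir += struct.pack("<H", 1) + b"\x00\x00"      # image length in blocks, revision level
    pcir += b"\x00\x80\x00\x00"                     # code type 0 = x86 BIOS, indicator = last image
    rom[0x40:0x40 + len(pcir)] = pcir
    rom[-1] = (-sum(rom[:-1])) & 0xFF               # checksum byte: whole image must sum to 0
    return bytes(rom)

def inspect_rom(rom: bytes) -> dict:
    """Parse the ROM header and PCI Data Structure and verify the x86 image checksum."""
    findings = []
    if rom[:2] != b"\x55\xAA":
        findings.append("bad ROM signature")
    pcir_off = struct.unpack_from("<H", rom, 0x18)[0]
    if rom[pcir_off:pcir_off + 4] != b"PCIR":
        findings.append("PCIR structure missing")
        return {"ok": False, "findings": findings}
    vendor, device = struct.unpack_from("<HH", rom, pcir_off + 4)
    img_len = struct.unpack_from("<H", rom, pcir_off + 0x10)[0] * 512
    code_type = rom[pcir_off + 0x14]
    if code_type == 0 and sum(rom[:img_len]) & 0xFF != 0:   # x86 images must sum to 0 mod 256
        findings.append("x86 image checksum mismatch")
    return {"ok": not findings, "findings": findings, "vendor_id": vendor,
            "device_id": device, "code_type": code_type, "image_len": img_len}

def compare_to_baseline(rom: bytes, baseline_sha256: str) -> tuple:
    """Return (unchanged, digest) for a ROM dump against a recorded golden hash."""
    digest = hashlib.sha256(rom).hexdigest()
    return digest == baseline_sha256, digest

def read_linux_rom(pci_addr: str) -> bytes:
    """Dump a card's expansion ROM via sysfs (Linux, root; not exercised offline)."""
    path = f"/sys/bus/pci/devices/{pci_addr}/rom"
    with open(path, "w") as f:
        f.write("1")                                # enable the ROM for reading
    with open(path, "rb") as f:
        data = f.read()
    with open(path, "w") as f:
        f.write("0")                                # disable it again
    return data
```

A ROM whose hash differs from the baseline, or whose checksum no longer validates, is worth pulling and comparing byte for byte against the vendor’s firmware image.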

This research paper was published so that anti-rootkit software makers can adapt to any potential threat of a rootkit attack via the PCI bus.

Keep Safe

regards
Steo

If you are reading this Blog, you don’t have the latest Gromozon Rootkit

Wednesday, November 8th, 2006

The strange case of Dr Rootkit and Mr Adware gets more mysterious as the months go by. Marco Giuliani of Prevx, an Internet security company with its headquarters in England, was one of the main virus researchers who dissected the Gromozon rootkit in detail.

He recently wrote that Gromozon is changing its tactics so it can thwart the security researchers who try to find out its next move. Gromozon blocks programs from running so it can avoid being identified and removed from the infected PC. Gromozon also blocks access to certain useful websites. The Gromozon authors have taken the work done by researcher Marco Giuliani to heart and have started using tactics to try and tarnish the researcher’s name, product and website.

The first new change we see in Gromozon is the host of new websites that it is spawning from. Many new sites are listed, but I’m sure that there are many more coming out every day. Marco has a list of the most current ones, which you can block by adding them to your HOSTS file.

Gromozon also blocks websites that may have useful information on how to identify and remove it. Antirootkit.com is one such site that Gromozon blocks, so if you are reading this and you see www.antirootkit.com at the start of your address bar then you more than likely don’t have the newer version of the rootkit (that’s not to say you don’t have the older version!!!). Prevx.com is also blocked, along with Marco’s own site www.pcalsicuro.com; the full list can be seen in Marco’s Gromozon Research Paper (PDF) or (HTML).

Gromozon can also see when the Prevx Gromozon Removal Tool and anti-rootkit software like GMER, AVG and IceSword are trying to run, and it can stop them running so as to keep itself rooted on the infected PC. Tools that try to see what’s going on “inside” the Gromozon code are also blocked.

Last but not least are the tactics used within the new version to taunt Marco Giuliani and the Prevx company, by displaying a window asking for a donation to be made to Marco Giuliani before the Prevx Removal Tool can run. Dr Web contacted Marco to say that within the Gromozon code it says “DO NOT DISTRIBUTE! (c) 2004-2006 Marco Giulani & Prevx.com”. He has also found webpages that “drop” Gromozon, and within the code of the webpage Marco’s name is mentioned numerous times, again to make it look like Marco is the author of Gromozon.

Strange tactics indeed in the rootkit versus anti-rootkit race. The Strange Case of Dr Rootkit and Mr Adware versus The Virus Researchers will, I’m sure, get stranger, but with researchers like Marco Giuliani around, all the roads to infection that Gromozon takes will be blocked, and in doing so anti-rootkit tools will become more advanced in their methods of detection and removal from the lessons learned.

Keep Safe

Regards
Steo
www.antirootkit.com

New Version of GMER released - 1.0.12

Monday, November 6th, 2006

GMER, one of the best rootkit scanners, has released a new version.

This latest version is 1.0.12 and it includes the following:

- Added kernel & user mode code sections scanning ( inline hooks )
- Added code restoring
- Added \WINDOWS\gmer_uninstall.cmd script
- Improved “GMER Safe Mode”
- Improved hidden process scanning
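As an added illustration of what “code sections scanning (inline hooks)” and “code restoring” mean in practice, the following is example code written for this page, not GMER’s own: it compares a function’s live entry bytes against the on-disk image, classifies the trampoline a rootkit planted, checks whether it jumps out of the host module, and returns the original bytes to write back. The function name, addresses and byte patterns are constructed for the example.

```python
import struct

# Constructed sample: the 5-byte prologue of a kernel function as it appears in the
# on-disk image (mov edi,edi; push ebp; mov ebp,esp) versus the same bytes after a
# rootkit overwrote them with a relative jmp into its own driver. Addresses are made up.
FUNC_ADDR = 0x80501234                       # assumed in-memory address of the function
MODULE_RANGE = (0x80400000, 0x80700000)      # assumed address range of the host module
HOOK_TARGET = 0xF8A01000                     # assumed address of the rootkit's handler
CLEAN_BYTES = bytes.fromhex("8bff558bec")
HOOKED_BYTES = b"\xE9" + struct.pack("<I", (HOOK_TARGET - (FUNC_ADDR + 5)) & 0xFFFFFFFF)

def decode_hook(code: bytes, addr: int):
    """Recognise common inline-hook trampolines at a function entry; return (kind, target).
    For the indirect jmp the target is the pointer slot, which must be dereferenced separately."""
    if len(code) >= 5 and code[0] == 0xE9:                               # jmp rel32
        rel = struct.unpack_from("<i", code, 1)[0]
        return "jmp rel32", (addr + 5 + rel) & 0xFFFFFFFF
    if len(code) >= 6 and code[:2] == b"\xFF\x25":                       # jmp dword ptr [mem32]
        return "jmp [mem32]", struct.unpack_from("<I", code, 2)[0]
    if len(code) >= 6 and code[0] == 0x68 and code[5] == 0xC3:           # push imm32; ret
        return "push/ret", struct.unpack_from("<I", code, 1)[0]
    if len(code) >= 7 and code[0] == 0xB8 and code[5:7] == b"\xFF\xE0":  # mov eax,imm32; jmp eax
        return "mov eax,imm32/jmp eax", struct.unpack_from("<I", code, 1)[0]
    return None

def scan_function(name: str, mem_bytes: bytes, disk_bytes: bytes,
                  addr: int, module_range: tuple) -> dict:
    """Compare live code with the on-disk image, classify any hook, and supply restore bytes."""
    if mem_bytes == disk_bytes:
        return {"name": name, "hooked": False}
    hook = decode_hook(mem_bytes, addr)
    lo, hi = module_range
    result = {"name": name, "hooked": True, "restored": disk_bytes,
              "kind": hook[0] if hook else "patched bytes",
              "target": hook[1] if hook else None}
    # A transfer out of the module's own address range is the classic rootkit hook signature.
    result["target_outside_module"] = hook is not None and not (lo <= hook[1] < hi)
    return result
```

"Code restoring" in a scanner is then just writing `restored` back over the live bytes once the hook has been confirmed.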

GMER also has provided example log files for various Rootkits:

Rustock - http://www.gmer.net/rustock.log
Gromozon - http://www.gmer.net/gromozon.log
Haxdoor - http://www.gmer.net/haxdoor.log
Hacker Defender - http://www.gmer.net/hxdef.log
Badrkdemo - http://www.gmer.net/badrkdemo.log

GMER has also provided a video of GMER scanning and finding the Gromozon rootkit.
GMER Gromozon Rootkit Video

GMER is always updating his software to find new threats and new attack vectors, and because of this it is one of the best rootkit scanners available today.

For more information see the Antirootkit.com GMER page or head directly to GMER.net

Stay Safe

regards
Steo
www.antirootkit.com

Linux Anti Rootkit - Zeppoo 0.0.4 released

Saturday, November 4th, 2006

The guys over at Zeppoo have released a new version of their Anti Rootkit Software Zeppoo.

This version is 0.0.4 and the new features in this version include support for Red Hat and Ubuntu with the -r option, along with AMD64 support. There are also lots of bug fixes thrown in for good measure.

For more details and download see http://www.antirootkit.com/software/Zeppoo.htm

Keep Safe Linux users,

regards
Steo
www.antirootkit.com