Archive for the 'Debate' Category

Average users do not stand a chance with Rootkits

Thursday, June 14th, 2007

The Authentium Virus Blog posting shows how anti-malware programs need to be extremely user friendly for the average user out there. We feel that this is especially true when it comes to anti-rootkit programs.

There should be a straightforward, non-threatening way for users who do not have much computer experience to remove rootkits.

Easy Rootkit Removal is essential

From the Authentium Virus Blog…
“On average we have removed 2 pieces of malware from the machine per day and I suspect that there are at least two different potentially unwanted applications and at least one piece of malware left on the machine. This malware removed includes 2 bots, 1 rootkit, 1 executable that controlled the rootkit and 1 dropper. I suspect that there are still a mass mailer and/or network worm left to be removed. Compliments of a good defense in depth strategy this seems to be contained by the security suite. But it still does not leave the machine in a usable state.”

Read the full posting here…

Keep Safe,

regards

Steo

Do Windows Vista Protected Processes = Rootkits?

Monday, April 16th, 2007

When Windows Vista came along we were told that no rootkits could run in Vista because of all the various security enhancements within it. Then, over the months since the Beta versions of Vista, various people have come up with ways that may make it possible to install a rootkit (see Microsoft Vista Kernel Protection is Cracked and MS Watches as Vista Gets ‘0wn3d’ by Rootkit).

Since the official release of Windows Vista earlier this year there has been a concerted effort by security researchers to come up with ways to install rootkits or hide processes within Vista.

Alex Ionescu is one such researcher who has done a lot of work in the area of Protected Processes in Vista.

From Microsoft:

“The Microsoft® Windows Vista™ operating system introduces a new type of process known as a protected process to enhance support for Digital Rights Management functionality in Windows Vista. These protected processes exist alongside other processes in Windows Vista.”

and

“Constraints on protected processes. A typical process cannot perform operations such as the following on a protected process:
· Inject a thread into a protected process
· Access the virtual memory of a protected process
· Debug an active protected process
· Duplicate a handle from a protected process
· Change the quota or working set of a protected process”

So it looks like a Protected Process has some immunity from being interfered with, and thus from being checked for malicious behaviour. This sounds very rootkit-like to me. Although a rootkit is designed to hide processes, among other things, the main reason is to prevent other programs from seeing what it is up to. A rootkit may be hiding a keylogger from detection, and the same could be said for a keylogger in Vista once it has become a protected process.

Alex Ionescu has released a tool called D-Pin Purr that can both Protect and Unprotect a Protected Process in Vista.

From Alex’s Blog:

“It’s based on the Microsoft documentation which says “Please don’t use a driver to bypass this”, which led me to believe that it would be possible to do this (which wouldn’t work on 64-bit Vista, of course).”

“Unfortunately, it is trivial to make a process protected or unprotected by bypassing all the Code Integrity checks and sandbox in which protected processes are supposed to run. I wrote a small application which I called D-Pin Purr which does exactly this. I tried it on the only two protected processes I know on Vista (audiodg.exe and mfpmp.exe).”

“Being able to play with the PMP application isn’t really what I was interested in, since most of the high-level security is in the kernel anyway. The interesting thing is that I can make any application of my choosing protected, and thus undebuggable, uninjectable and with its address space secure.”


Well I’m off to have a good mess around with Alex’s tool and I’ll report back some findings.

Keep Safe,
regards

Steo
www.antirootkit.com


References:

Why Protected Processes Are A Bad Idea

Introducing D-Pin Purr v1.0 - 32bit Edition

Microsoft Protected Process Whitepaper

Manifesto of the ethical Anti-Rootkit writer

Wednesday, February 21st, 2007

Cd-MaN, a popular Romanian blogger, has written in his blog recently that he is not getting on very well with the creators of one of the best known anti-rootkit scanners, Rootkit Unhooker.

In various posts, No love for RkUnhooker, And so the RkUnhooker saga begins and Mismoderated RkUnhooker comment, Cd-MaN details the exchange of “words” between himself, EP_X0FF and MP_ART. It all began with a posting called Mixed links and commentary, so start there. I will leave it up to the reader to come to their own conclusion and judgement on the events in these postings.

Following on from these postings Cd-MaN has set up a “Manifesto of the ethical Anti-Rootkit writer” where anti-rootkit program authors are asked to sign up to a few simple rules:

From Cd-MaN’s Blog…

Manifesto of the ethical Anti-Rootkit writer

  • I will give a high level description of the actions performed by my program which can be understood by even a moderately technically savvy user (so called “power users”) and I will follow that description to the letter (for example, if you state that “this tool allows the detection of hidden processes”, the tool should only detect the processes, not terminate them. If the tool also terminates them, that should be included in the description).
  • The program will not perform possibly dangerous operations without user consent. The message informing the user should contain a simple enough description of the action so that “power users” are able to understand it, and also list the possible risks.
  • I will limit my kernel mode code to as little as possible.
  • I will clearly list the supported platforms (operating system version and patch level) and give the user warnings if s/he is using the tool on an unsupported platform.
  • I do not approve of or engage in illegal activities (like site defacement, DDoS, etc).
  • All of my research is done on computers owned by me or by consenting people. In case I ask other people to test my programs / products, I will provide them with a detailed description of what the program does, what the associated risks of using this program are and what files / registry keys are associated with / modified by the program.
  • I practice responsible disclosure. I notify vendors prior to releasing any information which could negatively impact the security of the people using their products.

So if you are an Anti-Rootkit writer and you would like to sign up please visit his blog posting Manifesto of the ethical Anti-Rootkit writer and read the details.

I wonder if companies like F-Secure, Panda, McAfee and Sophos will sign up?

Stay Safe,

Steo

www.antirootkit.com

GMER Anti Rootkit & People Power

Sunday, January 7th, 2007

Q. How do you know when you have written a really good piece of software that protects people from rootkits?

A. When the rootkit writers or users start to target your software.

This is exactly what is currently happening with GMER, a really good anti-rootkit scanner. GMER is written by a person from Poland who goes by the name gmer.

GMER became a popular anti-rootkit scanner this year and has become known for finding hard-to-find rootkits; it has a nice interface and is easy to use. GMER also updates the software on a regular basis, and when Rustock came on the scene in 2006 GMER adapted to checking ADS (NTFS Alternate Data Streams), a known place where Rustock hid files.

GMER Screenshot
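To show what “checking ADS” means in practice, here is an added example (my own code, not GMER’s) that lists the NTFS streams attached to a file through the documented Win32 FindFirstStreamW/FindNextStreamW calls and reports any stream other than the ordinary unnamed one. The enumeration itself only works on Windows; the classification function is plain Python and is exercised below with constructed stream names (Zone.Identifier is the benign mark-of-the-web stream browsers add to downloads).

```python
"""List NTFS alternate data streams (ADS) on a file and flag the named ones.

Added example for this page, not GMER's code.  enumerate_streams() talks to
the Win32 API via ctypes and therefore runs on Windows only; named_streams()
is pure Python.  SAMPLE_STREAMS is a constructed result used for the demo.
"""
import ctypes
import sys

# Documented Win32 values
FIND_STREAM_INFO_STANDARD = 0
MAX_PATH = 260
INVALID_HANDLE_VALUE = ctypes.c_void_p(-1).value
ERROR_HANDLE_EOF = 38


class WIN32_FIND_STREAM_DATA(ctypes.Structure):
    # Layout from the Win32 SDK: 64-bit stream size, then the stream name.
    _fields_ = [
        ("StreamSize", ctypes.c_longlong),
        ("cStreamName", ctypes.c_wchar * (MAX_PATH + 36)),
    ]


def enumerate_streams(path):
    """Return [(stream_name, size_in_bytes), ...] for every stream on `path`.

    Names come back as "::$DATA" (the normal file content) or ":name:$DATA"
    (a named alternate data stream).  Windows only.
    """
    if sys.platform != "win32":
        raise OSError("NTFS stream enumeration needs the Win32 API")
    k32 = ctypes.WinDLL("kernel32", use_last_error=True)
    pdata = ctypes.POINTER(WIN32_FIND_STREAM_DATA)
    k32.FindFirstStreamW.restype = ctypes.c_void_p
    k32.FindFirstStreamW.argtypes = [ctypes.c_wchar_p, ctypes.c_int, pdata, ctypes.c_ulong]
    k32.FindNextStreamW.restype = ctypes.c_int
    k32.FindNextStreamW.argtypes = [ctypes.c_void_p, pdata]
    k32.FindClose.argtypes = [ctypes.c_void_p]

    data = WIN32_FIND_STREAM_DATA()
    handle = k32.FindFirstStreamW(path, FIND_STREAM_INFO_STANDARD, ctypes.byref(data), 0)
    if handle in (None, INVALID_HANDLE_VALUE):
        raise ctypes.WinError(ctypes.get_last_error())
    streams = []
    try:
        while True:
            streams.append((data.cStreamName, data.StreamSize))
            if not k32.FindNextStreamW(handle, ctypes.byref(data)):
                err = ctypes.get_last_error()
                if err == ERROR_HANDLE_EOF:   # no more streams: normal end
                    break
                raise ctypes.WinError(err)
    finally:
        k32.FindClose(handle)
    return streams


def named_streams(stream_names):
    """Return (name, type) for every stream except the unnamed data stream.

    Explorer and `dir` show only the unnamed stream, so anything returned
    here is content a casual directory listing would never reveal.
    """
    found = []
    for full in stream_names:
        parts = full.split(":")          # "", name, type
        if len(parts) != 3:
            continue
        _, name, stype = parts
        if name:                          # "" means the ordinary "::$DATA"
            found.append((name, stype))
    return found


# Constructed sample: a downloaded file with a mark-of-the-web stream and a
# second, hidden stream carrying a driver image.
SAMPLE_STREAMS = ["::$DATA", ":Zone.Identifier:$DATA", ":hidden.sys:$DATA"]

if __name__ == "__main__":
    if len(sys.argv) > 1 and sys.platform == "win32":
        names = [n for n, _ in enumerate_streams(sys.argv[1])]
    else:
        names = SAMPLE_STREAMS
    for name, stype in named_streams(names):
        print("named stream %r (type %s)" % (name, stype))
```

Run it with a file path on Windows to inspect that file; without arguments it classifies the constructed sample. A scanner would walk the whole volume this way and compare against a baseline of expected streams rather than alerting on every Zone.Identifier.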

It was surprising, though, that in December 2006 the homepage for GMER, www.gmer.net, was unreachable. When a user tried to load the homepage a “page not found” type of error was shown. The hosting service for GMER had to make the site unreachable because of a DDoS (Distributed Denial of Service) attack. A DDoS attack is basically where someone or a gang has set up a botnet (computers taken over by hackers for their own use) that continuously tries to load the page at www.gmer.net. This causes a lot of stress on the hosting service and hence the site had to be taken offline.

All is not lost though. With the help of a lot of people around the internet the name of GMER is getting more popular than ever before and the attacks on the GMER site have highlighted GMER as a threat to rootkit writers and users.

With the GMER site down other sites have provided a mirror of the original GMER site so people can still download and read about GMER.

A list of current sites as of the 7th Jan 2006 @ 23:55 GMT is as follows:

http://archive.mysteryfcm.co.uk/security/antirootkit/gmer/gmer.htm
http://fbeej.dk/gmer/gmer.htm
http://www.alexaur.com/anti-rk/
http://www.pperry.f2s.com/mirror/gmer/gmer.htm
http://martijnc.be/tools/gmer/gmer.htm
http://gmer.spywarefix.org/
http://gmer.it-mate.co.uk/gmer.htm
http://www.majorgeeks.com/GMER_d5198.html

The GMER software can also be downloaded from http://pcalsicuro.phpsoft.it/gmer.zip

Even as I transpose my list it looks as if 2 more have been taken down.

People Power will help GMER survive these attacks, which will only strengthen its reputation as a very good rootkit scanner.

Keep Safe,
regards,
Steo
www.antirootkit.com

Rootkits in Corporate Espionage

Thursday, November 30th, 2006

JSharp, in a recent blog entry, highlighted the potential of ID-triggered rootkits: rootkits that activate only when they have reached a “target” victim. This high profile victim could be a large company with a lot of intellectual property and a lot less security. This does seem far-fetched to the average person, but it has happened in the past and it will become more prevalent in the future.

Companies who are in a very competitive environment can only survive if they have the edge over their competitors. This edge can take many forms but information is the key. Information about competitor’s products, techniques, processes and sales are extremely valuable when making decisions about the future.

There would be no problem for an attacker to offer a low paid programmer a lot of money to write a rootkit that is undetectable by any of the current rootkit scanners. Earlier this year the maker of HackerDefender, an extremely powerful rootkit, had a service whereby an undetectable version of Hacker Defender was made for a price. This super stealth service is now unavailable.

The attacker could then purchase a zero day exploit, an unknown program vulnerability, from one of the many sites offering them. There is a lot of money to be made from finding holes in software and selling the information, or ready to go code, for thousands of dollars.
One form of rootkit delivery is via a compromised website. A malware creation kit called Webattacker contains scripts that check the version of the visiting user’s browser and send down a rootkit and its payload. This payload could be a keylogger, perfect for capturing usernames and passwords for later attacks. It could also include file capturing software that gathers up Word documents, spreadsheets or any other file type that could hold valuable information, ready to be sent back via the same route it came in.

Another form of delivery is via email. Craftily created emails could be sent to employees enticing them to open safe looking attachments, which then release the rootkit and its payload. This happened in May of this year. A large, high profile, unnamed company in Asia was targeted by an alleged criminal gang. An email was sent to certain employees in the unnamed company. The email contained a Word document that in some way related to the employee’s area of work. The Word document contained exploit code that was unknown to everyone in the world except for the attacker. The exploit code was then able to give the attacker complete control over the employee’s PC. This hole in Microsoft Word was patched by Microsoft some months later. I am sure, though, that there are many companies out there that are still vulnerable because they have not patched or updated their Office software.

“Detection is mostly the very hard part in these attacks. This case seems to have been detected by a very alert user detecting a domain name in an email that wasn’t completely right.
That user detected an email coming in that originated from a domain that looked like their own, but wasn’t their own (actually only had an MX record in it). The email was written to look like an internal email, including signature. It was addressed by name to the intended victim and not detected by the anti-virus software.” http://isc.sans.org/diary.php?storyid=1345
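The alert user in the SANS diary spotted a sender domain that merely looked like the company’s own. That check can be automated at the mail gateway; the following is an added example of mine (not from the diary or any product) that parses a message, pulls the sender domain from the From: header and flags it when it is a near-miss of the organisation’s domain, either by edit distance or by sharing the name under a different top-level domain. The domain example-corp.com and both messages are constructed; the example looks at the name only and does not perform the DNS check (a domain existing solely as an MX record) the diary mentions.

```python
"""Flag inbound mail whose sender domain only looks like our own.

Added example for this page, not from the SANS diary or any product.
OUR_DOMAIN and the sample messages are constructed.
"""
from email import message_from_string
from email.utils import parseaddr

OUR_DOMAIN = "example-corp.com"   # constructed organisation domain


def edit_distance(a, b):
    """Levenshtein distance via the usual dynamic-programming table."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete
                           cur[j - 1] + 1,         # insert
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def sender_domain(raw_message):
    """Domain part of the From: address, lower-cased ("" if absent)."""
    msg = message_from_string(raw_message)
    _, addr = parseaddr(msg.get("From", ""))
    return addr.rpartition("@")[2].lower()


def lookalike_verdict(domain, our_domain=OUR_DOMAIN, max_distance=2):
    """Return None for our own domain (or subdomain) and for unrelated
    domains; otherwise a short reason string describing the near-miss."""
    domain = domain.lower()
    if domain == our_domain or domain.endswith("." + our_domain):
        return None
    if domain.split(".")[0] == our_domain.split(".")[0]:
        return "same name, different top-level domain: " + domain
    d = edit_distance(domain, our_domain)
    if 0 < d <= max_distance:
        return "%d character(s) away from %s: %s" % (d, our_domain, domain)
    return None


def screen(raw_message):
    """Convenience wrapper: verdict for a raw RFC 822 message."""
    return lookalike_verdict(sender_domain(raw_message))


# Constructed samples: a spoof written to look internal, and a genuine mail.
SPOOFED = """From: "IT Helpdesk" <helpdesk@examp1e-corp.com>
To: alice@example-corp.com
Subject: Please review the attached document

Alice, the attached file needs your sign-off today.
"""

INTERNAL = """From: bob@example-corp.com
To: alice@example-corp.com
Subject: lunch

Same place as last week?
"""

if __name__ == "__main__":
    for label, raw in (("spoofed", SPOOFED), ("internal", INTERNAL)):
        print(label, "->", screen(raw))
```

The edit-distance threshold of 2 catches single-character swaps such as the digit one for a lower-case L above; raise it only with an allow-list, since short domains will otherwise collide with legitimate partners.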
Arrests were made earlier this year in London and Israel after a company found it had rogue software, or malware, on its PCs. It turned out a married couple in London had written software that collected files that were then sent to a rival. This software was used by “Private Investigators” to retrieve information from competitor companies.

“Companies probed by the Israeli authorities in connection with the case include mobile phone operators, Cellcom and Pelephone, and satellite television provider YES. All firms have denied any wrong doing. The Trojan horse is said to have spied upon the Rani Rahav PR agency (whose clients include Israel’s second biggest mobile phone operator, Partner Communications), and the HOT cable television group. Mayer, a company which imports Volvo and Honda cars to Israel is suspected of having spied on rival Champion Motors, who import vehicles made by Audi and Volkswagen.” http://www.sophos.com/pressoffice/news/articles/2006/01/israeliesp.html

So there you have it. All an attacker bent on industrial espionage for gain has to do is get an undetectable rootkit, package it with a file gathering payload, deliver it via an unknown exploit to the target company and wait for all the company’s information to come flowing in.

This is why it is important for companies to have software installed on each machine that will stop unauthorised software getting on to the machine in the first place.

Keep Safe,

regards
Steo
www.antirootkit.com

Do 1.28 Million computers have a Rootkit?

Saturday, November 4th, 2006

We don’t get many stats as to how many PCs in the world have rootkits installed and hiding malware like keyloggers and spyware in the background. Rootkits are too good to be true for the malware authors out there, so it stands to reason that rootkits should be more prevalent. Except Microsoft does not think they are.

Microsoft recently published a Security Intelligence report entitled “An in-depth perspective of trends in the malicious and potentially unwanted software landscape in the first half of 2006”. This report had many references to rootkits. The references included the number of individual PCs scanned using the Windows Malicious Software Removal Tool (MSRT) and Windows Defender, along with the percentage of rootkits found. Symantec today released a Security Brief entitled “Handling Today’s Tough Security Threats” in which they compared their software against that of other companies like Microsoft and McAfee. The interesting part of the report for me is the rootkit detection section.

But first let’s have a look at the Microsoft stats.

Microsoft says in its report that, of the 3.2 million computers scanned, 8% had rootkits, which is a drop from 17% in 2005. This means that Microsoft was able to find 256,000 (256K) computers with rootkits.

Microsoft, like Symantec, scanned for the Sony XCP rootkit, which it could be argued didn’t hide malware (although malware authors used its stealth capabilities to hide their own malware).

The Symantec report says they tested for rootkits that are currently being used in the wild. Thompson Cyber Security Labs randomly selected 20 rootkits and used their own samples for this test. We don’t know if the Sony rootkit was one of the 20 rootkits picked.

Symantec state in the report that, of the 20 rootkits tested, the Symantec software identified all 20 while Microsoft only identified 5. This shows that Microsoft only identified 20% of the rootkits tested.

So, assuming like for like, the Microsoft figure of 256,000 unique computers with rootkits could mean, taking the Symantec results into account, that Microsoft has only found 20% of the actual number of computers with rootkits. That’s a staggering 1,280,000 (1.28 million) computers infected with rootkits.

We could also add the highly publicised Gromozon and Haxdoor rootkits that are taking computers by storm at the moment, but again there are no solid figures to use.

Hopefully we can get more precise details so we can really see if Microsoft is falling behind in the identification of rootkits and whether there really are 1.28 Million computers with rootkits hiding malware.

Keep Safe,

regards

Steo
www.antirootkit.com