Anti Rootkit Blog

Microsoft have just gained one of the best anti rootkit teams on the planet. EP_X0FF and the development team of Rootkit Unhooker have joined Microsoft. They are currently making plans to ship off to Wittenberg in Germany ( where Martin Luther is buried ) where the Rootkit Unhooker team will finish off work on their, up to now,secret project called Secured Eye (SEye),“…in a two words this is project mix of software/hardware related to distributed calculations and virtualization technologies based on Vanderpool / Pacifica extensions. Not a Blue Pill. To be more correct some parts of SEye can be used as a pill for any kind of Blue Pill variations ”

When Windows Vista  came along we were told that no Rootkits could run in Vista because of all the various security enhancements within. Then over the months since the Beta versions of Vista various people have come up with ways that may be able to install a rootkit ( see Microsoft Vista Kernel Protection is Cracked and MS Watches as Vista Gets ‘0wn3d’ by Rootkit).

Since the official release of Windows Vista earlier this year there has been a concerted effort by Security Researchers to come up with a ways to install rootkits or hide processes within Vista. 

Security researcher Alex Ionescu is one such researcher who has done a lot of work in the area of Protected Processes in Vista.

From Microsoft:

“The Microsoft® Windows Vista™ operating system introduces a new type of process known as a protected process to enhance support for Digital Rights Management functionality in Windows Vista. These protected processes exist alongside other processes in Windows Vista.”

and

“Constraints on protected processes. A typical process cannot perform operations such as the following on a protected process:
· Inject a thread into a protected process
· Access the virtual memory of a protected process
· Debug an active protected process
· Duplicate a handle from a protected process
· Change the quota or working set of a protected process”

So it looks like a Protected Process has some immunity from being interfered with and thus checked for badness. This sounds very Rootkit like to me. Although a rootkit is designed to hide processes, among other things, the main reason is to avoid programs from seeing what it is up to. A rootkit may be hiding a Keylogger from being detected and the same could be said for a keylogger in Vista after it has become a protected process.

Alex Ionescu has released a tool called D-Pin Purr that can both Protect and Unprotect a Protected Process in Vista.

From Alex’s Blog:

“It’s based on the Microsoft documentation which says “Please don’t use a driver to bypass this”, which led me to believe that it would be possible to do this (which wouldn’t work on 64-bit Vista, of course).”

“Unforunately, it is trivial to make a process protected or unprotected by bypassing all the Code Integrity checks and sandbox in which protected processes are supposed to run. I wrote a small application which I called D-Pin Purr which does exactly this. I tried it on the only two protected processes I know on Vista (audiodg.exe and mfpmp.exe).”

“Being able to play with the PMP application isn’t really what I was interested in, since most of the high-level security is in the kernel anyway. The intersting thing is that I can make any application of my choosing protected, and thus undebuggable, uninjectable and with its address space secure.”

Well I’m off to have a good mess around Alex’s tool and I’ll report back some findings.

Keep Safe,
regards

Steo
www.antirootkit.com

References:

Why Protected Processes Are A Bad Idea

Introducting D-Pin Purr v1.0 - 32bit Edition

Microsoft Protected Process Whitepaper

We dont get many stats as to how many PC’s in the world have rootkits installed and hiding malware like keyloggers and spyware in the background. Rootkits are too good to be true for the malware authors out there so it only goes to say that rootkits should be more prevalent. Except Microsoft does not think they are.

Microsoft recently published a Security Intelligance report entitled “An in-depth perspective of trends in the malicious and potentially unwanted software landscape in the first half of 2006″. This report had many references to rootkits. The references included the amount of individual PC’s scanned using the Windows Malicious Software Removal Tool (MSRT) and Windows Defender along with the percentage of rootkits found. Symantec today released a Security Brief entitled “Handling Today’s Tough Security Threats” in which they compared their software against other companies like Microsoft and McAffee. The Interesting part of the report for me is the rootkit detection section.

But first lets have a look at the Microsoft stats.

Microsoft says in it’s report that of the 3.2 million computers 8% had rootkits which is a drop from 17% since 2005. This means that Microsoft was able to find 256,000 (256K) computers with rootkits.

Microsoft like Symantec scanned for the Sony XCP rootkit which it could be argued didnt hide malware ( although malware authors used it’s stealth capabiliies to hide their own malware ).

The Symantec report says they tested for rootkits that are currently being used in the wild. Thompson Cyber Security Labs randomly selected 20 rootkits and used their own samples for this test. We dont know if the Sony Rootkit was one of the 20 rootkits picked.

Symantec, in the report state that of the 20 rootkits tested against the Symantec software identified all 20 while Microsoft only identified 5. This shows that Microsoft only identified 20% of the rootkits tested.

So assuming like for like, the Microsoft figure of 256,000 unique computers with rootkits could mean, taking Symantec results into account, Mirosoft have only found 20% of the actual number of computers with rootkit. Thats a staggering 1,280,000 (1.28 Million) computers infected with rootkits.

We could also add the highly publicised Gromozon and Haxdoor rootkits that are taking computers by storm at the moment but again there are no solid figures to use.

Hopefully we can get more precise details so we can really see if Microsoft is falling behind in the identification of rootkits and whether there really are 1.28 Million computers with rootkits hiding malware.

Keep Safe,

regards

Steo
www.antirootkit.com

Security company Authentium has revealed that it has cracked the Vista Kernel Protection called PatchGuard. Microsoft in their recently released half yearly security report said that PatchGuard was created to stop malware like rootkit’s from getting into the kernel where they can hide almost anything on the computer especially Keyloggers and Spyware.

“Kernel Patch Protection for x64 Windows: Kernel Patch Protection improves security and makes it more difficult for hackers to hide malware, such as rootkit’s, deep in the OS where antimalware technologies may have a more difficult time removing it. ”
Source: Microsoft Security Intelligence Report - January - June 2006

Helmuth Feericks, chief technology officer of Authentium told Reuters recently that his company had found a way to turn off Patchguard, install software and turn it back on again. Although no specific details have been given as to how they were able to turn off Patchguard, it does seem that other people like crafty hackers will soon find their own way and publish it.
The Authentium Blog shows an entry where PatchGuard Kernel Protection is described as “not very useable or useful”. The entry does not go into much detail because of a gag-order from Microsoft. It goes to show that if big Security companies see it as useless then we all will be targets of it’s uselessness.

It is ironic how Microsoft is currently only using PatchGuard on 64 bit Vista as an added security attraction for businesses who are the most likely users of this version of Vista. Ordinary everyday users of the 32 bit version will not have Patchguard protecting them and they could be lucky as this would have given them a false sense of security.

In recent weeks we have seen security companies like McAffee asking Microsoft for access to the Vista kernel so that they can provide HIPS ( Host Intrusion Prevention System ) applications to their 64 bit Vista customers.

Vista Kernel Protection is cracked and it will not be long then until we see Rootkit’s for 64 bit Vista.

Keep Safe

regards
Steo
www.antirootkit.com