blog: shut the door to malware

nikos
Site Admin
Posts: 15791
Joined: 2002 Feb 07, 15:57
Location: UK

Post by nikos »

here's the comment area for today's article found at:
www.zabkat.com/blog/18Nov07.htm

dunno
Gold Member
Posts: 506
Joined: 2007 Nov 18, 03:00
Location: Tropical Hammock

Post by dunno »

thanks for the info and video, much appreciated.

I see you also use that useful little app called "unlocker" what a lovely little app.

Iain
Member
Posts: 15
Joined: 2004 Jun 15, 11:36

Post by Iain »

or you could install Linux where this is the standard.  8)

nikos
Site Admin
Posts: 15791
Joined: 2002 Feb 07, 15:57
Location: UK

Post by nikos »

or even, forget about electronic computers altogether and use a good old abacus :)

Iain
Member
Posts: 15
Joined: 2004 Jun 15, 11:36

Post by Iain »

Give Linux another try sometime. You might be pleasantly surprised. :shock:

Ubuntu or Kubuntu are the best distros right now. After xplorer2, Krusader is the best dual-pane file manager out there.

jazzcat
Member
Posts: 41
Joined: 2006 Feb 06, 13:34
Location: UK

Post by jazzcat »

"If a nasty enters the computer and you happen to be an administrator, it can disguise itself and fool your antivirus"
How, might I ask, do you envisage the technical mechanism for this 'disguising' from anti-virus software?

It is important to be clear about such things when discussing a topic with such potential for scaremongering among those less technically knowledgeable, whilst also being fair to anti-virus products.

nikos
Site Admin
Posts: 15791
Joined: 2002 Feb 07, 15:57
Location: UK

Post by nikos »

e.g. rootkit

jazzcat
Member
Posts: 41
Joined: 2006 Feb 06, 13:34
Location: UK

Post by jazzcat »

By which mechanism? Rootkits are capable of hiding themselves and other things once they are installed... But how do you envisage a kernel-mode rootkit, which is a device driver, gets installed in the first place whilst evading anti-virus software?

To state this so tersely is a slight to A-V products, which do a much better job than you are suggesting.

Robert2
Gold Member
Posts: 673
Joined: 2004 Jun 17, 15:39

Post by Robert2 »

Hi,
Here is from http://en.wikipedia.org/wiki/Rootkit:
"Rootkit binaries are usually detected by most signature- or heuristics-based antivirus programs, at least until they're run by a user. There are inherent limitations to any program that attempts to detect rootkits while the program is running under the suspect system. Rootkits are suites of programs that modify many of the tools and libraries upon which all programs on the system depend."
You might also want to look at http://www.microsoft.com/technet/sysint ... ealer.mspx

jazzcat
Member
Posts: 41
Joined: 2006 Feb 06, 13:34
Location: UK

Post by jazzcat »

"At least until they're run by the user"... Well this is inaccurate and sums up precisely my point. This should state 'until they are installed' since it is upon installation that they are able to hide themselves. But how does a user 'run' and thus install the binary if it is detected and therefore blocked by the anti-virus product?

So this doesn't really answer my question...

Ultimately I am asking this in order to highlight the fact that the sentence quoted from the blog does a disservice to a-v products which in most cases are able to prevent the installation of a rootkit in the first place, even when the user is an administrator. There are mechanisms by which a rootkit might be installed of course, but these are not so trivial as might be interpreted by a non-technical user reading the blog...

I am only trying to promote truth and knowledge, and defend a-v firms where due, which is fair enough considering I work for such a firm as a virus researcher.

fgagnon
Site Admin
Posts: 3737
Joined: 2003 Sep 08, 19:56
Location: Springfield

Post by fgagnon »

As I read this week's blog, the recommendation is to make a habit of operating with a limited account so as to avoid unintentionally installing malware, whether or not your AV is capable of recognizing the threat.  A rootkit is one example of malware that is commonly undetectable once installed.  Certainly most modern AV products have made strides towards identifying these threats before installation.

Jazzcat, you have a valid point that nikos did not explain this well -- casually dropping the issue as if AV apps were incapable of addressing these threats.  
From your experience, perhaps you can expand a bit on the topic of modern AV capabilities and limitations.  Neither nikos nor I consider ourselves to be AV experts.

Thanks.

jazzcat
Member
Posts: 41
Joined: 2006 Feb 06, 13:34
Location: UK

Post by jazzcat »

I would be happy to share my experiences and thoughts on a-vs and their capabilities and limitations, as well as the general topic of how best (I think) a user should mitigate the threat of malware. I began to write this already, but realised I am running out of time as I have to go out now! So I will come back over the weekend and add my 2 pence...

Robert2
Gold Member
Posts: 673
Joined: 2004 Jun 17, 15:39

Post by Robert2 »

jazzcat wrote:"At least until they're run by the user"... Well this is inaccurate and sums up precisely my point. This should state 'until they are installed' since it is upon installation that they are able to hide themselves. But how does a user 'run' and thus install the binary if it is detected and therefore blocked by the anti-virus product? So this doesn't really answer my question...
Hi,
Things are not so simple as you make out. Generally-speaking, computers would never be compromised if hackers did not manage to get through firewalls and antivirus software... But it is a fact of life that they do. As it says in one of the articles below, it is "a cat-and-mouse game". The cat does not always catch the mouse...

Here is from http://www.pcworld.com/article/id,12065 ... ticle.html:

"Like detecting viruses and worms, trapping rootkits is a cat-and-mouse game. Shortly after F-Secure released Blacklight, the author of a rootkit called Hacker Defender posted a video demonstrating a new version of his rootkit defeating Blacklight and several other defensive tools, including RootkitRevealer.

Since rootkits can work with spyware, viruses, and other malware in blended threats, security vendors are sharpening the tools they'll need for detecting them. According to Russ Cooper, who founded and moderates the NTBugtraq newsletter, looking for the kinds of techniques that rootkits use is a good idea. But Cooper doesn't think that rootkit infections are on the rise. "Rootkits are no more prevalent now than they've ever been," he believes. And as for rootkit removal tools, Cooper remarks that "only a person with very little knowledge would try to remove a rootkit," adding that the one certain cure is to wipe the hard disk and reinstall the OS. Mikko Hypponen, F-Secure's director of antivirus research, mostly concurs with Cooper, but points out that Blacklight can address situations where no known good backup is available.

Rootkit detectors and antivirus programs will continue to look for ways to outhack the hackers. But for now, standard security tools such as a good firewall and up-to-date antivirus protection are the best defense against rootkits."

Here is from http://www.pcsupportadvisor.com/rootkits.htm:

"In other words, the malware infection is totally stealthed from your view and the view of most of your security software products.

Because of this stealthing your security software may report that your PC is totally clean from infection when in fact you are infected.

In the past rootkits have been mostly used by hackers to hide trojans. Increasingly, however, they are being used to hide spyware or mass-circulation viruses and worms. That's bad news for users as they are far more likely to encounter these infections than hacker trojans.

Detecting the presence of rootkits and the products they are stealthing is not easy. Certainly most anti-virus and anti-spyware scanners can't detect them, though a few are just now starting to add features to help with detection. What is needed is a specialist rootkit detector."

Here is from http://free.grisoft.com/doc/download-fr ... t/us/frt/0:

"Rootkits are used to hide the presence of a malicious object like trojans or keyloggers on your computer. If a threat uses rootkit technology to hide itself it is very hard to find the malware on your PC. AVG Anti-Rootkit gives you the power to find and delete the rootkit and to uncover the threat the rootkit is hiding."
"AVG Anti-Rootkit Free protects you against a certain kind of threat: rootkits. To be protected in real time against all kinds of threats that could harm your computer, it is recommended to have a look at AVG's fully integrated solutions."

Here is from http://netsecurity.about.com/od/frequen ... ootkit.htm:

"Detecting a rootkit on your system is easier said than done. Currently, there is no off-the-shelf product to magically find and remove all of the rootkits of the world like there is for viruses or spyware... Many malicious rootkits manage to infiltrate computer systems and install themselves by propagating with a malware threat such as a virus. You can safeguard your system from rootkits by ensuring it is kept patched against known vulnerabilities, that antivirus software is updated and running, and that you don't accept files from or open email file attachments from unknown sources. You should also be careful when installing software and read carefully before agreeing to EULAs (end user license agreements), because some may state overtly that a rootkit of some sort will be installed."

fgagnon
Site Admin
Posts: 3737
Joined: 2003 Sep 08, 19:56
Location: Springfield

Post by fgagnon »

Robert,
The material you quoted is true, but I think it misses jazzcat's point: it is important to distinguish between the detection of an installed rootkit and recognition of its installation package. The former is the subject of almost all of your quoted material; the latter is in the open and need only be recognized to prevent its execution -- a relatively straightforward task, requiring only its signature and/or analyzing the installation executable for inappropriate content, or some means of monitoring it for generically inappropriate activity.
I await more on what jazzcat can tell us -- after all, he makes his living working as an AV analyst in the subject area.

Robert2
Gold Member
Posts: 673
Joined: 2004 Jun 17, 15:39

Post by Robert2 »

fgagnon wrote:Robert,
The material you quoted is true, but I think it misses jazzcat's point: it is important to distinguish between the detection of an installed rootkit and recognition of its installation package. The former is the subject of almost all of your quoted material; the latter is in the open and need only be recognized to prevent its execution -- a relatively straightforward task, requiring only its signature and/or analyzing the installation executable for inappropriate content, or some means of monitoring it for generically inappropriate activity.
Hi,
I am sorry but I'll stick to what is said in the article above:

"Like detecting viruses and worms, trapping rootkits is a cat-and-mouse game."

And cats cannot be expected to always be on the winning side...