
The Rootkit Arsenal

samzenpus posted more than 5 years ago | from the protect-ya-neck dept.

Security 79

Nicola Hahn writes "One of the first things I noticed while flipping through this hefty book is the sheer number of topics covered. Perhaps this is a necessity. As the author puts it, rootkits lie "at the intersection of several related disciplines: computer security, forensics, reverse-engineering, system internals, and device drivers." Upon closer inspection, it becomes clear that great pains have been taken to cover each subject in sufficient depth and to present ideas in a manner that's both articulate and well organized. This accounts for the book's girth; it weighs in at roughly 900 pages." Keep reading for the rest of Nicola's review.

This book is comprehensive enough to appeal to both novices and journeymen. To set the stage, the Rootkit Arsenal begins with a review of foundation material: the IA-32 execution environment, memory management, kernel-mode subtleties, call hooking, detour patching, and so forth. Yet, while the author devotes a significant amount of effort to explaining prerequisites and customary rootkit techniques, there's an abundance of more sophisticated content to engage more experienced members of the audience. For example, his explanation of how to use the WSK API and the most recent incarnation of the NDIS library (version 6.0) to construct covert channels over DNS is worth a read. I also appreciated his meticulous discussion of how to properly install Call Gates and handle the foibles of multi-processor systems.

One of the book's strong points is that there's coverage of issues which traditionally haven't appeared in books on this subject. For instance, there are several sections devoted to the Windows startup process and how it relates to the operation of bootkits. Part 3 of the book, which consists of four chapters, focuses on anti-forensics, with an emphasis on defeating file system analysis and the examination of an unknown executable. To this end, Reverend Bill ventures off into the tactics used to implement binary armoring, FISTing, obfuscation, code morphing, file scrubbing, and data contraception.

Not content to merely explain the basic mechanics of a particular scheme, Reverend Bill often illustrates how he derived his results and encourages the reader to verify what they've seen with a kernel debugger. This is a recurring theme throughout the book. Rather than just teach the reader a collection of tricks, the author demonstrates how the reader can identify new ones independently. After all, specific holes come and go, but the art of finding new ones will always have utility. This more than justifies the lengthy discussion of kernel debugging earlier on in the book.

All told, the book is reasonably self-contained. The source code examples are clean, instructive, and have been included in the book's appendix. As Reverend Blunden notes, the "Rootkit Arsenal" isn't about a specific rootkit that someone wrote (though such books exist). It's really about the rootkit that the reader will construct, such that the focus is on the nature of the tactics rather than a proof-of-concept rootkit. In this spirit, examples are long enough to illuminate potential sticking points but not so long that the reader feels like they're wading through mud in search of diamonds.

The author also exhibits good form in terms of giving credit where it's due. In the book's preface he specifically acknowledges a number of researchers who have made lasting contributions to the collective repository of knowledge (Mark Ludwig, Greg Hoglund, the grugq, Sven Schreiber, Joanna Rutkowska, Richard Bejtlich, etc.). While the author admits that many of the book's ideas can be unearthed by skulking about obscure regions of the internet, the real service that this book provides is to consolidate all of this disparate information together into one place, offering working implementations of each concept, and doing so in a remarkably lucid manner.

Yet, is this a responsible thing to do? Is it wise to show aspiring Black Hats how to manipulate forensic evidence so that they can implicate innocent people? Will publicizing the finer points of system modification make life easier for aspiring bad guys? Is he basically handing the reader a loaded gun and teaching them the nuances of a kill shot?

To a degree, Reverend Blunden sidesteps this issue as irrelevant. In the end he claims that he's just a broker of information, and that he doesn't care who uses the information or how they use it. If you ask me, this is a bit of a cop out (he sounds a little like an arms dealer). Furthermore, he accuses other authors (the ones who fall back on the traditional argument that they're bolstering security by encouraging vendors to improve their products) of churching up their books in "ethical window dressing." In the eyes of Reverend Bill, this book is what it is... without apology: another source of useful data.

If I had one complaint about the Rootkit Arsenal, it's that the author sticks primarily to software-based rootkit technology. For instance, he eschews BIOS-based tools. At one point the author states:

"In my opinion, a firmware-based rootkit is essentially a one-shot deal that should only be used in the event of a high-value target where the potential return would justify the R&D required to build it. Also, because of the instance-specific nature of this technique, I'd be hard pressed to offer a single recipe that would be useful to the majority of the reading audience. Though a firmware-related discussion may add a bit of novelty and mystique, in the greater scheme of things it makes much more sense to focus on methods which are transferable from one motherboard to the next."

Last but not least, the author's tendency towards the political arena, which defined a couple of his previous books, rears its head again in The Rootkit Arsenal's final chapter. Here, the good Reverend suggests that if it's possible to control a sprawling operating system like Windows with a relatively small rootkit binary, then perhaps the metaphor carries over into the body politic of the United States. Could a small segment of the population be quietly influencing the trajectory that society takes? Dave Emory and Noam Chomsky look out!

Readers interested in getting a closer look at the book's organization and table of contents can visit the author's web site.

You can purchase The Rootkit Arsenal from amazon.com. Slashdot welcomes readers' book reviews -- to see your own review here, read the book review guidelines, then visit the submission page.


Ironic (5, Funny)

sycodon (149926) | more than 5 years ago | (#27588547)

This story on how to create malware comes immediately following a story on Slashdot about the increase in Malware.

Re:Ironic (2, Funny)

Evelas (1531407) | more than 5 years ago | (#27588567)

How else will we keep the trend from the first story going?

Re:Ironic (1)

InvisibleClergy (1430277) | more than 5 years ago | (#27588863)

1. Viruses cause spam.
2. Spam destroys the environment.
3. By transitivity, viruses destroy the environment.

This book is about how to destroy the environment!

900 pages x mega sales = dead forests (1)

davidwr (791652) | more than 5 years ago | (#27588955)

This book is about how to destroy the environment!

1) Write 900 page book
2) Publicize book
3) ???
4) Destroy the environment, er, I mean, PROFIT!

Too bad curling up with a Kindle isn't my idea of fun.

Re:900 pages x mega sales = dead forests (0)

Anonymous Coward | more than 5 years ago | (#27591281)

Hey treehugger,

Have you ever seen a tree farm, or do you understand how they work?

Do you understand how much energy it takes to 'recycle'?

I love my planet too, but until I stop seeing black soot from every other semi on the road, that's exactly where my concern will begin and end.

thanks
-AC

Re:Ironic (0, Offtopic)

Pharago (1197161) | more than 5 years ago | (#27589035)

i lol'd a lot

Several Related Disciplines? (0, Troll)

sexconker (1179573) | more than 5 years ago | (#27588623)

As the author puts it, rootkits lie "at the intersection of several related disciplines: computer security, forensics, reverse-engineering, system internals, and device drivers."

Subdivide all you want - computer science is a single discipline.

Re:Several Related Disciplines? (1)

sqlrob (173498) | more than 5 years ago | (#27593377)

Subdivide all you want, the only discipline in the world is Quantum Mechanics.

Is this a responsible thing to do? (4, Insightful)

flaming error (1041742) | more than 5 years ago | (#27588643)

> is this a responsible thing to do?
Of course it is. How can we implement security if we don't understand the ways we can be attacked?

Re:Is this a responsible thing to do? (4, Funny)

Anonymous Coward | more than 5 years ago | (#27588735)

Just buy Windows Vista. It is the most secure OS ever!

Re:Is this a responsible thing to do? (5, Funny)

gmuslera (3436) | more than 5 years ago | (#27589023)

> is this a responsible thing to do?
>> Of course it is. How can we implement security if we don't understand the ways we can be attacked?
>>>Just buy Windows Vista. It is the most secure OS ever!

The order of the lines of the thread seems to be badly mixed up.

Re:Is this a responsible thing to do? (1)

yukonbob (410399) | more than 5 years ago | (#27593537)

There is the theory of the mobius; A twist in the fabric of space, where time becomes a loop...

time becomes a loop...

time becomes a loop...

Re:Is this a responsible thing to do? (0)

Anonymous Coward | more than 5 years ago | (#27594245)

I know a guy who tried to write a book on viruses (in the 80s). The publisher was told by the defense department that the book could not be written, as it was too powerful a weapon for enemies.

Re:Is this a responsible thing to do? (0)

Anonymous Coward | more than 5 years ago | (#27594703)

That's the joke of the year, my good sir.

Re:Is this a responsible thing to do? (0)

Anonymous Coward | more than 5 years ago | (#27624981)

Just buy Windows Vista. It is the most secure OS ever!

Are you steve ballmer? Come on show up...

Re:Is this a responsible thing to do? (2, Insightful)

Anonymous Coward | more than 5 years ago | (#27588813)

Also this information *IS* already out there. All it does is remove a bit of leg work needed. If you are savvy enough to make a root kit digging for it would not exactly be out of reach...

Re:Is this a responsible thing to do? (1)

drinkypoo (153816) | more than 5 years ago | (#27588967)

Another argument: This proves conclusively that the information is out there in the wild, and that any manufacturer who doesn't do the known things needed to defeat these types of attacks and yet claims to be doing everything they can to improve security is acting in bad faith. I'm not sure that gains you anything but the moral high ground or the smug satisfaction of running something else, if you do... Because it's hard to sell people the facts.

Re:Is this a responsible thing to do? (0)

Anonymous Coward | more than 5 years ago | (#27589501)

Humankind cannot stand very much reality.
    - T. S. Eliot

Re:Is this a responsible thing to do? (2, Interesting)

fm6 (162816) | more than 5 years ago | (#27589681)

Besides, not publicizing this information amounts to security through obscurity [wikipedia.org]. Nowadays, all security experts with any credibility consider obscurity to be the opposite of security, at least with respect to computer systems. If a vulnerability exists, some malware author will find it, no matter how many nooks and crannies need to be poked into. Even if there are a million nooks and crannies, it's easy to automate the search!

I gotta wonder at the reliability of an author who insists on using his affiliation with a quasi-satirical religion [subgenius.com] as if it were a professional qualification!

I also find it very scary that I have to read 900 pages to become properly acquainted with just one particular kind of malware! Hmm, maybe you do need to be a Dobbshead to deal with that.

Re: a quasi-satirical religion (0)

Anonymous Coward | more than 5 years ago | (#27589915)

"a quasi-satirical religion"

I've yet to see a religion that isn't quasi-satirical, at the very least.

Apparently from your judgmental comment, you believe in an Imaginary Friend that is always serious then?

Boring.

Re:Is this a responsible thing to do? (1)

ClosedSource (238333) | more than 5 years ago | (#27592571)

"Nowadays, all security experts with any credibility consider obscurity to be the opposite of security, at least with respect to computer systems."

The problem is that some security experts tangle up STO with their philosophy on F/OSS and their dislike for anything MS. So they aren't looking at it solely from a security POV.

"If a vulnerability exists, some malware author will find it, no matter how many nooks and crannies need to be poked into. Even if there are million nooks and crannies, it's easy to automate the search!"

Funny how the creators of software can't automatically search for all possible vulnerabilities but malware authors magically can even if they don't have the source code. Of course if they have the source code it becomes an order of magnitude easier to do.

Re:Is this a responsible thing to do? (1)

fm6 (162816) | more than 5 years ago | (#27593307)

The problem is that some security experts tangle up STO with their philosophy on F/OSS and their dislike for anything MS.

Like who? Yes, there are a lot of idiots out there who think that proprietary software is evil, and that MS is Satan. But I don't know any credible security experts who talk that way, just the usual religious nuts.

Funny how the creators of software can't automatically search for all possible vulnerabilities but malware authors magically can even if they don't have the source code.

Here's the difference: people probing for security holes aren't on deadline. And there are a lot of them. Think thousands. I mean jeez, nowadays every Mumbai slumdweller with an old laptop is a potential script kiddie. I've worked for software organizations of all different sizes, and not even the big guys can compete with that kind of resource.

Also, it's a given that people suck at finding mistakes in their own code. Code review helps, but a code review by one person is nothing like the kind of poking and prodding you get when you open the source tree.

Re:Is this a responsible thing to do? (1)

ClosedSource (238333) | more than 5 years ago | (#27594467)

These people looking for security holes aren't coordinating their efforts, so the number of them (which we can only speculate on) can be misleading when comparing them to a team who is attempting to deliver a secure application.

It's only because of the Agile fad that people started believing that the developer was the only one who should be testing the code. We've known better than that for decades and those who are serious about bugs (security or otherwise) always perform independent review and testing.

Re:Is this a responsible thing to do? (1)

leuk_he (194174) | more than 5 years ago | (#27590037)

Well, a book of 900 pages is a formidable weapon. You can beat someone to death with it... Is it hardcover?

not pleased with this review (1, Insightful)

SethJohnson (112166) | more than 5 years ago | (#27588703)

I really would prefer that Slashdot not help promote a book that is intended to help educate would-be malware coders. While I realize the information would still be out there without this review, Slashdot is undoubtedly contributing sales to the author by raising the profile of this book.

Seth

Re:not pleased with this review (5, Insightful)

sumdumass (711423) | more than 5 years ago | (#27589061)

I understand that in today's society there are enough people who have ignored their responsibilities and obligations as well as the laws of the land and common decency towards others that you immediately think to the worst that can happen.

However, the premise of innocent until proven guilty has a deeper meaning towards society in that they will obey the laws of the society and that when faced with the question, they will act responsibly, ethically, and legally. In other words, it's not just a principle that allows criminals to get out of trouble. It's a deeper ideal that speaks to society and how we want to be in general. It's a reflection of values provided by society that people will not act on their own in an unlawful way if they know of the law and have legal options. Based on that simple principle, we need the freedom to educate people who will act in favor of us and in ways detrimental to those who would harm us. If I say "this is how people get killed", it could be enough for someone to know how to kill someone. However, at the same time, it is enough so that others can make changes that stop people from getting killed in that way.

This book, even though it has the potential of training/educating future malware coders, also has the same if not more potential to train the people who will make the malware ineffective and/or obsolete. Most of the people who would read it would likely have the potential of doing good rather than bad even if the bad they did was because they thought they were doing good.

When looking at the good in people, or the potential for good, I see nothing wrong with this book nor do I see anything wrong with a review on it. I would hope you can consider this optimistic outlook and wait until you are proven wrong on the concept before taking the negative attitude toward it. Sometimes it's hard to do, especially when we are bombarded by negative news about the failings of people all the time, but I know that they are a minority of society because we simply wouldn't have enough time to hear about the negatives of everyone if that was the case.

Re:not pleased with this review (2, Insightful)

shadowofwind (1209890) | more than 5 years ago | (#27589531)

I think your explanation of "presumption of innocence" is very good, even inspiring. And the reviewer seems to be on the same page with it.

If the reviewer's characterization of the book is accurate however, the book's author does not share this enlightened value. He's not saying "this is how people get killed, and I implicitly presume that you'll use this information innocently". He's saying "this is how people get killed, and whether you use it to protect or murder people is fine with me." That is an overtly amoral stance, and it is reasonable for people to criticize it. The value of the book may far outweigh this defect, but that's a judgment call.

I don't think the parent post deserved to be modded a troll.

Re:not pleased with this review (1)

sumdumass (711423) | more than 5 years ago | (#27598403)

I see your point. It took me a few reads to see that it wasn't just the reviewer's opinion over the potential of it being used by bad intentioned people, but the author's agnostic approach to the situation too.

However, the part about innocent until proven guilty was more or less intended at the readers of the books and not so much to the author who is pretending to be "just a broker of information". I'm not even sure the author should have to make a comment about how the information is used. Remember, we expect people to follow the laws and ethics of society so of course they wouldn't be using it for illegal means.

Whoever reads the book will have to know that if the information is out there in plain sight, people are working to negate the possible problems someone can create using those methods and information. But even with the author sidestepping the ethics question, we still have to assume that the people reading it will not be doing illegal things with it. I think it's quite possible that tools to detect those types of root kits and so on might be made before anyone insidious comes up with malware.

One tool might be (and yes, I was talking with a guy on this just the other day who thinks it is possible), a boot CD that loads like a live Linux distro which in turn emulates all the hardware present on the board and loads the operating system in a transparent VM giving it the impression that it is running on the actual computer itself. From here, you can monitor the memory and processor interactions outside of any root kit's abilities as well as dump live registry and file system data to be compared with off line reports to find hidden programs by comparing the two and looking for the differences. Many root kit detection techniques do this already but within Windows or Linux so there is a chance that it can be affected by the same root kits, but one running above or below the OS without any dependence on it stands a greater chance of not being able to hide. I'm not capable of programming anything like that myself so if anyone else wants to play- go for it. And if I'm completely wrong on those assumptions, tell me too. And if it is already being done and I'm not aware of it, point me in that direction please.

Anyways, I think the benefit of doubt is at least warranted for the people who will be reading it. I don't shrug in fear of every chemistry student who has the potential knowledge to create a bomb. I don't look at them as if they are creating synthetic or illegal drugs because they have the knowledge to figure it out if they wanted to. I don't question the neighbor who purchased a new gun, or the guy across town who bought his old one. I don't suspect the reviewer of this book as creating a root kit with the intentions of releasing it onto the world. I expect that I am safe or safe enough because none of their actions have showed me that they are using their knowledge or guns or this book for illegal purposes even though the potential is there. For all I know, they are law abiding citizens as society expects them to be. They are innocent until proven guilty.
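The cross-view comparison sketched in the post above (dump what the running OS reports, dump the same objects from outside that OS, diff the two), as an added example that is not code from this thread, the book, or any detection product. It implements only the comparison step, not the boot-CD/VM acquisition; it assumes both views have already been collected as tab-separated listings, and the sample listings are constructed.

```python
# Cross-view diff for hidden-object detection. Added example, not code from
# the thread, the book, or any rootkit-detection product. The LIVE view is
# what the running OS enumerates (a kernel rootkit hooking the enumeration
# path can filter it); the OFFLINE view is taken from outside that OS, e.g.
# by a boot CD or a VM host reading the disk image. Objects present offline
# but absent live are candidates for hidden files or registry keys.
from dataclasses import dataclass
from fnmatch import fnmatch
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Entry:
    kind: str    # "file" or "regkey" in this sample; any enumerator's object type
    path: str    # normalized: backslashes to "/", lower-cased
    digest: str  # content hash as reported by that view, "-" if not available


# Objects that legitimately differ between a running system and a snapshot.
# They are skipped for the "phantom" and "altered" checks; an object hidden
# inside one of them is still reported, since that is where malware likes to sit.
VOLATILE = ("*/pagefile.sys", "*/hiberfil.sys", "*/temp/*", "*/prefetch/*")


def normalize(path: str) -> str:
    return path.replace("\\", "/").lower()


def is_volatile(path: str) -> bool:
    return any(fnmatch(path, pat) for pat in VOLATILE)


def parse_listing(text: str) -> Dict[str, Entry]:
    """Parse tab-separated 'kind<TAB>path<TAB>digest' lines into {path: Entry}.
    Blank lines and lines starting with '#' are ignored."""
    entries: Dict[str, Entry] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        kind, path, digest = line.split("\t")
        key = normalize(path)
        entries[key] = Entry(kind, key, digest)
    return entries


def cross_view_diff(live: Dict[str, Entry],
                    offline: Dict[str, Entry]) -> Tuple[List[str], List[str], List[str]]:
    """Return (hidden, phantom, altered):
    hidden  - offline-only objects: the live view could not see them
    phantom - live-only, non-volatile objects: the OS reports something the disk lacks
    altered - present in both with different digests: on-disk content differs
              from what the running OS serves up."""
    hidden = sorted(p for p in offline if p not in live)
    phantom = sorted(p for p in live if p not in offline and not is_volatile(p))
    altered = sorted(p for p in offline
                     if p in live and not is_volatile(p)
                     and offline[p].digest != live[p].digest)
    return hidden, phantom, altered


# Constructed sample views (not captured from a real machine). Lines are
# tab-separated; comments are on their own lines so the parser stays simple.
LIVE_VIEW = """# kind\tpath\tdigest -- enumerated from inside the running OS
file\tC:\\Windows\\System32\\drivers\\tcpip.sys\t1a2b
file\tC:\\Windows\\System32\\drivers\\ndis.sys\t3c4d
file\tC:\\Windows\\System32\\ntoskrnl.exe\t5e6f
file\tC:\\Windows\\Temp\\setup.log\t7a7a
file\tC:\\pagefile.sys\t-
regkey\tHKLM\\SYSTEM\\CurrentControlSet\\Services\\Tcpip\t9f9f
"""

OFFLINE_VIEW = """# kind\tpath\tdigest -- read from the disk image outside the OS
file\tC:\\Windows\\System32\\drivers\\tcpip.sys\t1a2b
file\tC:\\Windows\\System32\\drivers\\ndis.sys\t3c4d
# kernel image on disk hashes differently from what the live view reports
file\tC:\\Windows\\System32\\ntoskrnl.exe\tdead
# a driver and a service key the running OS never listed
file\tC:\\Windows\\System32\\drivers\\hidden.sys\tbeef
regkey\tHKLM\\SYSTEM\\CurrentControlSet\\Services\\hidden\tcafe
file\tC:\\pagefile.sys\t-
regkey\tHKLM\\SYSTEM\\CurrentControlSet\\Services\\Tcpip\t9f9f
"""


def run_sample() -> Tuple[List[str], List[str], List[str]]:
    return cross_view_diff(parse_listing(LIVE_VIEW), parse_listing(OFFLINE_VIEW))


if __name__ == "__main__":
    for label, paths in zip(("hidden", "phantom", "altered"), run_sample()):
        print(f"{label}: {paths if paths else 'none'}")
```

A difference is only a lead: the offline view itself must come from a path the suspect OS never touched, or the same filtering shows up on both sides and the diff is empty.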

Re:not pleased with this review (0)

Anonymous Coward | more than 5 years ago | (#27593117)

You're making it too complex. Innocent until proven guilty is the only moral and just solution precisely because to implement the opposite (guilty before proven innocent) requires an initiation of coercion (meaning force) against others. The initiation of coercion is, of course, immoral and unjust by human nature (i.e. self-evident).

Re:not pleased with this review (0)

Anonymous Coward | more than 5 years ago | (#27602679)

Well, what I was attempting to get at was because of the way our society has built our presumption of being within the law until proven to be operating or working against the law, then it's reasonable to assume that whoever takes the information, however dangerous it may be, will use it within the bounds of the law.

It's the premise that allows the innocent until proven guilty which is inherent to our society. Therefore, we can reasonably assume that good not evil will come from the actions of presenting the information in the books. I would personally love to see someone figure a way to detect and end all threat possibilities presented in the books which exposure on this level may just bring solutions from otherwise unlikely sources.

I know I took the long way around to it, I just felt it needed to be stressed that just because someone could do something illegal doesn't mean they will, nor does it mean that if someone does take it to the illegal side of things, then everyone else will follow. It really is the premise of having to prove guilt instead of defending your innocence. And it should be applied here too.

Re:not pleased with this review (5, Interesting)

GNUbuntu (1528599) | more than 5 years ago | (#27589629)

I really would prefer that Slashdot not help promote a book that is intended to help educate would-be malware coders.

So then they should never post any reviews of any books on the topic of security? Pretty much any book that is going to teach you anything of worth in the area of security is going to have information to help those who want to write malicious code.

While I realize the information would still be out there without this review, Slashdot is undoubtedly contributing sales to the author by raising the profile of this book.

So we should just put our fingers in our ears and shut our eyes and pretend it doesn't exist? Yeah that's going to do all of jack and shit.

this book isn't about security (1)

SethJohnson (112166) | more than 5 years ago | (#27590127)

From the book review above: "It's really about the rootkit that the reader will construct, such that the focus is on the nature of the tactics rather than a proof-of-concept rootkit."

This isn't about security. It's not written from the perspective of, "Attackers will use these techniques, you need to defend in this manner." This is a "Here is how you do some lame shit" guide. I'm not advocating security through obscurity. I'm saying, the guy who wrote this book is trying to make money by equipping retards with information to fuck up people's computers. I would have hoped Slashdot would promote books intended to help protect people's computers.

Seth

Re:this book isn't about security (3, Informative)

GNUbuntu (1528599) | more than 5 years ago | (#27590231)

From the book review above: "It's really about the rootkit that the reader will construct, such that the focus is on the nature of the tactics rather than a proof-of-concept rootkit."

Which is just the reviewer's characterization of the author, not a direct quote.

This isn't about security.

Yes it is.

It's not written from the perspective of, "Attackers will use these techniques, you need to defend in this manner." This is a "Here is how you do some lame shit" guide.

Says a person who hasn't actually read the book but is relying on another person's characterization.

I'm not advocating security through obscurity.

Actually you are. By saying that we should hide this information away from people because someone could do bad stuff with it is very much security through obscurity.

I'm saying, the guy who wrote this book is trying to make money by equipping retards with information to fuck up people's computers.

So you can read the author's mind to know that was his motivation to write this book? That's pretty astounding.

I would have hoped Slashdot would promote books intended to help protect people's computers.

But a book that would help people protect themselves and how to fight against rootkits would contain just the same information this book does otherwise it would be worthless.

Re:this book isn't about security (1)

SethJohnson (112166) | more than 5 years ago | (#27591697)

Which is just the reviewer's characterization of the author, not a direct quote.

From the Amazon.com 'editorial review': [amazon.com]

The spectrum of topics covered includes how to:

* Hook kernel structures on multi-processor systems
* Use a kernel debugger to reverse engineer operating system internals
* Inject call gates to create a back door into Ring-0
* Use detour patches to sidestep group policy
* Modify privilege levels on Windows Vista by altering kernel objects
* Utilize bootkit technology
* Defeat both live incident response and post-mortem forensic analysis [emphasis mine]
* Implement code armoring to protect your deliverables
* Establish covert network channels using the WSK and NDIS 6.0

Those 'editorial reviews' are generally furnished to Amazon by the publisher. Here, the publisher has chosen to (in your words) characterize this book as a 'how to guide' for all the above methods of circumventing weak security. Given the opportunity to describe the book however they may, the publisher did not say, "Here's a book that will help strengthen your security policies."

I'm not saying this book shouldn't exist. I'm saying the guy who wrote it comes off as a scumbag and Slashdot is helping promote his scumbag product. While full disclosure is a great rationale for pressuring corporations into bugfixing, it also becomes a license to harm innocent people. The author of this book seeks to fatten his wallet by propagating information to people interested in causing problems. That's why I think it's sleazy for Slashdot to promote sales of this book.

Seth

Re:this book isn't about security (1)

Nazlfrag (1035012) | more than 5 years ago | (#27594875)

If it wasn't for 'scumbags' like this we'd still be rootkitted by Sony and be oblivious to the fact. It's not the black hats writing security books that troubles me, it's the level of abuse by powerful multinationals immune to prosecution which would be impossible to expose without knowledge such as this.

Your point that this is irresponsible is ludicrous; those who seek this information for nefarious purposes can easily find it on the internet. The only ones this will help, and who will bother to fork out for this publication, are professional researchers and academia, perhaps curious amateurs, but it's certainly not needed and probably already considered outdated by the digital underground.

Re:this book isn't about security (0)

Anonymous Coward | more than 5 years ago | (#27597139)

I am a security engineer and I may buy this book to help in my deeper understanding of malware. I may also use it as a reference when I need to write reports.

Re:not pleased with this review (1)

muridae (966931) | more than 5 years ago | (#27590319)

So we should just put our fingers in our ears and shut our eyes and pretend it doesn't exist? Yeah that's going to do all of jack and shit.

But that is what everyone outside the tech world does when we talk about a problem. Why shouldn't it work for us too?

Re:not pleased with this review (1)

GNUbuntu (1528599) | more than 5 years ago | (#27591421)

Why shouldn't it work for us too?

Because the last 15 years of Windows viruses/worms have shown that this view doesn't work?

Re:not pleased with this review (0)

Anonymous Coward | more than 5 years ago | (#27591759)

*whoosh*

Or wait...maybe your reply was whooshing over me! It's a whoosh of a whoosh... is that a meta-whoosh? a sub-whoosh? the second derivative of whoosh(comment) with respect to infinitesimal changes to 'comment'?

Hmm. I may have just whooshed myself. Dammit.

Re:not pleased with this review (3, Insightful)

Hatta (162192) | more than 5 years ago | (#27590239)

Hey, fuck you. This shit is fascinating, but I don't care to go trawling through the dark underbelly of the internet to get to it. People who actually plan to write rootkits can already get this information. Curious onlookers can't get it easily, until now.

I've never synthesized a drug in my life, and don't plan to. But PiHKAL [erowid.org] is still one of my favorite books. What's so bad about that?

Re:not pleased with this review (1)

Dragonslicer (991472) | more than 5 years ago | (#27592843)

Slashdot is undoubtedly contributing sales to the author by raising the profile of this book.

Considering how many people around here read past the summary of anything posted, "undoubtedly" isn't the word I would use.

Re:not pleased with this review (0)

Anonymous Coward | more than 5 years ago | (#27628485)

The author addresses this subject on his home page. The heading is "Rootkit Arsenal: Approach versus Intent."

Now perhaps we can say that we know what the author's objective is...

Strange Terms (2, Funny)

Nerdfest (867930) | more than 5 years ago | (#27588733)

Binary armour and FISTing? That second term certainly clarifies the need for the first.

Re:Strange Terms (3, Funny)

dcollins117 (1267462) | more than 5 years ago | (#27588805)

IMHO digital armor would be a preferable defense to FISTing. Your mileage may vary.

Re:Strange Terms (0)

Anonymous Coward | more than 5 years ago | (#27589107)

But not so much the "data contraception." I s'pose the need for contraception is a potential corollary to FISTing.....

Yes but... (0)

Anonymous Coward | more than 5 years ago | (#27588831)

What accounts for CmdrTaco's girth?

Too many tacos?

Rootkits (0)

Anonymous Coward | more than 5 years ago | (#27588883)

Rootkits?? I just use miracle grow.

Windows needs a root-kit-cleaner CD (2, Interesting)

davidwr (791652) | more than 5 years ago | (#27588921)

Let me rephrase that:
Computers should ship with an "alternative" boot environment that cannot be permanently changed, only toggled to and from the main boot environment.

The job of the alternative boot environment is to allow cleanup tools to delete threats.

An example of how this could be done in Vista:
Boot the computer using a back-up, read-only firmware to a Vista CD that had a stripped-down network stack or stripped-down USB drivers. Having stripped-down software removes some points of vulnerability. From the clean BIOS+Vista boot, load and authenticate security modules. These can be loaded from a web site or external media. The authentication is key: if it's not authenticated, it's rejected. The authenticated security modules would then clean up the system as best they could, and would run a heuristic analysis on the non-booted environment to look for remaining suspicious behavior, such as the loading of unsigned device drivers or a BIOS that contains non-authenticated patches.

Why Vista? It's not the best technical solution but in a year or two it will be the most familiar bootable CD out there.

As a side bonus, a similar "clean boot environment" can be used for web-access kiosks. However, these would need a richer network stack, a web browser and plugins, and would need to be re-created almost daily to keep up with security threats. An immutable BIOS with a CD that loads, authenticates, and runs a "boot image" over the network, with a daily reboot to grab the freshest image, might be the way to go here.

Re:Windows needs a root-kit-cleaner CD (0)

Anonymous Coward | more than 5 years ago | (#27589223)

Windows has a "root-kit-cleaner" CD. It's called the Ubuntu install disc.

As for the rest of your comments, someone once told IBM: "If you build the TPM, they will come."

Guess what? No one uses it.

Re:Windows needs a root-kit-cleaner CD (1)

RiotingPacifist (1228016) | more than 5 years ago | (#27589397)

Ubuntu is pretty lame as live CDs go; Slax is the route you want to go down for a live CD. Knoppix was the best, but I don't think they've released any CDs in a while.

what happened to Knoppix.... (1)

SethJohnson (112166) | more than 5 years ago | (#27591411)

Not sure, but for some reason the Knoppix stuff couldn't deal with SATA chipsets. That might be why they haven't released anything in a while. But that INSERT disc used to be my fave, too.

Seth

Re:Windows needs a root-kit-cleaner CD (1)

rfolkker (443051) | more than 5 years ago | (#27596741)

People seem to be quick to forget Linux was really the first to get rootkitted. Rootkits are fairly new (in the way of software intercession) to the Windows platform, and most AV software wasn't ready for it. However, AV for Linux (or at least the flavors I am aware of) was primarily RK detection software.

So, Linux as a root-kit-cleaner is about as accurate as hiding this book in the sand. Ignorance does not make you safer, just happier when you don't notice it happening to you.

Re:Windows needs a root-kit-cleaner CD (1)

TheRealMindChild (743925) | more than 5 years ago | (#27589691)

Thing is, once you are compromised, you shouldn't trust that machine again. You detected and removed something, so you know you were vulnerable. How many are there you DIDN'T detect?

Format, reinstall.

Detection and removal (0)

Anonymous Coward | more than 5 years ago | (#27590261)

If the BIOS is immutable or at least guaranteed-clean-replaceable, "I detected and removed the hard drive" and replacing the infected component gives you a usable machine.

Re:Windows needs a root-kit-cleaner CD (1)

lord_sarpedon (917201) | more than 5 years ago | (#27590571)

No. Boot from read-only media, flash the BIOS, format, reinstall.

Re:Windows needs a root-kit-cleaner CD (1)

Yaur (1069446) | more than 5 years ago | (#27590727)

If the BIOS is already compromised, how can you trust anything that happens after it boots?

Re:Windows needs a root-kit-cleaner CD (0)

Anonymous Coward | more than 5 years ago | (#27595017)

Replace the motherboard, reinstall from read-only media perhaps.

Re:Windows needs a root-kit-cleaner CD (1)

lord_sarpedon (917201) | more than 5 years ago | (#27608269)

You can't. But then again, you can't really trust the pre-flashed chip as it came from the scary third world country either.

If you're feeling frisky, you can reflash in the hope that you've exceeded the sophistication of anything in the wild.

Re:Windows needs a root-kit-cleaner CD (1)

EponymousCustard (1442693) | more than 5 years ago | (#27589791)

Also try the BackTrack live CD, or DEFT or Helix for forensics.

time (5, Insightful)

Lord Ender (156273) | more than 5 years ago | (#27589013)

Forensics is such an incredibly time-consuming process, most businesses have no time for it. Reimage the machine and get back to work. It's a shame.

Re:time (0)

Anonymous Coward | more than 5 years ago | (#27589393)

Ever hear of Root Cause Analysis?

Re:time (1)

geekymachoman (1261484) | more than 5 years ago | (#27589441)

Those "businesses" tend to be exploited again after reimage, which is logical, because the bug wasn't fixed.

I've seen it happen a lot of times, and in the end... they are forced to do some action besides 'reimaging'.

Re:time (1)

geekymachoman (1261484) | more than 5 years ago | (#27589467)

Also, "businesses" don't need to have time for fixing the issue.

Businesses hire people to do that for them, and if the people who were hired don't do the job, then businesses sack them and hire someone else.

Re:time (3, Insightful)

Lord Ender (156273) | more than 5 years ago | (#27589781)

Security engineer: "Our network logs show there is some sort of rootkit or bot on labAD01, boss."

Boss geekymachoman: "Find out how it got on there and what it did."

Security engineer: "OK, should take about three days to do a full forensic analysis."

Boss geekymachoman: "What? We can't delay all the other projects by three days! I hired you to do a job! Do it instantly or I will sack you! And I want a pony."

Yeah... it sure would be great working with you, buddy!

Re:time (1)

geekymachoman (1261484) | more than 5 years ago | (#27590725)

1. Three days? From where did you get that info? Bullshit.

2. If you can't 'clean' the server in an acceptable time period, you then find out (which can be done in at most a few hours) what the rootkit/exploit does, and block it (or block everything except the business stuff, with either a firewall or various ACL systems). And/or move the production stuff to a different server from the one affected, and tighten its security to the max.
In the meantime you diagnose the real problem on that already cracked server.

The point is to block the rootkit and the attacker of having control over your server.

Businesses have failover/backup systems, or at least they should have; if they don't, they are not a business. It's like a hospital having only one doctor.

After you 'contain' the problem, it isn't much of a problem anymore.

Of course, I'm talking about Linux, and from my experience. Maybe you need 3 days and maybe you use reimaging as a solution (and if you do, I bet you use Windows), but it's utterly stupid to say that reimaging is the only practical solution.

Re:time (1)

Lord Ender (156273) | more than 5 years ago | (#27591273)

It seems you do not know what "forensics" means. Hint: it's the only way you can be sure what the rootkit did to your system. Look it up. I think you would do best to leave security to the security professionals, machoman. There's nothing wrong with that. It's actually good to be able to recognize your own limitations.

Re:time (1)

geekymachoman (1261484) | more than 5 years ago | (#27591617)

When you find out what the exploit/rootkit/whatever does, then you know what it "did to you".

If you need days to do that, and you don't have any backup systems to move prod stuff to, then it would be good for you too to start recognizing your limitations, and start looking for a new job.

I'm of course talking about server platforms, not some stupid workstations running Windows XP SP1, which are falling apart from malware infestation.

Also, reimaging is OK, as long as you have protected your system so the next time the exploit fails. Read my first reply, I was talking about this. Not about some made-up concepts of you l33t rpm admins.

Re:time (3, Insightful)

Lord Ender (156273) | more than 5 years ago | (#27598255)

It is horribly obvious you have never even attempted a forensic analysis of an infected machine. Stop embarrassing yourself. Reimaging is NOT a forensic analysis. Reimaging does not take three days. Analysis takes three days AT MINIMUM for something like a rootkit.

I am a security engineer in a large, international software company with multiple datacenters. You are a punk kid talking out his rear. You're not fooling anyone.

Re:time (1)

illtud (115152) | more than 5 years ago | (#27631473)

I agree 100% with what you said, I just wanted to say

You are a punk kid talking out his rear

was funny coming from Lord Ender.

OK, well it was when I started typing this...

Re:time (1, Insightful)

Anonymous Coward | more than 5 years ago | (#27592727)

Point number 2: REALLY? I get moving production onto another server if you have clean backups. But saying you're going to clean up a hacked system is unprofessional madness for anything but the lowest common denominator of virus--and even then, you're basically flipping a coin and hoping that it wasn't just used as a vector for something bigger and nastier--hiding in the obvious. You ever heard of t0rn--a rootkit that had another rootkit hidden in it... not that anyone knew for a few years.

Many of the hacks I've seen studied and reversed have taken people a minimum of 30-40 hours to reverse, and often up into the hundreds. There are contests devoted to it. Unless you're talking drive-by downloads, you're way off the mark.

So, you'll block what the rootkit does, and allow the core of the business...? You mean like you should have in the firewall to start with? What if it communicates through outbound ICMP, DNS, or even on port 80/443? I've seen all but ICMP in the wild, and I've got the software to tunnel through ICMP on my drives... And that's not getting into the *really* stealthy stuff.

How do you block out a threat you haven't even identified yet, where the attacker had absolute access to the hardware, may have broken out of the VM, or blue-pilled the operating system? You don't actually think your antivirus will catch every rootkit out there, do you? You're going to have to shut it off anyway to scan; there are already ones that will hijack the system calls the A/V makes.

And I bet whatever A/V you run will recognize the exploit too... What're you going to do, send the entire disk to Symantec and tell them it got hacked somehow? There's documented cases of rootkits in freaking printers--these people have experience hiding their code.

Don't tell me you're going to clean that problem up in three days. You're going to get rid of everything you know about and find on it in three days, and pray that your boss never finds out.

Re:time (0)

Anonymous Coward | more than 5 years ago | (#27674731)

"And I want a pony"

A pony is rhyming slang for defecating

pony and trap - crap

Malware in the wild (1)

hesaigo999ca (786966) | more than 5 years ago | (#27589379)

I would really like to hear from someone who has experience in that domain comment on or review these books. We always have these nobodies that we can't really do a search on, but if you had someone that worked at the NSA and said "yep, this is a great book about cryptology", or someone at the FBI saying "yep, this book is the one that is effective in helping someone create the perfect background search", etc.

For once, just....for once. :(

Re:Malware in the wild (1)

WhiteHorse-The Origi (1147665) | more than 5 years ago | (#27594199)

Well I would but I can't afford the book because my job was outsourced to India.

I don't want to see strange images on the fp (0, Offtopic)

gumpish (682245) | more than 5 years ago | (#27589465)

Please stick to standard topic images.

(Yes, I will be blocking these images if possible... sure would be nice if it were an option though.)

millions of massing minions are forming... (4, Funny)

archangel9 (1499897) | more than 5 years ago | (#27589643)

Rootkit: The New Scientology. Our Kool-Aid isn't just tasty, it's ubicwi, ubitiquis, ubitquit... it's everywhere.

Rootkit? (1)

Drone69 (1517261) | more than 5 years ago | (#27592023)

I trust there are chapters dedicated to Sony & EMI, purveyors of fine stealthy rootkits.

Scary (2, Interesting)

jweller13 (1148823) | more than 5 years ago | (#27592503)

I just returned from a week-long Information Security convention for my government agency. It was eye-opening how vulnerable supposedly "secure" systems are, especially after the Gartner and NIST speakers finished their presentations. It seems that locking up your computer in a lead-lined box and burying it in a hole 12 feet deep is about what you need to do, lol. They also talked about RFID and how very vulnerable, for example, the new passports -- which have much of your private info on them -- with the encrypted RFID chips in them are. Also how there are contests to see who can pick up RFID and wifi signals from the farthest away. I believe he said they got up to 100ft for RFIDs and 3 miles for those 300ft radius wifi routers.

Re:Scary (1)

WhiteHorse-The Origi (1147665) | more than 5 years ago | (#27594211)

It's no surprise. The people in charge are good ol' boys, not computer experts.