×

Welcome to the Slashdot Beta site -- learn more here. Use the link in the footer or click here to return to the Classic version of Slashdot.

Thank you!

Before you choose to head back to the Classic look of the site, we'd appreciate it if you share your thoughts on the Beta; your feedback is what drives our ongoing development.

Beta is different and we value you taking the time to try it out. Please take a look at the changes we've made in Beta and  learn more about it. Thanks for reading, and for making the site better!

Rootkit Creators Turn Professional

CowboyNeal posted more than 8 years ago | from the where-the-money-is dept.

117

pete richards writes "Signalling a trend towards increased 'outsourcing' of some elements of malware creation, worm authors are increasingly turning to commercially available rootkits to help their creations slip past virus detection engines. Those root kits in the mean time are becoming more professional. Antivirus vendor F-Secure reported last week that it had detected a first rootkit designed to bypass detection by most of the modern rootkit detection engines."

cancel ×
This is a preview of your comment

No Comment Title Entered

Anonymous Coward 1 minute ago

No Comment Entered

117 comments

How dare they! (5, Funny)

LiquidCoooled (634315) | more than 8 years ago | (#13843079)

Rootkits should be GPL.
At the very least they should be GNU/Rootkits.

Somebody contact the EFF or like start throwing chairs or something.

Re:How dare they! (5, Funny)

Geminus (602334) | more than 8 years ago | (#13843714)

Someone should develop the ultimate rootkit, patent it's code... and then sue the antivirus companies for IP infringement when they include it's code in their latest definition.
"All your oil belong to us."

Re:How dare they! (4, Interesting)

Captain Splendid (673276) | more than 8 years ago | (#13844065)

You know, that's actually not a bad idea. Something similar to this could (hopefully) be used to help overturn (or change) the DMCA.

Re:How dare they! (1)

netkid91 (915818) | more than 8 years ago | (#13844077)

You also seem to foget another important thing this could bring, PATENT REFORM. This whole BCGI or whatever incident has also proven that we need this, poor cingulair, don't care about Sprint though :P but seriously DCMA + Patent reform = YEAH!!!

Re:How dare they! (2, Interesting)

xappax (876447) | more than 8 years ago | (#13843980)

Actually, the free version of the Hacker Defender [czweb.org] rootkit mentioned in the article is open source. GPL, I'm not sure about, but it still surprised me. It actually makes a lot of sense, because it allows attackers to customize and recompile the rootkit, probably creating a new binary that malware-detectors are unaware of.

Fisht posht! (-1, Offtopic)

Anonymous Coward | more than 8 years ago | (#13843083)

Groovy!

fp (-1, Offtopic)

Anonymous Coward | more than 8 years ago | (#13843084)

first post!

Easy prey? (4, Insightful)

adyus (678739) | more than 8 years ago | (#13843087)

If it's a known fact that this Golden Hacker Defender rootkit is publically sold, isn't it that much easier to catch the writers? Assuming there's a law against rootkits...

Re:Easy prey? (5, Insightful)

prichardson (603676) | more than 8 years ago | (#13843156)

There probably isn't a law against rootkits, and there shouldn't be. There should be a law against using them to break into systems that you are not authorized to enter, and there is a law against that.

A law against rootkits would be very problematic. Is VNC a rootkit? If there's a bug in SSH that is exploitable to gain root access I bet it would suddenly fall under the domain of being labeled a rootkit by any law banning them, should the mainatainers of SSH be prosecuted because of that?

It really comes down to liberty though. If I want to hack my own computer I should be allowed to do so. If I want to write a virus I should be allowed to do so, but I should not be allowed to release it into the wild.

Re:Easy prey? (4, Informative)

ArsenneLupin (766289) | more than 8 years ago | (#13843292)

There probably isn't a law against rootkits, and there shouldn't be. There should be a law against using them to break into systems that you are not authorized to enter, and there is a law against that.

A rootkit isn't a tool to break into a machine; it's a tool to hide your presence once you've already broken into the machine...

Is VNC a rootkit?

No. But a tool hiding VNC from the process list might be.

Re:Easy prey? (1)

m50d (797211) | more than 8 years ago | (#13843688)

MS sells a remote administration program that will hide its presence completely if you want it to.

Re:Easy prey? (2, Informative)

mOdQuArK! (87332) | more than 8 years ago | (#13844392)

Some administration tools hide their presence so that corporate office drones won't notice the system administrator monitoring them (for "security" reasons dontcha know). Are they root kits?

Re:Easy prey? (1)

Lifewish (724999) | more than 8 years ago | (#13843412)

The examples you gave aren't actually rootkits. However, the Honeynet project could well be described that way, so substitute that for your examples.

Re:Easy prey? (-1, Troll)

Anonymous Coward | more than 8 years ago | (#13843441)

MOD PARENT DOWN. It's not talking about rootkits. Rootkits are *tools for keeping access after having broken into a computer, including hiding said access from the real computer owner*. VNC is not a rootkit. SSH bugs are not rootkits. Etc.

I can see legitimate uses - beyond research - for exploits (updates, regaining lost access, evaluating real threat leves.) The only legitimate use I can see for a rootkit is during research of how to detect rootkits. This (and liberty) may be enough for it to be relevant to keep development free, of course - yet it's significantly different from exploits.

Eivind.

Re:Easy prey? (1, Insightful)

Anonymous Coward | more than 8 years ago | (#13843462)

'A law against rootkits would be very problematic. Is VNC a rootkit? If there's a bug in SSH that is exploitable to gain root access I bet it would suddenly fall under the domain of being labeled a rootkit by any law banning them, should the mainatainers of SSH be prosecuted because of that?" - by prichardson (603676) on Friday October 21, @06:26AM

You do have a point there... PING is another example as well, & it ships with most OS.

It too, can be used to issue a "ping of death" though iirc, most OS are "proofed" against that now (again, iirc).

I would suppose it comes down to 1 thing as an analog:

"Guns don't kill people, people kill people."

APK

P.S.=> This is the 1 thing that "spooks me" somewhat - these rootkits.

Personally, I don't think the "war on virus" can be won either, but in a way, maybe this is all for the 'good of all' in that it makes the creators of our Operating Systems we use have to work to make them better vs. these things (nuts as they are in virus, worms, & yes rootkits).

On another note:

I took a GOOD read, from the BSD folks the other day, & liked what I saw about how they have created some things in their IP stack that make their OS appear to be FAR better vs. another supposedly "unstoppeable" bogus phenomenon out there:

The DDoS/DoS attack!

Take a read -> http://www.securityfocus.com/columnists/361 [securityfocus.com]

Microsoft AND the Linux camp could take a play from the OpenBSD/FreeBSD playbook on THAT account imo!

Between that, & heap/stack protection mechanisms in modern OS now being implemented/started? Things are starting to "look up" imo, but still have a ways to go...

In 2003, one of my bosses (not particularly educated or skilled in this field mind you imo) said something that has stuck by me ever since:

"We're still in the 'wild west days' & stone age of the computer/internet age - give it 10 years & watch how much gets better/stronger/faster"

& I agreed. In 15-20 years, I have seen things get SO much better/nicer in the way of computing, that I must agree... apk

Re:Easy prey? (2, Interesting)

AdamTheBastard (532937) | more than 8 years ago | (#13843555)

"If I want to write a virus I should be allowed to do so, but I should not be allowed to release it into the wild."

This poses an interesting question. If you did develop a worm with a nastey payload and release it on an entire subnet under your control (and ownership) that is firewalled off. Who would be blamed if a cracker broke in to the infected network, became infected themselves and then started infecting a public network either intentionly or not?

We see this sort of thing happen a lot on the internet. Someone develops something that could be used to do something without the permission of copyright-holders/box-owners/ISPs but it is also possible to use it with the full permission of those that it effects. Who do we go after? Aparently the answer is both but I, along with a lot of others, disagree.

Re:Easy prey? (2, Interesting)

Redwin (805980) | more than 8 years ago | (#13843723)

This problem of who is guilty also comes up with the use of honeypots, ie if someone breaks into a honeypot system and launches an attack from there who is responsible? The attacker or the person supplying the resources?

I agree with your point of view that a blanket "all are responsible" response is not the best course of action, as I've wondered how long it will be before people like the authors of security books get bundled into the category of "they supplied the knowledge to make this attack possible, therefore they are guilty as well".

OTOH it might be considered negligent to have access to a dangerous piece of software available to the public domain at all, (even if it hidden behind some form of security).

History Repeating (0)

Anonymous Coward | more than 8 years ago | (#13843090)

It's the new radar-detector-detector-detector-detector-detector -detector!

Waiting for Vista (-1, Troll)

yfkar (866011) | more than 8 years ago | (#13843093)

Let's hope that Vista has better security when it hits the mainstream, it would mean hard times for virus creators.

Or we could all just switch to Linux, BSD and OSX, which is not going to happen.

Re:Waiting for Vista (3, Informative)

Anonymous Coward | more than 8 years ago | (#13843126)

Umm..did you know that rootkits were out for *nix long before windows? The rootkits for those systems are far more sophisticated.

Re:Waiting for Vista (3, Interesting)

MichaelSmith (789609) | more than 8 years ago | (#13843263)

did you know that rootkits were out for *nix long before windows

Which is the principle difference between *nix and windows. Most of the holes in unices have been found over the years. Windows was only exposed to wide area networks in a serious way over the last ten years. The bugs are still being found.

Re:Waiting for Vista (0)

Anonymous Coward | more than 8 years ago | (#13843266)

...and Windows doesn't have "root," it has "Administrator."

Re:Waiting for Vista (-1, Troll)

Anonymous Coward | more than 8 years ago | (#13843670)

Windows doesn't have "root," it has "Administrator."

Most XP-home-editions have Leroy Dumbnigger or Sally Stinkycunt as administrators, which is part of the problem.

As always, (0)

Anonymous Coward | more than 8 years ago | (#13843267)

Microsoft is the last to innovate!

Risk to burn karma but... (5, Funny)

jamesjw (213986) | more than 8 years ago | (#13843095)

def n.: Rootkit:
When an Australian male carries a few spare condoms with him on a night out.

Ahhh.. maybe I shouldnt have bothered.. :)

-- Jim.

Re:Risk to burn karma but... (5, Funny)

ajs318 (655362) | more than 8 years ago | (#13843182)

And no doubt the Aussie definition of an optimist is an opening batsman with sunblock on his nose!

Re:Risk to burn karma but... (1)

gowen (141411) | more than 8 years ago | (#13843199)

Jeez, we win one Ashes series in twenty years, and look at us...
Remember, the reason we enjoyed beating the Aussies so much is that they're such insufferably bad winners. Rise above it, mate.

Re:Risk to burn karma but... (0)

Anonymous Coward | more than 8 years ago | (#13843313)

So what you're saying to the GP is to stop gloating your nation's victory, because it makes it more difficult for you to hold your belief that you are superior sportsmen to them? And that's somehow better?

Re:Risk to burn karma but... (1)

gowen (141411) | more than 8 years ago | (#13843605)

because it makes it more difficult for you to hold your belief that you are superior sportsmen to them
Only pricks gloat, especially about sporting victories in which they were not personally involved. I was merely suggesting the OP not be a prick.

Re:Risk to burn karma but... (4, Funny)

MichaelSmith (789609) | more than 8 years ago | (#13843255)

the Aussie definition of an optimist is an opening batsman with sunblock on his nose

In India, where they really do have sunlight, that might be true.

Re:Risk to burn karma but... (1)

G-funk (22712) | more than 8 years ago | (#13843448)

Ah, you must be from Melbourne :) Try moving to Queensland, it's nice.

Re:Risk to burn karma but... (1)

RedWizzard (192002) | more than 8 years ago | (#13843312)

And no doubt the Aussie definition of an optimist is an opening batsman with sunblock on his nose!
I saw Andrew Symonds wearing sunblock on his lips in a recent game. Would have been perfectly reasonable had they being playing anywhere other than the Telstra Dome!

Re:Risk to burn karma but... (1)

The Grassy Knoll (112931) | more than 8 years ago | (#13843460)

He uses the sunblock on the ball. Quite legally, I should add (even though I'm English).

Oh, and for any perplexed readers, the Telstra Dome has a roof.

.

Wicked (3, Insightful)

tezbobobo (879983) | more than 8 years ago | (#13843103)

So here's what you do - write a worm and wrap it around a citrix or Windows Term Serv. Then when you have thousands, you can use then with DDOSs.

Seriously though - Golden Hacker Defender. I've never heard of this. It it were seriously a commercial product, I doubt it would be a rootkit, perhaps a "Remote administration tool." I can't goole (verb) where to purchase it.

So here's the thing. I wrote a virus, and now I'm going to sell it. It's a commercial virus. Oops! Not it isn't, it's just me selling a virus.

Move along, nothing to see here.

Re:Wicked (2, Informative)

dan dan the dna man (461768) | more than 8 years ago | (#13843120)

Hmm it seems to be a new release of something called Hacker Defender. Apparently available here [czweb.org] for the curious. Interesting comment in the box about how the commercial version is not released under the GPL :p

Re:Wicked (1)

Cryptacool (98556) | more than 8 years ago | (#13843303)

The guy who writes hacker defender offers the source code for free, but offers to customize it to make it invisible to commericial anti-virus software and root kit detection software.

This is a big problem, I do application/infrastructure attack and penentration and have seen/had co-workers see this fairly often in mainly financial and defense clients. This problem definetly exists and is causing some major headaches in the info sec world.

Sell rootkits and become a billionaire! (5, Funny)

crazy_zulu (727861) | more than 8 years ago | (#13843105)

One company in Redmond has made billions from selling rootkits.

MOD PARENT UP!!! (2, Funny)

gazbo (517111) | more than 8 years ago | (#13843116)

In case you don't get it, what he's saying is that Windows is insecure!

Re:MOD PARENT UP!!! (0)

Anonymous Coward | more than 8 years ago | (#13843172)

Thanks for clearing that up. I've been legally dead for the last 20 years, and didn't get the reference.

Commercially available? Whatever.... (2, Insightful)

manarth (919856) | more than 8 years ago | (#13843113)

In other news, we learn that script kiddies don't actually write software.

What's with the "commercially available" business? From TFA:

The version of the rootkit detected by F-Secure is called Golden Hacker Defender. It is a commercial product that can be bought for around 500, according to the security firm.

So you can buy it, so what - you can buy cocaine on street corners, does that make it 'commercially available'? Or are they simply heralding Rootkit 101 as the latest product to hit the v-scene? What's next, Virus Writers Monthly?

Come on, malware's been for sale for donkeys years, someone packaging something up and calling it a product doesn't change the nature of the beast.

Re:Commercially available? Whatever.... (1, Redundant)

SimilarityEngine (892055) | more than 8 years ago | (#13843174)

In other news, we learn that script kiddies don't actually write software.

I'd have thought 450 euros (see here [czweb.org], select "Golden Hacker Defender" from combo box) was a bit beyond the price range of your average copy/paste script kiddies, but then I've never met any so I wouldn't know. Either way, it's not clear to me that the site is breaking any laws by selling this software. Any lawyers around?

What's next, Virus Writers Monthly?

How about this [rootkit.com]?

Re:Commercially available? Whatever.... (1)

geminidomino (614729) | more than 8 years ago | (#13843231)

Bah. Kiddies won't pay a dime.

One "l337 virii crew" gets a copy, and boom, it has a new home in the gnutella bitstream for all eternity.

Re:Commercially available? Whatever.... (1)

xappax (876447) | more than 8 years ago | (#13844078)

It's actually an interesting business model, because it mirrors that of other open source businesses. Yeah, maybe you can get a copy of the code itself, but what you really need is the support agreement. When an attacker buys a commercial rootkit from the Hacker Defender folks, they agree to update his or her rootkit to keep it undetectable from malware-scanners for a given amount of time.

If the attacker were to freely distribute the code they got, it would show up on Norton's radar pretty quick, and become worthless to everyone who used it. The money is not so much for the code as it is for the service of providing an attacker with a cutomized, up to date, undetectable rootkit.

Re:Commercially available? Whatever.... (0)

Anonymous Coward | more than 8 years ago | (#13843271)

you can buy cocaine on street corners, does that make it 'commercially available'?

Yes.

What's the point of this type of hacking? (2, Interesting)

ReformedExCon (897248) | more than 8 years ago | (#13843114)

What kind of pleasure can be had from doing this kind of hacking? After a while, doesn't it just become old hat?

Or is there a Matrix-esque cabal of midnight hackers out there dressed in trenchcoats and sunglasses who are busy at work undermining the government? I find that hard to believe.

I find it easy to believe that there are foreign governments very interested in this type of thing, but it is difficult to imagine ordinary citizens having both the desire and the wherewithal to perform serious attacks and avoid prosecution.

Or maybe I am just having the wool pulled over my eyes.

Re:What's the point of this type of hacking? (0)

Anonymous Coward | more than 8 years ago | (#13843138)

Forget governments, think families.
Finding out what goes on when your not there is tricky if your virus checker keeps detecting the presence of your bugs.

It's organised crime becoming more sophisticated (2, Interesting)

Anonymous Coward | more than 8 years ago | (#13843143)

If you've been watching the news the last few weeks ex-IRA members have been busted doing forgeries in North Korea, bomb-making in Iraq, and making IED's in Columbia. This is an example of the market for worldwide organised crime skills becoming huge as organisations outsource skillsets, especially nefarious skillsets. It's interesting to note the rise of these types of non-state actors on the world stage and how they are interplaying with governments and corporations. Organised crime is going to become huge and a much more realistic threat than terrorism will ever be on multiple fronts eg. economic (black markets), societal (drugs), morality (the increasing legitizmation of groups and the intertwining with big gov and big biz).

Re:What's the point of this type of hacking? (2, Insightful)

Tune (17738) | more than 8 years ago | (#13843145)

> What kind of pleasure can be had from doing this kind of hacking? After a while, doesn't it just become old hat?

True, that's what happens to all industries while professionalizing. I guess it's similar to people willing to work in arms industry, so this doesn't just concern foreign governments.

what do you think? (1)

RMH101 (636144) | more than 8 years ago | (#13843233)

it's MONEY. compromised home machines, compromised online banking, identify theft, spam bot-nets...

Re:What's the point of this type of hacking? (1)

m50d (797211) | more than 8 years ago | (#13843608)

What kind of pleasure can be had from doing this kind of hacking? After a while, doesn't it just become old hat?

There's a constant struggle to defeat the detection measures, or detect newer, stealthier rootkits. I've played around with seeing how well I can hide something on my own system, never used it in anger but there's an intellectual challenge there. Like chess or go, it's basically the same every time but I can see people constantly finding new pleasure in it.

Fact or fiction? (5, Interesting)

FishandChips (695645) | more than 8 years ago | (#13843149)

Hmnn, this article is thin on facts and figures. And like so much "news" coming from the security industry, you're never really sure how much of it is fud and puffery in order to sell new products. Still, I guess things will continue to get worse so long as much of the IT industry plays pass the parcel, a shuffling process that always ends with the hit landing up on the poor old end-user, the person who is usually least qualified to deal with it.

I guess Bruce Schneier is right when he suggests that the way to improve some aspects of security, anyway, is by placing responsibility firmly on outfits like banks and ISPs who'll get smacked mightly hard in the wallet - by law, this time - unless they raise their game. That might put some pressure on OS-makers and their pals to design products that don't also need AV checkers that are dependent on signature libraries and prey to zero-day exploits.

Love the quote from a researcher saying that the alleged sale of rookits means that "there is a criminalisation of the virus world going on." As if it hasn't been criminal till now, just good clean fun ho ho.

Re:Fact or fiction? (2, Informative)

Viol8 (599362) | more than 8 years ago | (#13843178)

"Love the quote from a researcher saying that the alleged sale of rookits means that "

I think what he meant (tho he could have phrased it much better) is that previously virus writers were just sad spotty adolescents with no social skills in their bedroom writing viruses to prove something to themselves or to impress they're equally sad and
spotty online "friends". These days a lot of it is paid for by organised crime who have specific targets and specific agendas.

designed to by-pass detection? (1)

jm91509 (161085) | more than 8 years ago | (#13843150)

Isn't that the point of a rootkit?

Re:designed to by-pass detection? (2, Informative)

m50d (797211) | more than 8 years ago | (#13843645)

The point is this one is not only designed to not be found by "normal" methods, but also to avoid detection by specialist anti-rootkit programs.

Virus writers go by their own rules. (4, Insightful)

geo_2677 (593590) | more than 8 years ago | (#13843154)

Virus writers go by their own rules. The anti virus business has a reactionary approach. Unless the anti virus engines have the updated signatures they can't stop the virus from spreading.
Doesn't this again bring up the question which was discussed a while ago. 'Why should Operating systems have a policy of default accept? Run programs only which you trust.' Not that this will solve the problem in one shot but it will make the problem more manageable. By the way things are going and the speed with which new viruses are created, i guess the day is not far when we will need huge databases to store the signatures for the viruses on each machine.

Re:Virus writers go by their own rules. (0)

Anonymous Coward | more than 8 years ago | (#13843320)

Somwhere on here are the six dumest ideas of it security:
http://it.slashdot.org/article.pl?sid=05/09/11/171 6205&tid=172&tid=218 [slashdot.org]

Now
The whole antivirus industry is one of them.

I remember a co-worker once mentioning that while at a confrence for Mcafee this question arose:
So since Anti-Virus compnaies rely so mutch on computer viri, do they employ virus writers?

To which the representative giveing the lecture said:
No We outsource that to contractors to limit liability.

me bieng a contractor makes me wonder...

Re:Virus writers go by their own rules. (1)

m50d (797211) | more than 8 years ago | (#13843626)

Doesn't this again bring up the question which was discussed a while ago. 'Why should Operating systems have a policy of default accept? Run programs only which you trust.' Not that this will solve the problem in one shot but it will make the problem more manageable.

No it won't. A default deny policy is simply not practical unless you can afford a lot of extra trouble. If I was developing on such a machine, would I have to get every revision of my code signed?

Re:Virus writers go by their own rules. (1)

slashname3 (739398) | more than 8 years ago | (#13843841)

Doesn't this again bring up the question which was discussed a while ago. 'Why should Operating systems have a policy of default accept? Run programs only which you trust.'

This is what selinux brings to the table. It allows you to specify a policy for your system that will block programs from doing things that they should not do. Of course if most windows systems operated with the least privilege rule most of the viruses out there would be unable to work as they do now. Instead of an arms race between virus writers and virus detectors (I'm still no convinced these are not one and the same) applying a few best practices to existing systems would go a long way toward solving this problem. But Microsoft refuses to do this.

As far as commercially available rootkits and this company claiming they have detetected the first one out there, how do they know it is the first one? Any really good rootkit should go undetected by definition. If they can detect it then there is a bug in the code. :)

Misuse of the term (5, Insightful)

$RANDOMLUSER (804576) | more than 8 years ago | (#13843155)

From TFA:

A rootkit is a tool that helps worm authors to slip past malware detection tools. The rootkit is 'wrapped around' the virus, and hides its payload from detection engines. After the rootkit has penetrated a system's defences, the worm can start doing its work.

Wrong. A "rootkit" is a series of hacks to the underlying operating system, which make a running process harder to detect. In other words, a rootkit will keep your process from turning up in the Windows Task Manager, or a Linux "ps".

Definition from the Jargon File [catb.org].

Re:Misuse of the term (1, Informative)

Viol8 (599362) | more than 8 years ago | (#13843169)

That definition is wrong. A rootkit is a kit that helps you get
root access on a system either by buffer overflow of a running
process/server or some other method. To prevent a process
showing up in ps all you have to do is put your own version of
the ps command in place, hardly rocket science.

Re:Misuse of the term (5, Informative)

jaseuk (217780) | more than 8 years ago | (#13843184)

Root kits will normally includ things such as modded ps and other modified binaries so that the system appears to be running fine, yet has a backdoor and any logging / system monitoring tools will not show any processes or activity.

There is more to a root kit than just a replacement ps, but of course that is a critical element.

No it's not rocket science, but in practice modding system binaries whilst on the outside keeping the system appearing to be running normally is much harder, different library / operating system / architectures to deal with and the fact that you are messing around with core system files.

Re:Misuse of the term (4, Insightful)

ArsenneLupin (766289) | more than 8 years ago | (#13843318)

There is more to a root kit than just a replacement ps, but of course that is a critical element.

Not necessarily. There are rootkits which are based on kernel modules (so that the kernel API are not reporting the process either, just in case the sysadmin brings in a statically compiled ps, or manually digs through /proc).

It's the primitive rootkits that only replace some common utilities such as ps, ls, and netstat. Many of these don't even bother to doctor md5sum or rpm, so they can be trivially detected by an rpm -qa --verify.

The good ones on the other hand do a much more thorough job, and can only be detected by booting from a known-good media (i.e. a Knoppix CD)

Re:Misuse of the term (1)

David Off (101038) | more than 8 years ago | (#13843601)

md5ing a system with the md5 program on the system under test sounds like poor practise to me.

Re:Misuse of the term (0)

Anonymous Coward | more than 8 years ago | (#13844782)

The more advanced rootkits will infect hardware, such as your BIOS and the firmware for your video card, hard drive, and cdrom making itself undetectable even if you boot from clean media on a different machine. Such a rootkit would have to be specially written for the target system so you won't see generic malware using such tactics.

Re:Misuse of the term (3, Informative)

PhilHibbs (4537) | more than 8 years ago | (#13843187)

Wikipedia [wikipedia.org] agrees with the Jargon File:
A root kit is a set of tools used by an intruder after cracking a computer system. These tools can help the attacker maintain his or her access to the system and use it for malicious purposes.

See also Sysinternals's Rootkit Revealer [sysinternals.com]:
The term rootkit is used to describe the mechanisms and techniques whereby malware, including viruses, spyware, and trojans, attempt to hide their presence from spyware blockers, antivirus, and system management utilities.

Re:Misuse of the term (2, Informative)

$RANDOMLUSER (804576) | more than 8 years ago | (#13843203)

Um, no. That's exploiting a vulnerability. As jaseuk's reply to you says, a rootkit is something that hides a process from things that examine the process table.

Re:Misuse of the term (0)

Viol8 (599362) | more than 8 years ago | (#13843237)

No , sorry , a rootkit is something that gets you root privs.
Always has been. If I get root access then I rm the ps command
does "rm" suddenly become a rootkit? No, of course not.

Re:Misuse of the term (5, Interesting)

Rich0 (548339) | more than 8 years ago | (#13843261)

I think at this point the burden of proof is on you to come up with a reference. I've personally always heard the term rootkit used in the manner used now by about three people who have replied to you, and as described on three different fairly-definitive websites referenced in this thread.

We can sit here all night posting back and forth "is not," "is too" but I don't think that we'll get any further. If you're so certain on your position please take 30 seconds and find something reasonably definitive to support your position.

Mods - before modding anything else in this thread please take the time to actually look up what a rootkit is... :)

For the record, an exploit is software designed to gain unauthorized access to a system. A rootkit is a set of tools used to maintain such access without the knowledge of the admin of the cracked system. Typically it includes modified ps, login/su/sshd, etc.

The whole idea of a rootkit is to make sure you can get back into the system a week later when the admin has patched the original vulnerability. If you rm the ps command it probably won't take long for the admin to figure out what happened.

The best way to detect a rootkit is via tripwire, run from a boot CD. There really isn't any way of defeating this method of detection, but it is very inconvenient since it requires brining the system offline for scanning. There are tools like rkhunter which search for rootkits on running systems, and in theory these can be defeated by a very clever rootkit.

Re:Misuse of the term (2)

mikiN (75494) | more than 8 years ago | (#13843425)

A very good way to detect malware (in fact any unauthorized changes to system files is to md5sum (or better) all system files (which are preferrably stored on NAS on a local network) regularly by a separate heavily fortified system and send out an alert on differences.
A framework for this (mtree, tools for package file checksumming, cron scripts etc.) has been part of the default installation on the *BSDs for ages, but I haven't seen anything like it in the default installation for any Linux distros.
Of course there may always be holes, but at least they will require an attacker always use in-memory tricks to gain and maintain access, at least until the next vulnerability gets fixed.

Re:Misuse of the term (1)

David Off (101038) | more than 8 years ago | (#13843641)

> I haven't seen anything like it in the default installation for any Linux distros.

You could just tar the rfs or a selection of critical system files, copy to tape, untar and md5sum those files on a non-networked box you keep hanging around for the purpose. For a limited number of key servers this wouldn't be too onerous.

Now md5 hacks exist but a combination of creation date, filesize and md5 would be a fairly good fingerprint - or you could just diff against known good versions for a limited set of system files. The rootkit would need to hack your tar or other command or your tape driver or something to munge the files you are writing to tape.

All this would work fine on running systems. I could knock up a shell script to do this in 5 minutes. It really doesn't sound like rocket salad to me but hey what would I know? I'm just a model.

Re:Misuse of the term (0)

Anonymous Coward | more than 8 years ago | (#13843301)

Please link to rootkit fitting your description.

Re:Misuse of the term (2, Interesting)

ajs318 (655362) | more than 8 years ago | (#13843339)

And this is why I like the idea of binaries being tied hard to the exact processor for which they were compiled, rather than every processor having the same instruction set. It makes it a stackload harder to do stuff like that, when actually enabling the build environment requires physical access to the machine. As long as there exists binary compatibility between your systen and Some Unknown Bad Guy's system, there will be rootkits.

Now that we have seen proof of checksum collisions, I do not doubt that the next big thing in malware circles will be to create modified binaries whose checksums are the same as the originals ..... if they haven't already ..... of course, using checksums is actually a pretty christian way of checking for intrusions, because you don't really know for sure that the checksum creator itself hasn't been interfered with.

Re:Misuse of the term (1)

BVis (267028) | more than 8 years ago | (#13843471)

Are you talking about processor serial numbering, or talking about the difference between an Intel vs Sparc vs AMD vs PowerPC vs whatever? You could further granularize it by using the differences in clock speed, processor ID, etc. Interesting concept. You'd have to rebuild the entire machine to upgrade the CPU(s), though, if you did things either way.

Re:Misuse of the term (1)

ajs318 (655362) | more than 8 years ago | (#13843969)

I'm talking about each and every processor having a different instruction set. There would be two modes, selectable in hardware by shorting a pin to ground or not. In "Compatibility Mode" -- aka "Dangerous Mode" -- the instruction set would be known and standardised; thus allowing you to use a standardised toolchain to compile some bootstrap code {a kernel and a minimal userland} for running in Safe Mode. In "Safe Mode", the processor would use its own "personalised" instruction set, which you would necessarily have the ability to change. It must not be possible to determine, by cross-referencing "Safe Mode" compiled code with its corresponding source code, the full personalisation schema of the target processor. Any sources you compiled in Safe Mode would only run on that processor {or an identically-personalised one}.

In a corporate environment, you might conceivably have all the machines in a department personalised the same way; so you would only have to compile your applications once per department. Any malware that gets on the loose there would be contained.

Some variant of public key encryption / digital signature would be a nice way of doing this; but I fear that once PK-on-a-chip is a reality, The Bad Guys would find a way to use it against us. The serious weak spot in this scheme derives from the need to show your personalisation details to the compiler running in Dangerous Mode -- I don't see how you can be sure that there is no way for an "evil compiler" to send a copy of your schema to some malware author. And as has already been hinted elsewhere, an "evil compiler" is frighteningly possible {the only known antidote being a simple interpreter [just complete enough to interpretatively run the compilation of the compiler source code] written in assembler by someone you trust}.

Re:Misuse of the term (1)

BVis (267028) | more than 8 years ago | (#13844628)

It's certianly a good idea, but I question how practical it would be. Most IT departments are so woefully understaffed as it is that maintaining specific builds for specific users (or departments) would quickly become a near-impossible task (not to mention the storage requirements of those images).

In a technology-centric company that is able to build all its software in-house, this would make more sense, but would be adding "another layer" to what is already a significant amount of work.

Re:Misuse of the term (1)

Cederic (9623) | more than 8 years ago | (#13843399)


Rootkits get you root.

That's pretty much it.

A given rootkit may well do more than that, and evading detection would be a great value-added extra, but making a running process harder to detect is not the core feature of a rootkit.

Even if the jargon file says it is.

Re:Misuse of the term (2, Informative)

hellraizr (694242) | more than 8 years ago | (#13843634)

well it's obvious you've never actually been hit with one other wise you would know what you were talking about. *EXPLOITS* get you root. rootkits allow you to KEEP root. The average rootkit disables forensics programs like lsof, ps, find, locate, w, who, (sometimes) syslogd. They also modify shit like rc.sysinit or inittab.

Don't let the name fool you because thats all it is is a name. Exploits and rootkits are 2 entirely different things. You can get all the exploits you want from packetstormsecurity [packetstormsecurity.nl] but I dare you to find a single rootkit there.

You don't have to take my word for it but jfyi, I worked as a security admin at a rather large dedicated hosting company and have seen just about every damn rootkit that actually works.

Re:Misuse of the term (1)

Cederic (9623) | more than 8 years ago | (#13843727)


No. When I first started using the term 'rootkit', a rootkit implemented an exploit to enable you to acquire root access.

The point of the rootkit was that it allowed a relatively inexperienced attacker to automate exploitation of vulnerabilities.

Maybe you use the term a different way; that makes neither of us inherently right. It certainly doesn't mean the article mis-used the term any more than either of us.

Re:Misuse of the term (0)

Anonymous Coward | more than 8 years ago | (#13843878)

Provide a link to a website or paper which uses the term "rootkit" that way, or zip it.

Re:Misuse of the term (2, Informative)

Redwin (805980) | more than 8 years ago | (#13843913)

have seen just about every damn rootkit that actually works

Isn't that a contradiction?*

You can get all the exploits you want from packetstormsecurity but I dare you to find a single rootkit there.

Homepage: Assessments -> RootKits [linuxsecurity.com]

What you really want to watch out for are kernel level RootKits, as even checking the integrity of programs doesn't help as they aren't altered. The kernel runs a different program when you call the correct one. Evil I tell you!

*Laugh, it was supposed to be a joke :-)

Re:Misuse of the term (1)

randyflood (183756) | more than 8 years ago | (#13844498)


Rootkits are indeed designed to hide malware from the tools that are designed to show what applications, network connections, etc. are running. The article went on to explain this a bit more clearly, but it may have been a bit subtle. Yes, the purpose of a rootkit is to hide running processes from things like ps, and the windows task manager and such. But, the deal is that many Antivirus products include not only static pattern based detection algorithms that look for malware, but also behavior-based detection algortihms. As the article put it, "Adding a rootkit to a virus increases its chances of avoiding detection because modern antivirus applications do not just look for specific code, but incorporate behavioural analysis to catch worms." Because the malware detection tools (antivirus, rkhunter, etc.) are making system calls to a an operating system that has been compromised by a trojan, the trojan is able to hide the activities of the malware from the detection tools. So, any kind of behavioral analysis is likely to fail, unless it is based on something that the rootkit wasn't clever enough to hide.

       

arms race (5, Funny)

kars (100858) | more than 8 years ago | (#13843227)

So now we can wait for the AV vendors to come up with a rootkit detector detector detector..

Re:arms race (1)

Ziviyr (95582) | more than 8 years ago | (#13843414)

Ummm, I'll worry about it when rootkit detector evasion detector evasion is detected...

www.hxdef.org....nuff said (2, Informative)

harmonics (145499) | more than 8 years ago | (#13843280)

Golden Hacker Defender does exist, can be purchased, and no it is NOT GPL..

http://www.hxdef.org/antidetection.php [hxdef.org]

They even have a license..

Paid versions are not released under GPL licence.
Every customer who buys antidetection service agrees with this licence.
Customer is not allowed to spread the product or its parts in neither binary nor source code form.
Violating of this licence will issue in loss of any support
and also in impossibility of buying new updates and other products and services.
Customer can do whatever he/she wants with his/her product except
all activities that are forbidden in this licence.
Customer can even modify the source code or the binary form of the product.
Customer is fully responsible for the application of boughten product.
Provider of antidetection service reserves the right to refuse any customers order.
If customers order is accepted customer pledges to pay the full sum before he/she gets the product.
Provider pledges to assemble the product and send it to the customer in 5 working days.
If provider is not able to fulfil the order the customer will get all his/her money back.
All payments are provided by e-gold (http://www.e-gold.com/ [e-gold.com] rarely by prior arrangement
payments via Moneybookers (http://www.moneybookers.com/ [moneybookers.com] can be accepted too.
Customer will receive relevant payment information after provider accepts the order.

Re:www.hxdef.org....nuff said (1)

Slashcrap (869349) | more than 8 years ago | (#13844374)

Customer is not allowed to spread the product or its parts in neither binary nor source code form.

Ah, very clever. So if you actually put it on someone elses system they can say you were violating the licence agreement?

Customer is fully responsible for the application of boughten product.

Actually, maybe they're just retarded after all.

In other news (0, Offtopic)

DrXym (126579) | more than 8 years ago | (#13843311)

Ex-mental patients start genital shaving business. Please form an orderly queue to use their services.

Quick! How do I give F-Secure all my money? (2, Insightful)

Rogerborg (306625) | more than 8 years ago | (#13843544)

You know, I'd like to see fewer "CRISIS! But wait! FooCorp can save you!" articles on Slashdot, and while we're at it, no dupes, and a pony.

Rootkits can be used for good. (4, Insightful)

digitalstruct (906825) | more than 8 years ago | (#13843763)

Rootkits are not nessesarily bad. They have good purposes such as in the enterprise world to watch what you are doing/logging what you are doing without you being able to find and terminate that process. You have to remember everything has a level of good and can be turned bad in an instant.

It is like a formatting tool, when used properly it deletes what you want but if someone wrote a program to access the formatting tool and run it on a drive that you wanted things on now it has just been turned into something bad.

There is a legitimate use to everything :)

Re:Rootkits can be used for good. (1)

PooR_IndiaN (876413) | more than 8 years ago | (#13844924)


Really?!?

They have good purposes such as in the enterprise world to watch what you are doing/logging what you are doing

Rootkits are not nessesarily bad


I Rest my case (Heh,Heh)

What about kernel level RootKits? (1)

Redwin (805980) | more than 8 years ago | (#13843852)

What about kernel level rootkits such as Knark [packetstormsecurity.org]?

I'm not entirely sure why you would use a RootKit(legitimally) other than for limiting access on machines under your control, something that could surely be done with proper account setups.
 

Re:What about kernel level RootKits? (1)

Slashcrap (869349) | more than 8 years ago | (#13844404)

What about kernel level rootkits such as Knark [packetstormsecurity.org]?

Is there actually such a thing as a non-kernel level rootkit?
Load More Comments
Slashdot Account

Need an Account?

Forgot your password?

Don't worry, we never post anything without your permission.

Submission Text Formatting Tips

We support a small subset of HTML, namely these tags:

  • b
  • i
  • p
  • br
  • a
  • ol
  • ul
  • li
  • dl
  • dt
  • dd
  • em
  • strong
  • tt
  • blockquote
  • div
  • quote
  • ecode

"ecode" can be used for code snippets, for example:

<ecode>    while(1) { do_something(); } </ecode>
Sign up for Slashdot Newsletters
Create a Slashdot Account

Loading...