Topic: Root Kit??


Offline Temmu

  • The Assimilator
  • Hero Member
  • Posts: 5404
Root Kit??
« on: September 26, 2006, 02:41:31 AM »
i know that a "root kit" hides by tricking the file system into not listing it.  :o

i have also read some that there are "root kit detectors".  :o

so...

which is the best, or better yet, which one works?
and how does one go about using it?  that is, to detect and more importantly, remove a root kit.

ps
hope this post is in the right place... :blink:

Offline Corrine

  • The Mystical Rose
  • Administrator
  • Hero Member
  • Posts: 20704
  • "Stronger than the past, united in our goal."
Re: Root Kit??
« Reply #1 on: September 26, 2006, 10:34:31 AM »
Hi, Temmu.  Just like anti-malware scanners, root kit detectors depend on the definitions in their database.  In fact, certain root kits are detected by the specialized tools used in malware removal.  Commonly used in the community are the Blacklight trial from F-Secure at http://www.f-secure.com/blacklight/try.shtml and Rootkit Revealer from http://www.sysinternals.com/utilities/rootkitrevealer.html .  GMER received a lot of attention due to the Gromozon Rootkit and is at the top of the list.  It works with NT/W2K/XP.  GMER Home page:  http://gmer.net/ .

MS MVP "wng" has done testing of various rootkit detectors.  His reports are available from http://spyware-free.us/2006/07/on-to-rootkit-testing.html .  Links to additional resources are at the bottom of my "Deep Roots" blog posting.

Hope this helps. 



Take a walk through the "Security Garden" -- Where Everything is Coming up Roses!

Remember - A day without laughter is a day wasted.
May the wind sing to you and the sun rise in your heart.

Offline Temmu

  • The Assimilator
  • Hero Member
  • Posts: 5404
Re: Root Kit??
« Reply #2 on: September 26, 2006, 04:44:07 PM »
thanks, corrine!  :rose:

as always, much appreciated.

Offline Assarbad

  • AV research & development
  • Malware Experts
  • Sr. Member
  • Posts: 368
Re: Root Kit??
« Reply #3 on: December 26, 2006, 11:15:12 AM »
While I agree that there is usually a way to detect rootkits, some have proven that this can be spoiled (e.g. Rustock). Of course the arsenal on both sides is getting more advanced, so what you need is at least always the latest version of a rootkit detector.

Now how do they help? "Not much" I would say. Unless you have exactly a very well-known and fully analysed version of a rootkit, I would simply reinstall the system (or even better restore from a clean backup). If the rootkit is not fully analysed, there could be leftovers in your system - and although they may not be hidden anymore, the damage could already be done once you notice it.

Two articles back from my time at Lavasoft:
http://blog.assarbad.net/wp-content/uploads/2006/11/Oliver_about_rootkits.zip
Oliver (working at FRISK but posting here as a private person!)

Clogged disks on Windows? Check out: WinDirStat

Offline mikey

  • Predator
  • Visiting Experts
  • Full Member
  • Posts: 81
Re: Root Kit??
« Reply #4 on: December 28, 2006, 04:36:24 PM »
If you can't stop these tests, I suggest you learn to stop the delivery methods; http://www.voiceofthepublic.com/test_tools/testfiles.html
The ones at the bottom of the list (DFK) are rootkit type tests.

When using a good HIPS type firewall, the only way you can be infected is if you allow it to happen. If it can't initiate, it can't infect.

For more than half a decade, neither I nor any of my clients have ever had an unwanted ware on board any appliance. The only thing we aren't immune to is our own negligence.

Anyone, including the novice, can learn to be secure and the route isn't thru using all the many reactive resource hogs that the predominant anti-malware industry would preach/sell.

Good luck.
***
W2K/2K3/XP/2K8/Vista/W7/RHE/DEBIAN/SUSE

"Spyware/adware is NOT freeware, it costs all of us dearly." SpywareWarrior

Mikey's Stuff

Fiddler and friends...essential web diagnostic, forensic, & development tools.

"You may never need to outrun a Decepticon, but it's nice to know you can." NW's Bevo

Offline Assarbad

  • AV research & development
  • Malware Experts
  • Sr. Member
  • Posts: 368
Re: Root Kit??
« Reply #5 on: December 28, 2006, 06:45:20 PM »
Quote
If you can't stop these tests, I suggest you learn to stop the delivery methods; http://www.voiceofthepublic.com/test_tools/testfiles.html
The ones at the bottom of the list (DFK) are rootkit type tests.

Quote
When using a good HIPS type firewall, the only way you can be infected is if you allow it to happen. If it can't initiate, it can't infect.
For the majority of threats I would agree (yes, even most known rootkits). However, you or anyone else using popular AV/AS/A-whatever software will not withstand a targeted attack.

Also, how do you know you don't have a rootkit if you can't see it? Actually you don't. The places inspected by popular tools are always the same and tend to be compromised if a rootkit is already resident. Rustock.A (and B) has shown how stealthy such conventional rootkits can be. None of the rootkit detectors recommended here could detect it.

Quote
For more than half a decade, neither I nor any of my clients have ever had an unwanted ware on board any appliance. The only thing we aren't immune to is our own negligence.

Quote
Anyone, including the novice, can learn to be secure and the route isn't thru using all the many reactive resource hogs that the predominant anti-malware industry would preach/sell.
True. http://www.landzdown.com/index.php?topic=11977.0

Offline mikey

  • Predator
  • Visiting Experts
  • Full Member
  • Posts: 81
Re: Root Kit??
« Reply #6 on: December 28, 2006, 07:33:24 PM »
Quote
whatever software will not withstand a targeted attack
If it can't initiate, it can't infect. I would have to specifically allow it to initiate before it could run in any way. Only admin can decide what processes are allowed to initiate. Not even a disgruntled employee can load a new ware without my say so.

Quote
Rustock.A (and B) has shown how stealth such conventional rootkits can be.

As with all malwares, it is of no concern to us. It still has to be delivered and there are no known methods to do that and I doubt there ever will be. But that last part is yet to be proven.




Offline mikey

  • Predator
  • Visiting Experts
  • Full Member
  • Posts: 81
Re: Root Kit??
« Reply #7 on: December 28, 2006, 08:05:51 PM »
Just to clarify, yes, I can be tricked into thinking something is legit when it isn't. However, that is why nothing is allowed on the LANs without my first testing it on an isolated sys using multiple types of event snapshots.

I really don't think the average user needs to take the same drastic means I do with my enterprise situation. The average user need only google up any unknown item. If it doesn't show up in a google with plenty of info, then it is highly suspect and should not be allowed to initiate without at least further study.

Offline Assarbad

  • AV research & development
  • Malware Experts
  • Sr. Member
  • Posts: 368
Re: Root Kit??
« Reply #8 on: December 28, 2006, 08:09:55 PM »
Quote
whatever software will not withstand a targeted attack
If it can't initiate, it can't infect. I would have to specifically allow it to initiate before it could run in any way. Only admin can decide what processes are allowed to initiate. Not even a disgruntled employee can load a new ware without my say so.
Well, leaving other attack vectors (which you neglected) aside, what would prevent the employee from loading something? Missing admin rights? How about booting the system from USB/CD? Some years as network admin in the university (Windows network) have taught me that there are always loopholes. Basically you'd have to store the machines themselves in a bunker with no entrance. And last but not least there is social engineering (yes, I saw the reply which arrived meanwhile).

The best you can do is to be able to restore quickly.

Quote
Rustock.A (and B) has shown how stealth such conventional rootkits can be.

As with all malwares, it is of no concern to us. It still has to be delivered and there are no known methods to do that and I doubt there ever will be. But that last part is yet to be proven.
I wonder whether this statement was made due to lack of knowledge, due to negligence or ignorance or due to any other reason. But you surely must be kidding us here.

So how do you know you are not infected? I can tell you that I just don't know it for my machine! --- because I know there is no 100% reliable way to tell ... not even comparison between the live and offline system for some specific types of rootkits.
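The live-versus-offline comparison Oliver mentions is the cross-view idea behind detectors such as Rootkit Revealer: list the tree through the running system's APIs, list it again from a source the resident hooks cannot filter (the same disk read under a clean boot medium), and treat every disagreement as a suspect. The sketch below is an added example, not code from this thread or from any tool named in it; the two views, the paths, sizes and hashes are constructed sample data, and the volatile-path list is an assumption a real run would tune per system.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

# A view maps a path to (size_bytes, content_hash). In a real run the "live" view
# comes from the running OS's file APIs and the "offline" view from the same disk
# read under a clean boot medium; here both are constructed sample data.
Entry = Tuple[int, str]
View = Dict[str, Entry]

# Files that legitimately differ between two snapshots; reporting them is noise.
# Constructed list, extended per system in practice.
VOLATILE_PREFIXES = (r"C:\pagefile.sys", r"C:\WINDOWS\Prefetch")


@dataclass(frozen=True)
class Finding:
    path: str
    kind: str  # "hidden", "phantom" or "tampered"
    detail: str


def cross_view_diff(live: View, offline: View) -> List[Finding]:
    """Return every disagreement between the live and offline view of one tree.

    hidden   - present offline, absent live: the classic symptom of a file-hiding hook
    phantom  - present live, absent offline: a view that lies in the other direction
    tampered - same path, different size or hash: a replaced or patched file
    """
    findings: List[Finding] = []
    for path in sorted(set(live) | set(offline)):
        if path.startswith(VOLATILE_PREFIXES):
            continue  # expected to differ; not evidence of anything
        if path in offline and path not in live:
            findings.append(Finding(path, "hidden", f"offline={offline[path]}"))
        elif path in live and path not in offline:
            findings.append(Finding(path, "phantom", f"live={live[path]}"))
        elif live[path] != offline[path]:
            findings.append(Finding(path, "tampered",
                                    f"live={live[path]} offline={offline[path]}"))
    return findings


def verdict(findings: List[Finding]) -> str:
    """Word the result the way Oliver's caveat demands: agreement is not proof of absence."""
    if findings:
        return f"suspect: {len(findings)} cross-view discrepancies"
    return ("no discrepancies (a rootkit that filters both views, or that lives "
            "outside the file system, would still pass this check)")


# Constructed sample views; sizes and hashes are placeholders, not real file digests.
LIVE_VIEW: View = {
    r"C:\pagefile.sys": (402_653_184, "f0f0"),
    r"C:\WINDOWS\system32\ntoskrnl.exe": (2_180_096, "aa11"),
    r"C:\WINDOWS\system32\drivers\tcpip.sys": (359_040, "bb22"),
    r"C:\WINDOWS\system32\user32.dll": (578_560, "cc33"),
}
OFFLINE_VIEW: View = {
    r"C:\pagefile.sys": (402_653_184, "0f0f"),                    # volatile, ignored
    r"C:\WINDOWS\system32\ntoskrnl.exe": (2_180_096, "aa11"),
    r"C:\WINDOWS\system32\drivers\tcpip.sys": (359_040, "bb22"),
    r"C:\WINDOWS\system32\user32.dll": (578_560, "dd44"),         # content differs
    r"C:\WINDOWS\system32\drivers\hidden.sys": (45_056, "ee55"),  # absent from live view
}

if __name__ == "__main__":
    found = cross_view_diff(LIVE_VIEW, OFFLINE_VIEW)
    for f in found:
        print(f"{f.kind:8} {f.path}  {f.detail}")
    print(verdict(found))
```

On the sample data the hidden driver and the altered user32.dll are reported while the page file is skipped; a clean comparison only says the two views agree, which is exactly the limit Oliver describes.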

Offline mikey

  • Predator
  • Visiting Experts
  • Full Member
  • Posts: 81
Re: Root Kit??
« Reply #9 on: December 28, 2006, 08:24:22 PM »
I guess you just as yet don't understand what a process firewall does. Let me explain it; No process can initiate without a specific permission given. No hook or thread can form in any manner without that permission. A file can sit there dormant till hell freezes over but it can not initiate. Again, if it can't initiate it can't infect.

As I said to someone else a while back; there are no magical files that can infect if they aren't allowed to initiate to begin with. Period.

I've been asking everyone I know in the sec world to provide me with a scenario that shows where anything outside my own neglect could cause an infection to our sys. So far I haven't seen anything that would get past my preinstall testing...much less something that could penetrate without my even examining it first.

And now, I ask you for the same thing.

Offline Assarbad

  • AV research & development
  • Malware Experts
  • Sr. Member
  • Posts: 368
Re: Root Kit??
« Reply #10 on: December 28, 2006, 08:37:38 PM »
Quote
I guess you just as yet don't understand what a process firewall does. Let me explain it; No process can initiate without a specific permission given. No hook or thread can form in any manner without that permission. A file can sit there dormant till hell freezes over but it can not initiate. Again, if it can't initiate it can't infect.
I know it very well. I even have the knowledge to write one (at least for the Windows NT platform). Any AV has this capability but the difference is the rule for allowing something to execute - which is somewhat automated.

Quote
As I said to someone else a while back; there are no magical files that can infect if they aren't allowed to initiate to begin with. Period.
Right, but there are vulnerabilities in any software. It does not matter which software we talk about, be it the OS or the HIPS or tell me what ...

Quote
I've been asking everyone I know in the sec world to provide me with a scenario that shows where anything outside my own neglect could cause an infection to our sys. So far I haven't seen anything that would get past my preinstall testing...much less something that could penetrate without my even examining it first.
It depends. You might have a quite safe system established. And if so you have my full respect, but there are dozens of methods beyond your neglect. Why? Easy:
  • Did you write the software?
    • Yes you did?! Are you perfect enough to claim it's free of bugs?
    • You didn't? How much do you trust those who did? And even if you trust them, are they perfect?
This list could be continued, but the strongest arguments are on the table ...

Quote
And now, I ask you for the same thing.
What same thing? To prove that you are infected or not? I cannot prove either way, but I can prove that there is no 100% safe way of proving either fact! And that was my (stated) point.

Offline Corrine

  • The Mystical Rose
  • Administrator
  • Hero Member
  • Posts: 20704
  • "Stronger than the past, united in our goal."
Re: Root Kit??
« Reply #11 on: December 28, 2006, 10:53:31 PM »
Oliver, one thing you need to know about Mikey; that is, he loves a good debate.  (Oh, BTW, don't tell him I told you, but he has the same common connection with your former employer that I have--except he got out long before I was there.)



Offline mikey

  • Predator
  • Visiting Experts
  • Full Member
  • Posts: 81
Re: Root Kit??
« Reply #12 on: December 28, 2006, 11:14:31 PM »
Did I write the wares for our process filtering? No

But I have studied our commercial HIPS products in great detail. As noted, I need to maintain a bit higher standard than average user for my clients. My clients are lawyers, title companies, banks, etc.

In addition, what I have done is tested against every attack vector I know of and can find...and I know of many more than what is published publicly.

I must say that I'm a little disappointed. Most of the professionals I've given this quest to have at least tried to come up with a scenario/vector/POC/something that would vex me. If you want a list of wares to beat...OK but I'm certainly not going to lay out our enterprise security measures.

If you can, show me how you can infect a w2k sys with no AV or any other type of resident other than a simple end point packet filter and a single process filter installed. I just happen to be here at home working on one just like that. You can have my current IP, email addy, or any other info you'd like to have.

I'll even go to any page you want me to and record the entire transaction via sniffers and a multitude of various types of event snapshots to prove that I did indeed take any test you might devise and also show how well the nasties were stopped if that be the case. :) I'll even do it with IE set to Low sec and my local proxies disabled. Actually, I'll need to leave Fiddler up as one of the monitors of the transaction. If you want to throw an infected email at me, I'll open it in OE with the very same criteria I just mentioned.

If you can devise such a test, I think it would help me greatly to convince all the folks that are stuck in a mold that I'm not just a mad man. :)

Let me know if you are up to it. Since it will take a few hours to set up all the monitors to capture/prove the event, I will need some time to get ready. 2-3 hrs should be enough but it's too late today...I'm headed for bed shortly.

===

Well at any rate, if there are any users around here who really want to learn how to protect themselves and don't want to spend a lot of money and don't want to have to be a genius to figure it out. I'll be more than happy to work with you.

So far I've taught lots of noobs how to protect their sys and I've taught many who have been subjected to all the salesmen pitching the status quo for many years now. They have all found it amazingly easy once they actually took the time to look at what I'm preaching.

If you can learn how to run a scanner properly, you can also learn how to make yourself almost impregnable. 'Almost' is because no ware can protect you from yourself...except possibly a sandbox and my thoughts on those can be found here; http://www.voiceofthepublic.com/test_tools/twohips.html

Bottom line, the proof is in the pudding. For those who don't know what I mean by that; it simply means you should see for yourself.

BTW My quest above is open to any in the industry. Show me a vector that I can't control. If there is such a thing, then my clients deserve better than what I offer.

Just so everyone knows, I'm not selling anything. There are now quite a few process firewalls around that are easy enough for the novice to use...some even free...and I'm quite familiar with many of them...especially the ones I mentioned on my firewall page. Some even include anti-malware definitions for those of you who need that added sense.



Offline Assarbad

  • AV research & development
  • Malware Experts
  • Sr. Member
  • Posts: 368
Re: Root Kit??
« Reply #13 on: December 29, 2006, 12:13:06 AM »
Quote
In addition, what I have done is tested against every attack vector I know of and can find...and I know of many more than what is published publicly.
A quote for you from "Rootkits" (Hoglund/Butler 2005) from the "Preface" on page XV - emphasis by me:
Quote
The fact that a product claims to provide some level of protection does not necessarily mean it actually does. By playing the part of an attacker, we are always at an advantage. As the attacker we must think of only one thing that a defender didn't consider. Defenders, on the other hand, must think of every possible thing an attacker might do. The numbers work in the attacker's favor.

Since I am not taken seriously here, I let world-renowned experts speak (i.e. write) for me.

Quote
If you can, show me how you can infect a w2k sys with no AV or any other type of resident other than a simple end point packet filter and a single process filter installed. I just happen to be here at home working on one just like that. You can have my current IP, email addy, or any other info you'd like to have.
This would be illegal even with consent as the impact cannot be foreseen. I am not going to put my job at risk to prove my point. And even if I managed to get in, it would at most prove that your system is vulnerable right now - no more. Therefore this is way off the topic of detection and does not contribute at all to my point that there is no 100% safe detection.

Quote
So far I've taught lots of noobs how to protect their sys and I've taught many who have been subjected to all the salesmen pitching the status quo for many years now. They have all found it amazingly easy once they actually took the time to look at what I'm preaching.
... Yet Another Religion?  :grin:

Quote
BTW My quest above is open to any in the industry. Show me a vector that I can't control. If there is such a thing, then my clients deserve better than what I offer.
You lost me here. This is just as if you ask me to write a virus just because I tell you I would be able to do it.

Quote
Just so everyone knows, I'm not selling anything. There are now quite a few process firewalls around that are easy enough for the novice to use...some even free...and I'm quite familiar with many of them...especially the ones I mentioned on my firewall page. Some even include anti-malware definitions for those of you who need that added sense.
And none of them will save you from everything. I like TrustNoExe, btw. But well, I'll stop and leave you with yet another nice term from IT sec: "remote code injection".

Good luck with your "process firewalls" and your certainty to be safe :rolleyes: :sinking:

Offline mikey

  • Predator
  • Visiting Experts
  • Full Member
  • Posts: 81
Re: Root Kit??
« Reply #14 on: December 29, 2006, 12:54:45 AM »
Just the kind of response I would expect from someone who produces a lesser tool. The same type tool and vending I describe in the second post here; http://www.landzdown.com/index.php?topic=12973.0

That's OK, many in the sec arena have tried to find such a vector and failed. It's called R&D. Even if you had the courage to try, you would have likely failed. I don't blame you at all for not trying.

Even one of the leading anti-malware devs decided to completely retool their operation, shutdown their offering of a scanner, and denounced the faulty premise of reactionary scanning. Other devs have also followed at least partial suit by adding HIPS to their suites also. And of course, there is the current rash of dev in this direction.

IMO Any dev who doesn't retool and continues to try selling only the worthless garbage we've been subjected to for the last decade will only fall behind. And I hope they fall hard because the technologies I speak of have actually been around for about a decade or more. It's just that most didn't/don't wish to kill their cash cow by giving folks real security.

Well if trying to preach the truth is a religion...then so be it. :)