Thursday, July 28, 2005

New Rootkit Techniques Spell Trouble

Just when we thought we were getting safer from computer intrusion comes word of a new type of stealth rootkit. This new proof of concept rootkit means the bad guys are gaining on us again. Just the though that someone can install a piece of software on your system to perform secret acts while remaining completely undetected is a very scary though. But it's more than a though or possibility its being done right now with rootkits readily available. Worse the new method revealed shows that it can be done at a level and in a way that it’s not detectable by most if not all of the current detection software programs available.

Jamie Butler (a director of engineering at HBGary Inc.) and Sherri Sparks (a student at the University of Central Florida) demonstrated a technique at the recent Black Hat Briefings in Las Vegas that uses DKOM to prevent the Windows Event Viewer from seeing a program. The technique can even hide drivers and such allowing for just about any activity that a hacker could possible want to do. Worse still is that it can be done with little or no impact on performance?

"This is a prototype for a fourth generation of rootkits that would defeat the current rootkit detection technology," said Sparks. With its use of DKOM (Direct Kernel Object Manipulation) to hide from the Windows Event Viewer it makes forensics virtually impossible and will require that scanners improve and expand existing rootkit detection technologies.

So what's the answer?

The same as it's always been; pay close attention and stay vigilant. Look for and monitor changes in how your system functions. Is it taking longer for your system to start up? Is it hanging or freezing up? Does your computers response and activity seem slower or different than usual?

Any of these danger signs mean that you should be checking your system even closer than normal. This also means that it’s becoming necessary to use dedicated software for Trojan and Rootkit detection.

Sadly we've reached the stage in computer security that Rootkit Trojans and other such software have became enough of a danger that only specialty software can address the problem.

So pay attention, do your homework, and get a good Trojan/Rootkit detection program to go with your Spyware/Antivirus software and use them frequently.

Check out the eWeek article on the same subject at;,1759,1841266,00.asp?kc=EWRSS03129TX1K0000614

No comments: