Complete invisible rootkit for 2.3 million kroner (Translate the English part of the article)
When I read this headline, shivers ran down my spine, because if this falls into the wrong hands, it will be impossible to secure your PC, if you have and use an internet connection... and who the h... has a PC without hooking it up to the internet.
The experiences I have had removing rootkits from infected PCs have certainly been a challenge for me, but not an easy task, and d... troublesome,
because the backups users have made regularly cannot be used if they are infected, regardless of whether it is Acronis or other similarly good backup software.
This expert has previously demonstrated her abilities, among other things when she proved that Microsoft's understanding of security could fit in a very small space,
and therefore showed, at an online show, that it took less than 2 minutes before Vista was cracked and she had full control, despite monitoring and Microsoft's security experts continuously trying to keep her out, but in vain.
Her tool: a USB key with some files on it, so I hope she fails this time.
Complete invisible rootkit for 2.3 million kroner: Rootkit expert is challenged to create a rootkit that is supposed to be impossible to detect. Price: 2.3 million kroner.

By Jesper Stein Sandal, 29 June 2007 at 09:40

Rootkit expert Joanna Rutkowska has responded to a challenge from four security experts to prove her claim of a rootkit that is impossible to detect. It will cost her 2.3 million kroner to complete, she says.

A rootkit is a special kind of spyware that can be used to hide hacker or malware activity so deep in the system that special software is required to detect it.

The challenge concerns Joanna Rutkowska's so-called Blue Pill project, which on a system running with virtualisation is supposed to be impossible to detect. Four of her colleagues, however, do not believe that can be done, and they have therefore challenged her to prove that Blue Pill really is impossible to detect. SecurityFocus reports.

Joanna Rutkowska is reportedly willing to take up the challenge, but it requires that someone pays for the completion of Blue Pill. If Joanna Rutkowska and a colleague are to finish the project within six months, it will cost around 2.3 million.

Related links
* SecurityFocus: Experts challenge claim of undetectable rootkits

A bit more about what a rootkit is, and what it can do.. The first time we really heard of rootkits was when Sony used one in their copy protection, but this tiresome phenomenon has since evolved, and several of the modern variants of viruses, trojans etc. use this technique, and it caused real trouble on the last PC I cleaned... When even Microsoft writes that there is only one safe way out of this problem, format C: and a fresh installation, it is important to have a working backup before you are hit... Rootkits can easily bypass even the best antivirus programs, and they are hard to remove, even with dedicated tools for the job.
Those who use Kaspersky Antivirus should remember to make a Rescue Boot CD while the system is healthy, since the antivirus system itself uses a kind of rootkit to avoid being attacked by aggressive viruses. The guide for this can be found here.

60% rise in malicious code with rootkit features in 2006
Posted on 09.03.2007

PandaLabs has detected an alarming increase in the amount of malicious code using rootkit techniques. In 2006 there was a 62 percent annual increase and the forecast for 2007 is equally pessimistic. Given that in the first two months of the year the laboratory has already detected almost 25 percent of last year's total, the overall increase this year is expected to be around 40 percent.

Rootkits are programs that use stealth techniques to prevent malicious code from being detected by security and system administration software. As it is hidden, the malicious code can then act with complete impunity. Rootkits can also hide processes, files and even modifications to the Windows registry. February's ranking of the most dangerous threats includes three malicious codes that use these techniques: Bagle.HX, Abwiz.A and the highly dangerous Nurech.A.

Definition: A rootkit is a type of malicious software that is activated each time your system boots up. Rootkits are difficult to detect because they are activated before your system's operating system has completely booted up. A rootkit often allows the installation of hidden files, processes, hidden user accounts, and more in the system's OS. Rootkits are able to intercept data from terminals, network connections, and the keyboard.

A rootkit is a collection of tools (programs) that enable administrator-level access to a computer or computer network. Typically, a cracker installs a rootkit on a computer after first obtaining user-level access, either by exploiting a known vulnerability or cracking a password.
Once the rootkit is installed, it allows the attacker to mask intrusion and gain root or privileged access to the computer and, possibly, other machines on the network. A rootkit may consist of spyware and other programs that: monitor traffic and keystrokes; create a "backdoor" into the system for the hacker's use; alter log files; attack other machines on the network; and alter existing system tools to escape detection.

The presence of a rootkit on a network was first documented in the early 1990s. At that time, Sun and Linux operating systems were the primary targets for a hacker looking to install a rootkit. Today, rootkits are available for a number of operating systems, including Windows, and are increasingly difficult to detect on any network.

Rootkits have become more common and their sources more surprising. In late October of 2005, security expert Mark Russinovich of Sysinternals discovered that he had a rootkit on his own computer that had been installed as part of the digital rights management (DRM) component on a Sony audio CD. Experts worry that the practice may be more widespread than the public suspects and that attackers could exploit existing rootkits. "This creates opportunities for virus writers," said Mikko Hypponen, director of AV research for Finnish firm F-Secure Corp. "These rootkits can be exploited by any malware, and when it's used this way, it's harder for firms like ours to distinguish the malicious from the legitimate."

A number of vendors, including Microsoft, F-Secure Corp and Sysinternals, offer applications that can detect the presence of rootkits. If a rootkit is detected, however, the only sure way to get rid of it is to completely erase the computer's hard drive and reinstall the operating system.

http://www.rootkit.com/index.php
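The definitions above say a rootkit hides processes and files from "security and system administration software". The standard way to catch that is cross-view detection: take the same inventory through two independent paths and report anything one path shows and the other does not. The script below is an added example, not code from the page or from any of the tools it mentions; it does the process case on Linux, where the high-level view is the /proc listing and the low-level view is asking the kernel directly with kill(pid, 0). The PID_MAX_DEFAULT fallback and the function names are this example's own choices.

```python
"""Cross-view detection of hidden processes (Linux).

A rootkit that hides a process typically hooks one enumeration path (the
directory listing of /proc, or the API Task Manager calls on Windows) but
rarely manages to lie through every other path. Comparing two views and
diffing them is the idea behind tools such as RootkitRevealer.
"""
import os
from typing import Dict, Iterable, Set

PID_MAX_DEFAULT = 32768   # assumption: used only if /proc/sys/kernel/pid_max is unreadable


def pid_max() -> int:
    try:
        with open("/proc/sys/kernel/pid_max") as f:
            return int(f.read().strip())
    except OSError:
        return PID_MAX_DEFAULT


def listed_pids() -> Set[int]:
    """High-level view: every numeric entry under /proc, plus each process's
    thread IDs from /proc/<pid>/task. Non-leader threads are not listed at
    the top level of /proc but do answer kill(), so without this step every
    multithreaded program would look like a hidden process."""
    seen: Set[int] = set()
    for name in os.listdir("/proc"):
        if not name.isdigit():
            continue
        pid = int(name)
        seen.add(pid)
        try:
            seen.update(int(t) for t in os.listdir(f"/proc/{name}/task") if t.isdigit())
        except OSError:
            pass   # process exited between the two listdir calls
    return seen


def probed_pids(candidates: Iterable[int]) -> Set[int]:
    """Low-level view: kill(pid, 0) delivers no signal. It returns normally if
    the PID exists and we may signal it, raises PermissionError if it exists
    but belongs to someone else, and ProcessLookupError if it does not exist."""
    alive: Set[int] = set()
    for pid in candidates:
        try:
            os.kill(pid, 0)
        except ProcessLookupError:
            continue
        except PermissionError:
            pass
        alive.add(pid)
    return alive


def cross_view_diff(high_level: Set[int], low_level: Set[int]) -> Dict[str, Set[int]]:
    """'hidden' is the interesting direction: the kernel confirms the PID but
    the enumeration path omits it. 'stale' is usually just a race (a process
    exited or started between the two scans); re-scan before believing either."""
    return {
        "hidden": low_level - high_level,
        "stale": high_level - low_level,
    }


def scan() -> Dict[str, Set[int]]:
    """Take both views as close together as possible and diff them."""
    return cross_view_diff(listed_pids(), probed_pids(range(1, pid_max() + 1)))


if __name__ == "__main__":
    result = scan()
    print("possibly hidden PIDs:", sorted(result["hidden"]))
    print("possibly stale PIDs:", sorted(result["stale"]))
```

Run it twice and only trust PIDs that show up as hidden both times; a kernel-mode rootkit that also hooks the signal path will of course pass this check, which is why the page's advice to scan from a clean boot environment still stands.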
The picture of Joanna Rutkowska above comes from here.

Microsoft to admins: Rootkit means rebuild
Thanks to Windows' unprotected kernel, recovering from a rootkit infection could require a full OS wipe
By Oliver Rist

So I was skimming Slashdot the other day and found this gem: Seems a program manager in Microsoft's Security Solutions Center came out and said that recovering from the newest breed of malware may be impossible. You know, time and again, I've asked those Redmond folks to be upfront and honest, and now here's one doing just that, and I'm still nauseated.

The gentleman was referring to the new spyware darlings, namely rootkits. You know, the things recently made so popular by the graces of visionary companies such as Sony. Thank you so much -- I'm boycotting the PS3 just for that (if it ever sees the light of day). These infestations don't hide in a piece of the PST file or duck into the bowels of IE. They dig just a bit deeper and hide themselves right in the OS kernel -- hence the "root" moniker.

For some of the more popularly known, and thus unsuccessful, rootkits, Microsoft and other companies have come up with specific removal tools, although sometimes they, too, have nasty side effects because of how deep the infection has managed to burrow. Unfortunately, the unknown rootkit infections far outnumber the known ones, so waiting for a removal tool for your particular kernel malaise may be an exercise in futility.

So Microsoft offers the next logical solution: Wipe the OS and start over. Yeah, made me see red for a minute, too; but after thinking about it, I'm only seeing ... let's say pink. The tools to automate an OS rebuild are neither new nor difficult to come by. Altiris, CA, IBM, LANDesk, SMS, and a host of other companies provide desktop management platforms with tools that will save specific OS and application images on the network. They can push those images out to specific groups of clients or even a single machine.
After that, you just reload that user's personal data off the network and he or she is good to go. Only thing is, even with the right tools, that's much easier said than done. To make this effective, you must provide for client-side network backup, at the very least, daily and more likely several times during the day. That creates overhead for the client and is a strain on the network. Additionally, even backup solutions with open file managers work best if you target them at only a portion of the client disk -- and that means training your users to make sure all data is saved in those target folders only; not, for example, on their desktops. Not always easy.

Another way might be to provide for personal backup at every client station, I suppose; Maxtor OneTouch boxes only go for $200 and would allow each station to have its own backup device right there. But that still requires user intervention -- which is never a good idea. Also, as Bob Garza has pointed out about the Seagate Mirra (a networkable OneTouch competitor), keeping these solutions running in constant backup mode tends to slow client performance to a point of severe frustration -- like with tufts of hair floating around the office.

Making such a solution work will mean purchasing new software; gathering all the relevant OS images and organizing them somehow (and you know that's going to take some meeting staff-hours); writing a policy on how users can save desktop data so it can be safely backed up to the network; testing network performance to make sure this works without crippling everyone; and then making sure all that user and OS data is kept somewhere that no rootkit infection can ever reach. Not a small order.

That's why I'm still seeing pink. I understand that kernel infections are difficult to remove, but why is it apparently so easy to get to the Windows kernel? And also apparently so easy to defeat the XP rollback feature that should have been protecting us from just such a problem?
It's not rocket science to add something like a checksum routine that should be able to detect if anything in the kernel gets modified, so why is the responsibility for the safety of these files falling on us? Perhaps Microsoft's program manager was speaking in the short term, and the company is working on just such safety measures now. I hope so, although I haven't heard anything to that effect. If not, then I see it as another block to Vista deployment. After all, if I have to put all this OS imaging and dynamic backup work in now, I'm not going to want to throw all that out in just a few months just to move to the next rootkit haven. I'm going to make that last as long as I can. Vista'll just have to wait.

This tool, http://www.resplendence.com/hookanalyzer, can show whether you have been hit / have got a rootkit in. If you use Kaspersky, a number of items are shown, but Kaspersky also checks for rootkits.

Links
* wikipedia.org/wiki/Rootkit
* Sony_BMG_CD_copy_protection_scandal
* Sony Sues Rootkit Developer Over Faulty Music CDs
* windowsecurity.com
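The column above asks for "something like a checksum routine" that detects when kernel files are modified. What that looks like in practice is a file-integrity baseline of the kind Tripwire and AIDE keep: hash every file under a tree once while the machine is known to be clean, store the digests, and diff a later scan against them. The script below is an added example, not code from the page, from Microsoft or from any of the products named; the "system32" tree it builds in a temporary directory and the file names in it are constructed for the demo. The caveat that matters for rootkits: the later scan has to be taken from an environment the rootkit cannot influence (the rescue CD the page recommends building while the system is healthy), because a kernel-mode rootkit can hand a user-mode hasher the original file contents while the patched version is what actually runs.

```python
"""Checksum-based integrity baseline: build, store, compare."""
import hashlib
import json
import os
import tempfile
from typing import Dict, Set

Baseline = Dict[str, str]   # relative path -> hex SHA-256 digest


def hash_file(path: str, chunk_size: int = 1 << 20) -> str:
    """SHA-256 of a file, streamed so large images do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: str) -> Baseline:
    """Hash every regular file under root, keyed by path relative to root.
    Symlinks are skipped on purpose: following one would let a planted link
    make a replaced file hash like the original it points at."""
    baseline: Baseline = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            if os.path.islink(full) or not os.path.isfile(full):
                continue
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            baseline[rel] = hash_file(full)
    return baseline


def save_baseline(baseline: Baseline, path: str) -> None:
    """Persist as sorted JSON so two baselines of the same tree diff cleanly."""
    with open(path, "w") as f:
        json.dump(baseline, f, indent=1, sort_keys=True)


def load_baseline(path: str) -> Baseline:
    with open(path) as f:
        return json.load(f)


def compare(old: Baseline, new: Baseline) -> Dict[str, Set[str]]:
    """Classify every path as added, removed, modified or unchanged."""
    old_paths, new_paths = set(old), set(new)
    common = old_paths & new_paths
    return {
        "added": new_paths - old_paths,
        "removed": old_paths - new_paths,
        "modified": {p for p in common if old[p] != new[p]},
        "unchanged": {p for p in common if old[p] == new[p]},
    }


def demo() -> Dict[str, Set[str]]:
    """Self-contained run on a constructed temp tree, not real system files:
    baseline it, then do what a rootkit install does (patch one file, drop a
    new driver), rescan and report."""
    with tempfile.TemporaryDirectory() as root:
        sysdir = os.path.join(root, "system32")
        os.makedirs(sysdir)
        with open(os.path.join(sysdir, "ntoskrnl.exe"), "wb") as f:
            f.write(b"pretend kernel image")
        with open(os.path.join(sysdir, "hal.dll"), "wb") as f:
            f.write(b"pretend hal")

        store = os.path.join(root, "baseline.json")
        save_baseline(build_baseline(sysdir), store)

        with open(os.path.join(sysdir, "ntoskrnl.exe"), "ab") as f:
            f.write(b" + inline hook")
        with open(os.path.join(sysdir, "evil.sys"), "wb") as f:
            f.write(b"pretend driver")

        return compare(load_baseline(store), build_baseline(sysdir))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {sorted(paths)}")
```

The baseline file is only as trustworthy as where it lives: keep it off the machine it describes (or at least on read-only media) so the same infection that patches the kernel cannot also rewrite the digests it will later be checked against.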