Forgot your password?
typodupeerror

Rootkit Creators Turn Professional 117

Posted by CowboyNeal
from the where-the-money-is dept.
pete richards writes "Signalling a trend towards increased 'outsourcing' of some elements of malware creation, worm authors are increasingly turning to commercially available rootkits to help their creations slip past virus detection engines. Those root kits in the mean time are becoming more professional. Antivirus vendor F-Secure reported last week that it had detected a first rootkit designed to bypass detection by most of the modern rootkit detection engines."
This discussion has been archived. No new comments can be posted.

Rootkit Creators Turn Professional

Comments Filter:
  • by LiquidCoooled (634315) on Friday October 21, 2005 @06:02AM (#13843079) Homepage Journal
    Rootkits should be GPL.
    At the very least they should be GNU/Rootkits.

    Somebody contact the EFF or like start throwing chairs or something.
  • Easy prey? (Score:3, Insightful)

    by adyus (678739) on Friday October 21, 2005 @06:03AM (#13843087) Homepage
    If it's a known fact that this Golden Hacker Defender rootkit is publically sold, isn't it that much easier to catch the writers? Assuming there's a law against rootkits...
    • Re:Easy prey? (Score:5, Insightful)

      by prichardson (603676) on Friday October 21, 2005 @06:26AM (#13843156) Journal
      There probably isn't a law against rootkits, and there shouldn't be. There should be a law against using them to break into systems that you are not authorized to enter, and there is a law against that.

      A law against rootkits would be very problematic. Is VNC a rootkit? If there's a bug in SSH that is exploitable to gain root access I bet it would suddenly fall under the domain of being labeled a rootkit by any law banning them, should the mainatainers of SSH be prosecuted because of that?

      It really comes down to liberty though. If I want to hack my own computer I should be allowed to do so. If I want to write a virus I should be allowed to do so, but I should not be allowed to release it into the wild.
      • Re:Easy prey? (Score:5, Informative)

        by ArsenneLupin (766289) on Friday October 21, 2005 @07:23AM (#13843292)
        There probably isn't a law against rootkits, and there shouldn't be. There should be a law against using them to break into systems that you are not authorized to enter, and there is a law against that.

        A rootkit isn't a tool to break into a machine; it's a tool to hide your presence once you've already broken into the machine...

        Is VNC a rootkit?

        No. But a tool hiding VNC from the process list might be.

        • MS sells a remote administration program that will hide its presence completely if you want it to.
        • Re:Easy prey? (Score:2, Informative)

          by mOdQuArK! (87332)
          Some administration tools hide their presence so that corporate office drones won't notice the system administrator monitoring them (for "security" reasons dontcha know). Are they root kits?
      • The examples you gave aren't actually rootkits. However, the Honeynet project could well be described that way, so substitute that for your examples.
      • Re:Easy prey? (Score:1, Insightful)

        by Anonymous Coward
        'A law against rootkits would be very problematic. Is VNC a rootkit? If there's a bug in SSH that is exploitable to gain root access I bet it would suddenly fall under the domain of being labeled a rootkit by any law banning them, should the mainatainers of SSH be prosecuted because of that?" - by prichardson (603676) on Friday October 21, @06:26AM

        You do have a point there... PING is another example as well, & it ships with most OS.

        It too, can be used to issue a "ping of death" though iirc, most OS are
      • Re:Easy prey? (Score:3, Interesting)

        "If I want to write a virus I should be allowed to do so, but I should not be allowed to release it into the wild."

        This poses an interesting question. If you did develop a worm with a nastey payload and release it on an entire subnet under your control (and ownership) that is firewalled off. Who would be blamed if a cracker broke in to the infected network, became infected themselves and then started infecting a public network either intentionly or not?

        We see this sort of thing happen a lot on the internet.

        • Re:Easy prey? (Score:2, Interesting)

          by Redwin (805980)
          This problem of who is guilty also comes up with the use of honeypots, ie if someone breaks into a honeypot system and launches an attack from there who is responsible? The attacker or the person supplying the resources?

          I agree with your point of view that a blanket "all are responsible" response is not the best course of action, as I've wondered how long it will be before people like the authors of security books get bundled into the category of "they supplied the knowledge to make this attack possible, th
  • by jamesjw (213986) on Friday October 21, 2005 @06:07AM (#13843095) Homepage
    def n.: Rootkit:
    When an Australian male carries a few spare condoms with him on a night out.

    Ahhh.. maybe I shouldnt have bothered.. :)

    -- Jim.
  • Wicked (Score:3, Insightful)

    by tezbobobo (879983) on Friday October 21, 2005 @06:10AM (#13843103) Homepage Journal
    So here's what you do - write a worm and wrap it around a citrix or Windows Term Serv. Then when you have thousands, you can use then with DDOSs.

    Seriously though - Golden Hacker Defender. I've never heard of this. It it were seriously a commercial product, I doubt it would be a rootkit, perhaps a "Remote administration tool." I can't goole (verb) where to purchase it.

    So here's the thing. I wrote a virus, and now I'm going to sell it. It's a commercial virus. Oops! Not it isn't, it's just me selling a virus.

    Move along, nothing to see here.
    • Re:Wicked (Score:3, Informative)

      You were looking for this website [czweb.org] presumably.
    • Re:Wicked (Score:3, Informative)

      Hmm it seems to be a new release of something called Hacker Defender. Apparently available here [czweb.org] for the curious. Interesting comment in the box about how the commercial version is not released under the GPL :p
    • The guy who writes hacker defender offers the source code for free, but offers to customize it to make it invisible to commericial anti-virus software and root kit detection software.

      This is a big problem, I do application/infrastructure attack and penentration and have seen/had co-workers see this fairly often in mainly financial and defense clients. This problem definetly exists and is causing some major headaches in the info sec world.
    • Re:Wicked (Score:3, Interesting)

      by Fred_A (10934)
      Shouldn't that be an administratorkit anyway ?
  • by crazy_zulu (727861) on Friday October 21, 2005 @06:10AM (#13843105) Homepage Journal
    One company in Redmond has made billions from selling rootkits.
  • In other news, we learn that script kiddies don't actually write software.

    What's with the "commercially available" business? From TFA:

    The version of the rootkit detected by F-Secure is called Golden Hacker Defender. It is a commercial product that can be bought for around 500, according to the security firm.

    So you can buy it, so what - you can buy cocaine on street corners, does that make it 'commercially available'? Or are they simply heralding Rootkit 101 as the latest product to hit the v-scene?

    • In other news, we learn that script kiddies don't actually write software.

      I'd have thought 450 euros (see here [czweb.org], select "Golden Hacker Defender" from combo box) was a bit beyond the price range of your average copy/paste script kiddies, but then I've never met any so I wouldn't know. Either way, it's not clear to me that the site is breaking any laws by selling this software. Any lawyers around?

      What's next, Virus Writers Monthly?

      How about this [rootkit.com]?

      • Bah. Kiddies won't pay a dime.

        One "l337 virii crew" gets a copy, and boom, it has a new home in the gnutella bitstream for all eternity.
        • It's actually an interesting business model, because it mirrors that of other open source businesses. Yeah, maybe you can get a copy of the code itself, but what you really need is the support agreement. When an attacker buys a commercial rootkit from the Hacker Defender folks, they agree to update his or her rootkit to keep it undetectable from malware-scanners for a given amount of time.

          If the attacker were to freely distribute the code they got, it would show up on Norton's radar pretty quick, and bec
  • What kind of pleasure can be had from doing this kind of hacking? After a while, doesn't it just become old hat?

    Or is there a Matrix-esque cabal of midnight hackers out there dressed in trenchcoats and sunglasses who are busy at work undermining the government? I find that hard to believe.

    I find it easy to believe that there are foreign governments very interested in this type of thing, but it is difficult to imagine ordinary citizens having both the desire and the wherewithal to perform serious attacks a
    • by Anonymous Coward
      If you've been watching the news the last few weeks ex-IRA members have been busted doing forgeries in North Korea, bomb-making in Iraq, and making IED's in Columbia. This is an example of the market for worldwide organised crime skills becoming huge as organisations outsource skillsets, especially nefarious skillsets. It's interesting to note the rise of these types of non-state actors on the world stage and how they are interplaying with governments and corporations. Organised crime is going to become hu
    • > What kind of pleasure can be had from doing this kind of hacking? After a while, doesn't it just become old hat?

      True, that's what happens to all industries while professionalizing. I guess it's similar to people willing to work in arms industry, so this doesn't just concern foreign governments.
    • it's MONEY. compromised home machines, compromised online banking, identify theft, spam bot-nets...
    • What kind of pleasure can be had from doing this kind of hacking? After a while, doesn't it just become old hat?

      There's a constant struggle to defeat the detection measures, or detect newer, stealthier rootkits. I've played around with seeing how well I can hide something on my own system, never used it in anger but there's an intellectual challenge there. Like chess or go, it's basically the same every time but I can see people constantly finding new pleasure in it.

  • Fact or fiction? (Score:5, Interesting)

    by FishandChips (695645) on Friday October 21, 2005 @06:25AM (#13843149) Journal
    Hmnn, this article is thin on facts and figures. And like so much "news" coming from the security industry, you're never really sure how much of it is fud and puffery in order to sell new products. Still, I guess things will continue to get worse so long as much of the IT industry plays pass the parcel, a shuffling process that always ends with the hit landing up on the poor old end-user, the person who is usually least qualified to deal with it.

    I guess Bruce Schneier is right when he suggests that the way to improve some aspects of security, anyway, is by placing responsibility firmly on outfits like banks and ISPs who'll get smacked mightly hard in the wallet - by law, this time - unless they raise their game. That might put some pressure on OS-makers and their pals to design products that don't also need AV checkers that are dependent on signature libraries and prey to zero-day exploits.

    Love the quote from a researcher saying that the alleged sale of rookits means that "there is a criminalisation of the virus world going on." As if it hasn't been criminal till now, just good clean fun ho ho.
    • Re:Fact or fiction? (Score:3, Informative)

      by Viol8 (599362)
      "Love the quote from a researcher saying that the alleged sale of rookits means that "

      I think what he meant (tho he could have phrased it much better) is that previously virus writers were just sad spotty adolescents with no social skills in their bedroom writing viruses to prove something to themselves or to impress they're equally sad and
      spotty online "friends". These days a lot of it is paid for by organised crime who have specific targets and specific agendas.
  • Isn't that the point of a rootkit?
  • by geo_2677 (593590) on Friday October 21, 2005 @06:26AM (#13843154)
    Virus writers go by their own rules. The anti virus business has a reactionary approach. Unless the anti virus engines have the updated signatures they can't stop the virus from spreading.
    Doesn't this again bring up the question which was discussed a while ago. 'Why should Operating systems have a policy of default accept? Run programs only which you trust.' Not that this will solve the problem in one shot but it will make the problem more manageable. By the way things are going and the speed with which new viruses are created, i guess the day is not far when we will need huge databases to store the signatures for the viruses on each machine.
    • Doesn't this again bring up the question which was discussed a while ago. 'Why should Operating systems have a policy of default accept? Run programs only which you trust.' Not that this will solve the problem in one shot but it will make the problem more manageable.

      No it won't. A default deny policy is simply not practical unless you can afford a lot of extra trouble. If I was developing on such a machine, would I have to get every revision of my code signed?

      • Default deny of executables, and requiring every executable be signed would be certian parties' wet dream.

        The "real" software developers (i.e. Microsoft, IBM, Adobe, Sun, Macromedia, etc., etc.) won't have a problem with the required code signing.

        All that will be harmed is the "freeware" and "open source" software. They will claim that this is a good thing. After all, that software merely serves to undermine the profitability of the "real" software developers.

        We'll hear arguments like: if The GIM
    • Doesn't this again bring up the question which was discussed a while ago. 'Why should Operating systems have a policy of default accept? Run programs only which you trust.'

      This is what selinux brings to the table. It allows you to specify a policy for your system that will block programs from doing things that they should not do. Of course if most windows systems operated with the least privilege rule most of the viruses out there would be unable to work as they do now. Instead of an arms race between
  • Misuse of the term (Score:5, Insightful)

    by $RANDOMLUSER (804576) on Friday October 21, 2005 @06:26AM (#13843155)
    From TFA:

    A rootkit is a tool that helps worm authors to slip past malware detection tools. The rootkit is 'wrapped around' the virus, and hides its payload from detection engines. After the rootkit has penetrated a system's defences, the worm can start doing its work.

    Wrong. A "rootkit" is a series of hacks to the underlying operating system, which make a running process harder to detect. In other words, a rootkit will keep your process from turning up in the Windows Task Manager, or a Linux "ps".

    Definition from the Jargon File [catb.org].

    • by Viol8 (599362)
      That definition is wrong. A rootkit is a kit that helps you get
      root access on a system either by buffer overflow of a running
      process/server or some other method. To prevent a process
      showing up in ps all you have to do is put your own version of
      the ps command in place, hardly rocket science.
      • by jaseuk (217780) on Friday October 21, 2005 @06:37AM (#13843184) Homepage
        Root kits will normally includ things such as modded ps and other modified binaries so that the system appears to be running fine, yet has a backdoor and any logging / system monitoring tools will not show any processes or activity.

        There is more to a root kit than just a replacement ps, but of course that is a critical element.

        No it's not rocket science, but in practice modding system binaries whilst on the outside keeping the system appearing to be running normally is much harder, different library / operating system / architectures to deal with and the fact that you are messing around with core system files.
        • by ArsenneLupin (766289) on Friday October 21, 2005 @07:34AM (#13843318)
          There is more to a root kit than just a replacement ps, but of course that is a critical element.

          Not necessarily. There are rootkits which are based on kernel modules (so that the kernel API are not reporting the process either, just in case the sysadmin brings in a statically compiled ps, or manually digs through /proc).

          It's the primitive rootkits that only replace some common utilities such as ps, ls, and netstat. Many of these don't even bother to doctor md5sum or rpm, so they can be trivially detected by an rpm -qa --verify.

          The good ones on the other hand do a much more thorough job, and can only be detected by booting from a known-good media (i.e. a Knoppix CD)

          • md5ing a system with the md5 program on the system under test sounds like poor practise to me.

          • What if rmp is repleaced as well to spit bogus results for a --verify?

            Knoppix is probably the only way to really find this stuff. And what do you look for? A new version of ls that is a different size than it should be?
      • by PhilHibbs (4537) <snarks@gmail.com> on Friday October 21, 2005 @06:37AM (#13843187) Homepage Journal
        Wikipedia [wikipedia.org] agrees with the Jargon File:
        A root kit is a set of tools used by an intruder after cracking a computer system. These tools can help the attacker maintain his or her access to the system and use it for malicious purposes.

        See also Sysinternals's Rootkit Revealer [sysinternals.com]:
        The term rootkit is used to describe the mechanisms and techniques whereby malware, including viruses, spyware, and trojans, attempt to hide their presence from spyware blockers, antivirus, and system management utilities.
      • Um, no. That's exploiting a vulnerability. As jaseuk's reply to you says, a rootkit is something that hides a process from things that examine the process table.
        • No , sorry , a rootkit is something that gets you root privs.
          Always has been. If I get root access then I rm the ps command
          does "rm" suddenly become a rootkit? No, of course not.
          • by Rich0 (548339) on Friday October 21, 2005 @07:07AM (#13843261) Homepage
            I think at this point the burden of proof is on you to come up with a reference. I've personally always heard the term rootkit used in the manner used now by about three people who have replied to you, and as described on three different fairly-definitive websites referenced in this thread.

            We can sit here all night posting back and forth "is not," "is too" but I don't think that we'll get any further. If you're so certain on your position please take 30 seconds and find something reasonably definitive to support your position.

            Mods - before modding anything else in this thread please take the time to actually look up what a rootkit is... :)

            For the record, an exploit is software designed to gain unauthorized access to a system. A rootkit is a set of tools used to maintain such access without the knowledge of the admin of the cracked system. Typically it includes modified ps, login/su/sshd, etc.

            The whole idea of a rootkit is to make sure you can get back into the system a week later when the admin has patched the original vulnerability. If you rm the ps command it probably won't take long for the admin to figure out what happened.

            The best way to detect a rootkit is via tripwire, run from a boot CD. There really isn't any way of defeating this method of detection, but it is very inconvenient since it requires brining the system offline for scanning. There are tools like rkhunter which search for rootkits on running systems, and in theory these can be defeated by a very clever rootkit.
            • A very good way to detect malware (in fact any unauthorized changes to system files is to md5sum (or better) all system files (which are preferrably stored on NAS on a local network) regularly by a separate heavily fortified system and send out an alert on differences.
              A framework for this (mtree, tools for package file checksumming, cron scripts etc.) has been part of the default installation on the *BSDs for ages, but I haven't seen anything like it in the default installation for any Linux distros.
              Of cour
              • > I haven't seen anything like it in the default installation for any Linux distros.

                You could just tar the rfs or a selection of critical system files, copy to tape, untar and md5sum those files on a non-networked box you keep hanging around for the purpose. For a limited number of key servers this wouldn't be too onerous.

                Now md5 hacks exist but a combination of creation date, filesize and md5 would be a fairly good fingerprint - or you could just diff against known good versions for a limited set of

                • by Rich0 (548339)
                  Actually, all of this is exactly what tripwire does. It stores a database of file attributes (hashes, mtimes, etc.).

                  You can also easily run it on a running system.

                  The problem is that on a running system your executable is subject to the whims of the currently-running kernel, glibc, linker, etc. If the rootkit installed a kernel module, or a modified glibc, or something else, then when you scan ps it could just point you to a saved unmodified copy of ps, and then your scan would miss the changes. When you
                  • thanks for taking the trouble to reply, as the mods say that is very informative. Damn those rootkits. I would suspect that the hardest trick to pull off is a raw dump of the fs but that is not very convient to manipulate.

                    I think the weakest link in most companies are idiot staff (like an ex-boss who brought more viruses into the company via his laptop than a Bombay hooker) and idiot sysadmins. In years of having a computer directly connected to the Internet I only got hit once when I installed a dodgy bina
      • by ajs318 (655362)
        And this is why I like the idea of binaries being tied hard to the exact processor for which they were compiled, rather than every processor having the same instruction set. It makes it a stackload harder to do stuff like that, when actually enabling the build environment requires physical access to the machine. As long as there exists binary compatibility between your systen and Some Unknown Bad Guy's system, there will be rootkits.

        Now that we have seen proof of checksum collisions, I do not doubt that
        • Are you talking about processor serial numbering, or talking about the difference between an Intel vs Sparc vs AMD vs PowerPC vs whatever? You could further granularize it by using the differences in clock speed, processor ID, etc. Interesting concept. You'd have to rebuild the entire machine to upgrade the CPU(s), though, if you did things either way.
          • I'm talking about each and every processor having a different instruction set. There would be two modes, selectable in hardware by shorting a pin to ground or not. In "Compatibility Mode" -- aka "Dangerous Mode" -- the instruction set would be known and standardised; thus allowing you to use a standardised toolchain to compile some bootstrap code {a kernel and a minimal userland} for running in Safe Mode. In "Safe Mode", the processor would use its own "personalised" instruction set, which you would ne
            • It's certianly a good idea, but I question how practical it would be. Most IT departments are so woefully understaffed as it is that maintaining specific builds for specific users (or departments) would quickly become a near-impossible task (not to mention the storage requirements of those images).

              In a technology-centric company that is able to build all its software in-house, this would make more sense, but would be adding "another layer" to what is already a significant amount of work.

    • Rootkits get you root.

      That's pretty much it.

      A given rootkit may well do more than that, and evading detection would be a great value-added extra, but making a running process harder to detect is not the core feature of a rootkit.

      Even if the jargon file says it is.

      • by hellraizr (694242)
        well it's obvious you've never actually been hit with one other wise you would know what you were talking about. *EXPLOITS* get you root. rootkits allow you to KEEP root. The average rootkit disables forensics programs like lsof, ps, find, locate, w, who, (sometimes) syslogd. They also modify shit like rc.sysinit or inittab.

        Don't let the name fool you because thats all it is is a name. Exploits and rootkits are 2 entirely different things. You can get all the exploits you want from packetstormsecurity [packetstormsecurity.nl] but

        • No. When I first started using the term 'rootkit', a rootkit implemented an exploit to enable you to acquire root access.

          The point of the rootkit was that it allowed a relatively inexperienced attacker to automate exploitation of vulnerabilities.

          Maybe you use the term a different way; that makes neither of us inherently right. It certainly doesn't mean the article mis-used the term any more than either of us.

        • by Redwin (805980)
          have seen just about every damn rootkit that actually works

          Isn't that a contradiction?*

          You can get all the exploits you want from packetstormsecurity but I dare you to find a single rootkit there.

          Homepage: Assessments -> RootKits [linuxsecurity.com]

          What you really want to watch out for are kernel level RootKits, as even checking the integrity of programs doesn't help as they aren't altered. The kernel runs a different program when you call the correct one. Evil I tell you!

          *Laugh, it was supposed to be a joke :-)

    • Rootkits are indeed designed to hide malware from the tools that are designed to show what applications, network connections, etc. are running. The article went on to explain this a bit more clearly, but it may have been a bit subtle. Yes, the purpose of a rootkit is to hide running processes from things like ps, and the windows task manager and such. But, the deal is that many Antivirus products include not only static pattern based detection algorithms that look for malware, but also behavior-based dete
    • Rootkit-- the software equivalent of a ninja. It is cunning and stealthy and its enemy has no knowledge of its presence.
  • arms race (Score:5, Funny)

    by kars (100858) on Friday October 21, 2005 @06:52AM (#13843227) Homepage
    So now we can wait for the AV vendors to come up with a rootkit detector detector detector..
  • Golden Hacker Defender does exist, can be purchased, and no it is NOT GPL..

    http://www.hxdef.org/antidetection.php [hxdef.org]

    They even have a license..

    Paid versions are not released under GPL licence.
    Every customer who buys antidetection service agrees with this licence.
    Customer is not allowed to spread the product or its parts in neither binary nor source code form.
    Violating of this licence will issue in loss of any support
    and also in impossibility of buying new updates and other products and services.
    Customer can do
    • Customer is not allowed to spread the product or its parts in neither binary nor source code form.

      Ah, very clever. So if you actually put it on someone elses system they can say you were violating the licence agreement?

      Customer is fully responsible for the application of boughten product.

      Actually, maybe they're just retarded after all.
  • In other news (Score:1, Offtopic)

    by DrXym (126579)
    Ex-mental patients start genital shaving business. Please form an orderly queue to use their services.
  • by Rogerborg (306625) on Friday October 21, 2005 @08:30AM (#13843544) Homepage
    You know, I'd like to see fewer "CRISIS! But wait! FooCorp can save you!" articles on Slashdot, and while we're at it, no dupes, and a pony.
  • by digitalstruct (906825) on Friday October 21, 2005 @09:16AM (#13843763)
    Rootkits are not nessesarily bad. They have good purposes such as in the enterprise world to watch what you are doing/logging what you are doing without you being able to find and terminate that process. You have to remember everything has a level of good and can be turned bad in an instant.

    It is like a formatting tool, when used properly it deletes what you want but if someone wrote a program to access the formatting tool and run it on a drive that you wanted things on now it has just been turned into something bad.

    There is a legitimate use to everything :)

    • Really?!?

      They have good purposes such as in the enterprise world to watch what you are doing/logging what you are doing

      Rootkits are not nessesarily bad


      I Rest my case (Heh,Heh)
    • You cannot be serious! Which clowns modded this 'insightful'? I would hardly call spying on employees with a rootkit a 'legitimate' use! Your analogy with a format utility is extremely flawed.
  • What about kernel level rootkits such as Knark [packetstormsecurity.org]?

    I'm not entirely sure why you would use a RootKit(legitimally) other than for limiting access on machines under your control, something that could surely be done with proper account setups.
     
  • Check out this webcast [microsoft.com] from Microsoft. While not as in-depth as some of us would like, it has some good information on things you can do to prevent rootkit infection.

    Also, check out SysInternal's RootKitRevealer [sysinternals.com]. Not only is it a handy tool, but the page gives a pretty good definition of rootkits as they apply to Windows.

"Just think of a computer as hardware you can program." -- Nigel de la Tierre

Working...