Rootkit Creators Turn Professional
pete richards writes "Signalling a trend towards increased 'outsourcing' of some elements of malware creation, worm authors are increasingly turning to commercially available rootkits to help their creations slip past virus detection engines. Those rootkits, in the meantime, are becoming more professional. Antivirus vendor F-Secure reported last week that it had detected a first rootkit designed to bypass detection by most of the modern rootkit detection engines."
Rootkits should be GPL.
At the very least they should be GNU/Rootkits.
Somebody contact the EFF or like start throwing chairs or something.
liqbase
If it's a known fact that this Golden Hacker Defender rootkit is publicly sold, isn't it that much easier to catch the writers? Assuming there's a law against rootkits...
It's the new radar-detector-detector-detector-detector-detector-detector!
def n.: Rootkit:
:)
When an Australian male carries a few spare condoms with him on a night out.
Ahhh.. maybe I shouldn't have bothered..
-- Jim.
-- If at first you don't succeed, lie!
So here's what you do - write a worm and wrap it around a Citrix or Windows Terminal Server. Then when you have thousands, you can use them for DDoSes.
Seriously though - Golden Hacker Defender. I've never heard of this. If it were seriously a commercial product, I doubt it would be a rootkit, perhaps a "Remote administration tool." I can't google (verb) where to purchase it.
So here's the thing. I wrote a virus, and now I'm going to sell it. It's a commercial virus. Oops! No it isn't, it's just me selling a virus.
Move along, nothing to see here.
One company in Redmond has made billions from selling rootkits.
...and one flew over the cuckoo's nest.
In other news, we learn that script kiddies don't actually write software.
What's with the "commercially available" business? From TFA: So you can buy it, so what - you can buy cocaine on street corners, does that make it 'commercially available'? Or are they simply heralding Rootkit 101 as the latest product to hit the v-scene? What's next, Virus Writers Monthly?
Come on, malware's been for sale for donkey's years, someone packaging something up and calling it a product doesn't change the nature of the beast.
What kind of pleasure can be had from doing this kind of hacking? After a while, doesn't it just become old hat?
Or is there a Matrix-esque cabal of midnight hackers out there dressed in trenchcoats and sunglasses who are busy at work undermining the government? I find that hard to believe.
I find it easy to believe that there are foreign governments very interested in this type of thing, but it is difficult to imagine ordinary citizens having both the desire and the wherewithal to perform serious attacks and avoid prosecution.
Or maybe I am just having the wool pulled over my eyes.
Jesus saved me from my past. He can save you as well.
In case you don't get it, what he's saying is that Windows is insecure!
They sell cocaine openly on the web?
Umm.. did you know that rootkits were out for *nix long before Windows? The rootkits for those systems are far more sophisticated.
If you've been watching the news the last few weeks, ex-IRA members have been busted doing forgeries in North Korea, bomb-making in Iraq, and making IEDs in Colombia. This is an example of the market for worldwide organised crime skills becoming huge as organisations outsource skillsets, especially nefarious skillsets. It's interesting to note the rise of these types of non-state actors on the world stage and how they are interplaying with governments and corporations. Organised crime is going to become huge and a much more realistic threat than terrorism will ever be on multiple fronts, e.g. economic (black markets), societal (drugs), morality (the increasing legitimization of groups and the intertwining with big gov and big biz).
Hmnn, this article is thin on facts and figures. And like so much "news" coming from the security industry, you're never really sure how much of it is FUD and puffery in order to sell new products. Still, I guess things will continue to get worse so long as much of the IT industry plays pass the parcel, a shuffling process that always ends with the hit landing up on the poor old end-user, the person who is usually least qualified to deal with it.
I guess Bruce Schneier is right when he suggests that the way to improve some aspects of security, anyway, is by placing responsibility firmly on outfits like banks and ISPs who'll get smacked mighty hard in the wallet - by law, this time - unless they raise their game. That might put some pressure on OS-makers and their pals to design products that don't also need AV checkers that are dependent on signature libraries and prey to zero-day exploits.
Love the quote from a researcher saying that the alleged sale of rootkits means that "there is a criminalisation of the virus world going on." As if it hasn't been criminal till now, just good clean fun ho ho.
Those that pass never return
Isn't that the point of a rootkit?
Virus writers go by their own rules. The anti-virus business has a reactionary approach. Unless the anti-virus engines have the updated signatures they can't stop the virus from spreading.
Doesn't this again bring up the question which was discussed a while ago: 'Why should operating systems have a policy of default accept? Run only programs which you trust.' Not that this will solve the problem in one shot, but it will make the problem more manageable. By the way things are going and the speed with which new viruses are created, I guess the day is not far when we will need huge databases to store the signatures for the viruses on each machine.
A rootkit is a tool that helps worm authors to slip past malware detection tools. The rootkit is 'wrapped around' the virus, and hides its payload from detection engines. After the rootkit has penetrated a system's defences, the worm can start doing its work.
Wrong. A "rootkit" is a series of hacks to the underlying operating system, which make a running process harder to detect. In other words, a rootkit will keep your process from turning up in the Windows Task Manager, or a Linux "ps".
Definition from the Jargon File.
No folly is more costly than the folly of intolerant idealism. - Winston Churchill
In other news, we learn that script kiddies don't actually write software.
I'd have thought 450 euros (see here, select "Golden Hacker Defender" from combo box) was a bit beyond the price range of your average copy/paste script kiddies, but then I've never met any so I wouldn't know. Either way, it's not clear to me that the site is breaking any laws by selling this software. Any lawyers around?
What's next, Virus Writers Monthly?
How about this?
Those who can make you believe absurdities can make you commit atrocities. - Voltaire
So now we can wait for the AV vendors to come up with a rootkit detector detector detector..
Take life easy: one bit at a time.
Bah. Kiddies won't pay a dime.
One "l337 virii crew" gets a copy, and boom, it has a new home in the gnutella bitstream for all eternity.
It's MONEY. Compromised home machines, compromised online banking, identity theft, spam bot-nets...
Which is the principal difference between *nix and Windows. Most of the holes in unices have been found over the years. Windows was only exposed to wide area networks in a serious way over the last ten years. The bugs are still being found.
http://michaelsmith.id.au
...and Windows doesn't have "root," it has "Administrator."
Microsoft is the last to innovate!
you can buy cocaine on street corners, does that make it 'commercially available'?
Yes.
Golden Hacker Defender does exist, can be purchased, and no it is NOT GPL..
http://www.hxdef.org/antidetection.php
They even have a license..
Paid versions are not released under GPL licence.
Every customer who buys antidetection service agrees with this licence.
Customer is not allowed to spread the product or its parts in either binary or source code form.
Violating this licence will result in loss of any support
and also in impossibility of buying new updates and other products and services.
Customer can do whatever he/she wants with his/her product except
all activities that are forbidden in this licence.
Customer can even modify the source code or the binary form of the product.
Customer is fully responsible for the application of the bought product.
Provider of antidetection service reserves the right to refuse any customer's order.
If customer's order is accepted, customer pledges to pay the full sum before he/she gets the product.
Provider pledges to assemble the product and send it to the customer in 5 working days.
If provider is not able to fulfil the order, the customer will get all his/her money back.
All payments are provided by e-gold (http://www.e-gold.com/); rarely, by prior arrangement,
payments via Moneybookers (http://www.moneybookers.com/) can be accepted too.
Customer will receive relevant payment information after provider accepts the order.
Ex-mental patients start genital shaving business. Please form an orderly queue to use their services.
You know, I'd like to see fewer "CRISIS! But wait! FooCorp can save you!" articles on Slashdot, and while we're at it, no dupes, and a pony.
If you were blocking sigs, you wouldn't have to read this.
Rootkits are not necessarily bad. They have good purposes, such as in the enterprise world to watch what you are doing/log what you are doing without you being able to find and terminate that process. You have to remember everything has a level of good and can be turned bad in an instant.
:)
It is like a formatting tool, when used properly it deletes what you want but if someone wrote a program to access the formatting tool and run it on a drive that you wanted things on now it has just been turned into something bad.
There is a legitimate use to everything
What about kernel level rootkits such as Knark?
I'm not entirely sure why you would use a rootkit (legitimately) other than for limiting access on machines under your control, something that could surely be done with proper account setups.
Warning, comments may not have been passed by the sanity department of my brain.
It's actually an interesting business model, because it mirrors that of other open source businesses. Yeah, maybe you can get a copy of the code itself, but what you really need is the support agreement. When an attacker buys a commercial rootkit from the Hacker Defender folks, they agree to update his or her rootkit to keep it undetectable from malware-scanners for a given amount of time.
If the attacker were to freely distribute the code they got, it would show up on Norton's radar pretty quick, and become worthless to everyone who used it. The money is not so much for the code as it is for the service of providing an attacker with a customized, up to date, undetectable rootkit.
Check out this webcast from Microsoft. While not as in-depth as some of us would like, it has some good information on things you can do to prevent rootkit infection.
Also, check out Sysinternals' RootkitRevealer. Not only is it a handy tool, but the page gives a pretty good definition of rootkits as they apply to Windows.
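The cross-view idea behind RootkitRevealer, and the process-hiding described a few comments up (a rootkit keeping a process out of Task Manager or `ps`), as an added defender-side example for this thread rather than code from Sysinternals or the article. It assumes Linux: the listing view is `/proc`, which a hider can filter, and the independent view is asking the kernel about each PID with `kill(pid, 0)`.

```python
import os


def visible_pids():
    """The view ps-style tools use: numeric entries in /proc.
    A hider that filters readdir() results keeps a process out of this set."""
    return {int(name) for name in os.listdir("/proc") if name.isdigit()}


def probe_pids(pids):
    """Independent view: kill(pid, 0) sends nothing, it only reports existence.
    EPERM still means the PID exists (owned by another user)."""
    alive = set()
    for pid in pids:
        try:
            os.kill(pid, 0)
        except ProcessLookupError:
            continue            # no such process
        except PermissionError:
            pass                # exists, just not ours
        alive.add(pid)
    return alive


def cross_view_diff(visible, probed):
    """PIDs the kernel acknowledges but the listing view omits (sets of ints)."""
    return sorted(probed - visible)


def confirm_hidden(candidates, visible_fn, probe_fn, rounds=2):
    """A PID can differ between views simply because the process exited between
    the two scans. Re-check each candidate and keep only those that remain alive
    according to the probe AND absent from the listing on every round."""
    confirmed = set(candidates)
    for _ in range(rounds):
        still_alive = probe_fn(confirmed)
        listed = visible_fn()
        confirmed = {p for p in confirmed if p in still_alive and p not in listed}
    return sorted(confirmed)


def scan(max_pid=None):
    """Full cross-view scan of the live system; returns confirmed hidden PIDs."""
    if max_pid is None:
        with open("/proc/sys/kernel/pid_max") as fh:
            max_pid = int(fh.read())
    suspects = cross_view_diff(visible_pids(), probe_pids(range(1, max_pid + 1)))
    return confirm_hidden(suspects, visible_pids, probe_pids)


if __name__ == "__main__":
    print("hidden PIDs:", scan() or "none")
```

A hider that hooks the syscall layer consistently can fool both views, which is why tools like RootkitRevealer add further views (raw on-disk structures versus the API); the differencing logic is the same.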
Rootkits don't just get into a computer magically, they have to exploit a vulnerability in the OS or trick the user. *nix based systems don't let user stupidity do much harm to the computer itself as the user has restricted access to the filesystem.
On Windows, I've seen viruses get full admin privileges and install a rootkit even if they're caught by a user with a restricted user account. That's why I'd like Vista to be more secure than WinXP. Call me a troll, I'm just talking about my own experiences.
I saw it at BestBuy but it was behind locked glass and they said you had to have a note from your mommy.
You cannot be serious! Which clowns modded this 'insightful'? I would hardly call spying on employees with a rootkit a 'legitimate' use! Your analogy with a format utility is extremely flawed.
Sorry.