Slashdot Mirror


Rootkit Creators Turn Professional

pete richards writes "Signalling a trend towards increased 'outsourcing' of some elements of malware creation, worm authors are increasingly turning to commercially available rootkits to help their creations slip past virus detection engines. Those rootkits in the meantime are becoming more professional. Antivirus vendor F-Secure reported last week that it had detected a first rootkit designed to bypass detection by most of the modern rootkit detection engines."

11 of 117 comments

  1. Easy prey? by adyus · Score: 3, Insightful

    If it's a known fact that this Golden Hacker Defender rootkit is publicly sold, isn't it that much easier to catch the writers? Assuming there's a law against rootkits...

    1. Re:Easy prey? by prichardson · Score: 5, Insightful

      There probably isn't a law against rootkits, and there shouldn't be. There should be a law against using them to break into systems that you are not authorized to enter, and there is a law against that.

      A law against rootkits would be very problematic. Is VNC a rootkit? If there's a bug in SSH that is exploitable to gain root access I bet it would suddenly fall under the domain of being labeled a rootkit by any law banning them; should the maintainers of SSH be prosecuted because of that?

      It really comes down to liberty though. If I want to hack my own computer I should be allowed to do so. If I want to write a virus I should be allowed to do so, but I should not be allowed to release it into the wild.

      --
      Help I'm a rock.
    2. Re:Easy prey? by Anonymous Coward · Score: 1, Insightful

      "A law against rootkits would be very problematic. Is VNC a rootkit? If there's a bug in SSH that is exploitable to gain root access I bet it would suddenly fall under the domain of being labeled a rootkit by any law banning them, should the maintainers of SSH be prosecuted because of that?" - by prichardson (603676) on Friday October 21, @06:26AM

      You do have a point there... PING is another example as well, & it ships with most OS.

      It too, can be used to issue a "ping of death" though iirc, most OS are "proofed" against that now (again, iirc).

      I would suppose it comes down to 1 thing as an analog:

      "Guns don't kill people, people kill people."

      APK

      P.S.=> This is the 1 thing that "spooks me" somewhat - these rootkits.

      Personally, I don't think the "war on virus" can be won either, but in a way, maybe this is all for the 'good of all' in that it makes the creators of our Operating Systems we use have to work to make them better vs. these things (nuts as they are in virus, worms, & yes rootkits).

      On another note:

      I took a GOOD read, from the BSD folks the other day, & liked what I saw about how they have created some things in their IP stack that make their OS appear to be FAR better vs. another supposedly "unstoppable" bogus phenomenon out there:

      The DDoS/DoS attack!

      Take a read -> http://www.securityfocus.com/columnists/361

      Microsoft AND the Linux camp could take a play from the OpenBSD/FreeBSD playbook on THAT account imo!

      Between that, & heap/stack protection mechanisms in modern OS now being implemented/started? Things are starting to "look up" imo, but still have a ways to go...

      In 2003, one of my bosses (not particularly educated or skilled in this field mind you imo) said something that has stuck by me ever since:

      "We're still in the 'wild west days' & stone age of the computer/internet age - give it 10 years & watch how much gets better/stronger/faster"

      & I agreed. In 15-20 years, I have seen things get SO much better/nicer in the way of computing, that I must agree... apk

  2. Wicked by tezbobobo · Score: 3, Insightful

    So here's what you do - write a worm and wrap it around a Citrix or Windows Term Serv. Then when you have thousands, you can use them with DDoSes.

    Seriously though - Golden Hacker Defender. I've never heard of this. If it were seriously a commercial product, I doubt it would be a rootkit, perhaps a "Remote administration tool." I can't google (verb) where to purchase it.

    So here's the thing. I wrote a virus, and now I'm going to sell it. It's a commercial virus. Oops! No it isn't, it's just me selling a virus.

    Move along, nothing to see here.

  3. Commercially available? Whatever.... by manarth · Score: 2, Insightful

    In other news, we learn that script kiddies don't actually write software.

    What's with the "commercially available" business? From TFA:

    The version of the rootkit detected by F-Secure is called Golden Hacker Defender. It is a commercial product that can be bought for around 500, according to the security firm.

    So you can buy it, so what - you can buy cocaine on street corners, does that make it 'commercially available'? Or are they simply heralding Rootkit 101 as the latest product to hit the v-scene? What's next, Virus Writers Monthly?

    Come on, malware's been for sale for donkey's years; someone packaging something up and calling it a product doesn't change the nature of the beast.

  4. Re:What's the point of this type of hacking? by Tune · Score: 2, Insightful

    > What kind of pleasure can be had from doing this kind of hacking? After a while, doesn't it just become old hat?

    True, that's what happens to all industries while professionalizing. I guess it's similar to people willing to work in arms industry, so this doesn't just concern foreign governments.

  5. Virus writers go by their own rules. by geo_2677 · Score: 4, Insightful

    Virus writers go by their own rules. The anti virus business has a reactionary approach. Unless the anti virus engines have the updated signatures they can't stop the virus from spreading.
    Doesn't this again bring up the question which was discussed a while ago? 'Why should operating systems have a policy of default accept? Run only programs which you trust.' Not that this will solve the problem in one shot, but it will make the problem more manageable. By the way things are going and the speed with which new viruses are created, I guess the day is not far when we will need huge databases to store the signatures for the viruses on each machine.

  6. Misuse of the term by $RANDOMLUSER · Score: 5, Insightful

    From TFA:

    A rootkit is a tool that helps worm authors to slip past malware detection tools. The rootkit is 'wrapped around' the virus, and hides its payload from detection engines. After the rootkit has penetrated a system's defences, the worm can start doing its work.

    Wrong. A "rootkit" is a series of hacks to the underlying operating system, which make a running process harder to detect. In other words, a rootkit will keep your process from turning up in the Windows Task Manager, or a Linux "ps".

    Definition from the Jargon File.

    --
    No folly is more costly than the folly of intolerant idealism. - Winston Churchill
    1. Re:Misuse of the term by ArsenneLupin · Score: 4, Insightful

      > There is more to a root kit than just a replacement ps, but of course that is a critical element.

      Not necessarily. There are rootkits which are based on kernel modules (so that the kernel APIs are not reporting the process either, just in case the sysadmin brings in a statically compiled ps, or manually digs through /proc).

      It's the primitive rootkits that only replace some common utilities such as ps, ls, and netstat. Many of these don't even bother to doctor md5sum or rpm, so they can be trivially detected by an rpm -qa --verify.

      The good ones on the other hand do a much more thorough job, and can only be detected by booting from a known-good media (i.e. a Knoppix CD).
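
      The two detection checks this comment mentions, written out as a defender-side script. This is an added example for this page, not code from the commenter, from rpm or from any rootkit-detection tool: it compares the process list the kernel exposes under /proc with what the ps binary reports (a userland ps replacement that drops entries shows up as a difference; a kernel-module rootkit that filters /proc itself would not, which is exactly why the comment recommends a known-good boot medium), and it parses rpm -V style output to flag packaged utilities whose digest changed or that went missing. The /proc listing, ps output and rpm -V lines below are constructed sample data; the watch list of binaries and the scan_live helper are this example's own assumptions.

```python
"""Defender-side cross-checks for the two rootkit styles discussed above:
(1) /proc versus ps  -> catches a userland ps replacement that hides PIDs;
(2) rpm -V parsing   -> catches modified or missing packaged utilities.
All sample inputs in this file are constructed for illustration.
"""
import os
import re
import subprocess

# Positions in an `rpm -V` status string, as documented by rpm:
# S size, M mode, 5 digest, D device, L readlink, U user, G group,
# T mtime, P capabilities. A '.' means the attribute matched.
RPM_FLAGS = {
    "S": "size", "M": "mode", "5": "digest", "D": "device",
    "L": "readlink", "U": "user", "G": "group", "T": "mtime", "P": "caps",
}

# Constructed sample data (not captured from any real host).
SAMPLE_PROC = ["1", "2", "1337", "4242", "self", "cpuinfo", "meminfo"]
SAMPLE_PS = "    1\n    2\n 4242\n"          # PID 1337 is not reported by ps
SAMPLE_RPM_V = """\
S.5....T.    /bin/ps
..5......    /bin/netstat
S.5....T.  c /etc/ssh/sshd_config
missing      /usr/bin/md5sum
.......T.    /bin/ls
"""


def pids_from_proc_entries(entries):
    """Numeric directory names under /proc are the kernel's own process list."""
    return {int(name) for name in entries if name.isdigit()}


def pids_from_ps_output(text):
    """Parse the output of `ps -e -o pid=` (one PID per line)."""
    return {int(line) for line in text.split("\n") if line.strip().isdigit()}


def hidden_pids(proc_pids, ps_pids):
    """PIDs the kernel lists but the ps binary did not report."""
    return sorted(proc_pids - ps_pids)


def parse_rpm_verify(text):
    """Turn `rpm -V` lines into (path, [changed attributes]) tuples.
    rpm prints nothing for unchanged files, so every line is a finding;
    a 'missing' line means the packaged file is gone."""
    findings = []
    line_re = re.compile(r"^(missing|[S.M5DLUGTP?]{9})\s+(?:([cdglr])\s+)?(\S.*)$")
    for line in text.splitlines():
        m = line_re.match(line.rstrip())
        if not m:
            continue
        status, _ftype, path = m.groups()
        if status == "missing":
            findings.append((path, ["missing"]))
        else:
            findings.append((path, [RPM_FLAGS[c] for c in status if c in RPM_FLAGS]))
    return findings


def suspicious_binaries(findings, watch=("/bin/ps", "/bin/ls", "/bin/netstat",
                                         "/usr/bin/md5sum")):
    """Watched utilities whose content digest changed or that are missing.
    A changed mtime alone is not reported: it happens on legitimate updates."""
    return sorted(path for path, changed in findings
                  if path in watch and ("digest" in changed or "missing" in changed))


def scan_live():
    """Run both checks on the current host. Assumes Linux; the rpm check is
    skipped on hosts without rpm. Returns None where /proc is absent."""
    if not os.path.isdir("/proc"):
        return None
    proc = pids_from_proc_entries(os.listdir("/proc"))
    ps = subprocess.run(["ps", "-e", "-o", "pid="], capture_output=True, text=True)
    result = {"hidden": hidden_pids(proc, pids_from_ps_output(ps.stdout))}
    try:
        rv = subprocess.run(["rpm", "-Va"], capture_output=True, text=True)
        result["modified"] = suspicious_binaries(parse_rpm_verify(rv.stdout))
    except FileNotFoundError:
        result["modified"] = None
    return result


if __name__ == "__main__":
    print("hidden PIDs:", hidden_pids(pids_from_proc_entries(SAMPLE_PROC),
                                      pids_from_ps_output(SAMPLE_PS)))
    print("modified:", suspicious_binaries(parse_rpm_verify(SAMPLE_RPM_V)))
```

      Run against the constructed data it reports PID 1337 as hidden and flags /bin/ps, /bin/netstat and /usr/bin/md5sum, while /bin/ls (mtime only) is left alone. The caveat from the comment still applies: both checks trust the running kernel, so a clean result here says nothing about a kernel-module rootkit, and rpm -V itself is only as trustworthy as the rpm binary and database on the host.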

  7. Quick! How do I give F-Secure all my money? by Rogerborg · Score: 2, Insightful

    You know, I'd like to see fewer "CRISIS! But wait! FooCorp can save you!" articles on Slashdot, and while we're at it, no dupes, and a pony.

    --
    If you were blocking sigs, you wouldn't have to read this.
  8. Rootkits can be used for good. by digitalstruct · Score: 4, Insightful

    Rootkits are not necessarily bad. They have good purposes such as in the enterprise world to watch what you are doing/logging what you are doing without you being able to find and terminate that process. You have to remember everything has a level of good and can be turned bad in an instant.

    It is like a formatting tool, when used properly it deletes what you want but if someone wrote a program to access the formatting tool and run it on a drive that you wanted things on now it has just been turned into something bad.

    There is a legitimate use to everything :)