Slashdot Mirror

← Back to Stories (view on slashdot.org)

Rootkit Creators Turn Professional

Posted by ryuzaki0 on from the where-the-money-is dept.

pete richards writes "Signalling a trend towards increased 'outsourcing' of some elements of malware creation, worm authors are increasingly turning to commercially available rootkits to help their creations slip past virus detection engines. Those root kits in the mean time are becoming more professional. Antivirus vendor F-Secure reported last week that it had detected a first rootkit designed to bypass detection by most of the modern rootkit detection engines."

45 of 117 comments (clear)

  1. How dare they! by LiquidCoooled · · Score: 5, Funny

    Rootkits should be GPL.
    At the very least they should be GNU/Rootkits.

    Somebody contact the EFF or like start throwing chairs or something.

    --
    liqbase :: faster than paper
    1. Re:How dare they! by KiloByte · · Score: 4, Informative

      Like, SuckIt?

      --
      The creatures outside looked from Alt-Right to Antifa; but already it was impossible to say which was which.
    2. Re:How dare they! by Geminus · · Score: 5, Funny

      Someone should develop the ultimate rootkit, patent it's code... and then sue the antivirus companies for IP infringement when they include it's code in their latest definition.
      "All your oil belong to us."

    3. Re:How dare they! by xappax · · Score: 2, Interesting

      Actually, the free version of the Hacker Defender rootkit mentioned in the article is open source. GPL, I'm not sure about, but it still surprised me. It actually makes a lot of sense, because it allows attackers to customize and recompile the rootkit, probably creating a new binary that malware-detectors are unaware of.

    4. Re:How dare they! by Captain+Splendid · · Score: 4, Interesting
      You know, that's actually not a bad idea. Something similar to this could (hopefully) be used to help overturn (or change) the DMCA.

      --
      Linux, you magnificent bastard, I read the fucking manual!
  2. Easy prey? by adyus · · Score: 3, Insightful

    If it's a known fact that this Golden Hacker Defender rootkit is publically sold, isn't it that much easier to catch the writers? Assuming there's a law against rootkits...

    1. Re:Easy prey? by prichardson · · Score: 5, Insightful

      There probably isn't a law against rootkits, and there shouldn't be. There should be a law against using them to break into systems that you are not authorized to enter, and there is a law against that.

      A law against rootkits would be very problematic. Is VNC a rootkit? If there's a bug in SSH that is exploitable to gain root access I bet it would suddenly fall under the domain of being labeled a rootkit by any law banning them, should the mainatainers of SSH be prosecuted because of that?

      It really comes down to liberty though. If I want to hack my own computer I should be allowed to do so. If I want to write a virus I should be allowed to do so, but I should not be allowed to release it into the wild.

      --
      Help I'm a rock.
    2. Re:Easy prey? by ArsenneLupin · · Score: 4, Informative
      There probably isn't a law against rootkits, and there shouldn't be. There should be a law against using them to break into systems that you are not authorized to enter, and there is a law against that.

      A rootkit isn't a tool to break into a machine; it's a tool to hide your presence once you've already broken into the machine...

      Is VNC a rootkit?

      No. But a tool hiding VNC from the process list might be.

    3. Re:Easy prey? by AdamTheBastard · · Score: 2, Interesting
      "If I want to write a virus I should be allowed to do so, but I should not be allowed to release it into the wild."

      This poses an interesting question. If you did develop a worm with a nastey payload and release it on an entire subnet under your control (and ownership) that is firewalled off. Who would be blamed if a cracker broke in to the infected network, became infected themselves and then started infecting a public network either intentionly or not?

      We see this sort of thing happen a lot on the internet. Someone develops something that could be used to do something without the permission of copyright-holders/box-owners/ISPs but it is also possible to use it with the full permission of those that it effects. Who do we go after? Aparently the answer is both but I, along with a lot of others, disagree.
    4. Re:Easy prey? by Redwin · · Score: 2, Interesting

      This problem of who is guilty also comes up with the use of honeypots, ie if someone breaks into a honeypot system and launches an attack from there who is responsible? The attacker or the person supplying the resources?

      I agree with your point of view that a blanket "all are responsible" response is not the best course of action, as I've wondered how long it will be before people like the authors of security books get bundled into the category of "they supplied the knowledge to make this attack possible, therefore they are guilty as well".

      OTOH it might be considered negligent to have access to a dangerous piece of software available to the public domain at all, (even if it hidden behind some form of security).

      --
      Warning, comments may not have been passed by the sanity department of my brain.
    5. Re:Easy prey? by mOdQuArK! · · Score: 2, Informative

      Some administration tools hide their presence so that corporate office drones won't notice the system administrator monitoring them (for "security" reasons dontcha know). Are they root kits?

  3. Risk to burn karma but... by jamesjw · · Score: 5, Funny

    def n.: Rootkit:
    When an Australian male carries a few spare condoms with him on a night out.

    Ahhh.. maybe I shouldnt have bothered.. :)

    -- Jim.

    --
    -- If at first you don't succeed, lie!
    1. Re:Risk to burn karma but... by Eric+Giguere · · Score: 2, Funny

      If that's the aussie definition of a rootkit, what's the aussie definition of a trojan? Ahhh... never mind...

      Eric
      How the Vioxx recall reduced worldwide spam
    2. Re:Risk to burn karma but... by ajs318 · · Score: 5, Funny

      And no doubt the Aussie definition of an optimist is an opening batsman with sunblock on his nose!

      --
      Je fume. Tu fumes. Nous fûmes!
    3. Re:Risk to burn karma but... by MichaelSmith · · Score: 4, Funny
      the Aussie definition of an optimist is an opening batsman with sunblock on his nose

      In India, where they really do have sunlight, that might be true.

      --
      http://michaelsmith.id.au
  4. Wicked by tezbobobo · · Score: 3, Insightful

    So here's what you do - write a worm and wrap it around a citrix or Windows Term Serv. Then when you have thousands, you can use then with DDOSs.

    Seriously though - Golden Hacker Defender. I've never heard of this. It it were seriously a commercial product, I doubt it would be a rootkit, perhaps a "Remote administration tool." I can't goole (verb) where to purchase it.

    So here's the thing. I wrote a virus, and now I'm going to sell it. It's a commercial virus. Oops! Not it isn't, it's just me selling a virus.

    Move along, nothing to see here.

    1. Re:Wicked by SimilarityEngine · · Score: 3, Informative

      You were looking for this website presumably.

      --
      Those who can make you believe absurdities can make you commit atrocities. - Voltaire
    2. Re:Wicked by dan+dan+the+dna+man · · Score: 2, Informative

      Hmm it seems to be a new release of something called Hacker Defender. Apparently available here for the curious. Interesting comment in the box about how the commercial version is not released under the GPL :p

      --
      I don't read your sig, why do you read mine?
    3. Re:Wicked by Fred_A · · Score: 2, Interesting

      Shouldn't that be an administratorkit anyway ?

      --

      May contain traces of nut.
      Made from the freshest electrons.
  5. Sell rootkits and become a billionaire! by crazy_zulu · · Score: 5, Funny

    One company in Redmond has made billions from selling rootkits.

    --
    ...and one flew over the cuckoo's nest.
  6. Commercially available? Whatever.... by manarth · · Score: 2, Insightful

    In other news, we learn that script kiddies don't actually write software.

    What's with the "commercially available" business? From TFA:

    The version of the rootkit detected by F-Secure is called Golden Hacker Defender. It is a commercial product that can be bought for around 500, according to the security firm.

    So you can buy it, so what - you can buy cocaine on street corners, does that make it 'commercially available'? Or are they simply heralding Rootkit 101 as the latest product to hit the v-scene? What's next, Virus Writers Monthly?

    Come on, malware's been for sale for donkeys years, someone packaging something up and calling it a product doesn't change the nature of the beast.

    --
  7. What's the point of this type of hacking? by ReformedExCon · · Score: 2, Interesting

    What kind of pleasure can be had from doing this kind of hacking? After a while, doesn't it just become old hat?

    Or is there a Matrix-esque cabal of midnight hackers out there dressed in trenchcoats and sunglasses who are busy at work undermining the government? I find that hard to believe.

    I find it easy to believe that there are foreign governments very interested in this type of thing, but it is difficult to imagine ordinary citizens having both the desire and the wherewithal to perform serious attacks and avoid prosecution.

    Or maybe I am just having the wool pulled over my eyes.

    --
    Jesus saved me from my past. He can save you as well.
    1. Re:What's the point of this type of hacking? by Tune · · Score: 2, Insightful

      > What kind of pleasure can be had from doing this kind of hacking? After a while, doesn't it just become old hat?

      True, that's what happens to all industries while professionalizing. I guess it's similar to people willing to work in arms industry, so this doesn't just concern foreign governments.

  8. Re:Waiting for Vista by Anonymous Coward · · Score: 3, Informative

    Umm..did you know that rootkits were out for *nix long before windows? The rootkits for those systems are far more sophisticated.

  9. It's organised crime becoming more sophisticated by Anonymous Coward · · Score: 2, Interesting

    If you've been watching the news the last few weeks ex-IRA members have been busted doing forgeries in North Korea, bomb-making in Iraq, and making IED's in Columbia. This is an example of the market for worldwide organised crime skills becoming huge as organisations outsource skillsets, especially nefarious skillsets. It's interesting to note the rise of these types of non-state actors on the world stage and how they are interplaying with governments and corporations. Organised crime is going to become huge and a much more realistic threat than terrorism will ever be on multiple fronts eg. economic (black markets), societal (drugs), morality (the increasing legitizmation of groups and the intertwining with big gov and big biz).

  10. Fact or fiction? by FishandChips · · Score: 5, Interesting

    Hmnn, this article is thin on facts and figures. And like so much "news" coming from the security industry, you're never really sure how much of it is fud and puffery in order to sell new products. Still, I guess things will continue to get worse so long as much of the IT industry plays pass the parcel, a shuffling process that always ends with the hit landing up on the poor old end-user, the person who is usually least qualified to deal with it.

    I guess Bruce Schneier is right when he suggests that the way to improve some aspects of security, anyway, is by placing responsibility firmly on outfits like banks and ISPs who'll get smacked mightly hard in the wallet - by law, this time - unless they raise their game. That might put some pressure on OS-makers and their pals to design products that don't also need AV checkers that are dependent on signature libraries and prey to zero-day exploits.

    Love the quote from a researcher saying that the alleged sale of rookits means that "there is a criminalisation of the virus world going on." As if it hasn't been criminal till now, just good clean fun ho ho.

    --
    Las qué passoun
    tournoun pas maï
    1. Re:Fact or fiction? by Viol8 · · Score: 2, Informative

      "Love the quote from a researcher saying that the alleged sale of rookits means that "

      I think what he meant (tho he could have phrased it much better) is that previously virus writers were just sad spotty adolescents with no social skills in their bedroom writing viruses to prove something to themselves or to impress they're equally sad and
      spotty online "friends". These days a lot of it is paid for by organised crime who have specific targets and specific agendas.

  11. Virus writers go by their own rules. by geo_2677 · · Score: 4, Insightful

    Virus writers go by their own rules. The anti virus business has a reactionary approach. Unless the anti virus engines have the updated signatures they can't stop the virus from spreading.
    Doesn't this again bring up the question which was discussed a while ago. 'Why should Operating systems have a policy of default accept? Run programs only which you trust.' Not that this will solve the problem in one shot but it will make the problem more manageable. By the way things are going and the speed with which new viruses are created, i guess the day is not far when we will need huge databases to store the signatures for the viruses on each machine.

  12. Misuse of the term by $RANDOMLUSER · · Score: 5, Insightful
    From TFA:

    A rootkit is a tool that helps worm authors to slip past malware detection tools. The rootkit is 'wrapped around' the virus, and hides its payload from detection engines. After the rootkit has penetrated a system's defences, the worm can start doing its work.

    Wrong. A "rootkit" is a series of hacks to the underlying operating system, which make a running process harder to detect. In other words, a rootkit will keep your process from turning up in the Windows Task Manager, or a Linux "ps".

    Definition from the Jargon File.

    --
    No folly is more costly than the folly of intolerant idealism. - Winston Churchill
    1. Re:Misuse of the term by jaseuk · · Score: 5, Informative

      Root kits will normally includ things such as modded ps and other modified binaries so that the system appears to be running fine, yet has a backdoor and any logging / system monitoring tools will not show any processes or activity.

      There is more to a root kit than just a replacement ps, but of course that is a critical element.

      No it's not rocket science, but in practice modding system binaries whilst on the outside keeping the system appearing to be running normally is much harder, different library / operating system / architectures to deal with and the fact that you are messing around with core system files.

    2. Re:Misuse of the term by PhilHibbs · · Score: 3, Informative
      Wikipedia agrees with the Jargon File:
      A root kit is a set of tools used by an intruder after cracking a computer system. These tools can help the attacker maintain his or her access to the system and use it for malicious purposes.

      See also Sysinternals's Rootkit Revealer:
      The term rootkit is used to describe the mechanisms and techniques whereby malware, including viruses, spyware, and trojans, attempt to hide their presence from spyware blockers, antivirus, and system management utilities.
    3. Re:Misuse of the term by $RANDOMLUSER · · Score: 2, Informative

      Um, no. That's exploiting a vulnerability. As jaseuk's reply to you says, a rootkit is something that hides a process from things that examine the process table.

      --
      No folly is more costly than the folly of intolerant idealism. - Winston Churchill
    4. Re:Misuse of the term by Rich0 · · Score: 5, Interesting

      I think at this point the burden of proof is on you to come up with a reference. I've personally always heard the term rootkit used in the manner used now by about three people who have replied to you, and as described on three different fairly-definitive websites referenced in this thread.

      We can sit here all night posting back and forth "is not," "is too" but I don't think that we'll get any further. If you're so certain on your position please take 30 seconds and find something reasonably definitive to support your position.

      Mods - before modding anything else in this thread please take the time to actually look up what a rootkit is... :)

      For the record, an exploit is software designed to gain unauthorized access to a system. A rootkit is a set of tools used to maintain such access without the knowledge of the admin of the cracked system. Typically it includes modified ps, login/su/sshd, etc.

      The whole idea of a rootkit is to make sure you can get back into the system a week later when the admin has patched the original vulnerability. If you rm the ps command it probably won't take long for the admin to figure out what happened.

      The best way to detect a rootkit is via tripwire, run from a boot CD. There really isn't any way of defeating this method of detection, but it is very inconvenient since it requires brining the system offline for scanning. There are tools like rkhunter which search for rootkits on running systems, and in theory these can be defeated by a very clever rootkit.

    5. Re:Misuse of the term by ArsenneLupin · · Score: 4, Insightful
      There is more to a root kit than just a replacement ps, but of course that is a critical element.

      Not necessarily. There are rootkits which are based on kernel modules (so that the kernel API are not reporting the process either, just in case the sysadmin brings in a statically compiled ps, or manually digs through /proc).

      It's the primitive rootkits that only replace some common utilities such as ps, ls, and netstat. Many of these don't even bother to doctor md5sum or rpm, so they can be trivially detected by an rpm -qa --verify.

      The good ones on the other hand do a much more thorough job, and can only be detected by booting from a known-good media (i.e. a Knoppix CD)

    6. Re:Misuse of the term by ajs318 · · Score: 2, Interesting

      And this is why I like the idea of binaries being tied hard to the exact processor for which they were compiled, rather than every processor having the same instruction set. It makes it a stackload harder to do stuff like that, when actually enabling the build environment requires physical access to the machine. As long as there exists binary compatibility between your systen and Some Unknown Bad Guy's system, there will be rootkits.

      Now that we have seen proof of checksum collisions, I do not doubt that the next big thing in malware circles will be to create modified binaries whose checksums are the same as the originals ..... if they haven't already ..... of course, using checksums is actually a pretty christian way of checking for intrusions, because you don't really know for sure that the checksum creator itself hasn't been interfered with.

      --
      Je fume. Tu fumes. Nous fûmes!
    7. Re:Misuse of the term by mikiN · · Score: 2

      A very good way to detect malware (in fact any unauthorized changes to system files is to md5sum (or better) all system files (which are preferrably stored on NAS on a local network) regularly by a separate heavily fortified system and send out an alert on differences.
      A framework for this (mtree, tools for package file checksumming, cron scripts etc.) has been part of the default installation on the *BSDs for ages, but I haven't seen anything like it in the default installation for any Linux distros.
      Of course there may always be holes, but at least they will require an attacker always use in-memory tricks to gain and maintain access, at least until the next vulnerability gets fixed.

      --
      The Hacker's Guide To The Kernel: Don't panic()!
    8. Re:Misuse of the term by hellraizr · · Score: 2, Informative

      well it's obvious you've never actually been hit with one other wise you would know what you were talking about. *EXPLOITS* get you root. rootkits allow you to KEEP root. The average rootkit disables forensics programs like lsof, ps, find, locate, w, who, (sometimes) syslogd. They also modify shit like rc.sysinit or inittab.

      Don't let the name fool you because thats all it is is a name. Exploits and rootkits are 2 entirely different things. You can get all the exploits you want from packetstormsecurity but I dare you to find a single rootkit there.

      You don't have to take my word for it but jfyi, I worked as a security admin at a rather large dedicated hosting company and have seen just about every damn rootkit that actually works.

    9. Re:Misuse of the term by Redwin · · Score: 2, Informative

      have seen just about every damn rootkit that actually works

      Isn't that a contradiction?*

      You can get all the exploits you want from packetstormsecurity but I dare you to find a single rootkit there.

      Homepage: Assessments -> RootKits

      What you really want to watch out for are kernel level RootKits, as even checking the integrity of programs doesn't help as they aren't altered. The kernel runs a different program when you call the correct one. Evil I tell you!

      *Laugh, it was supposed to be a joke :-)

      --
      Warning, comments may not have been passed by the sanity department of my brain.
    10. Re:Misuse of the term by Rich0 · · Score: 2, Informative

      Actually, all of this is exactly what tripwire does. It stores a database of file attributes (hashes, mtimes, etc.).

      You can also easily run it on a running system.

      The problem is that on a running system your executable is subject to the whims of the currently-running kernel, glibc, linker, etc. If the rootkit installed a kernel module, or a modified glibc, or something else, then when you scan ps it could just point you to a saved unmodified copy of ps, and then your scan would miss the changes. When you look for running processes via a system call, the kernel patch could deceive you. Even if you are statically linked you are still subject to the kernel for file access. Even if you run as root and directly access the hard drive device, you are going through the kernel device driver. Even if you make low-level hardware calls you are still in userland and a very clever rootkit running in ring 0 could interrupt your program and make it do whatever it wants. Of course, all of these tricks are very difficult to pull off, and most rootkits rely only on a subset of them.

      Also, if your hash database is not stored on read-only media it could have been tampered with.

      However, the safest way to scan for a rootkit is to boot from known-good media and scan against a known-good database. There is no way to defeat this. In the same way, the safest way to clean a virus is to boot off of a clean disk and purge the virus when it has not been loaded into memory.

      Usually the best practice is to run tripwire and do online scans frequently, and offline scans anytime you suspect malicious activity or one some less frequent schedule.

      The problem with tripwire is people like me who are constantly upgrading packages. Your tripwire database needs to be updated anytime you install software, making it best suited to infrequently-changing servers...

  13. arms race by kars · · Score: 5, Funny

    So now we can wait for the AV vendors to come up with a rootkit detector detector detector..

    --
    Take life easy: one bit at a time.
  14. Re:Waiting for Vista by MichaelSmith · · Score: 3, Interesting
    did you know that rootkits were out for *nix long before windows

    Which is the principle difference between *nix and windows. Most of the holes in unices have been found over the years. Windows was only exposed to wide area networks in a serious way over the last ten years. The bugs are still being found.

    --
    http://michaelsmith.id.au
  15. www.hxdef.org....nuff said by harmonics · · Score: 2, Informative

    Golden Hacker Defender does exist, can be purchased, and no it is NOT GPL..

    http://www.hxdef.org/antidetection.php

    They even have a license..

    Paid versions are not released under GPL licence.
    Every customer who buys antidetection service agrees with this licence.
    Customer is not allowed to spread the product or its parts in neither binary nor source code form.
    Violating of this licence will issue in loss of any support
    and also in impossibility of buying new updates and other products and services.
    Customer can do whatever he/she wants with his/her product except
    all activities that are forbidden in this licence.
    Customer can even modify the source code or the binary form of the product.
    Customer is fully responsible for the application of boughten product.
    Provider of antidetection service reserves the right to refuse any customers order.
    If customers order is accepted customer pledges to pay the full sum before he/she gets the product.
    Provider pledges to assemble the product and send it to the customer in 5 working days.
    If provider is not able to fulfil the order the customer will get all his/her money back.
    All payments are provided by e-gold (http://www.e-gold.com/ rarely by prior arrangement
    payments via Moneybookers (http://www.moneybookers.com/ can be accepted too.
    Customer will receive relevant payment information after provider accepts the order.

  16. Quick! How do I give F-Secure all my money? by Rogerborg · · Score: 2, Insightful

    You know, I'd like to see fewer "CRISIS! But wait! FooCorp can save you!" articles on Slashdot, and while we're at it, no dupes, and a pony.

    --
    If you were blocking sigs, you wouldn't have to read this.
  17. Re:designed to by-pass detection? by m50d · · Score: 2, Informative

    The point is this one is not only designed to not be found by "normal" methods, but also to avoid detection by specialist anti-rootkit programs.

    --
    I am trolling
  18. Rootkits can be used for good. by digitalstruct · · Score: 4, Insightful

    Rootkits are not nessesarily bad. They have good purposes such as in the enterprise world to watch what you are doing/logging what you are doing without you being able to find and terminate that process. You have to remember everything has a level of good and can be turned bad in an instant.

    It is like a formatting tool, when used properly it deletes what you want but if someone wrote a program to access the formatting tool and run it on a drive that you wanted things on now it has just been turned into something bad.

    There is a legitimate use to everything :)