Slashdot Mirror

← Back to Stories (view on slashdot.org)

Rootkit Creators Turn Professional

Posted by ryuzaki0 on from the where-the-money-is dept.

pete richards writes "Signalling a trend towards increased 'outsourcing' of some elements of malware creation, worm authors are increasingly turning to commercially available rootkits to help their creations slip past virus detection engines. Those root kits in the mean time are becoming more professional. Antivirus vendor F-Secure reported last week that it had detected a first rootkit designed to bypass detection by most of the modern rootkit detection engines."

18 of 117 comments (clear)

  1. How dare they! by LiquidCoooled · · Score: 5, Funny

    Rootkits should be GPL.
    At the very least they should be GNU/Rootkits.

    Somebody contact the EFF or like start throwing chairs or something.

    --
    liqbase :: faster than paper
    1. Re:How dare they! by KiloByte · · Score: 4, Informative

      Like, SuckIt?

      --
      The creatures outside looked from Alt-Right to Antifa; but already it was impossible to say which was which.
    2. Re:How dare they! by Geminus · · Score: 5, Funny

      Someone should develop the ultimate rootkit, patent it's code... and then sue the antivirus companies for IP infringement when they include it's code in their latest definition.
      "All your oil belong to us."

    3. Re:How dare they! by Captain+Splendid · · Score: 4, Interesting
      You know, that's actually not a bad idea. Something similar to this could (hopefully) be used to help overturn (or change) the DMCA.

      --
      Linux, you magnificent bastard, I read the fucking manual!
  2. Risk to burn karma but... by jamesjw · · Score: 5, Funny

    def n.: Rootkit:
    When an Australian male carries a few spare condoms with him on a night out.

    Ahhh.. maybe I shouldnt have bothered.. :)

    -- Jim.

    --
    -- If at first you don't succeed, lie!
    1. Re:Risk to burn karma but... by ajs318 · · Score: 5, Funny

      And no doubt the Aussie definition of an optimist is an opening batsman with sunblock on his nose!

      --
      Je fume. Tu fumes. Nous fûmes!
    2. Re:Risk to burn karma but... by MichaelSmith · · Score: 4, Funny
      the Aussie definition of an optimist is an opening batsman with sunblock on his nose

      In India, where they really do have sunlight, that might be true.

      --
      http://michaelsmith.id.au
  3. Sell rootkits and become a billionaire! by crazy_zulu · · Score: 5, Funny

    One company in Redmond has made billions from selling rootkits.

    --
    ...and one flew over the cuckoo's nest.
  4. Fact or fiction? by FishandChips · · Score: 5, Interesting

    Hmnn, this article is thin on facts and figures. And like so much "news" coming from the security industry, you're never really sure how much of it is fud and puffery in order to sell new products. Still, I guess things will continue to get worse so long as much of the IT industry plays pass the parcel, a shuffling process that always ends with the hit landing up on the poor old end-user, the person who is usually least qualified to deal with it.

    I guess Bruce Schneier is right when he suggests that the way to improve some aspects of security, anyway, is by placing responsibility firmly on outfits like banks and ISPs who'll get smacked mightly hard in the wallet - by law, this time - unless they raise their game. That might put some pressure on OS-makers and their pals to design products that don't also need AV checkers that are dependent on signature libraries and prey to zero-day exploits.

    Love the quote from a researcher saying that the alleged sale of rookits means that "there is a criminalisation of the virus world going on." As if it hasn't been criminal till now, just good clean fun ho ho.

    --
    Las qué passoun
    tournoun pas maï
  5. Virus writers go by their own rules. by geo_2677 · · Score: 4, Insightful

    Virus writers go by their own rules. The anti virus business has a reactionary approach. Unless the anti virus engines have the updated signatures they can't stop the virus from spreading.
    Doesn't this again bring up the question which was discussed a while ago. 'Why should Operating systems have a policy of default accept? Run programs only which you trust.' Not that this will solve the problem in one shot but it will make the problem more manageable. By the way things are going and the speed with which new viruses are created, i guess the day is not far when we will need huge databases to store the signatures for the viruses on each machine.

  6. Misuse of the term by $RANDOMLUSER · · Score: 5, Insightful
    From TFA:

    A rootkit is a tool that helps worm authors to slip past malware detection tools. The rootkit is 'wrapped around' the virus, and hides its payload from detection engines. After the rootkit has penetrated a system's defences, the worm can start doing its work.

    Wrong. A "rootkit" is a series of hacks to the underlying operating system, which make a running process harder to detect. In other words, a rootkit will keep your process from turning up in the Windows Task Manager, or a Linux "ps".

    Definition from the Jargon File.

    --
    No folly is more costly than the folly of intolerant idealism. - Winston Churchill
    1. Re:Misuse of the term by jaseuk · · Score: 5, Informative

      Root kits will normally includ things such as modded ps and other modified binaries so that the system appears to be running fine, yet has a backdoor and any logging / system monitoring tools will not show any processes or activity.

      There is more to a root kit than just a replacement ps, but of course that is a critical element.

      No it's not rocket science, but in practice modding system binaries whilst on the outside keeping the system appearing to be running normally is much harder, different library / operating system / architectures to deal with and the fact that you are messing around with core system files.

    2. Re:Misuse of the term by Rich0 · · Score: 5, Interesting

      I think at this point the burden of proof is on you to come up with a reference. I've personally always heard the term rootkit used in the manner used now by about three people who have replied to you, and as described on three different fairly-definitive websites referenced in this thread.

      We can sit here all night posting back and forth "is not," "is too" but I don't think that we'll get any further. If you're so certain on your position please take 30 seconds and find something reasonably definitive to support your position.

      Mods - before modding anything else in this thread please take the time to actually look up what a rootkit is... :)

      For the record, an exploit is software designed to gain unauthorized access to a system. A rootkit is a set of tools used to maintain such access without the knowledge of the admin of the cracked system. Typically it includes modified ps, login/su/sshd, etc.

      The whole idea of a rootkit is to make sure you can get back into the system a week later when the admin has patched the original vulnerability. If you rm the ps command it probably won't take long for the admin to figure out what happened.

      The best way to detect a rootkit is via tripwire, run from a boot CD. There really isn't any way of defeating this method of detection, but it is very inconvenient since it requires brining the system offline for scanning. There are tools like rkhunter which search for rootkits on running systems, and in theory these can be defeated by a very clever rootkit.

    3. Re:Misuse of the term by ArsenneLupin · · Score: 4, Insightful
      There is more to a root kit than just a replacement ps, but of course that is a critical element.

      Not necessarily. There are rootkits which are based on kernel modules (so that the kernel API are not reporting the process either, just in case the sysadmin brings in a statically compiled ps, or manually digs through /proc).

      It's the primitive rootkits that only replace some common utilities such as ps, ls, and netstat. Many of these don't even bother to doctor md5sum or rpm, so they can be trivially detected by an rpm -qa --verify.

      The good ones on the other hand do a much more thorough job, and can only be detected by booting from a known-good media (i.e. a Knoppix CD)

  7. Re:Easy prey? by prichardson · · Score: 5, Insightful

    There probably isn't a law against rootkits, and there shouldn't be. There should be a law against using them to break into systems that you are not authorized to enter, and there is a law against that.

    A law against rootkits would be very problematic. Is VNC a rootkit? If there's a bug in SSH that is exploitable to gain root access I bet it would suddenly fall under the domain of being labeled a rootkit by any law banning them, should the mainatainers of SSH be prosecuted because of that?

    It really comes down to liberty though. If I want to hack my own computer I should be allowed to do so. If I want to write a virus I should be allowed to do so, but I should not be allowed to release it into the wild.

    --
    Help I'm a rock.
  8. arms race by kars · · Score: 5, Funny

    So now we can wait for the AV vendors to come up with a rootkit detector detector detector..

    --
    Take life easy: one bit at a time.
  9. Re:Easy prey? by ArsenneLupin · · Score: 4, Informative
    There probably isn't a law against rootkits, and there shouldn't be. There should be a law against using them to break into systems that you are not authorized to enter, and there is a law against that.

    A rootkit isn't a tool to break into a machine; it's a tool to hide your presence once you've already broken into the machine...

    Is VNC a rootkit?

    No. But a tool hiding VNC from the process list might be.

  10. Rootkits can be used for good. by digitalstruct · · Score: 4, Insightful

    Rootkits are not nessesarily bad. They have good purposes such as in the enterprise world to watch what you are doing/logging what you are doing without you being able to find and terminate that process. You have to remember everything has a level of good and can be turned bad in an instant.

    It is like a formatting tool, when used properly it deletes what you want but if someone wrote a program to access the formatting tool and run it on a drive that you wanted things on now it has just been turned into something bad.

    There is a legitimate use to everything :)