Slashdot Mirror


Rootkit Creators Turn Professional

pete richards writes "Signalling a trend towards increased 'outsourcing' of some elements of malware creation, worm authors are increasingly turning to commercially available rootkits to help their creations slip past virus detection engines. Those rootkits in the meantime are becoming more professional. Antivirus vendor F-Secure reported last week that it had detected the first rootkit designed to bypass detection by most of the modern rootkit detection engines."

11 of 117 comments

  1. How dare they! by LiquidCoooled · · Score: 5, Funny

    Rootkits should be GPL.
    At the very least they should be GNU/Rootkits.

    Somebody contact the EFF or like start throwing chairs or something.

    --
    liqbase :: faster than paper
    1. Re:How dare they! by Geminus · · Score: 5, Funny

      Someone should develop the ultimate rootkit, patent its code... and then sue the antivirus companies for IP infringement when they include its code in their latest definition.
      "All your oil belong to us."

  2. Risk to burn karma but... by jamesjw · · Score: 5, Funny

    def n.: Rootkit:
    When an Australian male carries a few spare condoms with him on a night out.

    Ahhh.. maybe I shouldn't have bothered.. :)

    -- Jim.

    --
    -- If at first you don't succeed, lie!
    1. Re:Risk to burn karma but... by ajs318 · · Score: 5, Funny

      And no doubt the Aussie definition of an optimist is an opening batsman with sunblock on his nose!

      --
      Je fume. Tu fumes. Nous fûmes!
  3. Sell rootkits and become a billionaire! by crazy_zulu · · Score: 5, Funny

    One company in Redmond has made billions from selling rootkits.

    --
    ...and one flew over the cuckoo's nest.
  4. Fact or fiction? by FishandChips · · Score: 5, Interesting

    Hmnn, this article is thin on facts and figures. And like so much "news" coming from the security industry, you're never really sure how much of it is fud and puffery in order to sell new products. Still, I guess things will continue to get worse so long as much of the IT industry plays pass the parcel, a shuffling process that always ends with the hit landing up on the poor old end-user, the person who is usually least qualified to deal with it.

    I guess Bruce Schneier is right when he suggests that the way to improve some aspects of security, anyway, is by placing responsibility firmly on outfits like banks and ISPs who'll get smacked mighty hard in the wallet - by law, this time - unless they raise their game. That might put some pressure on OS-makers and their pals to design products that don't also need AV checkers that are dependent on signature libraries and prey to zero-day exploits.

    Love the quote from a researcher saying that the alleged sale of rootkits means that "there is a criminalisation of the virus world going on." As if it hasn't been criminal till now, just good clean fun ho ho.

    --
    Las qué passoun
    tournoun pas maï
  5. Misuse of the term by $RANDOMLUSER · · Score: 5, Insightful

    From TFA:

    A rootkit is a tool that helps worm authors to slip past malware detection tools. The rootkit is 'wrapped around' the virus, and hides its payload from detection engines. After the rootkit has penetrated a system's defences, the worm can start doing its work.

    Wrong. A "rootkit" is a series of hacks to the underlying operating system, which make a running process harder to detect. In other words, a rootkit will keep your process from turning up in the Windows Task Manager, or a Linux "ps".

    Definition from the Jargon File.

    --
    No folly is more costly than the folly of intolerant idealism. - Winston Churchill
    1. Re:Misuse of the term by jaseuk · · Score: 5, Informative

      Root kits will normally include things such as modded ps and other modified binaries so that the system appears to be running fine, yet has a backdoor and any logging / system monitoring tools will not show any processes or activity.

      There is more to a root kit than just a replacement ps, but of course that is a critical element.

      No, it's not rocket science, but in practice modding system binaries whilst keeping the system appearing to run normally from the outside is much harder: there are different libraries / operating systems / architectures to deal with, and the fact that you are messing around with core system files.

    2. Re:Misuse of the term by Rich0 · · Score: 5, Interesting

      I think at this point the burden of proof is on you to come up with a reference. I've personally always heard the term rootkit used in the manner used now by about three people who have replied to you, and as described on three different fairly-definitive websites referenced in this thread.

      We can sit here all night posting back and forth "is not," "is too" but I don't think that we'll get any further. If you're so certain on your position please take 30 seconds and find something reasonably definitive to support your position.

      Mods - before modding anything else in this thread please take the time to actually look up what a rootkit is... :)

      For the record, an exploit is software designed to gain unauthorized access to a system. A rootkit is a set of tools used to maintain such access without the knowledge of the admin of the cracked system. Typically it includes modified ps, login/su/sshd, etc.

      The whole idea of a rootkit is to make sure you can get back into the system a week later when the admin has patched the original vulnerability. If you rm the ps command it probably won't take long for the admin to figure out what happened.

      The best way to detect a rootkit is via tripwire, run from a boot CD. There really isn't any way of defeating this method of detection, but it is very inconvenient since it requires bringing the system offline for scanning. There are tools like rkhunter which search for rootkits on running systems, and in theory these can be defeated by a very clever rootkit.

  6. Re:Easy prey? by prichardson · · Score: 5, Insightful

    There probably isn't a law against rootkits, and there shouldn't be. There should be a law against using them to break into systems that you are not authorized to enter, and there is a law against that.

    A law against rootkits would be very problematic. Is VNC a rootkit? If there's a bug in SSH that is exploitable to gain root access I bet it would suddenly fall under the domain of being labeled a rootkit by any law banning them; should the maintainers of SSH be prosecuted because of that?

    It really comes down to liberty though. If I want to hack my own computer I should be allowed to do so. If I want to write a virus I should be allowed to do so, but I should not be allowed to release it into the wild.

    --
    Help I'm a rock.
  7. arms race by kars · · Score: 5, Funny

    So now we can wait for the AV vendors to come up with a rootkit detector detector detector..

    --
    Take life easy: one bit at a time.