Slashdot Mirror
New Developments From Microsoft Research
prostoalex writes "Information Week magazine runs a brief report from Microsoft Research, showcasing some of the new technologies the company's research division is working on. Among them — a rootkit that eliminates other rootkits, a firewall that blocks the traffic exploiting published vulnerabilities, a system for catching lost e-mail, a honeypot targeted at discovering zero-day exploits, and some anti-phishing applications."
Microsoft is re-inventing "intrusion detection" and "packet analysis". Save yourself some stress and deploy Snort today.
http://www.snort.org/
The article is misleading if not outright wrong; GhostBuster isn't a rootkit itself, it's just a rootkit detection thing very similar to RootkitRevealer. (GhostBuster came first and is more complete.)
It's closer to anti-virus than it is to a rootkit itself, though the similarities there don't go very far either. (AVs almost universally work by signature matching; GB works by comparing registry entries and files against each other by multiple means of acquiring that information in order to find the symptoms of having a rootkit -- missing information. This assumes that the rootkit is imperfect in hiding. For instance, this will do a scan of the registry through the standard API calls. But then it will parse the registry hives that are on disk. The assumption is that the rootkit is going to hook the API calls. Hooking the I/O calls is rather more difficult, and it's impossible if you can do a clean boot. (One of the options is to do a diff of a hot scan vs. a known good scan done from a Windows PE boot.) There are still things that rootkit authors can do though, specifically NOT hide from GB itself. IN the case of RootkitRevealer, this has actually turned into a mini-arms race of itself. Rootkits started not hiding from rreveal.exe or whatever it's called (so that it wouldn't detect diffs), so RootkitRevealer started randomly renaming itself each time it runs. The state of the art on the black hat side is to carry a signature of RootkitRevealer-like programs and do pattern matching in very much the same way that AV does pattern matching to find viruses.)
2. Rather than perfecting a rootkit, they should be working towards making a rootkit an impossibility in their OS.
If you can run drivers in kernel mode, you can run a rootkit. (Unless you can statically prove everything you let run in kernel space is safe... this may or may not be possible. For what it's worth, my current research is related to model checking drivers.)
I already have total control over everything in it (provided my user allows me to have it, which is pretty much a given with MS OSs). Why do I need a rootkit?
You don't. It's poor reporting. GhostBuster isn't a rootkit; it's just a rootkit detection program. (Or set of programs.)
Microsoft Research is developing technology for finding rootkits by using their own deceptive behavior against them. Known as GhostBuster, it relies on analyzing and comparing system information at both a high level--from a Win32 API, for example--and a low level--such as the raw disk information. Any difference in the two views--for example, the low-level view indicating a file not present in the high-level view--makes a compelling case that a rootkit is trying to hide.
Simply not true!
I mean, since it is the Exact description of how RootkitRevealer works, I suppose (I'm sure) that it is the same product. For those who do not know,Microsoft acquired sysinternals (maker of RootkitRevealer) a few months ago.
Apple iProduct. Non importa cosa sia, lo comprerete!
... with a completely crippled module system (no functors) and a crippled object system (no structural subtyping) no less. F# is very little more than a bearable syntax for .NET, i.e. it's a PR exercise which only really shows how limited the .NET runtime is.