New Antivirus Tests Show Rootkits Hard to Kill
ancientribe writes "Security suites and online Web scanners detect only a little more than half of all rootkits, according to new tests conducted by independent test organization AV-Test.org. Many of today's products struggle to clean up the ones they find. AV-Test.org also found that a few big name AV scanners had serious problems finding and removing active rootkits, such as Microsoft Windows Live OneCare 1.6.2111.32 and McAfee VirusScan 2008 11.2.121."
I know that AV software can be fairly intrusive, to the point that it feels like it's taking over your box, but to call Microsoft Windows Live OneCare and McAfee VirusScan rootkits seems a bit strong.
Now Steven Seagal is writing rootkits?
We're screwed.
Grass is green, sky is blue, Pope is Catholic, etc...
When people create these things... isn't the intent to make them hard to detect/kill?
What this article has highlighted, though, is that a thorough study on how those rootkits got installed in the first place (especially with regard to the level of user interaction required) combined with some basic education provided to end-users within the OS could go a long way. It's the whole ounce of prevention worth a pound of cure thing. Obviously the cure is not yet up to snuff... and potentially never will be.
Proudly supporting the Libertarian Party.
Quote: ... had serious problems finding and removing active rootkits, such as Microsoft Windows Live OneCare ...
Whadd'ya talkin 'bout? Isn't everything on Windows a potential rootkit?
Windows 3.1x calc: 3.11 - 3.10 = 0.00
from the article:
Dan Kaminsky, Director - Penetration Testing
"AV-Test.org also found that a few big name AV scanners had serious problems finding and removing active rootkits, such as Microsoft Windows Live OneCare 1.6.2111.32 and McAfee VirusScan 2008 11.2.121."
I hate when McAfee doesn't detect Live OneCare, and vice versa!
If you read TFA it says that some products were actually able to detect, though not remove, as many as 29 out of the 30 rootkits tested once they were installed.
That's far higher than I would have expected. I thought the whole idea of a rootkit is that it modifies/hooks the kernel to make detection from userspace practically impossible, so either they're using poor/outdated rootkits or the antivirus makers are actually doing a pretty good job of detecting them (gasp).
Personally I run virus scans from a clean Windows PE disk on any Windows machine I suspect to be infected anyway; partly because some malware is very good at hiding itself from the OS once it's installed, partly because it makes removal much easier, but I wouldn't read these results as being bad for (some of) the antivirus makers concerned, as the summary seems to suggest.
Rootkits are not viruses. So what does antivirus have to do with defending against rootkits? Or is all malware today called 'virus' no matter what it does? I've been on a malware-free OS for so long that I don't even know the terminology anymore.
It is dangerous to be right when the government is wrong.
Just stating the obvious: If you're new to /., then don't click that link.
It is dangerous to be right when the government is wrong.
Thanks to all the porn sites my FRIEND goes on, it's not uncommon for my AV to pick up a virus every now and then. Usually it's able to kill the thing, but every now and then one comes along that's just a pig to get rid of.
Norton (keep in mind, last time I used it was half a decade ago, if not more) had a great habit of going "HEY! YOU'VE GOT A VIRUS!" but when you actually tell it to delete the bloody thing, it refused to do anything. What was annoying was that often you could delete it simply by killing the process, but I digress.
Every other AV I've used has been able to handle most, but to this day, every now and then a virus will come along that whatever AV I try simply can't shift, forcing me to do the ol' safe-mode delete trick (or sometimes having to boot into a different OS entirely).
I don't understand why these AVs don't pop up saying "we've found a virus, unfortunately it's going to be a pain to remove, so I can't do it for you, instead here's some instructions on what to do to get rid of it..." instead of just repeatedly popping up that the virus is there and refusing to do anything about it...
+1 IDisagreeSoHeMustBeATrollOrAnAstroturferOrAShill
Try working in an area of the building labeled "Mail Insertion" (for stuffing envelopes.) It doesn't come off too well when you tell someone you work over in mail insertion, no matter how you try to emphasize the 'i' in mail.
A slightly related question:
Does any vendor offer an antivirus program that is delivered on an auto-booting CD-ROM / DVD-ROM?
Scenario: Aunt Tilly phones that she suspects viruses on her Windows computer. She got afraid so she shut down the computer. You arrive, but don't want to boot the computer up as it will activate the virus, too. You insert your bootable disc, the antivirus program boots up, auto-downloads the latest program updates along with the newest virus and malware definitions from the Internet, and you can successfully disinfect the computer without having to run any code from the infected computer's hard disk. Does a solution like this exist? I tried to search the net but found only instructions how to make your own bootable antivirus floppy disks or making your own bootable rescue CD-ROM by combining different utilities with preinstalled Windows using BartPE, and so on.
But are there any supported products available?
Guns don't kill people; Physics kills people! - John Lithgow as Dick Solomon on Third Rock From The Sun
I'm glad I chose Bitdefender as my AV scanner, which the article states did very well (not perfect). I use it on my Windows machines and I've been very pleased with it.
I recommend it to anyone who asks, as it's very resource friendly unlike McAfee and Norton.
Do not read this
Rootkits are actually very easy to kill, and the tool to kill them can be found here or here
I'm pretty sure it was trojaned game mods that got him instead of the usual porn sites. At least, if it was porn, he did a pretty good job hiding his tracks. :->
PHEM - party like it's 1997-2003!
Every time this subject comes up, I say the same thing.
The problem with finding and removing rootkits (and other forms of malware) is that the vendor of the OS does not provide any means of identifying what the LEGITIMATE files are.
With Ubuntu, I can boot from a LiveCD and check any file on my hard drive. What package does it belong to? Does it have the correct checksums?
Anything that cannot be identified can be moved to a different drive. A drive without run permissions.
Problem solved.
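The check the comment above describes (boot from a LiveCD, ask which package owns each file and whether its checksum matches, and move anything unidentified somewhere it can't run) as an added example; it is not code from the thread or from any distribution's own tooling. The md5sums records and the files under the temporary root are constructed here so it runs offline; on a real LiveCD the root would be the mounted disk and the records would be read from /var/lib/dpkg/info/<package>.md5sums.

```python
"""Verify a mounted filesystem against dpkg-style package checksum lists."""
import hashlib
import os
import shutil
import tempfile


def md5_of(path):
    # dpkg's md5sums files record MD5, so that is what is compared here.
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_index(md5sums_by_package):
    """Turn {package: md5sums-file text} into {relative path: (package, md5)}.
    Each md5sums line has the form '<md5>  <path relative to />'."""
    index = {}
    for package, text in md5sums_by_package.items():
        for line in text.splitlines():
            if line.strip():
                digest, rel = line.split(None, 1)
                index[rel.strip()] = (package, digest)
    return index


def audit_tree(root, index):
    """Classify every file under root: 'ok' (owned, hash matches),
    'MODIFIED' (owned, hash differs) or 'UNOWNED' (no package claims it)."""
    results = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root)
            if rel not in index:
                results[rel] = "UNOWNED"
            elif md5_of(full) == index[rel][1]:
                results[rel] = "ok"
            else:
                results[rel] = "MODIFIED"
    return results


def quarantine(root, results, quarantine_dir):
    """Move everything that is not 'ok' out of the tree, keeping its relative
    path, so it can be examined from a location that is never executed."""
    moved = []
    for rel, status in sorted(results.items()):
        if status == "ok":
            continue
        dest = os.path.join(quarantine_dir, rel)
        os.makedirs(os.path.dirname(dest), exist_ok=True)
        shutil.move(os.path.join(root, rel), dest)
        moved.append(rel)
    return moved


def demo():
    """Constructed scenario: three packaged files, one patched after install,
    plus a dropped library that no package owns."""
    root = tempfile.mkdtemp(prefix="mounted-root-")
    pristine = {
        "bin/ls": b"\x7fELF pristine ls",
        "bin/ps": b"\x7fELF pristine ps",
        "usr/lib/libc.so.6": b"\x7fELF pristine libc",
    }
    for rel, data in pristine.items():
        os.makedirs(os.path.join(root, os.path.dirname(rel)), exist_ok=True)
        with open(os.path.join(root, rel), "wb") as f:
            f.write(data)
    # Records as the packages would have shipped them (hashes of pristine files).
    md5sums_by_package = {
        "coreutils": f"{md5_of(os.path.join(root, 'bin/ls'))}  bin/ls\n",
        "procps": f"{md5_of(os.path.join(root, 'bin/ps'))}  bin/ps\n",
        "libc6": f"{md5_of(os.path.join(root, 'usr/lib/libc.so.6'))}  usr/lib/libc.so.6\n",
    }
    # Simulate a compromise: ps is patched, an unknown shared object appears.
    with open(os.path.join(root, "bin/ps"), "ab") as f:
        f.write(b" patched")
    with open(os.path.join(root, "usr/lib/libhide.so"), "wb") as f:
        f.write(b"\x7fELF not from any package")
    results = audit_tree(root, build_index(md5sums_by_package))
    moved = quarantine(root, results, tempfile.mkdtemp(prefix="quarantine-"))
    return results, moved


if __name__ == "__main__":
    results, moved = demo()
    for rel, status in sorted(results.items()):
        print(f"{status:9} {rel}")
    print("quarantined:", moved)
```

The index is built from the package records, never from the disk being checked, which is the whole point of doing this from a LiveCD: a file that hashes correctly but is not in any md5sums list still shows up as UNOWNED, and a file a package owns but whose contents changed shows up as MODIFIED, whatever the running (untrusted) OS would have claimed about it.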
First rule of system scanning: if your system is compromised, you can't trust anything running on it including the scanning software. Any malware that's gotten far enough in to be a threat can readily trap the system functions to load programs and read the disk and the system functions used to detect trapping of system functions, allowing it to invisibly return false data to the scanning program. This was standard practice in the late 80s for viruses, see the origin of the term "stealth virus". You can scan incoming files using a scanner running on the main OS but to scan the main OS for infection you need to be running from a different boot image, one that's never been made available in a writable state to the main OS. And no, that doesn't mean a different partition on the hard drive, that's writable by the main OS even if it's not directly available as a drive. The media has to have been physically write-protected or read-only any time it's been in the drive while the main OS is running.
AVG Free 8.0 (free.grisoft.com) or AVG free antirootkit if they are using 7.5 free.
Hint: AVG 8 *removes* their old free antirootkit.
For techie users grab the sysinternals toolkit from majorgeeks etc. (Rootkit revealer). For real techies a copy of "Rootkit Unhooker LE" (rku.nm.ru) but (like Hijack This) hide this one from non techie users so they don't fiddle with it ...
(oh and beware some versions of daemon tools which use rootkit like functionality to hide their virtual cd driver).
Andy
It's not a dangling modifier: all the words are present, but the order is misleading. It's a bad usage of anaphor such that the immediate antecedent is the wrong one.
What I'm just waiting for is a bootable Linux CD that includes ClamAV ready-to-run.
Once a root kit has its tentacles through your system, you can't trust your system. So it just makes sense to boot a trusted system before running a malware scan.
I know enough that I could boot an Ubuntu CD, make sure clamav is installed, update it to the latest virus definitions, mount each disk volume, and then run clamav by hand. But more people could use it if this was easier.
Originally I was thinking of a CD you boot just for virus scanning. But I already carry around an Ubuntu CD to use as a utility disk (you can boot it as a RAM tester, or you can boot to a desktop to help repair a non-booting computer). And if it finds any malware you will want to fire up a web browser and read about how to clean your system. So now I think the very best thing would be for the standard Ubuntu live CD desktop to have a "scan computer for viruses" icon. Ideally it should have some kind of attractive GUI interface, but I'd settle for a scrolling text display as long as it does everything automatically.
Ideally this would also have a way to download a signed program, verify the signature, and run the program; then people could write programs that automatically clean malware off a computer.
I already give away Ubuntu CDs to friends who use Windows, and I tell them how to use them to test their RAM. It would be so cool if they could also use it to check their computers for malware. (Who knows, they might get tired of cleaning malware off their computers and try running Ubuntu someday.)
Is there any way to suggest this as a "summer of code" project or something?
steveha
lf(1): it's like ls(1) but sorts filenames by extension, tersely
While there are advantages to features like System Restore and the fact that in-use files are locked by their associated programs, these features are often the only things that come between detection and eradication of many of these rootkitting trojans. AV software still doesn't tell you to turn off system restore before it tries to delete viruses, or close program XYZ that is infected, and rootkit removal tools often forget to delete the other half of a virus when they reboot.
On top of that, Google and other engines are so full of spammy removal tools that finding a legitimate tool is a gamble. Tools that do work (e.g. Hijackthis) often are not intelligent enough to tell good from bad or don't recognize the correlation between multiple pieces of a rootkit. It sometimes comes down to scanning the system, turning it off without shutting down, and booting the recovery console to delete a laundry list of trojan dll files that one tool could not take care of.
If I were a smart AV software developer, I'd make a bootable recovery tool that will erase viruses and trojans before they can hide and secure themselves. Such tools existed back in the days of Windows 3.1 and into the early days of Win95, but today we have nothing more than windows apps and web-based housecalls. Windows and third-party developers have let their guard down and have forgotten the history of the problem.
If I know what it is and I still click the link, does that mean I'm sick in the head?
I'm gonna take you to the bank, Rootkits. To the blood bank! DUN DUN DUNDUNDUN
It is actually quite easy to break a rootkit... however, removal from a running Windows install can be quite impossible.
The best way to remove them is to use another OS to hit the files, then break the rootkit code and/or replication routine from Windows itself.
Unfortunately, full removal of the kernel level coding injected by the rootkit tends to break the kernel itself.
In a nutshell, Windows fragility prevents the proper removal of the rootkit, rather than the stealth and/or hooking used by the rootkit.
Why can't we go back to using jumpers to configure slot adapter cards? Why? I say!
At least on Linux, it's possible for a rootkit to hide itself completely from anything you can run in that OS to try to find it.
:(
The only way to be sure without shutting down and booting from trusted media, eg a CD, is to virtualize the OS and examine it from the hypervisor.
This does assume the hypervisor itself is safe from the guest. We've had kernel bugs in the past that might leave it vulnerable.
Sometimes it happens to work. If it does, you're lucky. But you can't rely on it, and you never will be able to, and anyone who sells you a product that says it can do that, is deceiving you.
Don't execute the rootkit in the first place. That's the only way to be sure. Once you've run untrusted code, your system is compromised until you boot from read-only media.
Sorry if you don't like hearing that. Sorry if it's inconvenient. Sorry if you're an AV company stockholder and you don't want people to know. But that's just how it is, period.
And when you look at it that way, today's rootkits are actually really easy to kill; you just have to go "far enough" (e.g. nuke the whole damn partition). (I have to say "today's rootkits" because if your BIOS is flashable, well, you've got serious problems.)
As copyright owner of this comment, I authorize everyone to defeat any technological measure which limits access to it.
These days *all* the major AV vendors need to ship a boot CD that
1) connects to the Internet
2) downloads the latest version of itself and verifies the download is authentic
3) scans the disk and cleans up malware
4) reports results to someplace that can be read later
Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
I'm fixing a computer of my neighbor's who had a tonne of viri (that's a technical term) including Smitfraud and something related to command.exe. I don't know if it replaced command.com with its own variant, 'cause I can't seem to get rid of it even in safe mode. Though, I haven't tried turning off system restore ... now that I think about it .. that's probably why it keeps getting resurrected. Thanks for your help me! Now, where is the me that knows how to make a casino ...
Atlas Shrugged : Thematic Story
Do you know what you call a PC with Symantec or McAfee anti-virus?
Slow and infected.
Those two products are the equivalent of banging your head against the ground to prevent the common cold. It doesn't actually help, but it feels like you must be doing something, otherwise it wouldn't hurt so much.
It's called a USER account. Not admin or power user. USER ACCOUNT. Prevention is key. You're asking for trouble if you cruise potentially bad websites or open bad emails.
This thread is very timely for me because I'm currently trying to develop a way of "vetting" various Windows binaries that I don't yet trust... to make sure that they don't contain any rootkit/keylogger/etc.
My current plan is to start with my linux box and use VirtualBox to install Windows as a guest OS. Last time I checked, VirtualBox and VMWare create virtual network interfaces for providing network capability to the guest OS. So, I can use WireShark (formerly ethereal) to watch all traffic on that interface and see everything that goes into or out of the guest.
Additionally, I want to use some tool that looks at the registry and all files installed and then compares it to some previous snapshot, but I'm still looking for a good free tool that does that.
Two questions: 1) Has anybody else already developed a sandboxing method like this (and, if so, could you describe it and what kind of stuff you catch with it)? 2) Can you recommend a good "snapshot & compare" tool for the registry and filesystem like I mentioned?
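A minimal "snapshot & compare" for the filesystem half of the question above, as an added example (not code from the thread and not an existing tool). The "guest" filesystem is a constructed temporary tree with Windows-style paths so the script runs anywhere; in the setup described you would point snapshot() at the guest's mounted disk, or run it inside the guest before and after installing the binary under test. The registry is not covered: compare() works on any {key: record} mapping, including one parsed from a registry export, but producing that mapping needs a Windows host.

```python
"""Hash-based before/after snapshot of a directory tree and a diff of the two."""
import hashlib
import json
import os
import stat
import tempfile


def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root):
    """Map each regular file's path (relative to root) to its size and hash.
    Hashing, not timestamps, catches a DLL patched in place with mtime restored."""
    snap = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            st = os.lstat(full)
            if not stat.S_ISREG(st.st_mode):
                continue  # symlinks, devices etc. get no content hash
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            snap[rel] = {"size": st.st_size, "sha256": sha256_of(full)}
    return snap


def save_snapshot(snap, path):
    # Keep the baseline outside the tree being watched (ideally off the guest).
    with open(path, "w") as f:
        json.dump(snap, f, indent=1, sort_keys=True)


def load_snapshot(path):
    with open(path) as f:
        return json.load(f)


def compare(before, after):
    """Return sorted lists of added, removed and modified paths."""
    common = set(before) & set(after)
    return {
        "added": sorted(set(after) - set(before)),
        "removed": sorted(set(before) - set(after)),
        "modified": sorted(p for p in common
                           if before[p]["sha256"] != after[p]["sha256"]),
    }


def _write(root, rel, data, mode="wb"):
    full = os.path.join(root, rel)
    os.makedirs(os.path.dirname(full), exist_ok=True)
    with open(full, mode) as f:
        f.write(data)


def demo():
    """Constructed run: take a baseline, then simulate an installer that drops
    a driver, patches a system DLL and deletes its own log."""
    root = tempfile.mkdtemp(prefix="guest-")
    _write(root, "Windows/System32/kernel32.dll", b"MZ kernel32 original")
    _write(root, "Windows/Temp/install.log", b"setup started")
    _write(root, "Users/me/notes.txt", b"untouched")
    baseline = os.path.join(tempfile.mkdtemp(prefix="baseline-"), "before.json")
    save_snapshot(snapshot(root), baseline)

    _write(root, "Windows/System32/drivers/hidden.sys", b"MZ new driver")
    _write(root, "Windows/System32/kernel32.dll", b" patched", mode="ab")
    os.remove(os.path.join(root, "Windows/Temp/install.log"))

    return compare(load_snapshot(baseline), snapshot(root))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=1))
```

Taking the "after" snapshot from outside the guest (mount the VM's disk image from the host) rather than from inside it is what makes this worth anything against a rootkit: a hook inside the guest can lie to os.walk and open(), but it cannot edit a baseline stored on the host.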
Don't try to erase the HDD. Remove it and throw it away.
Engineering is the art of compromise.
Doesn't work on Vista. The direct source for Rootkit revealer is Microsoft since they bought up Sysinternals.
We are the 198 proof..
Goatse! Don't click.
It's mainly a boot disk geared toward partitioning and hard disk recovery (helped me save a b0rked FakeRaid), but it has lots of tools to help rescue & repair a broken system.
It has ntfs-3g, so you can read and write Windows partitions.
It also has chkrootkit (but apparently not rkhunter) so you can also scan Linux boxes for rootkits.
Speaking about ClamAV, sadly that anti-virus isn't mentioned anywhere in the AV-test.org publication. It could be useful to test that one too, because:
- clamav is starting to get popular as a solution to filter e-mails, etc. (and often the rootkits are payload of worms, although Sony proved that they also could be payload of audio CDs) thus detecting the rootkits while still inactive (even though, I must concede the test was also about the active detection and the disinfection)
- clamav's team has been known to have a fast response time to new threats
- clamav is the only open source scanner available. There's some active research being worked on (there's a port to GPGPU engine mentioned in GPU Gems 3, for example).
Even though, I don't think ClamAV could have fared very well in the "inactive detection" chapter, as it is a mostly signature-based scanner.
"Sufficiently advanced satire is indistinguishable from reality." - [Tips: 1DrYakQDKCQ6y52z6QbnkxHXAocMZJE61o ]
Isn't it kind of redundant to say that rootkits are hard to kill? That's why we call them rootkits. They replace key features of the OS with infected ones, specifically to make it exceedingly difficult to find and clean them using OS-supplied functionality.
If it's done properly, a virus could theoretically hide itself ENTIRELY from any scanner, by hooking the appropriate entry points and function calls - if it can intercept every single I/O on the system, it can present an altered reality to all the software running on that system. Machines on the outside will still see that it's pumping spam like it's Sanford Wallace's birthday, but the local processes will be deaf, dumb and blind! That includes any anti-virus suite.
The only sure-fire way to sniff out a disk-borne virus is to boot in a trusted environment (in most cases a bootable CD), then run the scanner from there. Ideally one would compare files between the running system and the safe-booted one. This still allows firmware-based viruses to work their magic, but at that point the battle is pretty much lost.
-Billco, Fnarg.com
Who really expects AV software to get rid of this shit? Norton, Mcafee, CA, it all sucks complete ass and makes your computer a whore.. Although, even some of the better products out there such as Panda AV I wouldn't expect to get rid of a bad rootkit. The important thing is locating the stem of these rootkits and using a utility like Combofix, Killbox, or the Recovery Console to get rid of them.. I personally have never used AV software in my whole life and encourage people to practice safe browsing habits rather than whore up their computers, but if they're going to be idiots that look at goat porn, then I think Panda suffices for most people.. It runs the least amount of services and processes that I've seen in any AV software, and it is equally as effective.. The thing that has been killing me lately is Comcast customers.. The Comcast technicians come out to your house and install their Security Suite and for fuck's sake you might as well destroy the person's computer.. My bottom line is that AV software is bullshit and it should be up to Microsoft to protect their users with a stable operating system..
*plays the Apogee theme song music*
Any half-competent root-kit will simply tell the scanner what it wants to hear via hooks into the O/S to trap any "diagnostics" that it may perform.
The trick is not to get infected in the first place - once your PC *is* infected, you're fucked. Do not pass go, do not collect $200. Reinstall time - nothing on your box can be trusted any more.
The sooner people "get" this, the better off they'll be.
I run: Windows, OS X, Linux, FreeBSD. Just because you have a hammer, doesn't mean everything is a nail.
Have an interesting little story: I've got a commercial app (plug: AutoScreen) that deals with monitoring through automatic screenshots. A great feature would be to prevent a casual user from terminating the program. So I did some research, and it seems hooking to TerminateProcess() and redirecting the call if the PID matches my app's PID does the trick, as that's the function that the Task Manager in NT uses. The problem is, if I were to do this, some anti-virus applications would say my program was a potential SPR. My app isn't very well known; if a few users' AV's were to say my program was a SPR, I'd be toast. So I didn't implement the feature. I just can't afford it.
So, while we're on the subject -- anyone know a good method of hiding a process/preventing its termination that won't cause AVs to warn users, or an alternative method? I'd rather not use a service because my app runs on Win9x as well.
Need an automatic screenshot taker? Try here.
With Linux, you assume that anyone stupid enough to sudo rm -f /usr/bin/ls knows what they are doing. With Windows, you protect people from being stupid, safe in the correct knowledge that the overwhelming majority of folks who would attempt manual deletion of a DLL are not, in fact, as expert as they think they are. This saves you from having your paid support lines clogged up with would-be l33t p0w3r userz. (Linux, of course, has the option of just ignoring folks in the newsgroups.)
In the Windows paradigm, exposing extra developer-level information to the end user just encourages them to think it is safe to break things.
"Durr, I never use the graph feature in Excel, I will delete this to save 302 kb because I don't need any bloatware! Durr, why doesn't it start..."
Help poke pirates in the eyepatch, arr.
For what it's worth, I dumbly installed a rootkit when I thought I was running a keygen (serves me well for trying to play CoD4 online for free). Since I know which file I ran to install it, I pointed a few decent anti-viruses to it (F-Prot, Avast! and a couple of anti spywares) and none of them found anything wrong about the very file that was the root of all this evil. Eventually Avast! alerted me it had found a rootkit on my system, but the boot-time scan of every single file on my system didn't fix anything.
On a side note, what this rootkit does is somehow get loaded with every program as a randomly named couple of .dll files, and hasn't done much besides consistently prevent the displaying of certain web pages in either Opera, Firefox or IE. And since for some reason when I try to reinstall Windows my machine BSoDs, now I have to do all my web browsing in a Windows 2000 virtual machine. And actually, it's not bad to do all your browsing in a VM. Really, it's pretty good.
You just got troll'd!
It is dangerous to be right when the government is wrong.
1. Install O/S and applications in partition A, your data in partition B.
2. Take snapshot of partition A.
3. when you suspect a rootkit, restore partition A from snapshot.
Of course that's not a real solution, but a way to bypass the problem. A real solution would be for Windows to be secure, but that will never happen, as long as Microsoft does not make the O/S virtual per user.