New Antivirus Tests Show Rootkits Hard to Kill

ancientribe writes "Security suites and online Web scanners detect only a little more than half of all rootkits, according to new tests conducted by independent test organization AV-Test.org. Many of today's products struggle to clean up the ones they find. AV-Test.org also found that a few big name AV scanners had serious problems finding and removing active rootkits, such as Microsoft Windows Live OneCare 1.6.2111.32 and McAfee VirusScan 2008 11.2.121."

In other news...

[Oxy+the+moron]

Grass is green, sky is blue, Pope is Catholic, etc...

When people create these things... isn't the intent to make them hard to detect/kill?

What this article has highlighted, though, is that a thorough study on how those rootkits got installed in the first place (especially with regard to the level of user interaction required) combined with some basic education provided to end-users within the OS could go a long way. It's the whole ounce of prevention worth a pound of cure thing. Obviously the cure is not yet up to snuff... and potentially never will be.

Re:Interesting way of putting it

[mckinnsb]

In other news: half of jokes made on Slashdot are incorrectly interpreted as serious commentary.

AV's actually doing quite well

[Conspicuous+Coward]

If you read TFA it says that some products were actually able to detect, though not remove, as many as 29 out of the 30 rootkits tested once they were installed.

That's far higher than I would have expected. I thought the whole idea of a rootkit is that it modifies/hooks the kernel to make detection from userspace practically impossible, so either they're using poor/outdated rootkits or the antivirus makers are actually doing a pretty good job of detecting them (gasp).

Personally I run virus scans from a clean windows PE disk on any windows machine I suspect to be infected anyway; partly because some malware is very good at hiding itself from the OS once it's installed, partly because it makes removal much easier, but I wouldn't read these results as being bad for (some of) the antivirus makers concerned, as the summary seems to suggest.

Re:AV's actually doing quite well

[Carnildo]

That's far higher than I would have expected. I thought the whole idea of a rootkit is that it modifies/hooks the kernel to make detection from userspace practically impossible, so either they're using poor/outdated rootkits or the antivirus makers are actually doing a pretty good job of detecting them (gasp).

It's an arms race. Since a rootkit is making the appearance of reality disagree with physical fact, there's always some way to detect the deception: for example, hidden disk usage could be detected by writing data to fill the disk, and then seeing if the amount of data written is equal to the apparently-free disk space. The latest antivirus software will detect these discrepancies; the latest rootkits will patch over whatever techniques the antivirus software is using.

Re:Killing rootkits. You're doing it wrong.

[sm62704]

One of the things I hate about Microsoft software (indeed, almost all software thet runs in Windows) is non-descriptive file names. Back in the DOS days XR2732A.DLL might have made sense, but wouldn't "Run-time library of graphics functions for Word.DLL make a whole lot more sense? If in fact you had removed Word (or some game or whatever) you would know that you could delete the file with impunity.

Re:I don't even bother trying to clean them up.

[jimicus]

Don't they have virus scanners you can run from CDs? Let's assume you wanted to write the perfect AV which was able to work from a CD with guaranteed 100% success rate. Once complete, you can be sure that the computer can be rebooted and will neither be affected by a piece of malware, nor will the user inadvertently spread dormant malware.

It would have to compare the checksum of every executable and every DLL on the system to known good examples to confirm they've not been infected (though to be honest I suspect most of them are just taking advantage of the labyrinthine mess that is Windows rather than going to all the hassle of infecting files).

It would have to confirm that every patch which has security implications has been installed (eg. there have been patches which deal with code which loads JPEGs - not much point in rebooting if the first thing that's going to happen is you get reinfected so that's got to be solved).

It would have to delete any application that isn't on a known-good list. So you need a "known-good" list covering every Windows application known to man, and you also need to account for those rare cases where you're dealing with a software developers machine and there are executables on there that aren't known to man.

And remember what I said earlier about "there have been vulnerabilities in code that reads JPEGs"? Well, that means you need to delete any JPEG which isn't known-good, And any other file for which similar vulnerabilities in decoding have been found. Or it's possible that the first thing that will happen on reboot is the user will email out this "kewl JPEG" to all their friends, forwarding the malicious payload in the process.

And you need to do all this without breaking anything in the process. Or else if you do, you might just as well have wiped and rebuilt the system.

Re:Killing rootkits. You're doing it wrong.

[An+ominous+Cow+art]

Maybe, but spaces in file/directory names are an abomination :-). I'd be ok with something like:

Run-timeLibraryOfGraphicsFunctionsForWord.DLL