New Antivirus Tests Show Rootkits Hard to Kill
ancientribe writes "Security suites and online Web scanners detect only a little more than half of all rootkits, according to new tests conducted by independent test organization AV-Test.org. Many of today's products struggle to clean up the ones they find. AV-Test.org also found that a few big name AV scanners had serious problems finding and removing active rootkits, such as Microsoft Windows Live OneCare 1.6.2111.32 and McAfee VirusScan 2008 11.2.121."
I know that AV software can be fairly intrusive, to the point that it feels like it's taking over your box, but to call Microsoft Windows Live OneCare and McAfee VirusScan rootkits seems a bit strong.
Grass is green, sky is blue, Pope is Catholic, etc...
When people create these things... isn't the intent to make them hard to detect/kill?
What this article has highlighted, though, is that a thorough study on how those rootkits got installed in the first place (especially with regard to the level of user interaction required) combined with some basic education provided to end-users within the OS could go a long way. It's the whole ounce of prevention worth a pound of cure thing. Obviously the cure is not yet up to snuff... and potentially never will be.
Proudly supporting the Libertarian Party.
from the article:
Dan Kaminsky, Director - Penetration Testing
If you read TFA it says that some products were actually able to detect, though not remove, as many as 29 out of the 30 rootkits tested once they were installed.
That's far higher than I would have expected. I thought the whole idea of a rootkit is that it modifies/hooks the kernel to make detection from userspace practically impossible, so either they're using poor/outdated rootkits or the antivirus makers are actually doing a pretty good job of detecting them (gasp).
Personally I run virus scans from a clean Windows PE disk on any Windows machine I suspect to be infected anyway; partly because some malware is very good at hiding itself from the OS once it's installed, partly because it makes removal much easier, but I wouldn't read these results as being bad for (some of) the antivirus makers concerned, as the summary seems to suggest.
Thanks to all the porn sites my FRIEND goes on, it's not uncommon for my AV to pick up a virus every now and then. Usually it's able to kill the thing, but every now and then one comes along that's just a pig to get rid of.
Norton (keep in mind, last time I used it was half a decade ago, if not more) had a great habit of going "HEY! YOU'VE GOT A VIRUS!" but when you actually tell it to delete the bloody thing, it refused to do anything. What was annoying was that often you could delete it simply by killing the process, but I digress.
Every other AV I've used has been able to handle most, but to this day, every now and then a virus will come along that whatever AV I try simply can't shift, forcing me to do the ol' safe-mode delete trick (or sometimes having to boot into a different OS entirely).
I don't understand why these AVs don't pop up saying "we've found a virus, unfortunately it's going to be a pain to remove, so I can't do it for you, instead here's some instructions on what to do to get rid of it..." instead of just repeatedly popping up that the virus is there and refusing to do anything about it....
+1 IDisagreeSoHeMustBeATrollOrAnAstroturferOrAShill
Try working in an area of the building labeled "Mail Insertion" (for stuffing envelopes.) It doesn't come off too well when you tell someone you work over in mail insertion, no matter how you try to emphasize the 'i' in mail.
Sigs are too short to say anything truly profound so read the above post instead.
Ah. Lazy me for not searching more closely before asking... just found this as one alternative: http://www.free-av.com/en/tools/12/avira_antivir_rescue_system.html.
I'm pretty sure it was trojaned game mods that got him instead of the usual porn sites. At least, if it was porn, he did a pretty good job hiding his tracks. :->
PHEM - party like it's 1997-2003!
Every time this subject comes up, I say the same thing.
The problem with finding and removing rootkits (and other forms of malware) is that the vendor of the OS does not provide any means of identifying what the LEGITIMATE files are.
With Ubuntu, I can boot from a LiveCD and check any file on my hard drive. What package does it belong to? Does it have the correct checksums?
Anything that cannot be identified can be moved to a different drive. A drive without run permissions.
Problem solved.
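The check described in the post above, done in working code. This is an added example, not the poster's own script: on a real Ubuntu system the same questions are answered with `dpkg -S /path/to/file` (which package owns it?) and `debsums` (does it still match?). The script below does the equivalent against a victim disk mounted read-only from a LiveCD, reading dpkg's per-package manifests at `<root>/var/lib/dpkg/info/*.md5sums` and walking the tree to classify every regular file as OK, MODIFIED or UNKNOWN; the last two are the candidates to move off to a noexec drive. The package name `coreutils-demo`, the tampered `ps` and the dropped `libhook.so` are constructed sample data, not from the thread. Caveat a practitioner will want stated: the manifests live on the same compromised disk, so a rootkit can rewrite them; treat a match here as first-pass triage and re-check anything that matters with `debsums -g` or against the package re-downloaded from the repository.

```shell
#!/bin/sh
# Offline triage of a mounted Debian/Ubuntu root against dpkg's md5sums manifests.
# Added example, not from the thread. Assumes the victim disk is mounted (read-only)
# at the ROOT argument and that its manifests are at ROOT/var/lib/dpkg/info/*.md5sums,
# each line "md5hex  relative/path" exactly as dpkg writes them.
# Limitation: paths containing spaces are not handled (awk splits on whitespace).

# classify_tree ROOT DIR...  -> one line per regular file under ROOT/DIR:
#   "OK <pkg> <path>", "MODIFIED <pkg> <path>" or "UNKNOWN - <path>"
classify_tree() {
    ct_root=$1; shift
    # Flatten every manifest into one lookup table: "relative/path md5 package".
    ct_manifest=$(mktemp)
    for ct_m in "$ct_root"/var/lib/dpkg/info/*.md5sums; do
        [ -f "$ct_m" ] || continue
        ct_pkg=$(basename "$ct_m" .md5sums)
        awk -v p="$ct_pkg" '{ print $2, $1, p }' "$ct_m"
    done | sort -k1,1 > "$ct_manifest"
    for ct_d in "$@"; do
        find "$ct_root/$ct_d" -type f
    done | while IFS= read -r ct_f; do
        ct_rel=${ct_f#"$ct_root"/}
        ct_actual=$(md5sum < "$ct_f" | cut -d' ' -f1)
        ct_entry=$(awk -v r="$ct_rel" '$1 == r { print $2, $3; exit }' "$ct_manifest")
        if [ -z "$ct_entry" ]; then
            printf 'UNKNOWN - %s\n' "$ct_rel"        # no package claims this file
        else
            ct_expected=${ct_entry% *}; ct_owner=${ct_entry#* }
            if [ "$ct_actual" = "$ct_expected" ]; then
                printf 'OK %s %s\n' "$ct_owner" "$ct_rel"
            else
                printf 'MODIFIED %s %s\n' "$ct_owner" "$ct_rel"   # owned, but changed since install
            fi
        fi
    done
    rm -f "$ct_manifest"
}

# suspicious_files ROOT -> only the MODIFIED/UNKNOWN lines under ROOT/usr, i.e. what
# you would move to a drive mounted noexec before booting the victim again.
suspicious_files() {
    classify_tree "$1" usr | grep -v '^OK '
}

# make_demo_root -> prints the path of a constructed fake root (sample data, not a
# real system): one hypothetical package "coreutils-demo" owning usr/bin/ls and
# usr/bin/ps, with ps tampered after packaging and an unowned usr/lib/libhook.so.
make_demo_root() {
    md_r=$(mktemp -d)
    mkdir -p "$md_r/var/lib/dpkg/info" "$md_r/usr/bin" "$md_r/usr/lib"
    printf 'echo ls\n' > "$md_r/usr/bin/ls"
    printf 'echo ps\n' > "$md_r/usr/bin/ps"
    # dpkg-style manifest: md5sum already prints "hash  relative/path"
    ( cd "$md_r" && md5sum usr/bin/ls usr/bin/ps ) > "$md_r/var/lib/dpkg/info/coreutils-demo.md5sums"
    printf 'echo ps; hide_pid 1337\n' > "$md_r/usr/bin/ps"      # trojaned after install
    printf 'not in any package\n' > "$md_r/usr/lib/libhook.so"  # dropped by an intruder
    printf '%s\n' "$md_r"
}

# Stand-alone demo: build the fake root and report everything that is not clean.
demo_root=$(make_demo_root)
suspicious_files "$demo_root"
rm -rf "$demo_root"
```

On a real rescue boot, replace `make_demo_root` with the mount point (for example `classify_tree /mnt/victim usr bin sbin lib`), and remember that an UNKNOWN file is not automatically malicious: locally compiled software, anything under `/usr/local` and files generated at install time (config, caches, compiled Python) are also unowned, which is why the post's "move it to a drive without run permissions" is the right reflex rather than "delete it".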
First rule of system scanning: if your system is compromised, you can't trust anything running on it including the scanning software. Any malware that's gotten far enough in to be a threat can readily trap the system functions to load programs and read the disk and the system functions used to detect trapping of system functions, allowing it to invisibly return false data to the scanning program. This was standard practice in the late 80s for viruses, see the origin of the term "stealth virus". You can scan incoming files using a scanner running on the main OS but to scan the main OS for infection you need to be running from a different boot image, one that's never been made available in a writable state to the main OS. And no, that doesn't mean a different partition on the hard drive, that's writable by the main OS even if it's not directly available as a drive. The media has to have been physically write-protected or read-only any time it's been in the drive while the main OS is running.
I haven't looked at Windows antivirus products in a few years, but all antivirus products used to do this. Originally, it was a boot floppy; later, a boot CD. The necessity of an internet connection to get the latest virus definitions would make this harder these days, as you'd need to support an incredible variety of network cards.
"They redundantly repeated themselves over and over again incessantly without end ad infinitum" -- ibid.
Guess you missed the news about the guessable passwords.
All it takes is one bad/ignorant/rogue package manager, and the whole house of cards can come down.
Remember, the word "rootkit" comes from the *nix world, not the Windows one.
I don't need no instructions to know how to rock!!!!
AVG Free 8.0 (free.grisoft.com) or AVG free antirootkit if they are using 7.5 free.
Hint: AVG 8 *removes* their old free antirootkit.
For techie users grab the sysinternals toolkit from majorgeeks etc. (Rootkit revealer). For real techies a copy of "Rootkit Unhooker LE" (rku.nm.ru) but (like Hijack This) hide this one from non techie users so they don't fiddle with it ...
(oh and beware some versions of daemon tools which use rootkit like functionality to hide their virtual cd driver).
Andy
What I'm just waiting for is a bootable Linux CD that includes ClamAV ready-to-run.
Once a root kit has its tentacles through your system, you can't trust your system. So it just makes sense to boot a trusted system before running a malware scan.
I know enough that I could boot an Ubuntu CD, make sure clamav is installed, update it to the latest virus definitions, mount each disk volume, and then run clamav by hand. But more people could use it if this was easier.
Originally I was thinking of a CD you boot just for virus scanning. But I already carry around an Ubuntu CD to use as a utility disk (you can boot it as a RAM tester, or you can boot to a desktop to help repair a non-booting computer). And if it finds any malware you will want to fire up a web browser and read about how to clean your system. So now I think the very best thing would be for the standard Ubuntu live CD desktop to have a "scan computer for viruses" icon. Ideally it should have some kind of attractive GUI interface, but I'd settle for a scrolling text display as long as it does everything automatically.
Ideally this would also have a way to download a signed program, verify the signature, and run the program; then people could write programs that automatically clean malware off a computer.
I already give away Ubuntu CDs to friends who use Windows, and I tell them how to use them to test their RAM. It would be so cool if they could also use it to check their computers for malware. (Who knows, they might get tired of cleaning malware off their computers and try running Ubuntu someday.)
Is there any way to suggest this as a "summer of code" project or something?
steveha
lf(1): it's like ls(1) but sorts filenames by extension, tersely
While there are advantages to features like System Restore and the fact that in-use files are locked by their associated programs, these features are often the only things that come between detection and eradication of many of these rootkitting trojans. AV software still doesn't tell you to turn off system restore before it tries to delete viruses, or close program XYZ that is infected, and rootkit removal tools often forget to delete the other half of a virus when they reboot.
On top of that, Google and other engines are so full of spammy removal tools that finding a legitimate tool is a gamble. Tools that do work (eg HijackThis) often are not intelligent enough to tell good from bad or don't recognize the correlation between multiple pieces of a rootkit. It sometimes comes down to scanning the system, turning it off without shutting down, and booting the recovery console to delete a laundry list of trojan dll files that one tool could not take care of.
If I were a smart AV software developer, I'd make a bootable recovery tool that will erase viruses and trojans before they can hide and secure themselves. Such tools existed back in the days of Windows 3.1 and into the early days of Win95, but today we have nothing more than Windows apps and web-based housecalls. Windows and third-party developers have let their guard down and have forgotten the history of the problem.
"Now Steven Seagal is writing rootkits?
We're screwed."
No way. Not with my new Chuck Norris(TM) brand anti-rootkit software. Not only does it find the rootkit and get rid of it, but it first makes it cry and beg for its life needlessly.
"But this one goes to 11!"
It is actually quite easy to break a rootkit... however, removal from a running Windows install can be quite impossible.
The best way to remove them is to use another OS to hit the files, then break the rootkit code and/or replication routine from Windows itself.
Unfortunately, full removal of the kernel level coding injected by the rootkit tends to break the kernel itself.
In a nutshell, Windows fragility prevents the proper removal of the rootkit, rather than the stealth and/or hooking used by the rootkit.
Why can't we go back to using jumpers to configure slot adapter cards? Why? I say!
http://www.ubcd4win.com/
It is not totally burn and go, thanks to Microsoft and the EULA, but very close. I was just updating my images today, as a matter of fact. Several clients have the latest "It burns when I pee" support calls scheduled.
Sometimes it happens to work. If it does, you're lucky. But you can't rely on it, and you never will be able to, and anyone who sells you a product that says it can do that, is deceiving you.
Don't execute the rootkit in the first place. That's the only way to be sure. Once you've run untrusted code, your system is compromised until you boot from read-only media.
Sorry if you don't like hearing that. Sorry if it's inconvenient. Sorry if you're an AV company stockholder and you don't want people to know. But that's just how it is, period.
And when you look at it that way, today's rootkits are actually really easy to kill; you just have to go "far enough" (e.g. nuke the whole damn partition). (I have to say "today's rootkits" because if your BIOS is flashable, well, you've got serious problems.)
As copyright owner of this comment, I authorize everyone to defeat any technological measure which limits access to it.
These days *all* the major AV vendors need to ship a boot CD that
1) connects to the Internet
2) downloads the latest version of itself and verifies the download is authentic
3) scans the disk and cleans up malware
4) reports results to someplace that can be read later
Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
It's called a USER account. Not admin or power user. USER ACCOUNT. Prevention is key. You're asking for trouble if you cruise potentially bad websites or open bad emails.
It's mainly a boot disk geared toward partitioning and hard disk recovery (helped me save a b0rked FakeRaid), but it has lots of tools to help rescue & repair a broken system.
It has ntfs-3g, so you can read and write Windows partitions.
It also has chkrootkit (but apparently not rkhunter) so you can also scan Linux boxes for rootkits.
Speaking about ClamAV, sadly that anti-virus isn't mentioned anywhere in the AV-Test.org publication. It could be useful to test that one too, because:
- clamav is starting to get popular as a solution to filter e-mails, etc. (and often the rootkits are payloads of worms, although Sony proved that they could also be the payload of audio CDs), thus detecting the rootkits while still inactive (even though, I must concede, the test was also about active detection and disinfection)
- clamav's team has been known to have a fast response time to new threats
- clamav is the only open source scanner available. There's some active research being worked on (there's a port to a GPGPU engine mentioned in GPU Gems 3, for example).
Even so, I don't think ClamAV could have fared very well in the "inactive detection" chapter, as it is a mostly signature-based scanner.
"Sufficiently advanced satire is indistinguishable from reality." - [Tips: 1DrYakQDKCQ6y52z6QbnkxHXAocMZJE61o ]
Rather irritatingly, the Avira rescue CD comes as a .exe which (I presume - haven't run wine-safe on it yet) unpacks a .iso. Given that the whole point is to burn to a CD, I don't know why they don't just distribute the .iso.
Any half-competent root-kit will simply tell the scanner what it wants to hear via hooks into the O/S to trap any "diagnostics" that it may perform.
The trick is not not get infected in the first place - once your PC *is* infected, you're fucked. Do not pass go, do not collect $200. Reinstall time - nothing on your box can be trusted any more.
The sooner people "get" this, the better off they'll be.
I run: Windows, OS X, Linux, FreeBSD. Just because you have a hammer, doesn't mean everything is a nail.
With Windows, you protect people from being stupid
You're confusing "stupid" with "ignorant". An ignorant user will have to reinstall Word if he removes one of its DLLs. A stupid user will have to reinstall Word a second time when he removed the DLL after reinstallation.
The ignorant user will no longer be ignorant, and will think twice before removing said file.
mcgrew's razor: Never attribute to stupidity that which can be explained by greedy self-interest