Slashdot Mirror


New Antivirus Tests Show Rootkits Hard to Kill

ancientribe writes "Security suites and online Web scanners detect only a little more than half of all rootkits, according to new tests conducted by independent test organization AV-Test.org. Many of today's products struggle to clean up the ones they find. AV-Test.org also found that a few big name AV scanners had serious problems finding and removing active rootkits, such as Microsoft Windows Live OneCare 1.6.2111.32 and McAfee VirusScan 2008 11.2.121."

16 of 178 comments

  1. Interesting way of putting it by pjt33 · Score: 5, Funny

    I know that AV software can be fairly intrusive, to the point that it feels like it's taking over your box, but to call Microsoft Windows Live OneCare and McAfee VirusScan rootkits seems a bit strong.

    1. Re:Interesting way of putting it by Anonymous Coward · Score: 5, Funny

      "removing active rootkits, such as Microsoft Windows Live OneCare 1.6.2111.32 and McAfee VirusScan 2008 11.2.121."

      Perhaps you yourself need a lesson in reading and comprehension.

    2. Re:Interesting way of putting it by mckinnsb · Score: 5, Insightful

      In other news: half of jokes made on Slashdot are incorrectly interpreted as serious commentary.

    3. Re:Interesting way of putting it by Mister Whirly · Score: 5, Funny

      You ended that sentence with a "~". Why are you sarcastically advocating a new punctuation mark? ~

      --
      "But this one goes to 11!"
  2. In other news... by Oxy the moron · Score: 5, Insightful

    Grass is green, sky is blue, Pope is Catholic, etc...

    When people create these things... isn't the intent to make them hard to detect/kill?

    What this article has highlighted, though, is that a thorough study on how those rootkits got installed in the first place (especially with regard to the level of user interaction required) combined with some basic education provided to end-users within the OS could go a long way. It's the whole ounce of prevention worth a pound of cure thing. Obviously the cure is not yet up to snuff... and potentially never will be.

    --

    Proudly supporting the Libertarian Party.

  3. What a title! by Svet-Am · Score: 5, Funny

    from the article:

    Dan Kaminsky, Director - Penetration Testing

    --
    [move .sig! for great justice, take off every .sig!]
    1. Re:What a title! by Red Flayer · Score: 5, Funny

      I hear it's a temporary title, as he changes positions often.

      I wonder if promotion to the position came with a raise.

      I heard he reports to the VP for Internal Affairs.

      His responsibilities include data massage, internal handling of customers, and staff management.

      I could do this all day...

      --
      "Trolls they were, but filled with the evil will of their master: a fell race..." -- J.R.R. Tolkien on Olog-hai
  4. AV's actually doing quite well by Conspicuous Coward · Score: 5, Insightful

    If you read TFA it says that some products were actually able to detect, though not remove, as many as 29 out of the 30 rootkits tested once they were installed.

    That's far higher than I would have expected. I thought the whole idea of a rootkit is that it modifies/hooks the kernel to make detection from userspace practically impossible, so either they're using poor/outdated rootkits or the antivirus makers are actually doing a pretty good job of detecting them (gasp).

    Personally I run virus scans from a clean windows PE disk on any windows machine I suspect to be infected anyway; partly because some malware is very good at hiding itself from the OS once it's installed, partly because it makes removal much easier, but I wouldn't read these results as being bad for (some of) the antivirus makers concerned, as the summary seems to suggest.

    1. Re:AV's actually doing quite well by Carnildo · Score: 5, Insightful

      That's far higher than I would have expected. I thought the whole idea of a rootkit is that it modifies/hooks the kernel to make detection from userspace practically impossible, so either they're using poor/outdated rootkits or the antivirus makers are actually doing a pretty good job of detecting them (gasp).
      It's an arms race. Since a rootkit is making the appearance of reality disagree with physical fact, there's always some way to detect the deception: for example, hidden disk usage could be detected by writing data to fill the disk, and then seeing if the amount of data written is equal to the apparently-free disk space. The latest antivirus software will detect these discrepancies; the latest rootkits will patch over whatever techniques the antivirus software is using.
      --
      "They redundantly repeated themselves over and over again incessantly without end ad infinitum" -- ibid.
  5. Not really surprised by neokushan · Score: 5, Interesting

    Thanks to all the porn sites my FRIEND goes on, it's not uncommon for my AV to pick up a virus every now and then. Usually it's able to kill the thing, but every now and then one comes along that's just a pig to get rid of.

    Norton (keep in mind, last time I used it was half a decade ago, if not more) had a great habit of going "HEY! YOU'VE GOT A VIRUS!" but when you actually tell it to delete the bloody thing, it refused to do anything. What was annoying was that often you could delete it simply by killing the process, but I digress.

    Every other AV I've used has been able to handle most, but to this day, every now and then a virus will come along that whatever AV I try simply can't shift, forcing me to do the ol' safe-mode delete trick (or sometimes having to boot into a different OS entirely).

    I don't understand why these AV's don't pop up saying "we've found a virus, unfortunately it's going to be a pain to remove, so I can't do it for you, instead here's some instructions on what to do to get rid of it..." instead of just repeatedly popping up that the Virus is there and refusing to do anything about it....

    --
    +1 IDisagreeSoHeMustBeATrollOrAnAstroturferOrAShill
    1. Re:Not really surprised by Hatta · Score: 5, Informative

      Thanks to all the porn sites my FRIEND goes on, it's not uncommon for my AV to pick up a virus every now and then.

      It's funny, the embarrassing part here isn't that you look at porn, it's that you get infected while doing it. Get NoScript, a bittorrent client, and a clue.

      --
      Give me Classic Slashdot or give me death!
  6. If you think that's bad by Anonymous Coward · Score: 5, Funny

    Try working in an area of the building labeled "Mail Insertion" (for stuffing envelopes.) It doesn't come off too well when you tell someone you work over in mail insertion, no matter how you try to emphasize the 'i' in mail.

  7. I don't even bother trying to clean them up. by Dr. Manhattan · Score: 5, Interesting

    My nephew got something or other on his laptop. I made a desultory effort to clean it, but whatever crap was on there would kill the anti-spyware install routines within seconds. Fortunately I'd installed Ubuntu on another partition, and he was still able to do web and email and stuff, and I told him to back up the data he needs and I'll wipe it and start fresh.

    I'm pretty sure it was trojaned game mods that got him instead of the usual porn sites. At least, if it was porn, he did a pretty good job hiding his tracks. :->

    --
    PHEM - party like it's 1997-2003!
  8. Killing rootkits. You're doing it wrong. by khasim · Score: 5, Interesting

    Every time this subject comes up, I say the same thing.

    The problem with finding and removing rootkits (and other forms of malware) is that the vendor of the OS does not provide any means of identifying what the LEGITIMATE files are.

    With Ubuntu, I can boot from a LiveCD and check any file on my hard drive. What package does it belong to? Does it have the correct checksums?

    Anything that cannot be identified can be moved to a different drive. A drive without run permissions.

    Problem solved.

  9. Well, DUH! by Todd Knarr · Score: 5, Informative

    First rule of system scanning: if your system is compromised, you can't trust anything running on it including the scanning software. Any malware that's gotten far enough in to be a threat can readily trap the system functions to load programs and read the disk and the system functions used to detect trapping of system functions, allowing it to invisibly return false data to the scanning program. This was standard practice in the late 80s for viruses, see the origin of the term "stealth virus". You can scan incoming files using a scanner running on the main OS but to scan the main OS for infection you need to be running from a different boot image, one that's never been made available in a writable state to the main OS. And no, that doesn't mean a different partition on the hard drive, that's writable by the main OS even if it's not directly available as a drive. The media has to have been physically write-protected or read-only any time it's been in the drive while the main OS is running.
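
A worked illustration of the two posts above (khasim's package-checksum check and Todd Knarr's rule that the check has to run from a clean boot), added here and not taken from the thread or from any vendor's tool: with the suspect disk mounted read-only under a live system, the script compares files against the md5sums that dpkg ships for every installed package and reports both packaged files whose hash changed and files no package claims. The mount point, the scanned directories and the demo root it builds are constructed for the example.

```python
import hashlib
import tempfile
from pathlib import Path

def parse_md5sums(text):
    """Parse one dpkg .md5sums file: '<md5hex>  <path relative to />' per line."""
    entries = {}
    for line in text.splitlines():
        digest, sep, rel = line.strip().partition("  ")
        if sep:
            entries[rel] = digest.lower()
    return entries

def load_manifest(root):
    """Map every packaged file under the mounted root to (package, expected md5)."""
    manifest = {}
    for f in sorted((Path(root) / "var/lib/dpkg/info").glob("*.md5sums")):
        for rel, digest in parse_md5sums(f.read_text()).items():
            manifest[rel] = (f.stem, digest)
    return manifest

def audit(root, dirs=("usr/bin", "usr/sbin", "usr/lib")):
    """Report packaged files whose hash changed and files no package claims.
    Binary dirs only: conffiles, caches and logs have no md5sums entry."""
    manifest = load_manifest(root)
    modified, unknown = [], []
    for d in dirs:
        for p in (Path(root) / d).rglob("*"):
            if p.is_symlink() or not p.is_file():
                continue
            rel = str(p.relative_to(root))
            if rel not in manifest:
                unknown.append(rel)
            elif hashlib.md5(p.read_bytes()).hexdigest() != manifest[rel][1]:
                modified.append((rel, manifest[rel][0]))
    return {"modified": sorted(modified), "unknown": sorted(unknown)}

def build_demo_root():
    """Constructed offline root: one intact, one tampered, one unpackaged file."""
    root = Path(tempfile.mkdtemp(prefix="offline-root-"))
    (root / "var/lib/dpkg/info").mkdir(parents=True)
    (root / "usr/bin").mkdir(parents=True)
    ls_bytes, ps_bytes = b"#!/bin/sh\necho ls\n", b"#!/bin/sh\necho ps\n"
    (root / "usr/bin/ls").write_bytes(ls_bytes)
    (root / "usr/bin/ps").write_bytes(b"#!/bin/sh\necho not-ps\n")  # tampered
    (root / "usr/bin/.hidden-helper").write_bytes(b"#!/bin/sh\n")  # unpackaged
    (root / "var/lib/dpkg/info/coreutils.md5sums").write_text(
        f"{hashlib.md5(ls_bytes).hexdigest()}  usr/bin/ls\n"
        f"{hashlib.md5(ps_bytes).hexdigest()}  usr/bin/ps\n")
    return str(root)
```

On a real disk, run it as `audit("/mnt/suspect")` from the live system; the md5sums themselves live on the suspect disk, so a hit means "differs from what dpkg recorded", and a clean result still says nothing about the kernel or boot sector, which an image-based check must cover separately.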

  10. Re:Bootable ClamAV CD image... Ubuntu live CD? by ma1wrbu5tr · Score: 5, Informative

    Steveha..
    http://www.ultimatebootcd.com/
    http://www.ubcd4win.com/
    Both have excellent tools on them, including some UPDATABLE AV kits.

    --
    Why can't we go back to using jumpers to configure slot adapter cards? Why? I say!