Among nerds interested in malware, rootkits are all the rage,
not only for those who want to detect and analyze them, but also
for those who want to write them. A recent article gives us a detailed
review of 6 rootkit detectors. Whose product best detects
stealth malware? An AV company's, or an independent
programmer's? [It's too bad GMER and DarkSpy weren't
included.]
For the reader who isn't tech savvy: meet the malicious rootkit.
A magical program that hides itself on a computer and allows an
attacker full access to a machine. It often bypasses Anti-Virus,
Anti-Spyware, and Firewall programs. There is no process visible
in Task Manager, and you need some special tools to find this
malware. An example: you may recall a scandal resulting from
Sony secretly adding rootkits to over 4 million CDs.
*Some programs legitimately make use of rootkit technology (for
example, a firewall that wants to prevent itself from being shut down
by malware must protect itself by hiding). Outpost, Daemon Tools,
and Alcohol 120% are some examples of programs that use rootkit
technology in a non-malicious way.
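The detectors reviewed on this page find what Task Manager cannot show by comparing two views of the system: the high-level process list that a rootkit has filtered, and a lower-level enumeration it has not. The following cross-view checker is an added example, not code from the blog or from any of the products it names. It runs on constructed snapshots (the process names and PIDs are made up) and also handles the classic false positive of this technique, a process that simply exits between the two enumerations, by requiring a PID to be hidden in every pass before it is flagged. Hits on software that legitimately hides itself (the products in the note above) still need a human to look at them.

```python
"""Cross-view process detection on constructed snapshots (added example).

high_view  - what a user-mode process listing (Task Manager) reports
low_view   - what a lower-level enumeration reports (e.g. walking PIDs
             directly or reading kernel structures); both are simulated here.
A rootkit that filters the user-mode API leaves a gap between the two.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Sequence, Tuple


@dataclass(frozen=True)
class Proc:
    pid: int
    name: str


def hidden_processes(high_view: Iterable[Proc], low_view: Iterable[Proc]) -> List[Proc]:
    """Processes present in the low-level view but absent from the high-level one."""
    visible = {p.pid for p in high_view}
    return sorted((p for p in low_view if p.pid not in visible), key=lambda p: p.pid)


def confirm_hidden(passes: Sequence[Tuple[Sequence[Proc], Sequence[Proc]]]) -> List[Proc]:
    """Flag only PIDs hidden in *every* (high, low) snapshot pair.

    A process that exits between the two enumerations shows up in one view
    only once; a rootkit hides its process consistently, so repeating the
    comparison filters the transient case out.
    """
    suspects: Dict[int, Proc] = {}
    for i, (high, low) in enumerate(passes):
        found = {p.pid: p for p in hidden_processes(high, low)}
        if i == 0:
            suspects = found
        else:
            suspects = {pid: p for pid, p in suspects.items() if pid in found}
    return sorted(suspects.values(), key=lambda p: p.pid)


# Constructed snapshots: two enumeration passes a few seconds apart.
# PID 2044 is the simulated hidden process; PID 3000 is a notepad that
# exited between passes (seen once by the low-level view only).
HIGH_PASS1 = [Proc(4, "System"), Proc(612, "csrss.exe"), Proc(1180, "explorer.exe")]
LOW_PASS1 = HIGH_PASS1 + [Proc(2044, "hidden_svc.exe"), Proc(3000, "notepad.exe")]
HIGH_PASS2 = [Proc(4, "System"), Proc(612, "csrss.exe"), Proc(1180, "explorer.exe")]
LOW_PASS2 = HIGH_PASS2 + [Proc(2044, "hidden_svc.exe")]


def demo() -> List[Proc]:
    """Run both passes and return the processes hidden consistently."""
    return confirm_hidden([(HIGH_PASS1, LOW_PASS1), (HIGH_PASS2, LOW_PASS2)])


if __name__ == "__main__":
    print("single pass (includes transient):", hidden_processes(HIGH_PASS1, LOW_PASS1))
    print("confirmed across passes:", demo())
```

On a real machine the two views would come from different code paths so that one hook cannot filter both; the logic that compares them is the same as above.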
What kind of a human being would purposely create such devious
software? Holyfather, author of HackerDefender, one of the most
common and well-known NT rootkits, addresses this quite well:
"...you might find something strange in the behaviour of
antivirus and other security companies that develop products
to save people from the threats of rootkits. They sell a fake
sense of security but they do not bring real security to your
computer. Yes, they will protect you against widespread threats
like destructive worms but this is not the real danger for users.
The real danger is pointed attacks where private tools are used.
These tools use the same methods as our tools but are not
detected because security companies have no chance to
download them and add those few bytes to their database. And
because they catch only tools they know and do not solve the
cause, attackers will succeed with their tools. This attitude
brings money to security companies because their users still
download upgrades and buy new versions of their products
and so this is why these security companies don't want to
change the situation. We think this has to be changed. We
believe that the Hacker Defender project contributes to making the
world of computers more secure. It forces security companies
to care about the core of the problems, to develop better and
better products. And after the years we see the results. The
situation here is still better and we believe it is also because of
our work. There is still a lot of work to be done with rootkit
detectors and antivirus products. This is why we will continue
in our work to try to find ways to bypass their poor
products until they come with the real solution."
From: http://hxdef.org/
In fact, Holyfather's rootkit was a very big driving force in making
Anti-Virus companies take notice of this threat (and of their poor
software). Companies like F-Secure began to write tools to battle
rootkits. Then, almost every single AV company jumped on the
bandwagon. Which one of these excellent companies, who recruit
only the most promising developers, nabbed the best anti-rootkit
trophy? Two did: a Chinese programmer named 'jfp_' and a team
of independent Russian coders. These programs surpass by far the
half-assed attempts of McAfee, Grisoft, Sophos, and many other
AV companies.
Very few Anti-Virus programs (at least quality ones) come with
proactive rootkit defense. An AV with quality RK defense is
Kaspersky 6. In the next year, many companies should integrate
this sort of protection into their products (do not interpret this
as integrating quality rootkit defense). Until then, the best
proactive solutions are DefenseWall (recommended, shareware),
Neoava Guard (free), and the latest version of Outpost Pro.
However, proactive defense means little if you're already infected
with a RK. Check the review of programs and the link below for
more details.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
If you need rootkit related assistance/info, check out this forum.
Saturday, January 27, 2007