Saturday, January 27, 2007

How do I destroy Babylon?

Among nerds interested in malware, rootkits are all the rage.
Not only for those who want to detect and analyze, but those
who want to write them. A recent article gives us a detailed
review of 6 rootkit detectors. Whose product best detects
stealth malware? An AV company's, or an independent
programmer's? [It's too bad GMER and Darkspy weren't

For the reader who isn't tech savvy: meet the malicious rootkit.
A magical program that hides itself on a computer and allows an
attacker full access to a machine. It often bypasses Anti-Virus,
Anti-Spyware, and Firewall programs. There is no process visible
in Task Manager, and you need some special tools to find this
malware. An example: you may recall a scandal resulting from
Sony secretly adding rootkits to over 4 million CDs.

*Some programs legitimately make use of rootkit technology (for
example, a firewall that wants to prevent itself from being shutdown
by malware must protect itself by hiding). Outpost, Daemon Tools,
and Alcohol 120% are some examples of programs that use rootkit
technology in a non-malicious way.

What kind of an human being would purposely create such devious
software? Holyfather, author of HackerDefender, one of the most
common & well known NT rootkits addresses this quite well:

" might find something strange on the behaviour of
and other security companies that develop products
to save people
from the threats of rookits. They sell the fake
sense of security but
they do not bring the real security to your
computer. Yes, they will
protect you against wild spread threats
like destructive worms but
this is not the real danger for users.
The real danger are pointed
attacks where private tools are used.
These tools uses the same
methods as our tools but are not
detected because security companies
have no chance to
download them and add those few bytes in their
database. And
because they catch only tools they know and do not
solve the
cause attackers will succeed with their tools. This attitude

brings money to security companies because their users still
upgrades and buy new versions of their products
and so this is why
these security companies don't want to
change the situation. We think
this has to be changed. We
believe that Hacker defender project
contribute making the
world of computers more secure. It forces
security companies
to care about the core of the problems, to develop
better and
better products. And after the years we see the results. The

situation here is still better and we believe it is also because of
our work.
There is still lot of work to be done with rootkit
detectors and antivirus
products. This is why we will continue
in our work to try to find ways
how to bypass their poor
products until they come with the real solution."


In fact, Holyfather's rootkit was a very big driving force in making
Anti-Virus companies take notice of this threat (and of their poor
software). Companies like F-Secure began to write tools to battle
rootkits. Then, almost every single AV company jumped on the
bandwagon. Which one of these excellent companies, who recruit
only the most promising developers nabbed the best anti rootkitter
trophy? Two did: a Chinese programmer named 'jfp_' and a team
of independent Russian coders. These programs surpass by far the
half-assed attempts of McAfee, Grisoft, Sophos, and many other
AV companies.

Very few Anti Virus programs (at least quality ones) come with
proactive rootkit defense. An AV with quality RK defense is
Kaspersky 6. In the next year, many companies should integrate
this sort of protection into their products (do not interpret this
as integrating quality rootkit defense). Until then, the best
proactive solutions are DefenseWall (recommended, shareware),
Neoava Guard (free) , and the latest Version of Outpost Pro.
However, proactive defense means little if you're already infected
with a RK. Check the review of programs and the link below for
more details.

If you need rootkit related assistance/info, check out this forum.

No comments: