Network Security & Hardware - eWeek


Is the Smart Grid a Dumb Idea?
Surgical Adhesive Offers Smarter Way to Mend Bones
Get Smarter Technology on Your Mobile!
  Network Security & Hardware


Rutkowska: Anti-Virus Software Is Ineffective



 By: Ryan Naraine
2006-10-26
Article Rating:starstarstarstarstar / 1


There are 0 user comments on this Network Security & Hardware story.


  Table of Contents:
  1. Rutkowska: Anti-Virus Software Is Ineffective
  2. ' Rootkit Threats '
  3. ' Vista '
  4. ' Scanners and Tools '

Rate This Article:
Poor Best
Rutkowska: Anti-Virus Software Is Ineffective
( Page 1 of 4 )

Q&A: Stealth malware researcher Joanna Rutkowska discusses her interest in computer security, the threat from rootkits and why the world is not ready for virtual machine technology.

Earlier this year, stealth malware researcher Joanna Rutkowska created a stir at the Black Hat Briefings when she demonstrated a way to infect Windows Vista with a rootkit and introduced Blue Pill, a new concept that uses AMDs SVM/Pacifica virtualization technology to create "100 percent undetectable malware."

In this interview with eWEEK senior editor Ryan Naraine, Rutkowska talks about her interest in computer security, the reality of stealth malware threats, the risks associated with hardware virtualization and why the anti-virus industry comes up short.

For the benefit of readers who may not have heard about you, can you introduce yourself?

Im a security researcher focusing on stealth technology and system compromise detection. This includes topics like kernel rootkits, stealth malware and covert network communications. I currently work for COSEINC, a Singapore-based IT security company. I live in Warsaw, Poland.

Resource Library:

At what age did you get your first computer? Can you describe it?

I think I was 11 when the first computer appeared at my home. It was the PC AT-286, 2MB of RAM and 40MB of hard disk, and it ran with blazing speed of about 16 MHz, if I remember correctly. Actually, that was a high-end machine in those days (beginning of 1990s). However, because of the poor graphics capabilities (Hercules card), I couldnt run most of the games on that computer, so, very quickly, I started my adventures with programming, first with BASIC.

What prompted your interest in computer security?

I have always been interested in how things work. So, when I started programming, I naturally became interested in how the operating system worked. I started learning x86 assembler (on MS-DOS back in those days) and got involved in virus research. Then, for a few years, I broke off from security, focusing on stuff like math and Artificial Intelligence. Then I became interested in networking, Linux and system programming and that eventually brought me back into security, this time focusing on exploit development for Linux x86 and then Win32.

After some time, I gravitated toward the what-to-do-after-successful-exploitation field (kernel backdoors, rootkits, covert channels, etc.) and how to defend against it. But I must say that I have always considered exploit-writing as a very sophisticated art, and I have always had lots of respect for people who could create reliable, "offset-independent" exploits. Theyre very aesthetically pleasing.

On your primary machine, what OS is running? What kinds of security software are you using?

On my primary machine, I run Windows XP x64. I dont use any anti-virus products to secure any of my machines. The reason—I just dont like their approach, which is to block only known malware. Needless to say, I also dont believe in all those AI-based Host Intrusion Detection Systems to stop the unknown attack vectors. So, I just try to be careful when surfing, use NoScript, never open suspicious e-mails or PowerPoint/PDF documents…

Of course, Im still aware that its not enough, as somebody can embed a very reliable and "silent" zero-day exploit for my .TXT editor in some README file. Or that they can find a bug in my Wi-Fi driver. Or an attacker can inject an exploit for my browser after setting up a man-in-the-middle attack in a hotspot at the airport.

So, from time to time, I might run some custom tools of mine to check the integrity of my system or start Wireshark to see what my traffic looks like. In other words, Im not very satisfied with the existing commercial solutions, because I know how easy it is to create malware to bypass them all.

When/how was the first time you heard about rootkits?

As I said before, I was first focusing on exploit development and then started thinking about what to do after we got "the shell." Of course, I was not the first one thinking about this, so I quickly came across various Linux-based rootkits, like Knark or Adore. I think that was at the end of the 1990s. Then I started thinking about how to generically detect those kinds of malware.

Next Page: Rootkit threats.





  Reader Comments: Rutkowska: Anti-Virus Software Is Ineffective
>>> Be the FIRST to comment on this article!
 


 
 
>>> More Network Security & Hardware Articles          >>> More By Ryan Naraine
 


x}r8s;iW1ŋvI-5eYKU-EB!)ܽ~fMZ]9[m["2H${$ W7-gJz)ٟ(O,zIjÛP{ g͂()o1mnf], _hoL,Q tjOt0.Qk: Z575ק4o/N~e0S-:II>)6j9iݑ |i @I>R(ާ#Ѻ!YQyHږyD6D'Jߣ"c7 ݹx8/DeO‡d*Fӽ NZ]"Zsˆ辥$)5 < \d`4QL1H6}~8KZ QM%$7 V.mqVR0~b[4Ip\.: 뺷}=-:֍۩.,|, .j.9am 3 OdRr-2YʲnMw3a[mѡlطGZ4jjC)7_E}`[ⓅS wܼmpTUMSFop=*Fc[wn u5`(zݓ6$7u@.{A~$Vj;}&UJDZ-i& 0h!5fttX{CF0n;|#(7Ji%٥~dY̞of V҄ gUU,T~6t.Cn ;l,aV4*2V]鮙&ȏwA{yڿ59|t ݅O|LM Whp0N[_lo!맹MXCEC0JCR "3t?~Y_tOHA҉,O?· `םBm۲ܹ,BZKEןkR(E34 i[2)?m9oX@/@שS a4tBm4mҌ& 9B:ºkN49,蟙$m4@r5XSl؅ ROǯ4| ~^,-|y"brݢHPs>Χ+foF"> wfRB(pȀqb&TRe1\aU<:~uwެujմ޹/~iYwδui_wN9^g0hNj$шf%",$긤ժt }JJGe4Th 32ud8԰1n҉âx~]QAE{G|NMk1ouI=DC#ɠ:ڴ{\ZV34!!&mЀ 'p'bdxAb& ahi5 ZLH#AтMtT:n]`2Zw9ܻ-L&wzt` VGPC_!]7$(Vr`{>Ys9nزc@|j. J':r-Ea3C.O)))?]HPw9DJ B!B0H`P,쎄J9mW*lJe wJSvn2V{TKh!+K@fsfd(7i2klƺńx򍜘=b`&Qea*0pRx5Qn-`oʑ5utDބdb,aCtH{la [T'$:'4$a.*dyJ0s{"7,kQχ L+f(A\_XH;i<͹qf3;_Aa"tLeB#{f=6:{mQH08-wys3t7Nm~|YFhIO3_hy>g~>厬m[_4@~T&](\uΩIJ&k:HY3j-ysDrm ֖Os1r@@SjS͸T3Q2C+9Eۋ)i sX-8G4W- 'ٲZbY6~%fcP+úZjt ~Vd7Bɶ/Xaa1E]QYJKHD@CR)ҵ ҚaY^`(! "x ӡEO#mͼ*`G5: ,_&TYiW;AzESZ2ej-[`B]PeܠQ@0%X PQ[ b|kuꟸPCߵɇx~ou3$0TN(e!\o N) >Cװ DؙZWS{<`m1Jx>hx# d\6Ğ?x8[0,Y^/V꺰/]5!@0mE"CaiNR} IJ^z`׽YAʫ&-JjE)jB4i/#Y X6Tĵm>0}uD(mCZ!=Y@'@&"Yc'ѠVĒ8qyPzP* SWD.ʯ]9UF=3 $h@S4e2f-4_\0-xSJD%x\Rj'3nssQ*Jw+ )R;Oz^*k 5ǩUUR;*Z 7;Aq{ 8r'}y0ͼ_oŹ1ftQi am^J`s||ujN8clGc>eLFrlxTal(JzhCFrI6S07O*G3%+nrƒ4 ]#@$7zj"]r@ XQ0q[kOM?rBg%:!pwC+:2,npw]0XAG50qH&{+E68S"uW:KjSZ+::jnM/=WG$*X_ N d45}M*FW{boY څHBf:GdLC+`NT:w=܁c:P?H(Tg`MśH]ac6U{z@nR)Z,'W'vh\> }&no=!]Er0dZKp|]avKreH˷bgfr)ߦI39旉)/hy2檦URd,4Ω,6f ĮiϺV&e1g'}QApaqgX7n| UI?s4лM{ls Gq3`s"豥mBtb#5Z*lγ>AqHlww('WaiJEVK`zցDZ% c].g/|]՘{4GʈkxG`dY JhUm{\ cg2|]/$*RQv+Ձ5΀LdV֪EzXz,)uzd &RrME7uȋ­7:6Pg&#I(OU?2:i3RʵRM()CoED\OK9 ^uL lZKq@Kkp= -wz(̖ K%4e%3E/쎹-9BXB`'d1s<œo =$Ԅ7xpLaVf.n߃B'7ƒ"'!MgN'JUVpcM1}'>J п"}QLQWɪO@T ~1tc1μYm!@Ϣs4}ֿJg^!2a^=G #WAw_ab>"a&`WO{Zi\/0C~EͻR~GQ^9go, HŤ}vjv/J׼6zv9F72SH#U9k_^/~/^vtx`' }}{yru4+$E}|hq0MF 1S 3^6Q}F  Vq_v9`\Rh5c-ͅHg“S&amD}8cZgu3_f Rt2DtDp,})Fy*}y:}?7~OW+0waAbQkF+=mNH‐I NA~p_"Ġ#9n1~xAZd\eԉ9%2 \ ?m[ħ{, /䎉F=:dSNQ([wiQE-e9rtJ9S"\+06H P6,OҼe=lI1 iK"ih$bbVFZodpվܞ4<5ޥ]ƙWxvIv綱<:RpDD2ð{Ҿ&B}XyKw8Ť3DJ^KkhVˮM^<~xZR̅0OC]9$EQ,гOFMbc cE˙)vR6S漊 efoPw [gY.t0w#9dcޓd=fc\ SvjQ7f]Z9X 1#6q= pv#({A\BfZTrc]O}4]mYv<^xXN\D1eH5i_~&_ |0$?L-@N fP _>&q>p]Qz AC~gM}\0?yt;[Me'  CN_I}i^wo7-Ufᆎy J~l/t>D(jE_c[{c9VȪ̅S.R؋O'G'3~`qx-:?`tH_wz`@L6#Gځ;W-3x;Y8f׍[rǿfcf0ZW}E" b44 ]ekwB!R{go+-]Kĵ"v%KT7/e L^՛@" b]_BI{Oz[6N ԦW1_3YŸ6A!{zc]UA FU hCl 8g #@*yd\][w5%pRx65y( h4RwV`8lv4W -~@k§!qZ/II$|+؊woO_O_[{kE|;̕-u\w5;9p_B_bJi{\nEaQn(^ hތ}"t(u™KC&sˁUm]ѹ\).ĨP+JCZ_3kO1D`1tBq [O*bN?ݡu&OJPU%,Dt`q[vt$|Z0no_Pt<^c7?OO)4-aM&&BON 3| EY,`LT KCFCURzF8?n[4^TOg}6#&Kd>[} j3NT++^Nj' kЉm"EŴR0%q^,c (&.0m[SroVft2ACBB@ `[M? uU &$s)+# =z)MɕF(!ک "[@HZu^iOgd#?^kE2YL S%lɉ/%mKǮkVMDܬ-|Zwh&yJO ;XIa- c%.^SQw -^qڪؖb SMtSm^Q+ =b ?r^-s,Xc=ۉ6 Z\D ޚߚ\nw.尿gx$kؽ5t ŧ*As%q}V$yo涩9_A[bں薜#u(;0HIhwɬrTFrTbHߜ}%ʱmavbx^^^^o܋U(m{b?h_td nɝkmih\o $ Ag qֶ%,;B*QqV]"_ڇ9ʱ ?ͱy v]Mk(CAt3LgBko[A?6n.#w x/F@0wT|*x9Cܱd` v\}6BGɹfs=ݶ6WH^$4ȸ}2^8mvLƜxn{MZ9a z'&8AS3X/ʹ^m Zߦ<ώm_ma}*L*"Z~mĬӹ{GWr%{Zn}-R;d NMe;kygHj:!uNJD:`ѿE3VL9w<Yv(A=|n)98\!Oу%^&=_}l |Ms-ZTXT҉!c[+x6_f~R!gI] 0>1CY^UߑVR*jZ?";/9v"Af|s%'¼wP[}1W-vgq/]A/Ԯ,4EhgkH{wi ~Jkޱ&ˠ;/>rJgD ]%AJ%@EP]ןayZ`.=WXYrVk ͬj-%Vd]%F Rd3} 纣;~  @$Ĥ}MG*_Dx}#rU fӭ=0pEU5YfDk9m'엞&׈; 0~h*3>W<00t+PγjNT]OpY}XC3 èL_VHI+R[YS_D_-idKZ`25+ St4#?*)ځU^Ϟi4:~8l@)"6 ?LJi:Nu~NP!&p X3'&Έ௥oXV{+$νOg-M2uFf!&) `N[NC{A.;7pع cy] ^<s]\H h}Ph:qt~ANzloa s x7t\$l.clo?c7,>O1[>BZp4pJ_of@i(% cDRw/sO0ឩRHSVdL4"&(qTik$SG߀$)FK tQ:.x*@J>S|??­!hRfJs# x_𖫅fNÙ A=EP.OOM\2Ͻy?]_&gʁAVpRt=:rtԬ)ʁ*|{c`  cR[7geiC^~|LR ] 4Bq0hQxn?oX12{x/G@Ka1 J])IdR|:RJ|+R0cUΖ+_SP?w^7emK=M镬B*%^͂Ȅq~;w.@0>6#&LwnG}uuI]w:dxprݽvsѿ#K֚E_gԝǓdze{9\>|is2f6xteA.۽Sr3\h^DqɃw]d;</{ҝ'Q~^;ٙK,fyP`/ǭcWǤ'̀&7bSwй IShE&5/ʶ//r޿ry 7?is}?=rpSi' ? sC9޿[hw7ZӜпnN?ӽyݠz7y_ٮ{y>^=^?{92zx!9?y7x=xy{3 ?9s w3~}?}?/WW9qr_\?997x!=!@97yorڿi&s$C#g+\8=J缯Z9Rȫ_y{K˳ xϪ Xi9ZeUB9W~y>&{#sg+I4]a芋-5n ǤZuvF^_A5Ru$X2M&!#(R^>Ȧc˼_VRRw;]Sڤ\z.{]7[O'ikz(#s<2g)h{U26#{":fƨ*|,y|8SNt<1 }^B8 vt{zMtKn\ x[+ %>  #rӚ޴\v<2kSյ֚ ~3b 5y':+?FP[ԙqޢD;FEk@[Nx j܌3&X :'ﯻÏi7\_/FWY̛%¦>Na3^*B8D#`1zI?y0v}]3tcFMb7CF#=vqo.(Ȱ-!iKղVJZ8qO+F"k8= O1Q5YUdN*jUQ)&K3BAyG^@#غ̷|Q'C7":i0Vo1BDO"Oө:fSkW2&dy3K9Raw8coRkx;r$I,YDP&`) ؞.^-M!"YAr{IW3hېMX%clŢh*b."5 l$=vj;LmށzG}dȱx*Ү]^x[9a^ۺkAс(Ymw0o1`GL!oЮ\)Vcʕ.Sܟ?B뼗a2w;͌/ _X ($L{pŮ,}9N]]TnãǍGXȸ[[+ |@sxSaJ:psz26 Ѩip[UDgnns~tu|Ua=qǤ9mo@ =[?܋;}\m91V`=sƫӳ- ɴ{-̅2 !I^xyu~ҕ^)I&acQd+$*)ؐW k`LbV@P1,,oԟÌ'TS*ϝn<\eg~C%:~0>~0?rX9>Ŝe7,sȽoz`Z^]x Ϭ10YdWTZ*bJى[IpRMΡmb/pR!*acL 1L\7,.7ӷv!{Zu_1,*ˋ}P ×yx ^ŧ$FS`x@tW.r=+R ?aep|3~܍W,9ڽCRI>Pv<:vtD a^b[qO}{><\ѿN⿱qS)*h,=P$Di' AHecڧ˷x_޿`(X[Ehś|'`bhPjyTVKŽGv36HZ\֓RvFًᷞfSزM*d.%r R۬W ųiS}.^&N㇅ wɅ&l>)vmb-6C-[{36&