Network Security & Hardware - eWeek


Battery 500 Project Charged Up over All-Electric Cars
Charting the Final Frontier--Google Maps for Indoors
Get Smarter Technology on Your Mobile!
  Network Security & Hardware


Rutkowska: Anti-Virus Software Is Ineffective



 By: Ryan Naraine
2006-10-26
Article Rating:starstarstarstarstar / 1


There are 0 user comments on this Network Security & Hardware story.


  Table of Contents:
  1. Rutkowska: Anti-Virus Software Is Ineffective
  2. ' Rootkit Threats '
  3. ' Vista '
  4. ' Scanners and Tools '

Rate This Article:
Poor Best
Rutkowska: Anti-Virus Software Is Ineffective
( Page 1 of 4 )

Q&A: Stealth malware researcher Joanna Rutkowska discusses her interest in computer security, the threat from rootkits and why the world is not ready for virtual machine technology.

Earlier this year, stealth malware researcher Joanna Rutkowska created a stir at the Black Hat Briefings when she demonstrated a way to infect Windows Vista with a rootkit and introduced Blue Pill, a new concept that uses AMDs SVM/Pacifica virtualization technology to create "100 percent undetectable malware."

In this interview with eWEEK senior editor Ryan Naraine, Rutkowska talks about her interest in computer security, the reality of stealth malware threats, the risks associated with hardware virtualization and why the anti-virus industry comes up short.

For the benefit of readers who may not have heard about you, can you introduce yourself?

Im a security researcher focusing on stealth technology and system compromise detection. This includes topics like kernel rootkits, stealth malware and covert network communications. I currently work for COSEINC, a Singapore-based IT security company. I live in Warsaw, Poland.

Resource Library:

At what age did you get your first computer? Can you describe it?

I think I was 11 when the first computer appeared at my home. It was the PC AT-286, 2MB of RAM and 40MB of hard disk, and it ran with blazing speed of about 16 MHz, if I remember correctly. Actually, that was a high-end machine in those days (beginning of 1990s). However, because of the poor graphics capabilities (Hercules card), I couldnt run most of the games on that computer, so, very quickly, I started my adventures with programming, first with BASIC.

What prompted your interest in computer security?

I have always been interested in how things work. So, when I started programming, I naturally became interested in how the operating system worked. I started learning x86 assembler (on MS-DOS back in those days) and got involved in virus research. Then, for a few years, I broke off from security, focusing on stuff like math and Artificial Intelligence. Then I became interested in networking, Linux and system programming and that eventually brought me back into security, this time focusing on exploit development for Linux x86 and then Win32.

After some time, I gravitated toward the what-to-do-after-successful-exploitation field (kernel backdoors, rootkits, covert channels, etc.) and how to defend against it. But I must say that I have always considered exploit-writing as a very sophisticated art, and I have always had lots of respect for people who could create reliable, "offset-independent" exploits. Theyre very aesthetically pleasing.

On your primary machine, what OS is running? What kinds of security software are you using?

On my primary machine, I run Windows XP x64. I dont use any anti-virus products to secure any of my machines. The reason—I just dont like their approach, which is to block only known malware. Needless to say, I also dont believe in all those AI-based Host Intrusion Detection Systems to stop the unknown attack vectors. So, I just try to be careful when surfing, use NoScript, never open suspicious e-mails or PowerPoint/PDF documents…

Of course, Im still aware that its not enough, as somebody can embed a very reliable and "silent" zero-day exploit for my .TXT editor in some README file. Or that they can find a bug in my Wi-Fi driver. Or an attacker can inject an exploit for my browser after setting up a man-in-the-middle attack in a hotspot at the airport.

So, from time to time, I might run some custom tools of mine to check the integrity of my system or start Wireshark to see what my traffic looks like. In other words, Im not very satisfied with the existing commercial solutions, because I know how easy it is to create malware to bypass them all.

When/how was the first time you heard about rootkits?

As I said before, I was first focusing on exploit development and then started thinking about what to do after we got "the shell." Of course, I was not the first one thinking about this, so I quickly came across various Linux-based rootkits, like Knark or Adore. I think that was at the end of the 1990s. Then I started thinking about how to generically detect those kinds of malware.

Next Page: Rootkit threats.





  Reader Comments: Rutkowska: Anti-Virus Software Is Ineffective
>>> Be the FIRST to comment on this article!
 


 
 
>>> More Network Security & Hardware Articles          >>> More By Ryan Naraine
 


x}r8s;iW1E%uȶ\֔ey,Uyc# IlS$|rbbq3 %RUs]D d"3H$?{$ G3L{B1(ٟ9ЧGLzIjû@{R(%GFgP+N-w5 E]0eNFNv@\}@^sFd>B`OS{SMuɔiPل͙ؗ6}^~b .hѶ ⌳IlG5tyGѢ%yHCRpDRงB@TeG$,oqX|؁P=,2r3͛6B!|HJT%h!1Qes_{/ !X]~j4LߵC2hj9N`QƞdnڭcŰ A#c9p<v5#J3q򿻓'Mjb'ӤRcfH(ÑcPWw,ǃT* TjQ3cmfZ35-3@ؾQ̀ ݢq/#!ʿ$fŭ0)̳X#vRB'lǦ" 'm_j| 4v9s8$sz3 wj%NXEo~cnh! ;E7rؗCY֌aF-S4uHUZ+R^(Տ_Eiνoĩq3Voo>ֿ(TU-e*G,;ڎжD^ԢZvN{ـ\>/.ɣ N |'k[LZ.JX<%ȇ Tj`q%pKT/H-]jGz[zOaF`%pfQB>}}uɠ}r~|i!|g9̠T PAfPKe+ԩZuܜ<_st.O{7}rֻ&OvY3a ɗV Cp=['^=:$~}Yz>540V+%%+2O6PE$Y)|н Ć> bO|ಖyx>jY]6'tauIUis[RށؓY5x>%e~ S/3G#вnZ Zc1uc2,ՎJPPW GUL F̶-a[e)u5}ŭ>:mNQm51l;4}t>჆$>hhƋMriOMrӇtu@>+GݺzLn=Wԇ9ȩu0C m|&6ld$4(sw[LLσ I#ˋ0P 2/?6a9N@tmSx}MrA=39ڝfZȴc@LdlٚM܏63uBB13 =gƠ'_u˙.'˗јSQrRҋsMwd50egYA3'|(@]4>+WUPÃ"`"+42[m̞w(Vf;\X䞅ʁZ¿Jʳ"#P3>ťp(mtfй+>q^v.iz ei֕[I%ͺ{ց$l Ұ.R.Y![r5k^ )/Q|u$"XRvӱò=cM2&7uеۡcc96s?)\TBZȔe8jAjR+J}sf8 , J;? )mT.mT^GgΧމyд "w=: 7S-`cg@>`3ǟGRlC28c"R+mne@ͤP)X[*^|({-'`#z.#NWɅc=\SEeI-ip!fd>n '[arShfh:6-=͝lRF_a֚iofJPTIO9&_G5 k*Q +gXsMt]Q[# XZ1L=`_mpfZ FR."f~~i~R`d[s6/ ˿}udN`'\sW["LJm#Μi-L,*I-b],* O1kM8vهE>'{E;= 7a/)gpI,_ta@C^h#SL@ΧrERŸ ~(hbAZp3E oabIt?a1C>z_=2dB4]enu^ɚ>lv''Dv=j scG~O n: BR$Rq {259p\SemimN7OE) ZxhU̐,2B|jb"-Y1ui&!l|l'[e7M"3pTa7n-* ~2s bT 7$J\SGQ>N<͠1p Fu<1{H҇JS-b tqi#NoZTRXUʅz7Ϣ C.{E5 veN6qab;?ͥg7gkX?";j>kRaJ%2¸_vF^IўAb0halJwѺ\C8f'SIl'YV&Uq]t3Mc>րh k0>0Riʊ +> 2&ZQRjϢs{@&LpZ]Qd:)nQ==յћn@h#&w}CAU 9w>*%U-vWAlj%wWGkQ@JڃR> GYdI.|akJZWn8Jg$,$P Yx[!6E!,8{ ^?KXXD>DQkf ߉8x Ŋ +6/׌м~>A%BQ`nо(&w,$\auv>g {ͶRo~gQV Mtp~H*ۦ>]VsO0fi^3.y01v 0޿0 Їߤi|D`u޷pC-tΪ2e'[x!K r#F16bd+]=/aoZ5ð ]a區U{A+t[;K'5?wD.:m)ޠw%< rDpBj]t_(d0 srn]g#6b ` xѤȂ<"̔F<$]wFMT!PR2.5g ^|&֒}UYr!sdQhlϽ( Bf/3۟b!|FgG<ևA(5 +JGvWa{k D-bcaHFrI'zRG>gu3_f Rt<~Ur;Hעo)MJ!}J_cNf4~ P=8,rh%縵vi]a~2)}CmN9˙~DҼ" Í76w JEާ5p!ASB9kթ-ݱi'>fax!w-0q؁B;DHa2SEa~=m1겨u]$L<1GтN)tJȓ(F=)I"8IUF4A2uIH?Md4XPW HقZ'59ܻ8 /.t6V"'X;[ .VH0_Ӹ\btNZD XY+oxt7>CTդ g껰Ϋ؁R>Cp0S`0#!9+|)}~XU׫۽lH@{q?Kl8N*tb9,_Aݾneټܱ?jwh{操~{Oj9Л3Lpj `ֳs;[Q rЧx"64lyWy#K] ?8JnLcBWT@m6,qx\=K<, g6!=rŠ}MZ砆qWO$U e>x>HАݙ-p溟8#M[wfؓ9_'oc$Ǿv/ݻw~Zؖ[q*A#wCG<L>?Fdc:M"I^QԼګEdE)I}ۋG#S~`q8-<ctH_`@L6CGfKmm3{zi-82{KN7Kx="~O 'LwUv@r@pSx~=m쳷ez%nQZhr;Do*Ưj OKt1ڮ/=اHkYXdbQWفgo ? '|ȞF8^j[cxxg!,d9a}3G0[ɱ-Ι2HB%[euw+[S'gSc;/HF#%g&ϖȱmG @|Ր;a6r*|b \<e W^M·⎭zgQ$|[q$[+/' g|o#&꿛n kN7&/6o).i{\nax{7d\ڊ}fK~~ v/LViyǏo&gnǣR.}Joف)}29?Ͼv5 CDI}ĸHǔ,"5 AFyQ`B Z`nvJ"<.0-,:Pl?/HXF7_ꞎFGipJ (4,{i4bIKWVo 8_4eGA" M~lj3sAy!yOiSrI_(xkw拀ԫϣKX6u@=CdCGuoN/Ote)E#OQĜVgCph ]nމdB1Yu$e >e^1 ߱Y?&N:e mn'1_c;Lq ]Yl51|KgjBD2Pq <:> )/ +M]1( Ip=zgQ2S?gYUlI _p[';-%eY{2O9H|lvŹuu^ۃHaV:QQVTqΦlZ!Ӷ /HvuH:c3;';NN)Oa4 ȯ/k LwI5X^pa(V Ыથp5Q9 zw"bd 'PBbRAitBBM]E R}qt谎rr@F=0*d^{sٮWk*R.K]' xqwwww\V 5繞X_3E8Ӿz jHWc%L&ϼEFf]9 kR^fkYf υ-ta $j2ϕkE2k,"KPėscs 0W*p͖e|нK2$z vkNeumFu w:DurK\<86* p9jmK'!Vq ZNs-}gނ#ڼ%/];#t[px}КA:ՓkX[QEK ;K/XIX߂mQcB< ĺu-9S-[j?Rmu`&@h}Ye2ID9jK#Kk;,ە[!߽X߽X߽X߽X߸ZQoۋ~+u1צK ^B+nxsI!g BX?!/@ aLg9l;#7Pc1tq*o,6vPln ZWqeZZPhX ךOD3* I3~^H+eEF?,xT&ݥeNXl KqìfoۿP}f^w1V^s:S2Uc Bq/d\ 4;8q/!&Ȥ#>ybuIɸ)x)1pS/[^{q'H|u+A<{nDp^W z]kN9-0*2n?7E\x&-6%8Ibb!LT#|.dHAw^Y TeQO^t ]EC*m`$04>RPy!Fvˏ{Kb+nbI7{$qhk+J%ޥAQ)ꎈJ-9"@Ÿ *$WV./> 1k=(B,Tw<&6Ë/-IyoYK6qNfAfQȢi\1rV ueb?=G/ttAk-c"]Nc 2(WsƌyFSj9.椷 G]!DSt/HU9 &u0Z`Wnh1*]洹a:kbdc;XyVy ;{6vn&f(m'hzBRKo^6<͊NDnpdi}ȓP}ʳf-* ;,Ot%}Nč*"8FOlSaZ~ ~r1s*1kj~bT*#73нGVjjJ PĹ1g"aXE\w  sP=ӂ"Z}2֑: RrY-kmͳIp\<K5kxܥ3 sF%0Y>GN$(cX ~==]b'p@ eˡWqUc\oZFBX4Qqe0޻K{YV^]C96Yln S:s^aci7t 16)t|HI -gw~1~"js{=C_aeYMYqc[VjBƹva|Duv7H)kfMPZ]Z5?~u9`VǘMZ@ OmzZ&F6#ZMik8a4ƿJpo2zS,TZ~K"?{hx~3l@ "6r?"I:N~NPԓG)׀gxBW7˽}D['鍀Crhb#3FP0\'Mչ E{0h_ (4x!(G 'lI<ʊ0W=g:|e>u`wA^& -l  \Q-r9G}8z}_ƈ\faD9p=Sѥ-.Șh MQ VHxD~3&giBE< ,i  YC) Q?ēS3#Hb1Ř!c>^´ukfĄA|GP2A@>:WLQZj*!b3wأ4ϓ/ }jYv߀$)FK1tQ:..x*@J>S|6XP؟?pk2'H0Zjn`:xPOc 7Sa|LofQи/nF3 33lf;. l9 :jT 1&F}%nK ṇRyL ]ǒ 4B1h^\{n?㯛6sq`h),f|_1ԻPSr$4k|:,!dW`NJRN-/|.OOXYݬ(_w-4W )WTx 4r#cvFCT(ޚx@| LBz،\S;>bւgrֻ&-rvnuj]E,a[+|Sw{OzW:L{0calB_n2/*v(P]mf)L{=\h^Dpɂw]%;8/{'Q~\l(E_VCTĨЫSe0L[NOMԖC|@VՉt.3]rZO-6Ak_m>4rUN>+Mo )n}>e; Mj^+Q_m];^d?d _Nme^{@vx,>3#y'<95;s~3Ȁ]1>]w}} v3e2OSsxoo2c|/A~.32cz^F{z_?2 _eԿ>3 2ox?}OS{S~~2wod  M%:Iʘ}+CZWpz~;9x_53\}U Pg>CU >_`ekWtsͿg_3̭L:W'BX\Jzp+*W^gi5viAm {} yW V`˼7(gG6+E.Э-'ވm]=b!Iy=0?%Mu{1پWߕ\~SnE+tjq&R2#s"q6G#aN@A0s4FUyDc#h .Ñp[x剹?|K2xwi0>ۓ{o\pmঠϻL^-aીOW]}ExvY몮,5WlNAmϋ}>Y;yУx߇ߊD+,x e%Hi1\=<ʹ}zVjf4>x|fOvHu1jo|(O4q< 9sYu8% ~H-MԳpNRدhعkjZrt5pÅzsn ?MCꖉ$ s#RRՒRJZVrG?%Hd6=8 "2fDQe jro9 Z)˥*D`{F((R h[iRoh ypC>fJ-@ P1=:1Wh\ V,6of!3^8ռD<gu~o2P e +7 J,5{3Ы\ęC_ pov1R  `-kD҃yhp䣿 t85ri;Ìs,e܁zՈq623kw^f$jAkx.,x(\Jq}zlY8=ۚ9l؆"u ]ݸ3EK~xR Hn2, r]+#%0qncOYt->x*8" "kH "s{B|%i{JP%n3!-?vMhum}EtN[a>$Xm)׹b,3u'sE5>~PƄ!نIPMP"qm$!3oW%>QcБ_kk!tZwkdY9Hr&zU h$.7=j"6: gK“JrJ帘cw[/AI)H[aʹě]qי4OJm{X|@ăx!$K/<>,D*9"[o %P@EikA/?Hgwd&%}YQ & ]aьU$4yHRàO[=$sDs݅ ߠ^+yJ>? T|- 5{\6LDRg }F0~N:]jV0N6? `nwfښ ˎƌQYɶz SO~j]O(Coݒ\k<>aiЀΧ^p穎TU|J6A1^<&;z>K̯+"U`g#~"3V[œA6h4M(Dْ0F=-Hÿˍt/Asl+ 6-  `⎈mee֘9DR*,D&f , ~sf㿝9Qh~0r,^Gx kok3gz Ϸ;<v7s#+_wg[$v/-Ǭ yvJ^S.u 7tleb @J >ۉnFTtC %`GYU`Z+v_8utvKѪ v7"60ޏqYPRـ9&@ 6:p3z ШpKUDs~N5u|Ua=vksMΜ φŀd_qxN|L/Xثl g)C2^#s!oYX&7ęV //O CׅѰ0 L{,lyEG%RrNCa 0F :ebr]̀z3 cJ\gGۂ~+2GS<"Y4.'L_tx .^s {ej xٚջHR#.Y|Ђ!gn耵]1nBO .&DW6K54Ƙb>Y{& W{څGSy6:|/X>ˣŬ"D0Ȯ'%''R"la,9r3 ⻆Ej F.t1R04(`yjSSQ2$Y! *`gGq~vXvQ%6įoڝOz,,Mo['_>^JaA e鑢%!Oi B"E+w:=\OzC%ȕ/2F#xoUAFCQ+j5Nbi|ۊX#iQgrYORե{l' uE^8%ܖmJHQ&s)# MW\e\(Mj392>dv=̭Mӝo3a-d4džIkckj`g{n&