Network Security & Hardware - eWeek


Battery 500 Project Charged Up over All-Electric Cars
Charting the Final Frontier--Google Maps for Indoors
Get Smarter Technology on Your Mobile!
  Network Security & Hardware


Rutkowska: Anti-Virus Software Is Ineffective



 By: Ryan Naraine
2006-10-26
Article Rating:starstarstarstarstar / 1


There are 0 user comments on this Network Security & Hardware story.


  Table of Contents:
  1. Rutkowska: Anti-Virus Software Is Ineffective
  2. ' Rootkit Threats '
  3. ' Vista '
  4. ' Scanners and Tools '

Rate This Article:
Poor Best
Rutkowska: Anti-Virus Software Is Ineffective
( Page 1 of 4 )

Q&A: Stealth malware researcher Joanna Rutkowska discusses her interest in computer security, the threat from rootkits and why the world is not ready for virtual machine technology.

Earlier this year, stealth malware researcher Joanna Rutkowska created a stir at the Black Hat Briefings when she demonstrated a way to infect Windows Vista with a rootkit and introduced Blue Pill, a new concept that uses AMDs SVM/Pacifica virtualization technology to create "100 percent undetectable malware."

In this interview with eWEEK senior editor Ryan Naraine, Rutkowska talks about her interest in computer security, the reality of stealth malware threats, the risks associated with hardware virtualization and why the anti-virus industry comes up short.

For the benefit of readers who may not have heard about you, can you introduce yourself?

Im a security researcher focusing on stealth technology and system compromise detection. This includes topics like kernel rootkits, stealth malware and covert network communications. I currently work for COSEINC, a Singapore-based IT security company. I live in Warsaw, Poland.

Resource Library:

At what age did you get your first computer? Can you describe it?

I think I was 11 when the first computer appeared at my home. It was the PC AT-286, 2MB of RAM and 40MB of hard disk, and it ran with blazing speed of about 16 MHz, if I remember correctly. Actually, that was a high-end machine in those days (beginning of 1990s). However, because of the poor graphics capabilities (Hercules card), I couldnt run most of the games on that computer, so, very quickly, I started my adventures with programming, first with BASIC.

What prompted your interest in computer security?

I have always been interested in how things work. So, when I started programming, I naturally became interested in how the operating system worked. I started learning x86 assembler (on MS-DOS back in those days) and got involved in virus research. Then, for a few years, I broke off from security, focusing on stuff like math and Artificial Intelligence. Then I became interested in networking, Linux and system programming and that eventually brought me back into security, this time focusing on exploit development for Linux x86 and then Win32.

After some time, I gravitated toward the what-to-do-after-successful-exploitation field (kernel backdoors, rootkits, covert channels, etc.) and how to defend against it. But I must say that I have always considered exploit-writing as a very sophisticated art, and I have always had lots of respect for people who could create reliable, "offset-independent" exploits. Theyre very aesthetically pleasing.

On your primary machine, what OS is running? What kinds of security software are you using?

On my primary machine, I run Windows XP x64. I dont use any anti-virus products to secure any of my machines. The reason—I just dont like their approach, which is to block only known malware. Needless to say, I also dont believe in all those AI-based Host Intrusion Detection Systems to stop the unknown attack vectors. So, I just try to be careful when surfing, use NoScript, never open suspicious e-mails or PowerPoint/PDF documents…

Of course, Im still aware that its not enough, as somebody can embed a very reliable and "silent" zero-day exploit for my .TXT editor in some README file. Or that they can find a bug in my Wi-Fi driver. Or an attacker can inject an exploit for my browser after setting up a man-in-the-middle attack in a hotspot at the airport.

So, from time to time, I might run some custom tools of mine to check the integrity of my system or start Wireshark to see what my traffic looks like. In other words, Im not very satisfied with the existing commercial solutions, because I know how easy it is to create malware to bypass them all.

When/how was the first time you heard about rootkits?

As I said before, I was first focusing on exploit development and then started thinking about what to do after we got "the shell." Of course, I was not the first one thinking about this, so I quickly came across various Linux-based rootkits, like Knark or Adore. I think that was at the end of the 1990s. Then I started thinking about how to generically detect those kinds of malware.

Next Page: Rootkit threats.





  Reader Comments: Rutkowska: Anti-Virus Software Is Ineffective
>>> Be the FIRST to comment on this article!
 


 
 
>>> More Network Security & Hardware Articles          >>> More By Ryan Naraine
 


x}r8s;iW1E%uȶ\֔ey,Uyc# IlS$|rbbq3 %RUs]D d"3H$?{$ G3L{B1(ٟ9ЧGLzIjû@{R(%GFgP+N-w5 E]0eNFNv@\}@^sFd>B`OS{SMuɔiPل͙ؗ6}^~b .hѶ ⌳IlG5tyGѢ%yHCRpDRงB@TeG$,oqX|؁P=,2r3͛6B!|HJT%h!1Qes_{/ !X]~j4LߵC2hj9N`QƞdnڭcŰ A#c9p<v5#J3q򿻓'Mjb'ӤRcfH(ÑcPWw,ǃT* TjQ3cmfZ35-3@ؾQ̀ ݢq/#!ʿ$fŭ0)̳X#vRB'lǦ" 'm_j| 4v9s8$sz3 wj%NXEo~cnh! ;E7rؗCY֌aF-S4uHUZ+R^(Տ_Eiνoĩq3Voo>ֿ(TU-e*G,;ڎжD^ԢZvN{ـ\>/.ɣ N |'k[LZ.JX<%ȇ Tj`q%pKT/H-]jGz[zOaF`%pfQB>}}uɠ}r~|i!|g9̠T PAfPKe+ԩZuܜ<_st.O{7}rֻ&OvY3a ɗV Cp=['^=:$~}Yz>540V+%%+2O6PE$Y)|н Ć> bO|ಖyx>jY]6'tauIUis[RށؓY5x>%e~ S/3G#вnZ Zc1uc2,ՎJPPW GUL F̶-a[e)u5}ŭ>:mNQm51l;4}t>჆$>hhƋMriOMrӇtu@>+GݺzLn=Wԇ9ȩu0C m|&6ld$4(sw[LLσ I#ˋ0P 2/?6a9N@tmSx}MrA=39ڝfZȴc@LdlٚM܏63uBB13 =gƠ'_u˙.'˗јSQrRҋsMwd50egYA3'|(@]4>+WUPÃ"`"+42[m̞w(Vf;\X䞅ʁZ¿Jʳ"#P3>ťp(mtfй+>q^v.iz ei֕[I%ͺ{ց$l Ұ.R.Y![r5k^ )/Q|u$"XRvӱò=cM2&7uеۡcc96s?)\TBZȔe8jAjR+J}sf8 , J;? )mT.mT^GgΧމyд "w=: 7S-`cg@>`3ǟGRlC28c"R+mne@ͤP)X[*^|({-'`#z.#NWɅc=\SEeI-ip!fd>n '[arShfh:6-=͝lRF_a֚iofJPTIO9&_G5 k*Q +gXsMt]Q[# XZ1L=`_mpfZ FR."f~~i~R`d[s6/ ˿}udN`'\sW["LJm#Μi-L,*I-b],* O1kM8vهE>'{E;= 7a/)gpI,_ta@C^h#SL@ΧrERŸ ~(hbAZp3E oabIt?a1C>z_=2dB4]enu^ɚ>lv''Dv=j scG~O n: BR$Rq {259p\SemimN7OE) ZxhU̐,2B|jb"-Y1ui&!l|l'[e7M"3pTa7n-* ~2s bT 7$J\SGQ>N<͠1p Fu<1{H҇JS-b tqi#NoZTRXUʅz7Ϣ C.{E5 veN6qab;?ͥg7gkX?";j>kRaJ%2¸_vF^IўAb0halJwѺ\C8f'SIl'YV&Uq]t3Mc>րh k0>0Riʊ +> 2&ZQRjϢs{@&LpZ]Qd:)nQ==յћn@h#&w}CAU 9w>*%U-vWAlj%wWGkQ@JڃR> GYdI.|akJZWn8Jg$,$P Yx[!6E!,8{ ^?KXXD>DQkf ߉8x Ŋ +6/׌м~>A%BQ`nо(&w,$\auv>g {ͶRo~gQV Mtp~H*ۦ>]VsO0fi^3.y01v 0޿0 Їߤi|D`u޷pC-tΪ2e'[x!K r#F16bd+]=/aoZ5ð ]a區U{A+t[;K'5?wD.:m)ޠw%< rDpBj]t_(d0 srn]g#6b ` xѤȂ<"̔F<$]wFMT!PR2.5g ^|&֒}UYr!sdQhlϽ( Bf/3۟b!|FgG<ևA(5 +JGvWa{k D-bcaHFrI'zRG>gu3_f Rt<~Ur;Hעo)MJ!}J_cNf4~ P=8,rh%縵vi]a~2)}CmN9˙~DҼ" Í76w JEާ5p!ASB9kթ-ݱi'>fax!w-0q؁B;DHa2SEa~=m1겨u]$L<1GтN)tJȓ(F=)I"8IUF4A2uIH?Md4XPW HقZ'59ܻ8 /.t6V"'X;[ .VH0_Ӹ\btNZD XY+oxt7>CTդ g껰Ϋ؁R>Cp0S`0#!9+|)}~XU׫۽lH@{q?Kl8N*tb9,_Aݾneټܱ?jwh{操~{Oj9Л3Lpj `ֳs;[Q rЧx"64lyWy#K] ?8JnLcBWT@m6,qx\=K<, g6!=rŠ}MZ砆qWO$U e>x>HАݙ-p溟8#M[wfؓ9_'oc$Ǿv/ݻw~Zؖ[q*A#wCG<L>?Fdc:M"I^QԼګEdE)I}ۋG#S~`q8-<ctH_`@L6CGfKmm3{zi-82{KN7Kx="~O 'LwUv@r@pSx~=m쳷ez%nQZhr;Do*Ưj OKt1ڮ/=اHkYXdbQWفgo ? '|ȞF8^j[cxxg!,d9a}3G0[ɱ-Ι2HB%[euw+[S'gSc;/HF#%g&ϖȱmG @|Ր;a6r*|b \<e W^M·⎭zgQ$|[q$[+/' g|o#&꿛n kN7&/6o).i{\nax{7d\ڊ}fK~~ v/LViyǏo&gnǣR.}Joف)}29?Ͼv5 CDI}ĸHǔ,"5 AFyQ`B Z`nvJ"<.0-,:Pl?/HXF7_ꞎFGipJ (4,{i4bIKWVo 8_4eGA" M~lj3sAy!yOiSrI_(xkw拀ԫϣKX6u@=CdCGuoN/Ote)E#OQĜVgCph ]nމdB1Yu$e >e^jcBSpov5&!?YYЕuYʖQ,ν4p[ & Mt1.3pebPGP;Ίأw%Z?s}UŖdQauÊwR[jY*󔣉K7*v!oWH\_W q=VnAa%`nkElHΦ5y{tJޞbxlA,0O0fQ/yמY2h ZN ZۏWhYnޠwx?!Ȯ@-FL}%$(~FP@U{9 77o9_C' KC”h9G{i_ %[eN k2d\l6@ [OXᄀ9u`k3|<GJLXHW'J8,Yy<XĦZOc K3hΝco C?a5?}r闺U0أte^e-'I24b'ʹŵZ ђ,ÑBuų Ta* q<0PCm{ oa)+Gc ]=G?DA@,>~VxrzV9'F#V@ǵ(ьJC gĭ!n1J=Cz˟!^tIw'y{DdbbG4;R\0[o0q_n]1ΔLǘj?܋a ?3~ /jH?I5?2OXzD2E ^i@ p  {?@=^i _JO*[=ꕂvךSN|l:n){AJmoM?^~Eq {@R(X5X* R]ĆWVc3cYxݪByDWi.Be4e9Lt#'Ʈ,!/B^]’XM=1Ir1+ڊbIwi@jaT #blRK!'p. I)BˋCZ ʢKIbKfRlǛiaESYYh:!cbB]Y-OQ/ ]ZX,:~xq;\!1c}TA9-Qj5݋RUBI?ZJ>A1t<+9mnbfƆX50z^3jmlz^CΞM` J.қa(O`H'*t=jh DFŤJ fvZZ#X(+J >ƌo +^Vb"WmMw6B}ΜWD B r 9/RRmF 96z_ayZ^Oa.=WXYrVkӴxfVؖmmq.]F Rd 3}$皭٦v lh@$}Ǥ}MG*%_]Gx}#rU1f=0pE)kwtSֿ$|͈Vs%.N/<O `DgLW<0՘0t+PʲjNT]OpYVH o[ɺexxS鐯J"֌r[jrxY4{.5tMx/ )<]Сܛ ꁢߒg4ߌ Pm¼ϴHbSx!@Gd.$1qj5`G: roEVIz# ,Ő?ZEDx! I}n@~hu.e }d!?:s&2`#o+EM푰. ^< Q! CO-dwOcY-=q٥O@к|ɧtC{)B|1[GB(WTbΑf`Nh|"1";'ph\`srt@KK*2&Bs879|_LY}nOKZ&G6@@P0H73n#bxL1f0mݚ1;mLOcZ|"{X#&3( 9Fe_aZ]7 tQR]ΰ*^ T- !L)%n47p>9署[,af4:`X E.[q{4+۠5L90 0YK7`C'[B@ g>򽉑0us{r3RC´vxT+mB<䱤Pl <'מO릧u;,g0Cx9Z _W .Ԕj> MZ E>gٕa)豢g _oSwV7+ek =M蕴B^Șp~;&_Ч6#&TouuuI]ۤrݹtz}ѻ#K֊_ԝes9,|j5dЗLJy22 gn)sC9,jO6#\]dqxixɎ(ah,.64It(%lGyїU1*oLl+=vfS+.t7Пxu3KL8FySꁠM/GcW۠\Js@1@C|o_Ow5CJe[?eߟS[{9})ഝޟ9ˠ{?5;wNsi{_'\fw2k~g ?/2lfOf,@n}@n}7.g7? Dޟg[.fK ^~e+ W33  c_3'ߧ 7{dwɹN2!xʐ.Np3ޗs ~)W@_dկ{'sg+I4^a(芊g-U兗fZk Ǹjuvņ^_BBU$X2M*!#(78%Y}MJ 4tk 7b[yXH{R}tEOI>t+i@Lw<ߔ[nNJ>s\ȜHd3,FD5QU#X5½p'eybAR-}#]~̬((G.v:)n7WpK|*SG0U75i@mŭhg?>/ydֺ+ #BAfп~%s"i_'OxVf}4;(bi3Q +5ýEYRw80׀z#O3mC// >O>^wkҾl] Z=5쓥= }ςoDV)pF F,RK|c ,>0vZ{h~34]Mo4pƜď{vP3ebIHTTRя{_5M = G1QTY)ȅ[V r 0X s>emګ.91C=4аY-}?"z5|L@NL6"W1 ͛YȌNE5//{_۱ B R1 1@ͽe^*q0*j>box q9ܛ|L:AÆoj/XbKZ;c`\';=5gjy }dy0\9Khw]V=ȾwF=Ch6%'x-7:\A>&jˬ hJ/.ӡxCKQ,Vk 50=_ou–'"F;V!#˯`ػ l>`]X5SǬkBDxaw./ ]C_ND]ZGKGJ Ǝ$z 0qy 0r['SrC˧%NAf2Ş_ m޳Ro/TùLH 䏝cӄ2v~[7|9VX"e Vi u EݩcE\cͅx{p1a`a?&jTF\gȌUOt$,ZY{N6 )4Mϫ΢R;j9.KPRJVr.f~\g;ufn ӧR۞,`'/2^;' π 8>eC[gI2T~{F=*P=eZPO:=Dl3%Yz'Io=Gmk_Ve ;CLA>X읙fc约1cbV!qdfӧZ-[$@O"OCZ24`)yc<znG}޴.H|nHHU֧f2{M{:o90kn>7Q$Lyx Cr:`+슧p ?dtE#b[p!@>pE5f2QTD Q)Ybd휙omrxgsg_(LBe6٠^|:y-EOfuݍ2JW" 7]!Kb 1+Cc]R>ŔK ]'[٧3й?-{wy/v",/{ QFbVW9NRjãÍ ,ck-ԭ}6` <Щ0DM.vjw܌1uF54-vѩߵS3pݼ"vyXA\g~3'5ȱya1 g{y6W=?5zl58a:=YʐLW\DI qK.-ua4,Lb9"[^QI(`vX33}"@a)5zdn~3 f<˜4W6QĶqy4ʱLˉ>)zE´Bd'KWܱ0_^٢#"|f`*HeS1#'@n0\|װH d9[H^م53\j9೐|,/A-r*r*]xD4;Nb‚Ӟ_yfOȅv1,#6xŠN?|^k/o?YYr χ<|Xyx(.3JF2M|pIwşqS),h,=R$Di; AHcZɂxY޿`(XECh⍿c0145]h(jE&I#;ov[b$- U.IPvᷮ g۲M) d.%rR⊫ EiQm&'^ƇN wm&l2)v}ml-c6C-{0@n&