Scanners and Tools
Have you tested the rootkit scanners/security tools out there today? Is there one you would recommend as reliable?

As I said earlier, I'm not very impressed with existing anti-virus solutions, especially for the Windows platform. They all concentrate on finding "the bad" instead of verifying that the system is in a "good" shape. Similarly, we see that most of the rootkit scanners implement various hacks to detect hidden objects, like hidden processes, forgetting that it's possible to create a powerful stealth malware without even creating a process. There's no need to hide anything. I actually demonstrated a "stealth-by-design" malware almost a year ago.

The solution that I would love to have would be based on integrity checking of all the system components, starting from the filesystem (digitally signed files), through verifying that all code sections in memory haven't been modified (something I partly implemented in my SVV scanner), and finally checking all the possible "dynamic hooking places" in kernel data sections. The latter is actually impossible to achieve 100 percent, as nobody knows all those dynamic hooking places, but we could at least start building a list of them. I believe the number of hooking places is finite for every given operating system. In other words, there is only a finite number of "ways" to write Type II malware of any specific kind (e.g. a keystroke logger). Type II malware can be thought of as malware which doesn't modify any code sections in memory, just data sections (thus it's so difficult to detect). Needless to say, Type II malware does exist in the wild.

Unfortunately, even if we create an integrity-based scanner and make it 100 percent complete and identify all those dynamic hooking places used by Type II malware, there would still be malware which we won't be able to detect. This is something I call Type III malware, and Blue Pill is an example of it.
The whole point about Blue Pill is that it does not introduce even a single byte modification into the kernel or other processes' memory. So, no matter how sophisticated (complete) our integrity checker is, we would never detect it. We can only count on detecting some side effects, like network communication, or trying to detect the presence of a hypervisor using timing analysis. Both of those things could be effectively prevented in practice, by using strong covert channels and other tricks. But still, it's better in my opinion to have a good integrity-based scanner, even if it's not capable of detecting Type III malware, rather than having a classic anti-virus product which only tries to find the known "bad things."

Why should we be worried about stealth malware? Do you see this as a big trend going forward?

Stealth malware is a way to silently subvert the operating system, so that it can't be trusted anymore. And the point here is that, in an ideal situation (from a malware author's point of view), nobody is able to tell whether the system has been compromised or not. Personally, I think it's mostly irrelevant to discuss whether this is going to be a big trend or not. It's not about whether 100 companies or 100,000 companies are going to be infected next year using targeted, sophisticated attacks using "Stealth by Design" malware (i.e. one which does not create extra system objects) of Type II or Type III. It's about whether we would be aware of those infections at all. We already know it's possible to create such malware, so we need to do something about it.

Check out eWEEK.com's for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at eWEEK.com Security Center Editor Larry Seltzer's Weblog.
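The "verify the good state" approach described in the first answer, as an added example that is not code from the interview, from SVV or from eWEEK: the program below checks that the running process's own executable code, as mapped in memory, is byte-identical to the code in the file it was loaded from. It is the user-space analogue of the "code sections in memory haven't been modified" check; SVV applied the same idea to kernel code. It assumes Linux, because it reads `/proc/self/maps` and `/proc/self/exe`, and it reports "unavailable" rather than guessing anywhere else. An executable, read-only, file-backed mapping should never differ from its file, so any mismatch is a code modification (Type I in the taxonomy above). By construction the check says nothing about changes confined to data sections (Type II) or to a hypervisor outside the guest (Type III), which is exactly the limitation the interview draws.

```c
/* Added example: compare a process's in-memory code against its on-disk image.
 * Linux-only (relies on /proc). Not part of the interview or of SVV. */
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L
#endif
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <stdint.h>
#include <fcntl.h>
#include <unistd.h>

#define MAX_PATH_LEN 4096

enum text_state { TEXT_UNAVAILABLE = -1, TEXT_INTACT = 0, TEXT_MODIFIED = 1 };

/* Compare `len` bytes of memory at `mem` with file `fd` starting at offset `off`.
 * The kernel zero-fills the tail of a page that extends past the end of the
 * file, so bytes past EOF must be zero in memory. Returns the mismatch count;
 * a read error counts every byte as a mismatch so it can never look "intact". */
static size_t compare_mapping(const unsigned char *mem, size_t len, int fd, off_t off)
{
    unsigned char buf[4096];
    size_t mismatches = 0, done = 0;
    while (done < len) {
        size_t want = len - done < sizeof buf ? len - done : sizeof buf;
        ssize_t got = pread(fd, buf, want, off + (off_t)done);
        if (got < 0) return len;
        if ((size_t)got < want) memset(buf + got, 0, want - (size_t)got);
        for (size_t i = 0; i < want; i++)
            if (mem[done + i] != buf[i]) mismatches++;
        done += want;
    }
    return mismatches;
}

/* Walk /proc/self/maps and, for every readable+executable mapping backed by our
 * own binary, compare it with the bytes on disk. `*checked` receives the number
 * of bytes verified (0 when the check could not run). */
enum text_state verify_own_text(size_t *checked)
{
    char exe[MAX_PATH_LEN];
    ssize_t n = readlink("/proc/self/exe", exe, sizeof exe - 1);
    FILE *maps = fopen("/proc/self/maps", "r");
    if (n < 0 || !maps) { if (maps) fclose(maps); return TEXT_UNAVAILABLE; }
    exe[n] = '\0';

    int fd = open(exe, O_RDONLY);
    if (fd < 0) { fclose(maps); return TEXT_UNAVAILABLE; }

    size_t total = 0, bad = 0;
    char line[MAX_PATH_LEN + 128];
    while (fgets(line, sizeof line, maps)) {
        unsigned long start, end, off;
        char perms[8], path[MAX_PATH_LEN] = "";
        /* maps line: start-end perms offset dev inode [pathname] */
        if (sscanf(line, "%lx-%lx %7s %lx %*s %*s %4095s",
                   &start, &end, perms, &off, path) < 4)
            continue;
        if (perms[0] != 'r' || perms[2] != 'x' || strcmp(path, exe) != 0)
            continue;
        bad += compare_mapping((const unsigned char *)(uintptr_t)start,
                               end - start, fd, (off_t)off);
        total += end - start;
    }
    fclose(maps);
    close(fd);
    if (checked) *checked = total;
    if (total == 0) return TEXT_UNAVAILABLE;
    return bad ? TEXT_MODIFIED : TEXT_INTACT;
}

int main(void)
{
    size_t checked = 0;
    enum text_state st = verify_own_text(&checked);
    if (st == TEXT_UNAVAILABLE)
        puts("code integrity check unavailable (needs /proc on Linux)");
    else
        printf("%zu bytes of executable code %s the on-disk image\n", checked,
               st == TEXT_INTACT ? "match" : "DIFFER from");
    return st == TEXT_MODIFIED;
}
```

The design point is that the checker needs no signature of anything "bad": it only needs a trusted reference (here the file itself; in a deployed scanner a signed image or a baseline hash) and a complete list of what to compare against it. The hard part the interview identifies is the second half, enumerating every place in data sections where a pointer can be redirected, which this example does not attempt.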
So, we can see very sophisticated technology employed by anti-virus products to handle various .exe-packers and decide whether the .exe file in question is "good" or "bad."