|
|
|
Shadow Walker Pushes Envelope for Stealth Rootkits
By: Ryan Naraine
2005-07-28
Article Rating: / 0
There are 0 user comments on this Network Security & Hardware story.
Shadow Walker Pushes Envelope for Stealth Rootkits (
Page 1 of 2 ) A pair of researchers take the stage at the Black Hat Briefings to show off a prototype rootkit that uses memory subversion techniques.LAS VEGAS—Just when anti-virus vendors think they have a bead on the threat from stealth rootkits, along comes word that a pair of researchers have discovered a new way to hide malicious programs.
Jamie Butler, director of engineering at HBGary Inc., and Sherri Sparks, a PhD student at the University of Central Florida, demonstrated the technique at the Black Hat Briefings here with a chilling warning that anti-virus scanners must "completely revamp" existing rootkit detection technologies.
The proof-of-concept, dubbed Shadow Walker, is a modification of Butlers FU rootkit, a kernel-level program capable of hiding processes and elevating process privileges. The rootkit uses DKOM (Direct Kernel Object Manipulation) to fake out the Windows Event Viewer to make forensics virtually impossible and can also hide device drivers, Butler explained.
With Shadow Walker, Butler and Sparks explore the idea of memory subversion to hide the rootkit in memory with almost no performance impact.
"This is a prototype for a fourth generation of rootkits that would defeat the current rootkit detection technology," said Sparks, who is renowned for her work around offensive/defensive malicious code technologies.
Some existing rootkit defense technologies use behavior detection, integrity detection and signature-based detection to find the stealth programs. Others, like Microsoft Corp.s Strider Ghostbuster, F-Secure Corp.s BlackLight and Sysinternals Freewares RootkitRevealer, search for registry and file system API discrepancies that may indicate the presence of a user-mode or kernel-mode rootkit.
 A cat-and-mouse game is going on between spyware writers and new Windows rootkit detection technologies. Click here to read more.
However, Sparks and Butler argue that Shadow Walker will "raise the bar" for rootkit detectors with a memory hook engine that subverts the kernel memory to hide the proof-of-concept driver. "An in-memory rootkit could be installed from a kernel exploit to avoid disk detection," Sparks added.
Acknowledging that the Shadow Walker prototype could best be described as an "offensive rootkit," the researchers displayed a easy installation of the rootkit driver that used the memory hook engine to hide the code and avoid any noticeable impact on the overall system performance.
"A good rootkit needs to hide its own code and also hide the changes it makes," Sparks said. "We are demonstrating that a rootkit is capable of transparently controlling the contents of memory viewed by applications and kernel drivers. It exploits features of the architecture [with] minimal performance impact. … The users will never notice a performance change."
By opting for virtual memory subversion, Sparks said Shadow Walker is capable of hooking in-memory security scanners that rely on the integrity of the memory view it collects.
The University of Connecticut detects a rootkit on one of its servers, nearly two years after the stealth program was placed there. Click here to read more.
"If we can control a scanners memory reads, we can fool signature scanners and make a known rootkit, virus or worms code immune to in-memory signature scans. We can fool integrity checkers and other heuristic scanners which rely upon their ability to detect modifications to the code," she added.
"The code will execute but scanners will receive incorrect information."
Next Page: Response to Shadow Walker: "Scary."
|
|
�������x}kw⸲Z�4ݓ}bMx$iE�; فub�['M�f'oUa 93IJRUT*~ ogOD�0�pE1>=zg{HR}g���M#�rJ��8AZ#:,t�}w5�k9k9�ru���z��>��;|�9|vĠ��ڒ15G㠦ߙ�=+�mD}�F��\�3�Ѣe��fb�^P+$ȁ_
̢�%yHCRp�DRงB@Te�G$oaX}䛿S=2p��6B�!|H�F(B(?�C�s�=z'�f�w�gB(�ʇ�f�GikiC2��hj9�TA`Uƞfo�=��Z.�9�1rx&м[�
*YrD�ƑIj@sd"�LJ^`:p,#��G^A]ݱ��&\.ϑRF�ip4Ԭ=kS��źcG
5�G(&�$gtj��?�ǽ?(Q If��a�(�Ń�gO?L�G` lǦ"�G�_|��4v9S8$Sz3��wqjrHU&�1�C �Tw<-0�;D=:p,�yÙ[~i 푪J�jP8*V�#hr7mù-Ӟ>9n^w&oZBYQB{>ʑ��Ko�-%4�T\O;i\v>Ƀ
��9A6���|'k�L�R*��rX<$ȇ¤�T�0l9�3P�;%J`�#X@v�Ina�>E�4dEQ
�,q)?[Zu"uuY6f0R*C�A/],YȏwNytqӾlvnsMV�Y3��a
O�V�}k!�
�/x���Q�.�ںa#U�IɽGf9}jq�>�OHN,7{M9�0io,Yn]H.)ż�l,>JAe����7
J�3a "�����:s�P;L}ڒA(���oӘj�
�9B���ԼNR�49�Vˡ��蟱"W�m�4�@r1f+6B̄H )F7jaOM
XR�U��>I"A_fT]ϧKB�!"xN3ˌ!ȅ�Q.%u�.�Ć�> j�zb8?N|Ź!�rYY4'*taeAUi3Û���n�ϱGV$ݫe.ZnC�8^%g�5F
i�e4?$!�VG5MGR>M&%_=ڇ�p[�Qnl�2X��jXvR7PZA^݇` i
�vڄzh��OaN'fۉ9~��4$�AC66^lzK�4}l���>#h��p;p|g�k�͇v9S�a �{>�0���sB}S�D�5�
�l"a�v|�Sc м`y�&na13&0B?�Fdx7t
4�,/��G`^@Z8`�$8ʼl��E�8�ѵO�>ȁ{0'`sD;ʹiǀxԘ�ڀ��;r)Ea3�C7�У��H.B$(ZȻ�B�!A�l~���[$p�Xx�l+��+~'ADBJi?i�Jl�׀Ri sgR顴vn�S,BV-KᗄPf%e2m̈́(VAN��l�(0��Vn)DL(^HIRЙn!@�9zѧl�)�?ΖU�kͲZ�^ӛA'~.L\_K�(Y�&���&ۂxeyʠ�eiLGi�="��
IPצ�(ؘKe�zdxY��6"�&C
7v#쳧�k�]0�)\T51)Kb
ԂZװYϺe; �L��
�4��
�TlvCax5�^z'�As,t]OX�Zt�G����p6h=JeH��;~L&��[BUJ�3/F �
��_�ǂ�K e*9t55{~s;_�vO[tِzүpMVp���`=9Je!6�C�{jiV�㎍WJH.,Z`!?R(1gIҏ7 &^PGm��d��9-0cY}6aDm"k(
ER"�=
�G4UD85�[.AE)��4$qx�??4X.0*�y�.K>Fm�`+z\sg�It�оFhʰm�h8`ZzqF�$s~P('x>�7 �dj>G$o+:|�#P�M�~H.R��Ϗ9(gd�%d��)>�GHR-��zjeE)UJ�6{}|S??#e�dԌR�p;!<�_q˻cM/?Qk��O��~^�L}6݂�/�r͘�,�|rqZM��[v�O`��sR au5 :���?V��
R��y-0&�E�R�m`�Ճ{3�\PSןlf��
�"8&�ԦS�O+q�5�`EY=>�ynR)Hɘ=qV�Y=��O7jAU�[�Mޭ�l�F���'F�� ����vo�c�(0f�4Ӥ-R�x�sֹe=VN~RkEB�ZG
�?cqe�@۵`L �؇^c}/kJrP-*5m7k"X쵿�C�b�QX��h^{rWo鸛��y@<�sEUK �b&�T~��\yY�R�glg^a/o�20/wOžzPB�p��a�dXo Z۶A�)Tb1�Ji�R"'wi�ŏ�[o(UrVՋG>P*�~גy`*W�TH�z$ :,��xџ2XD+(++e-2�۹i�m.E�)��4˷�ʨK�+["X.DД�wϨ��3d�Rb���kQh-Bwyr�`��1W?�4$Nb�VpDc?Ԁ�h)k2?0RiʊZ=P$XԪ�EI>NM���3�h˃Q�aߍC��uR曹G\\Whg�Do4�kF��#Sj$N�Ry_UA R;qG;a>&ra��{���S@�Gt�}�O.';-˅J�vQ�*�s>Pp�X9�kǻBl�I3Tg!,<~Je�%{
yr2���#�QhZ��a�v�OT+�ˬ�2 c�C7�Wvva�j(1A E D@'n}߱oU�Zcq#�5a�9)e:w~�u�;?ܴCRT1i'6._�� �=J~JU;wXY� G߫%aυ%|�Vq�ïR!)��|ptٔ��-b8s!�,Uރ�
�`i0Bnx{D(c�̿�{9sg8ګFپ ]6�y��x0Z�G�9NgpDmp/E4} y,}y<}_exH+��BYGg%\VIg9#$ubSP݅�{_[r3
0(y!DN2�7��[?$E�:[7dl��#N M=�W"ȶv
Gr�1p�
'B~�(
�4�iQE%m9rt~J<:&� X�sgk�
?{c1��_c`0
��:<�%宅�MJnL|k3ul't2�D(ySaG{��Ȋ̅S.r!���:�'c,n��P2Q^;pG¤s�écfO�]+���Uk@<� bX��IKwvz,+Y\�hdQ�Wɞg�o
!Ok O=p�Բ�dz&}s?�4h�g�`zcGʹ=39a
d|I �;�n��o7܍nL \�L ?#A��;"J��<%N->[4�
2�]CnC�*Z1qE0pH�a ? W^L7⎍zkQy}�|x�8��̈́3S7��p&/U�%~e�l�ƚk�s,BI�'̼V�&�v
�Zqk+"@wыK�m1j-�]�M&t�{4]a72Ϩ�љFM/Ua.Z/z
G⟬_p��[9uw[]rax6<�dM�q[ߤ�?^�OWco{eq<�u
0,~jo�b;R6G"1vmB�%�{pD�d Hn΅�D�\ǩhD}E�P� RY#L;sU)`Yp=fyN:A
{P6NX�1ajhEςr�@>sCgu�32Pq�<9ѹ�)
��+M]60Y(^��|�h�{2N~nNӊ8�,*���1J2W1IJp��x�D*dII_�I$BK��y��g�bI�phK�)&���/k� LwQXZqpn*V
ԫ�}?q�m�M7�y��/�od�k>P�%�`@ #AA_��~4V>�%N��*)n o�)r/yXf=TTLk.U� S!笞sTS59Lj#ߌKt8�HNֶ%�ԤC��*���3ɹ!a�F����oI�3
9C8��eI-dӷJt>H"�pe7 eHJm-�S�sڴ1ˋr54Dz�s
JgZ (�p�� !pYF�L/Esf�q�}�&d0 $�&[C$�vZ|�b!PHmP߲V\W
�I-ougtf��Cm|;6]�(�L�@jƄ5&8��[.
�l\}Jj
)??;?\7V[91mfH(R:3��W0�N`& x9!�Yߴ涬RUGY�La;ڝM4����k:qX>/�rx~:�$�0 $xC!
#��%�bǓ&�<�Ƿݒ���xpS�,?ń`H���mi�5Fh0C"uA1R
����S�5 6+D�UJƫ`E"Dҗ:
-"@È^1�e�ۛ?'�pӓ9|W8<;�aкj>RT~3W/�`B�C�R�>KC[�^SL�f;#!��AP�1ŮΆ>4�ty�@4�I��:ӓ�aH،f7{m3�_Y}]
]w�Awe};Lww _�Sj�M}X1Qs�6'9wa?&wsC7Gq
=t
qy0��S &L�ؼ/D-�zfS��3A
�Nn
`ZQû6f��lF>n=]fìƆsY~��|Zwx/]�V���/+"�aHZ$c�A6^5�6�&^l*Α�K:]
'3vxyCD
NQ͔npf87ʝCҟ;t;t;t;t^CRP_ġӣH�9�[;t-�X%f�[J46IYk�BʫzdC<#W_[囹spOs6qJ5̊]�Ie!V7¶lm_߬nn?\^}}o鍩�Jm{hM1fIWq-
F[
m!c0ś<���%x� BYޚ�lo{}��m\v�]�(험�צQ?ppe5c �@%!�5���cq�5_އA
ȾH�g:�Of�I�4{+�� �a->���W|mgQ
��W�}|!];G�T�yFA�"�@�"�
�hW�}m/"b(o46�{t4�a-j^��d 6'\���@8W<�� ��WWw(^��gl~lFu;Do9#_)=%} GU)!K�$A.W�e͝,�7Ls�Work"�)^}BB/��'1x�LS=TP!Jgggu��NL�b6.{�M�G�P|N�r��V���S(�M-n|i��Ȫ[٭�t!�۬R�P3۫LLn4|p�Fln�J�i��f%1�Ċ0a/I�iqnrGK�W�&e<�L-~}ai B��n����.'j� z�towwv�{���4�17�(O{8.Yƥn4.>|lqY|W�aY@{+1�I�͠�1Yl3�Ћ��d�
!D=�qt�uL{1!eãE�^aO��,[��~V�xsڦLv��m`��qȴ}4Ґ4�p'�u[>2_)}/2�aS�0tqGD)^}�fSx]�f4}�P�S�u&߯C[zOω>X#?�KH)PG!�R@~2'����c~
j~`�_<9?W%d܊�?O
p��ڧG"@;il<���,Ʈ��O-z��~��z8\kJ9/0�ͨ("n?mL�E+t��^qY��wPVi��
;&*�>d� �;
;//g�*Dz'q'thnj!J\�OZ�js�+I#C!5{��id$ƽ⢒t�yϹgL���l�ʰ:_�%Z���aY�o�[-W3r�d! `B�o,"EhvyIݱp�D]�bɠÓ�
��/�l&vf-�&6�95�1E!�^;�r1&Kjx Z)�(%�>%nsZk�Q�Y�1���6ZߑZ,rzw(k1 �.{ȑZ}�r\P� <ík�CqNEl/}sYX:Rga�cnTRr
Y30��߇
Rt5mHϜPF�X,g+G� JŘ�&�|c�@H��A�l;�s=jF]M�b_(mԮ,H�5%h�@JN���{{i/)1�~H++6&KY;Lm>̉��Hۡ[57ATJ{=�yJMh>#Ծ3=ǎ_x9~$:����%g{3��&Yqc[RJB湐vn~D�uv�7H1�tF4[Mm�@&(8uKuSe�?R)!o$**W"Y l���)�rM5��l?`�hîX_Ō�R>dF+5m��NW2h=`�@>��p#�S C7R�YVmI�.�{|�>a蕡yOx�R,?ۣQw!kb��^ҾO;q~ܒ.4b ,��,�tLG`߄�o XTp�:{ba\S[�dF��d�>���pXLґ
��m;A=~IrDLRO�a4�#Y��
`qbLh$}�~:bH]�SW�d""@Ո��ޓ�_�bA�9lt[^뺋��V�<3E}m"��g�y;&q�f}täu��ot@�䄭!'vQ]Q
k�4A�]1u�{�O�\o|I7O��
>�BY��s4acoZepP(b�#}~����6L-F
DN"c�*4FJ["�}ɹ�eMN[fBE<
li
X�f��a��ng�\3!xH�b!Ř!�&"��[S"&|
q(��㥶N�AN1JOs\-uC@e#D�q�zy��ù4?p��HM*b%�tC\T�P�*@H��>Q�|XP8����&pH0�Vjja
�X`5�A9w�;5xp�Ƨ�X<6q�Oe~qkt2���21�g{R.ɞàZP�Ylby�,gA~r\�@Ԕ0�+__?' .ycI�� �^yNtxP\� �㯛2�}��
=܇>RXX_1ԻPU*R$4�|/��]PO#V0Fzk�y}��fYU�"mn VH2+�^@0��w44ܽA#��_�Ч�v#�Xo3̋и:BN;פAN[-t=n_ڝKr:Pג�_ǣl5NIiuuݾꧦ�+1F;�:>ϵ]&E`4�e�jE)SS9�,j6�W#\grxixɁ>+azh,vqLg|;_C)Qe3ʋ,
Q�~0`a_�1o4nWͦV\k)h?gt,5]r��ZO-�6^���V
�CptYmn8~�(�hO�uIt.[zhRVn�<#(�('
LQށNF9rzouy�hle@Si�}>?d'(W:����gڗ�0v?vs/Peu9?π�]"c~.��/�E�|E�}/>���/2��ϋ�D�3(?@?2/"�2c~/A~.3�2c:0N;:��_?2
_e�.�w3�2/(O_23*�>g�9~7P~U�{7MF77�\$)c�F5p~J�8�gK�"}�)�P��P�(�i;�ZmU�\�~�y/�{'sg#�IW�KI0�ntEճ[D3co%:@b}a/ �c|2�y&+(�78%#G.Э-'ވm]=b!Iy�=0?%MuG,�1ٹWߕ\*ܼ�}:HէXE)9s8�W0GfY k��eכ�QGЬ�g�]#=D~(�s �e&oS?��`bEy@' @9b\�حࡠχ]OO#~ી�O��W�x=Cme��mG'ޝGfj2"T_r�'Y��%P/��I6y}wevnA}u.T�<
&\aˣn(+�@J�~��@o64�{�FY)W8=~u�^
eb�Vd,m��q8 j9q�Yu8��%�� ~xY�&@Y8'}p)N7a4�5�-B9}54]NW�n8nm
Dǝ�Ԍn�@R#9w:TR*я;5��V=""CQL`F�UV
rJ.'�Ai�0�X\����^9Q(Nwo*K0fy�=!�J1
=tc֭dO1�BH" ё7FMdW1f�dy7s�@%p8cKx;P�@�KR1�s1@mN*q0*j:`%Q<8So�opKX6>&mʠaC�a,�sv[z0
�|N�35�4>p"��^��F�`ˋiBЗ��t4w[ .x���E�F�� �t6��;`91�s�4�q]7~98e3 Ӯc�ꐞs^A{t �1-�XthcоhuR%:O�Aa�X�[NƄ⫿2aP�^MD8k9p<�yMh
�ůD|݆N,gjH�h1
0'�~�_0^~�뚅˳Lm(b
]eCݎ;S䗆'Ձ�m'�"Pl=](M1ƚ �K�2B�L�r�$Ҵ�}dl0/3�./DDl���K:=aM{ i!u\ po�sҝ`&<+ ?6>K�=
�94Id�`F:��`88N�
�$R/�Z�b9?���"ㅰx!�j�K,��g
Mc�*5�S��l)y'�ir�};�[�|An[Qؗ�E@1a%_!lz>Z��6w.
?�!#R.ඁe"=`S
�sm#gTt�r!���̃NNM�o��_�܅iL�UhHl[��:�ύk�e[� |kc'p�g!
����nԱSw
�`7@3>ƛ�rd{Ko�3kQcD%�cHPWFϗݜ�_��)0-[|s=&=��3�h
��M-I�S`i�oA^nTV?~��r@b]T�n'`��wDl
.3��./Y$
Ta.*e;1K,P`\3�"gw6G]�8�X�G�x
kY�oc3gz��Ϸ;���<�v;�s�K_2ұy��D��cV|Jr}P/)���OtLg�sZ�%n���H�ʶ�"�A�,�{��QFb�F\9N�R5,ck-�-<�P0��_A^:?c9Vqٶ�7GL}մ�Qa[���W�n
ۊU�y˷�X�7�me�C�BP1W)v$п�9V0�|6,�l�p/>�:燸[
0tczw^>W
�ɤ{)̅Fda��gZ.2?g'�Q\�F$�30(�y��lH�K91��m='0X�1'(���R�(t�& '�Ɣ
ϰO"�- xs+2�)��,�ǝ�)��elw9��++�4cdX$�,E"�)u1�GN���=��`=>gvG{'�z1�w�~X0�~v19�&Y >�鄥6�s�3a?�M`2M�Z=�/<�ȳ�(`�,��Lv"V�KjMΡmbMqQ!>eS1�'@n0\|?H
d9[\K^م5�vw�%�3^��|�,/�A-r*r*]x�_D4;Nb�biR!2D!v�xVYpIIs��KoyqΧ˦�VPf�- QslA0��}Ul_~HVzv`ïo�7S�g�
|
Network Security & Hardware 
