Spurred on by the ongoing cat-and-mouse game between malicious hackers and existing anti-rootkit scanners, a pair of security researchers have teamed up on a new tool that promises a solution to the threat from stealthy malware.
The new tool, called RAIDE (Rootkit Analysis Identification Elimination), is the brainchild of Peter Silberman, a college student known for his reverse-engineering skills, and Jamie Butler, chief technology officer at Komuku, a College Park, Md.-based company that specializes in rootkit detection.
The duo introduced RAIDE at the Black Hat Europe 2006 Briefings in Amsterdam and plan to roll out a commercial version with features that go beyond finding and removing rootkits that serve as a hiding place for spyware and other pieces of malware.
Rootkits are used to modify the flow of the kernel to hide the presence of an attack or compromise on a machine. It gives a hacker remote user access to a compromised system while avoiding detection from anti-virus scanners.
In an interview with eWEEK, Silberman said RAIDE offers several unique features that cannot be found in other anti-rootkit tools.
“[It] can take care of things like API hook detection and restoration and the restoration of hidden processes to make them visible again. Instead of having the user run multiple tools to do different things, RAIDE combines everything. That was one of the design goals,” Silberman said.
Existing anti-rootkit scanners like BlackLight and RootkitRevealer look for registry and file system API discrepancies that may indicate the presence of a user-mode or kernel-mode rootkit, but Silberman said weaknesses in that approach have been proven.
In a research paper that accompanied the release of RAIDE, Silberman said the rootkit world has moved away from implementing system hooks to hide their presence.
“RAIDE offers the user an extended suite of features for hidden processes since most common users are going to at some point get owned by some rootkit hiding processes,” he stressed, adding that the new tool will offer easy removal features such as restoring the process so the process can be closed or removing the hook hiding the process.
He said processes hidden by rootkits can be made visible by “relinking” them. For example, the widely used FU rootkit hides processes using a method called DKOM (Direct Kernel Object Manipulation), but Silberman said RAIDE reverses this method to make the process visible again.
“Steps like that will help the users anti-virus software pick and remove the file actually causing the problem,” he explained.
Silberman, who did security research stints at vulnerability assessment firms iDefense and HBGary, said RAIDE was designed to thwart application-specific attacks by ensuring using encrypted memory segments to communicate results back and forth.
RAIDE can also be used by advanced customers and security researchers to retrieve a dump of hidden processes and imported DLLs for analysis.
Butler, who served as architect and technical director during the development of RAIDE, said he is impressed with the finished product.
“I think the tool is very promising. I especially like its ability to relink hidden processes that were hidden using DKOM attacks. There are also some clever hook restoration techniques,” he said in an interview.
“Currently it is not user friendly, but if it was outfitted with a GUI or network communication and reporting it would be a nice tool,” said Butler.