Shadow Walker Pushes Envelope for Stealth Rootkits

A pair of researchers take the stage at the Black Hat Briefings to show off a prototype rootkit that uses memory subversion techniques.

LAS VEGAS—Just when anti-virus vendors think they have a bead on the threat from stealth rootkits, along comes word that a pair of researchers have discovered a new way to hide malicious programs.

Jamie Butler, director of engineering at HBGary Inc., and Sherri Sparks, a PhD student at the University of Central Florida, demonstrated the technique at the Black Hat Briefings here with a chilling warning that anti-virus scanners must "completely revamp" existing rootkit detection technologies.

The proof-of-concept, dubbed Shadow Walker, is a modification of Butler's FU rootkit, a kernel-level program capable of hiding processes and elevating process privileges. The rootkit uses DKOM (Direct Kernel Object Manipulation) to fake out the Windows Event Viewer to make forensics virtually impossible and can also hide device drivers, Butler explained.

With Shadow Walker, Butler and Sparks explore the idea of memory subversion to hide the rootkit in memory with almost no performance impact.

"This is a prototype for a fourth generation of rootkits that would defeat the current rootkit detection technology," said Sparks, who is renowned for her work around offensive/defensive malicious code technologies.

Some existing rootkit defense technologies use behavior detection, integrity detection and signature-based detection to find the stealth programs. Others, like Microsoft Corp.'s Strider Ghostbuster, F-Secure Corp.'s BlackLight and Sysinternals Freeware's RootkitRevealer, search for registry and file system API discrepancies that may indicate the presence of a user-mode or kernel-mode rootkit.

However, Sparks and Butler argue that Shadow Walker will "raise the bar" for rootkit detectors with a memory hook engine that subverts the kernel memory to hide the proof-of-concept driver. "An in-memory rootkit could be installed from a kernel exploit to avoid disk detection," Sparks added.

Acknowledging that the Shadow Walker prototype could best be described as an "offensive rootkit," the researchers displayed an easy installation of the rootkit driver that used the memory hook engine to hide the code and avoid any noticeable impact on the overall system performance.

"A good rootkit needs to hide its own code and also hide the changes it makes," Sparks said. "We are demonstrating that a rootkit is capable of transparently controlling the contents of memory viewed by applications and kernel drivers. It exploits features of the architecture [with] minimal performance impact. … The users will never notice a performance change."

By opting for virtual memory subversion, Sparks said Shadow Walker is capable of hooking in-memory security scanners that rely on the integrity of the memory view it collects.

"If we can control a scanner's memory reads, we can fool signature scanners and make a known rootkit, virus or worm's code immune to in-memory signature scans. We can fool integrity checkers and other heuristic scanners which rely upon their ability to detect modifications to the code," she added.

"The code will execute but scanners will receive incorrect information."
