
    Shadow Walker Pushes Envelope for Stealth Rootkits

    By
    Ryan Naraine
    -
    July 28, 2005

      LAS VEGAS—Just when anti-virus vendors think they have a bead on the threat from stealth rootkits, along comes word that a pair of researchers have discovered a new way to hide malicious programs.

      Jamie Butler, director of engineering at HBGary Inc., and Sherri Sparks, a PhD student at the University of Central Florida, demonstrated the technique at the Black Hat Briefings here with a chilling warning that anti-virus scanners must “completely revamp” existing rootkit detection technologies.

      The proof-of-concept, dubbed Shadow Walker, is a modification of Butler's FU rootkit, a kernel-level program capable of hiding processes and elevating process privileges. The rootkit uses DKOM (Direct Kernel Object Manipulation) to fake out the Windows Event Viewer, making forensics virtually impossible, and can also hide device drivers, Butler explained.

      With Shadow Walker, Butler and Sparks explore the idea of memory subversion to hide the rootkit in memory with almost no performance impact.

      “This is a prototype for a fourth generation of rootkits that would defeat the current rootkit detection technology,” said Sparks, who is renowned for her work around offensive/defensive malicious code technologies.

      Some existing rootkit defense technologies use behavior detection, integrity detection and signature-based detection to find the stealth programs. Others, like Microsoft Corp.'s Strider Ghostbuster, F-Secure Corp.'s BlackLight and Sysinternals Freeware's RootkitRevealer, search for registry and file system API discrepancies that may indicate the presence of a user-mode or kernel-mode rootkit.


      However, Sparks and Butler argue that Shadow Walker will “raise the bar” for rootkit detectors with a memory hook engine that subverts the kernel memory to hide the proof-of-concept driver. “An in-memory rootkit could be installed from a kernel exploit to avoid disk detection,” Sparks added.

      Acknowledging that the Shadow Walker prototype could best be described as an “offensive rootkit,” the researchers demonstrated an easy installation of the rootkit driver that used the memory hook engine to hide the code and avoid any noticeable impact on overall system performance.

      “A good rootkit needs to hide its own code and also hide the changes it makes,” Sparks said. “We are demonstrating that a rootkit is capable of transparently controlling the contents of memory viewed by applications and kernel drivers. It exploits features of the architecture [with] minimal performance impact. … The users will never notice a performance change.”

      By opting for virtual memory subversion, Sparks said, Shadow Walker is capable of hooking in-memory security scanners that rely on the integrity of the memory view they collect.


      “If we can control a scanner's memory reads, we can fool signature scanners and make a known rootkit, virus or worm's code immune to in-memory signature scans. We can fool integrity checkers and other heuristic scanners which rely upon their ability to detect modifications to the code,” she added.

      “The code will execute but scanners will receive incorrect information.”


      Internet security practitioners in attendance described the Shadow Walker prototype as “scary.”

      “These guys are here showing us that we haven't even scratched the surface where rootkits are concerned. You can use this technique for all kinds of dangerous things without the victim ever knowing,” said Sunil Daya, a senior security engineer with an IT services firm.

      “The kernel rootkits we know about today are very powerful and sophisticated, but this takes it to a different level. It shows how far behind we are,” Daya said, moments after listening to the presentation.

      Another attendee, who declined to be identified, said he was pleased that the research work done by Sparks and Butler was publicly discussed. “These are real-world threats that we have to be prepared for. What's to say the spyware guys aren't already doing this?”

      Sparks recommended that anti-virus vendors rethink the way rootkit scans are conducted and said the best solution to detecting a program like Shadow Walker would be a hardware memory scanner with access to read physical memory.

      The new research comes at a time when security researchers are discovering rootkit-like features in common spyware programs. Using rootkit techniques, sophisticated spyware coders are able to gain administrative access to compromised machines to run stealthy updates to the software or reinstall spyware programs after a user deletes them.

      Microsoft's long-term plans for its Windows AntiSpyware application include the integration of rootkit detection technology from its Strider Ghostbuster research project.


      Strider Ghostbuster is a prototype developed by the software maker's Cybersecurity and Systems Management Research Group to provide a straightforward way to detect Windows rootkits by comparing scan results between a clean system and one that may potentially be compromised.
