LAS VEGAS—Just when anti-virus vendors think they have a bead on the threat from stealth rootkits, along comes word that a pair of researchers have discovered a new way to hide malicious programs.
Jamie Butler, director of engineering at HBGary Inc., and Sherri Sparks, a PhD student at the University of Central Florida, demonstrated the technique at the Black Hat Briefings here with a chilling warning that anti-virus scanners must “completely revamp” existing rootkit detection technologies.
The proof-of-concept, dubbed Shadow Walker, is a modification of Butlers FU rootkit, a kernel-level program capable of hiding processes and elevating process privileges. The rootkit uses DKOM (Direct Kernel Object Manipulation) to fake out the Windows Event Viewer to make forensics virtually impossible and can also hide device drivers, Butler explained.
With Shadow Walker, Butler and Sparks explore the idea of memory subversion to hide the rootkit in memory with almost no performance impact.
“This is a prototype for a fourth generation of rootkits that would defeat the current rootkit detection technology,” said Sparks, who is renowned for her work around offensive/defensive malicious code technologies.
Some existing rootkit defense technologies use behavior detection, integrity detection and signature-based detection to find the stealth programs. Others, like Microsoft Corp.s Strider Ghostbuster, F-Secure Corp.s BlackLight and Sysinternals Freewares RootkitRevealer, search for registry and file system API discrepancies that may indicate the presence of a user-mode or kernel-mode rootkit.
However, Sparks and Butler argue that Shadow Walker will “raise the bar” for rootkit detectors with a memory hook engine that subverts the kernel memory to hide the proof-of-concept driver. “An in-memory rootkit could be installed from a kernel exploit to avoid disk detection,” Sparks added.
Acknowledging that the Shadow Walker prototype could best be described as an “offensive rootkit,” the researchers displayed a easy installation of the rootkit driver that used the memory hook engine to hide the code and avoid any noticeable impact on the overall system performance.
“A good rootkit needs to hide its own code and also hide the changes it makes,” Sparks said. “We are demonstrating that a rootkit is capable of transparently controlling the contents of memory viewed by applications and kernel drivers. It exploits features of the architecture [with] minimal performance impact. … The users will never notice a performance change.”
By opting for virtual memory subversion, Sparks said Shadow Walker is capable of hooking in-memory security scanners that rely on the integrity of the memory view it collects.
“If we can control a scanners memory reads, we can fool signature scanners and make a known rootkit, virus or worms code immune to in-memory signature scans. We can fool integrity checkers and other heuristic scanners which rely upon their ability to detect modifications to the code,” she added.
“The code will execute but scanners will receive incorrect information.”
Next Page: Response to Shadow Walker: “Scary.”
Page 2
Internet security practitioners in attendance described the Shadow Walker prototype as “scary.”
“These guys are here showing us that we havent even scratched the surface where rootkits are concerned. You can use this technique for all kinds of dangerous things without the victim ever knowing,” said Sunil Daya, a senior security engineer with an IT services firm.
“The kernel rootkits we know about today are very powerful and sophisticated, but this takes it to a different level. It shows how far behind we are,” Daya said, moments after listening to the presentation.
Another attendee, who declined to be identified, said he was pleased that the research work done by Sparks and Butler was publicly discussed. “These are real-world threats that we have to be prepared for. Whats to say the spyware guys arent already doing this?”
Sparks recommended that anti-virus vendors rethink the way rootkit scans are conducted and said the best solution to detecting a program like Shadow Walker would be a hardware memory scanner with access to read physical memory.
The new research comes at a time when security researchers are discovering rootkit-like features in common spyware programs. Using rootkit techniques, sophisticated spyware coders are able to gain administrative access to compromised machines to run stealthy updates to the software or reinstall spyware programs after a user deletes them.
Microsofts long-term plans for its Windows AntiSpyware application include the integration of rootkit detection technology from its Strider Ghostbuster research project.
Strider Ghostbuster is a prototype developed the software makers Cybersecurity and Systems Management Research Group to provides a straightforward way to detect Windows rootkits by comparing scan results between a clean system and one that may potentially be compromised.
