Spyware Writers Play Cat-and-Mouse with Rootkit Detectors

Researchers have flagged the first sign of a cat-and-mouse game between spyware writers and new Windows rootkit detection technologies; Microsoft incident response specialist says he's "at war with the miscreants."

Security researchers have detected the first sign of a cat-and-mouse game between spyware writers and vendors touting new Windows rootkit detection technologies.

Just weeks after Finnish anti-virus specialist F-Secure Corp. launched a free beta of its new BlackLight Rootkit Elimination Technology, the company admitted that spyware writers were using a known trick to successfully avoid detection.

"This trick depends on identifying [the] BlackLight process and not hiding from it at all," F-Secure said in an advisory.

According to the advisory, the spyware manufacturer that released the Trojan even included a taunt in a marketing message that the Trojan was "Hidden from by F-Secure BlackLight Rootkit Elimination Technology."

The company immediately recommended a workaround, urging beta testers to rename the "fsbl.exe" file to something that doesn't contain "fsbl" anywhere in its path.

"This is a good thing to do with any rootkit scanner," F-Secure said, adding that any beta tester using the BlackLight technology should rename the binary into something random before running it.


Robert Hensing, an incident response specialist for Microsoft Corp., confirmed that malicious hackers using a very popular rootkit program were defeating the detection technologies.

Hensing, who declined an eWEEK.com request for comment, posted a detailed summary of the problem on his Weblog, warning that the freely available RootkitRevealer program released by Sysinternals Freeware was being tricked by HackerDefender, one of the more notorious rootkit programs.


According to definitions posted by Computer Associates, Hacker Defender is a Trojan creation tool that can also be used to wrap existing Trojans to make them harder to detect.

"We've started to get cases where RootkitRevealer, having been downloaded by the customer, is not detecting any hidden files, folders [and] registry entries on the customer's machine; yet our own rootkit tools we supply with our IR toolkit come back with hidden files, folders etc.," Hensing said.

Noting that the Sysinternals RootkitRevealer worked very similarly to Microsoft's own Strider GhostBuster Rootkit Detection prototype tool, Hensing said there were discrepancies in the scans run by the two programs because of the way the rogue rootkit was avoiding detection.

"We decided to investigate and collected some specimens, and it turns out that RootkitRevealer is rather easy to defeat if you're using the Hacker Defender rootkit," Hensing said, providing a detailed explanation of the malicious end-around.

Hensing said the Hacker Defender rootkit is "by far the most popular in the wild rootkit with the biggest installed user base," and warned that the latest signs point to something bigger than a cat-and-mouse game.


"This is just another great example of the arms race we are locked in with the miscreants. Some call it a cat-and-mouse game, but that's far too innocent; I personally am at war with the miscreants, and this is my arms race," Hensing said.

He encouraged users to download and run the RootkitRevealer tool but urged that the .exe be renamed to something unique. He said the file name should be random and long to serve as a workaround.

"You'll have much better success [with a renamed file] until the miscreants counter this move and fire back with something more technically advanced," Hensing added.
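The rename workaround that both F-Secure and Hensing recommend, as an added PowerShell example that is not from the article or from either vendor: it copies the scanner binary to a long, randomly generated name in a fresh temporary directory, checks that the original name does not survive anywhere in the new path, runs the copy, and cleans up afterwards. The scanner path is a placeholder; adjust it to wherever the tool is installed.

```powershell
# Added example, not vendor code. Runs a rootkit scanner under a random file
# name so malware that keys on the known binary name (the article cites
# "fsbl.exe" and RootkitRevealer) cannot recognise the process.
param(
    # Placeholder: path to the vendor-supplied scanner binary.
    [string]$ScannerPath = 'C:\Tools\RootkitRevealer.exe'
)

if (-not (Test-Path -LiteralPath $ScannerPath)) {
    throw "Scanner binary not found: $ScannerPath"
}

# Build a long name from cryptographically random bytes (32 hex characters).
$rng   = [System.Security.Cryptography.RandomNumberGenerator]::Create()
$bytes = New-Object byte[] 16
$rng.GetBytes($bytes)
$randomName = ($bytes | ForEach-Object { $_.ToString('x2') }) -join ''

# Copy rather than rename, so the original stays intact for later hash
# verification; the copy lives in its own temp directory.
$workDir  = Join-Path $env:TEMP $randomName
New-Item -ItemType Directory -Path $workDir | Out-Null
$copyPath = Join-Path $workDir "$randomName.exe"

# F-Secure's advice is that the original name must not appear anywhere in
# the path, so check the full path, not just the file name.
$baseName = [System.IO.Path]::GetFileNameWithoutExtension($ScannerPath)
if ($copyPath -like "*$baseName*") {
    Remove-Item -LiteralPath $workDir -Recurse -Force
    throw "Generated path still contains '$baseName'; run again"
}

Copy-Item -LiteralPath $ScannerPath -Destination $copyPath

try {
    # Run the renamed copy and wait for it; scanner output goes to the console.
    $proc = Start-Process -FilePath $copyPath -Wait -PassThru
    Write-Host "Scanner exited with code $($proc.ExitCode)"
} finally {
    # Remove the copy so the random name is not left on disk for reuse.
    Remove-Item -LiteralPath $workDir -Recurse -Force
}
```

Use a new random name on every run; a renamed copy that stays on disk becomes just another fixed name for the next rootkit version to recognise.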
