
    Spyware Writers Play Cat-and-Mouse with Rootkit Detectors

    By Ryan Naraine - March 21, 2005

      Security researchers have detected the first sign of a cat-and-mouse game between spyware writers and vendors touting new Windows rootkit detection technologies.

      Just weeks after Finnish anti-virus specialist F-Secure Corp. launched a free beta of its new BlackLight Rootkit Elimination Technology, the company admitted that spyware writers were using a known trick to successfully avoid detection.

      “This trick depends on identifying [the] BlackLight process and not hiding from it at all,” F-Secure said in an advisory.

      According to the advisory, the spyware manufacturer that released the Trojan even included a taunt in a marketing message that the Trojan was “Hidden from by F-Secure BlackLight Rootkit Elimination Technology.”

      The company immediately recommended a workaround, urging beta testers to rename the “fsbl.exe” file to something that doesn't contain “fsbl” anywhere in its path.

      “This is a good thing to do with any rootkit scanner,” F-Secure said, adding that any beta tester using the BlackLight technology should rename the binary into something random before running it.


      Robert Hensing, an incident response specialist for Microsoft Corp., confirmed that malicious hackers using a very popular rootkit program were defeating the detection technologies.

      Hensing, who declined an eWEEK.com request for comment, posted a detailed summary of the problem on his Weblog, warning that the freely available RootkitRevealer program released by Sysinternals Freeware was being tricked by HackerDefender, one of the more notorious rootkit programs.


      According to definitions posted by Computer Associates, Hacker Defender is a Trojan creation tool that can also be used to wrap existing Trojans to make them harder to detect.

      “We've started to get cases where RootkitRevealer, having been downloaded by the customer, is not detecting any hidden files, folders [and] registry entries on the customer's machine; yet our own rootkit tools we supply with our IR toolkit come back with hidden files, folders etc.,” Hensing said.

      Noting that the Sysinternals RootkitRevealer worked very similarly to Microsoft's own Strider GhostBuster rootkit detection prototype tool, Hensing said the discrepancies between the scans run by the two programs came down to the way the rogue rootkit was avoiding detection.

      “We decided to investigate and collected some specimens, and it turns out that RootkitRevealer is rather easy to defeat if you're using the Hacker Defender rootkit,” Hensing said, providing a detailed explanation of the malicious end-around.

      Hensing said the Hacker Defender rootkit is “by far the most popular in the wild rootkit with the biggest installed user base,” and warned that the latest signs point to something bigger than a cat-and-mouse game.


      “This is just another great example of the arms race we are locked in with the miscreants. Some call it a cat-and-mouse game, but that's far too innocent; I personally am at war with the miscreants, and this is my arms race,” Hensing said.

      He encouraged users to download and run the RootkitRevealer tool but urged that the .exe be renamed to something unique. He said the file name should be random and long to serve as a workaround.

      “You'll have much better success [with a renamed file] until the miscreants counter this move and fire back with something more technically advanced,” Hensing added.
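The following toy model is an added illustration, not code from the article or from F-Secure, Sysinternals or Microsoft. It shows the cross-view idea the article attributes to RootkitRevealer and GhostBuster, why a rootkit that "plays dead" for a process whose name contains the scanner's signature string defeats it, and why the renaming workaround restores the discrepancy; all class names, file paths and the `fsbl` whitelist are constructed for the example.

```python
import secrets
from dataclasses import dataclass


@dataclass
class ToyRootkit:
    """Constructed stand-in for a rootkit that hides objects from the API view
    but stops hiding for any process whose name matches a known scanner."""
    hidden: set
    whitelist: tuple = ()  # name fragments it will not hide from, e.g. "fsbl"

    def api_view(self, raw_view, caller_name):
        # The hooked API layer: most callers get a filtered listing...
        if any(tag in caller_name.lower() for tag in self.whitelist):
            return set(raw_view)  # ...but a recognised scanner sees everything
        return set(raw_view) - self.hidden


def cross_view_scan(raw_view, rootkit, scanner_name):
    """Cross-view diff: anything present in the raw (on-disk / hive) view but
    missing from the API view is reported as hidden."""
    return set(raw_view) - rootkit.api_view(raw_view, scanner_name)


def random_scanner_name(length=32):
    """The workaround from the article: a long random file name that carries
    no hint of which scanner it is. Hex output never contains 's' or 'l',
    so the string 'fsbl' cannot appear by accident."""
    return secrets.token_hex(length // 2) + ".exe"


if __name__ == "__main__":
    # Constructed sample data, not real malware paths.
    raw = {"C:\\Windows\\System32\\kernel32.dll", "C:\\Temp\\dropper.exe"}
    rk = ToyRootkit(hidden={"C:\\Temp\\dropper.exe"}, whitelist=("fsbl",))
    print("fsbl.exe sees hidden:", cross_view_scan(raw, rk, "fsbl.exe"))
    print("renamed copy sees hidden:",
          cross_view_scan(raw, rk, random_scanner_name()))
```

Run as a script, the scanner named `fsbl.exe` reports nothing while the randomly named copy reports the concealed file, which is exactly the discrepancy Hensing describes between RootkitRevealer and Microsoft's own IR tools.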
