Security researchers have detected the first sign of a cat-and-mouse game between spyware writers and vendors touting new Windows rootkit detection technologies.
Just weeks after Finnish anti-virus specialist F-Secure Corp. launched a free beta of its new BlackLight Rootkit Elimination Technology, the company admitted that spyware writers were using a known trick to successfully avoid detection.
“This trick depends on identifying [the] BlackLight process and not hiding from it at all,” F-Secure said in an advisory.
According to the advisory, the spyware manufacturer that released the Trojan even included a taunt in a marketing message that the Trojan was “Hidden from by F-Secure BlackLight Rootkit Elimination Technology.”
The company immediately recommended a workaround, urging beta testers to rename the “fsbl.exe” file to something that doesn’t contain “fsbl” anywhere in its path.
“This is a good thing to do with any rootkit scanner,” F-Secure said, adding that any beta tester using the BlackLight technology should rename the binary into something random before running it.
Robert Hensing, an incident response specialist for Microsoft Corp., confirmed that malicious hackers using a very popular rootkit program were defeating the detection technologies.
Hensing, who declined an eWEEK.com request for comment, posted a detailed summary of the problem on his Weblog, warning that the freely available RootkitRevealer program released by Sysinternals Freeware was being tricked by HackerDefender, one of the more notorious rootkit programs.
According to definitions posted by Computer Associates, Hacker Defender is a Trojan creation tool that can also be used to wrap existing Trojans to make them harder to detect.
“We’ve started to get cases where RootkitRevealer, having been downloaded by the customer, is not detecting any hidden files, folders [and] registry entries on the customer’s machine; yet our own rootkit tools we supply with our IR toolkit come back with hidden files, folders etc.,” Hensing said.
Noting that the Sysinternals RootkitRevealer worked very similarly to Microsoft’s own Strider GhostBuster Rootkit Detection prototype tool, Hensing said there were discrepancies in the scans run by the two programs because of the way the rogue rootkit was avoiding detection.
“We decided to investigate and collected some specimens, and it turns out that RootkitRevealer is rather easy to defeat if you’re using the Hacker Defender rootkit,” Hensing said, providing a detailed explanation of the malicious end-around.
Hensing said the Hacker Defender rootkit is “by far the most popular in the wild rootkit with the biggest installed user base,” and warned that the latest signs point to something bigger than a cat-and-mouse game.
“This is just another great example of the arms race we are locked in with the miscreants. Some call it a cat-and-mouse game, but that’s far too innocent; I personally am at war with the miscreants, and this is my arms race,” Hensing said.
He encouraged users to download and run the RootkitRevealer tool but urged that the .exe be renamed to something unique. He said the file name should be random and long to serve as a workaround.
“You’ll have much better success [with a renamed file] until the miscreants counter this move and fire back with something more technically advanced,” Hensing added.
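The workaround both F-Secure and Hensing describe, running the scanner under a random, long file name so that evasion keyed on the scanner’s name (“fsbl” in the path, or the RootkitRevealer executable name) finds nothing to match, can be scripted so the renaming is never skipped or done by hand. The script below is an added example written for this article, not a tool from F-Secure, Sysinternals or Microsoft; the scanner location `C:\Tools\fsbl.exe` is an assumed path and the function names are the example’s own.

```powershell
# Added example (not from the article or any of the vendors it quotes):
# copy a rootkit scanner to a random, long file name in the temp folder,
# run that copy, then delete it. This only defeats evasion that identifies
# the scanner by its file or process name, which is the trick the article
# describes; it does nothing against other fingerprinting of the binary.
param(
    [string]$ScannerPath = 'C:\Tools\fsbl.exe',   # assumed location of the scanner
    [string[]]$ScannerArgs = @()                 # arguments to pass through, if any
)

function New-RandomName {
    param([int]$Length = 24)
    # Lower-case letters and digits only, so the result is a valid file name.
    $alphabet = [char[]]'abcdefghijklmnopqrstuvwxyz0123456789'
    $rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $bytes = New-Object byte[] $Length
    $rng.GetBytes($bytes)
    $chars = foreach ($b in $bytes) { $alphabet[$b % $alphabet.Length] }
    return -join $chars
}

function Invoke-RenamedScanner {
    param([string]$Path, [string[]]$ArgList)
    if (-not (Test-Path -LiteralPath $Path)) { throw "Scanner not found: $Path" }

    # The advisory's trick keys on the original name appearing anywhere in the
    # path, so retry until neither the file name nor the temp path contains it.
    $original = [System.IO.Path]::GetFileNameWithoutExtension($Path).ToLower()
    do {
        $dest = Join-Path ([System.IO.Path]::GetTempPath()) ((New-RandomName) + '.exe')
    } while ($dest.ToLower().Contains($original))

    Copy-Item -LiteralPath $Path -Destination $dest
    try {
        # Start-Process rejects an empty -ArgumentList, so only add it when needed.
        $startArgs = @{ FilePath = $dest; Wait = $true; PassThru = $true; NoNewWindow = $true }
        if ($ArgList -and $ArgList.Count -gt 0) { $startArgs['ArgumentList'] = $ArgList }
        $proc = Start-Process @startArgs
        return $proc.ExitCode
    }
    finally {
        # Remove the randomly named copy so it does not linger on disk.
        Remove-Item -LiteralPath $dest -Force -ErrorAction SilentlyContinue
    }
}

$exit = Invoke-RenamedScanner -Path $ScannerPath -ArgList $ScannerArgs
Write-Host "Scanner finished with exit code $exit"
```

Run it as `.\Run-RenamedScanner.ps1 -ScannerPath C:\Tools\RootkitRevealer.exe` (script name and path assumed) from an elevated prompt, since rootkit scanners need administrative rights. A fresh name on every run, rather than one renamed copy kept on disk, matters because a single fixed “unique” name becomes just another string for the next rootkit release to match; as Hensing notes, the move only buys time until the evasion is updated.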