What

Rootkits

Why

A stealth attack is very dangerous: the malware stays resident and keeps working while the system's own tools report nothing wrong.

How

A rootkit gets implanted below the radar of typical antivirus and antispyware shields.

Detailed Information

Dangerous Rootkits, Kernel and VM Rootkits

Dec 6, 2005: “More than 20 percent of all malware removed from Windows XP SP2 (Service Pack 2) systems are stealth rootkits, according to a senior official in Microsoft Corp.'s security unit. Jason Garms, architect and group program manager in Microsoft's Anti-Malware Technology Team, said the open-source FU rootkit ranks high on the list of malicious software programs deleted by the free Windows worm zapping utility.”

What is a Rootkit?
The term rootkit is used to describe the mechanisms and techniques whereby malware, including viruses, spyware, and trojans, attempts to hide its presence from spyware blockers, antivirus, and system management utilities. There are several rootkit classifications depending on whether the malware survives a reboot and whether it executes in user mode or kernel mode.

Persistent Rootkits
A persistent rootkit is one associated with malware that activates each time the system boots. Because such malware contains code that must be executed automatically at each system start or when a user logs in, it must store that code in a persistent store, such as the Registry or file system, and configure a method by which the code executes without user intervention. That stored code and its autostart entry are exactly what the rootkit then has to hide.

Memory-Based Rootkits
Memory-based rootkits have no persistent code and therefore do not survive a reboot. They leave nothing on disk for a file-system scan to find, at the cost of needing to be re-installed after every restart.

User-mode Rootkits
There are many methods by which rootkits attempt to evade detection. For example, a user-mode rootkit might intercept all calls to the Windows FindFirstFile/FindNextFile APIs, which are used by file system exploration utilities, including Explorer and the command prompt, to enumerate the contents of file system directories. When an application performs a directory listing that would otherwise return results that contain entries identifying the files associated with the rootkit, the rootkit intercepts and modifies the output to remove the entries. 

The Windows native API serves as the interface between user-mode clients and kernel-mode services, and more sophisticated user-mode rootkits intercept the file system, Registry, and process enumeration functions of the native API as well. This prevents their detection by scanners that compare the results of a Windows API enumeration with those returned by a native API enumeration, since both views are now filtered by the same hook.

Kernel-mode Rootkits
Kernel-mode rootkits can be even more powerful since, not only can they intercept the native API in kernel-mode, but they can also directly manipulate kernel-mode data structures. A common technique for hiding the presence of a malware process is to remove the process from the kernel's list of active processes. Since process management APIs rely on the contents of the list, the malware process will not display in process management tools like Task Manager or Process Explorer. 
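As an added example, not code from any rootkit and not Windows source: the list unlinking just described, modelled in C on a circular doubly linked list with the same flink/blink shape as a kernel list entry, together with the cross-view check that catches it. The process names, PIDs and the "ID table" used as the second view are constructed for the example; on a real kernel the second view would be some other structure the rootkit did not edit, for instance a handle or process ID table or the scheduler's thread lists.

```c
/* Added example, written for this page; it is not code from any rootkit and
 * not Windows source. It models DKOM unlinking of a process object from the
 * kernel's active-process list and the cross-view check that exposes it.
 * Processes, PIDs and the ID table are constructed for the example. */
#include <stdio.h>
#include <stddef.h>

#define MAX_PROCS 8

typedef struct list_entry { struct list_entry *flink, *blink; } list_entry;

/* Minimal stand-in for a kernel process object: an ID, a name and the link
 * field through which the active-process list is threaded. */
typedef struct proc {
    unsigned pid;
    const char *name;
    list_entry active_links;
} proc;

/* Recover the enclosing proc from a pointer to its link field. */
#define PROC_FROM_LINK(e) ((proc *)((char *)(e) - offsetof(proc, active_links)))

static list_entry g_active_head;        /* circular list; the head holds no process */
static proc g_pool[MAX_PROCS];          /* storage for the constructed processes */
static proc *g_id_table[MAX_PROCS];     /* second view: every object ever created */
static int g_nprocs;

void list_init(void)
{
    g_active_head.flink = g_active_head.blink = &g_active_head;
    g_nprocs = 0;
    for (int i = 0; i < MAX_PROCS; i++) g_id_table[i] = NULL;
}

/* Create a process object, append it to the list and register it in the table. */
proc *create_proc(unsigned pid, const char *name)
{
    proc *p = &g_pool[g_nprocs];
    p->pid = pid;
    p->name = name;
    p->active_links.flink = &g_active_head;
    p->active_links.blink = g_active_head.blink;
    g_active_head.blink->flink = &p->active_links;
    g_active_head.blink = &p->active_links;
    g_id_table[g_nprocs++] = p;
    return p;
}

/* The DKOM step: make the neighbours point past this entry. The object itself
 * is left intact, so in a real kernel its threads keep being scheduled; its own
 * links are pointed at itself so nothing later follows them into the list. */
void dkom_hide(proc *p)
{
    list_entry *e = &p->active_links;
    e->blink->flink = e->flink;
    e->flink->blink = e->blink;
    e->flink = e->blink = e;
}

/* View 1: what a Task Manager-style tool sees, a walk of the linked list. */
int count_list_walk(void)
{
    int n = 0;
    for (list_entry *e = g_active_head.flink; e != &g_active_head; e = e->flink) n++;
    return n;
}

int pid_in_list(unsigned pid)
{
    for (list_entry *e = g_active_head.flink; e != &g_active_head; e = e->flink)
        if (PROC_FROM_LINK(e)->pid == pid) return 1;
    return 0;
}

/* View 2: the ID table, which the unlink did not touch. */
int count_id_table(void)
{
    int n = 0;
    for (int i = 0; i < MAX_PROCS; i++) if (g_id_table[i]) n++;
    return n;
}

/* Cross-view check: any process the table knows but the list walk cannot reach.
 * Returns the number of hidden PIDs written to out[]. */
int find_hidden(unsigned *out, int max)
{
    int n = 0;
    for (int i = 0; i < MAX_PROCS && n < max; i++)
        if (g_id_table[i] && !pid_in_list(g_id_table[i]->pid))
            out[n++] = g_id_table[i]->pid;
    return n;
}

static unsigned g_hidden[MAX_PROCS];

/* Build a constructed three-process system, hide one, and run the check. */
int build_demo_and_scan(void)
{
    list_init();
    create_proc(4, "System");
    create_proc(1234, "explorer.exe");
    dkom_hide(create_proc(1337, "rk_agent.exe"));   /* hypothetical malware name */
    return find_hidden(g_hidden, MAX_PROCS);
}

unsigned hidden_pid(int i) { return g_hidden[i]; }

int main(void)
{
    int n = build_demo_and_scan();
    printf("list walk sees %d processes, ID table holds %d\n",
           count_list_walk(), count_id_table());
    for (int i = 0; i < n; i++)
        printf("hidden process: pid %u\n", hidden_pid(i));
    return 0;
}
```

The point of the second view is that the rootkit has to edit every structure a detector might consult; as long as one kernel view of the process set is left unedited, a comparison between views reveals the unlinked object. This is the same discrepancy principle that RootkitRevealer applies to files and Registry keys, applied here to processes.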

Download RootKitRevealer - a free scanning tool  

RootkitRevealer is an advanced rootkit detection utility that runs on Windows NT 4 and higher. Its output lists Registry and file system API discrepancies that may indicate the presence of a user-mode or kernel-mode rootkit.

Since persistent rootkits work by changing API results so that a system view using APIs differs from the actual view in storage, RootkitRevealer compares the results of a system scan at the highest level with that at the lowest level. The highest level is the Windows API and the lowest level is the raw contents of a file system volume or Registry hive (a hive file is the Registry's on-disk storage format). Thus, rootkits, whether user mode or kernel mode, that manipulate the Windows API or native API to remove their presence from a directory listing, for example, will be seen by RootkitRevealer as a discrepancy between the information returned by the Windows API and that seen in the raw scan of a FAT or NTFS volume's file system structures. 
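The following is an added example in C, written for this page rather than taken from RootkitRevealer or from any real rootkit. It models both the user-mode enumeration hook described under User-mode Rootkits (a replacement function installed over the directory-listing API that strips the rootkit's own entries) and the cross-view comparison described just above: enumerate through the API, read the raw view, and report every raw entry the API view is missing. The directory listing, the `_r00t_` name prefix and the single-slot import table are constructed for the example.

```c
/* Added example, written for this page; it is not code from RootkitRevealer
 * or from any real rootkit. A user-mode hook filters a directory listing, and
 * a cross-view scan compares the API view with the raw view to expose it.
 * RAW_DIR and HIDE_PREFIX are constructed for the example. */
#include <stdio.h>
#include <string.h>

#define MAX_ENTRIES 16
#define HIDE_PREFIX "_r00t_"      /* hypothetical prefix of the rootkit's own files */

/* Raw view: what a scanner reads straight from the NTFS/FAT structures on the
 * volume, bypassing the Windows API. Constructed listing. */
static const char *const RAW_DIR[] = {
    "boot.ini", "ntldr", "_r00t_drv.sys", "_r00t_cfg.ini", "pagefile.sys", NULL
};

/* Shape of the modelled directory-enumeration API (FindFirstFile/FindNextFile
 * collapsed into one call that fills an array). */
typedef int (*enum_fn)(const char *const *src, const char **out, int max);

/* The genuine API: returns every entry. */
int real_enum(const char *const *src, const char **out, int max)
{
    int n = 0;
    while (n < max && src[n]) { out[n] = src[n]; n++; }
    return n;
}

/* The rootkit's replacement: call through to the genuine API, then drop the
 * rootkit's own entries before the caller (Explorer, cmd.exe, an AV scanner)
 * ever sees them. */
enum_fn g_real_enum = real_enum;

int hooked_enum(const char *const *src, const char **out, int max)
{
    int n = g_real_enum(src, out, max), kept = 0;
    for (int i = 0; i < n; i++)
        if (strncmp(out[i], HIDE_PREFIX, strlen(HIDE_PREFIX)) != 0)
            out[kept++] = out[i];
    return kept;
}

/* One slot of an import table. Installing the hook is a single pointer write;
 * both functions return 1 if the slot now points at the hook, 0 otherwise. */
enum_fn api_enum_slot = real_enum;

int install_hook(void) { api_enum_slot = hooked_enum; return api_enum_slot == hooked_enum; }
int remove_hook(void)  { api_enum_slot = real_enum;   return api_enum_slot == hooked_enum; }

static int contains(const char **list, int n, const char *name)
{
    for (int i = 0; i < n; i++)
        if (strcmp(list[i], name) == 0) return 1;
    return 0;
}

/* Cross-view scan: enumerate through the (possibly hooked) API slot, then walk
 * the raw view and report every raw entry the API view does not return.
 * Returns the number of discrepancies written to hidden[]. */
int cross_view_scan(const char *const *raw, const char **hidden, int max_hidden)
{
    const char *api_view[MAX_ENTRIES];
    int n_api = api_enum_slot(raw, api_view, MAX_ENTRIES);
    int found = 0;
    for (int i = 0; raw[i] && found < max_hidden; i++)
        if (!contains(api_view, n_api, raw[i]))
            hidden[found++] = raw[i];
    return found;
}

/* Convenience wrappers around the constructed listing. */
static const char *g_hidden[MAX_ENTRIES];
int scan_hidden_count(void)          { return cross_view_scan(RAW_DIR, g_hidden, MAX_ENTRIES); }
const char *scan_hidden_name(int i)  { return g_hidden[i]; }

int main(void)
{
    printf("clean system: %d discrepancies\n", scan_hidden_count());
    install_hook();
    int n = scan_hidden_count();
    printf("hooked system: %d discrepancies\n", n);
    for (int i = 0; i < n; i++)
        printf("  in raw view, missing from API view: %s\n", scan_hidden_name(i));
    return 0;
}
```

On a real system the two views come from different code paths (the Windows API on one side, raw reads of the volume on the other), which is what makes the comparison meaningful; here both start from RAW_DIR so the hook is the only possible source of difference. RootkitRevealer also reports the reverse case, entries the API returns but the raw scan lacks, which the same loop catches if the two views are swapped.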

Can a Rootkit hide from RootkitRevealer?
It is theoretically possible for a rootkit to hide from RootkitRevealer. Doing so would require intercepting RootkitRevealer's reads of Registry hive data or file system data and changing the contents of the data such that the rootkit's Registry data or files are not present. However, this would require a level of sophistication not seen in rootkits to date. Changes to the data would require both an intimate knowledge of the NTFS, FAT and Registry hive formats, plus the ability to change data structures such that they hide the rootkit, but do not cause inconsistent or invalid structures or side-effect discrepancies that would be flagged by RootkitRevealer.

Is there a sure-fire way to know of a rootkit's presence?
In general, not from within a running system. A kernel-mode rootkit can control any aspect of a system's behavior, so information returned by any API, including the raw reads of Registry hive and file system data performed by RootkitRevealer, can be compromised. Comparing an on-line scan of a system with an off-line scan from a secure environment, such as a boot into a CD-based operating system installation, is more reliable, but rootkits can target such tools to evade detection even by them.

The bottom line is that there will never be a universal rootkit scanner, but the most powerful scanners will be on-line/off-line comparison scanners that integrate with antivirus.


Download Sophos Anti-Rootkit - another free rootkit scanning tool

Sophos Anti-Rootkit is a free tool for removing rootkits and cleaning up any malicious files. Rootkits are programs designed to conceal the presence of an application on a computer by hiding processes, files, configuration information, network traffic or other observable information from a user.

* Sophos Anti-Rootkit runs on Windows NT/2000/XP/2003 computers. For system requirements details, see the Sophos Anti-Rootkit user manual. Both Windows graphical user interface (GUI) and command line versions are available.
* Sophos Anti-Rootkit can be run on a computer that has an anti-virus product currently installed on it.

Sophos Anti-Rootkit will not run in Windows Safe mode. This applies to both the graphical user interface (GUI) version and the command line version of Sophos Anti-Rootkit. You must restart your computer in normal mode, and then run Sophos Anti-Rootkit.

Dangers of Rootkits

Iain Thomson, vnunet.com, 05 Jul 2005

Security experts at Microsoft today warned of the danger posed by internet rootkits which are increasingly being used by hackers in preference to traditional malware such as Trojans.

A rootkit is a specially crafted piece of malware that hides itself on an infected PC while giving a hacker full administrator-level control, allowing them to change and copy data at will.

They are typically embedded in web pages from where they can be downloaded by unwitting surfers through improperly patched browsers. Security researchers have identified a rootkit being spread through AOL's popular instant messaging client and AOL chat rooms.

"In our top 10 of malicious software, traditional worm viruses only take two out of the top 10 spots," said Mario Juarez, product manager for Microsoft's Security Business and Technology unit. "But rootkits are a growing problem. What is particularly worrying is how hard they are to get rid of; 57 per cent of reported duplicate deletions (where the same machine has to be cleaned twice) come from rootkit re-infection."

Rootkits are typically used by spyware manufacturers, since they are designed to be difficult to spot yet give the hacker high levels of control over infected PCs.

Security firm F-Secure warned in May that the popular hacking program RBot was using rootkits, and Juarez warned they are becoming much more popular.

Recently, Golden Hacker Defender was released and sells online for 450 euros. The product includes a feature for capturing Windows log-in information and an updatable "anti-detection engine" that can detect and evade rootkit detection programs from several vendors.

_________________________________________ 

Microsoft's Concern over Rootkits

Feb. 17, 2005 IDG NEWS SERVICE

Microsoft Corp. security researchers are warning about a new generation of powerful system-monitoring programs, or "rootkits," that are almost impossible to detect using current security products and could pose a serious risk to corporations and individuals.

The researchers discussed the growing threat posed by kernel rootkits at a session at the RSA Security Conference in San Francisco this week. The malicious snooping programs are becoming more common and could soon be used to create a new generation of mass-distributed spyware and worms.

With names like "Hacker Defender," "FU" and "Vanquish," the programs are the latest generation of remote system-monitoring software that has been around for years, according to Mike Danseglio and Kurt Dillard, both of Microsoft's Security Solutions Group.

The programs are used by malicious hackers to control, attack or ferret information from systems on which the software has been installed, typically without the owner's knowledge, either by a virus or after a successful hack of the computer's defenses, they said. Once installed, many rootkits run quietly in the background but can sometimes be spotted by looking for memory processes that are running on the infected system, monitoring outbound communications from the machine, or checking for newly installed programs.

However, kernel rootkits that modify the kernel component of an operating system are becoming more common. Rootkit authors are also making huge strides in their ability to hide their creations, said Danseglio.

In particular, some newer rootkits are able to intercept queries or "system calls" that are passed to the kernel and filter out the results that would reveal the rootkit software. The result is that typical signs that a program is running, such as an executable file name, a named process that uses some of the computer's memory, or configuration settings in the operating system's registry, are invisible to administrators and to detection tools, said Danseglio.

"You can install a program on your hard drive and play around with it. You know it's there, but no matter how hard you try to look for it, you won't see it," he said. "Potentially, one could write a malicious bot that could not be detected at all."

The increasingly sophisticated rootkits and the speed with which techniques are migrating from rootkits to spyware and viruses may be the result of influence from organized online criminal groups that value stealthy, invasive software, said Dillard.

One rootkit, called Hacker Defender, released about a year ago, even uses encryption to protect outbound communications and can piggyback on commonly used ports such as TCP Port 135 to communicate with the outside world without interrupting other applications that use that port, he said.

The kernel rootkits are invisible to many detection tools, including antivirus, host and network intrusion-detection sensors and antispyware products, the researchers said. In fact, some of the most powerful tools for detecting the rootkits are designed by rootkit authors, not security companies, they said.

There are few strategies for detecting kernel rootkits on an infected system, especially because each rootkit behaves differently and uses different strategies to hide itself.

It is sometimes possible to spot kernel rootkits by examining infected systems from another machine on a network, said Dillard. Another strategy to spot kernel rootkits is to use Windows PE, a stripped-down version of the Windows XP operating system that can be run from a CD-ROM, to boot a computer and then compare the profile of the clean operating system to the infected system, according to Dillard and Danseglio.

Microsoft researchers have developed a tool called Strider GhostBuster that can detect rootkits by comparing clean and suspect versions of Windows and looking for differences that may indicate that a kernel rootkit is running, according to a paper published by Microsoft Research.

The only reliable way to remove kernel rootkits is to completely erase an infected hard drive and reinstall the operating system from scratch, Danseglio said.

Better tools could be built to detect the current crop of kernel rootkits. However, rootkit authors are adept at spotting new detection techniques and modifying their programs to slip around them, Danseglio said. "These people are smart. They're very smart," he said.

_________________________________

Rootkit Detection Coming to Windows Defender By Ryan Naraine July 18, 2005:

Microsoft plans to integrate rootkit detection technology from its Strider Ghostbuster research project into future versions of the Windows Defender application, Ziff Davis Internet News has learned. Strider Ghostbuster, a prototype tool developed by Microsoft Corp.'s Cybersecurity and Systems Management Research Group, provides a straightforward way to detect Windows rootkits by comparing scan results between a clean system and one that may potentially be compromised. Details of Microsoft's plans remain scarce, but sources say the company has grown increasingly worried about the threat from stealth rootkits.

Free Tool for some rootkit detection:

Microsoft has already added rootkit-detection to its free malicious software removal tool.

The malware remover is capable of detecting four child variants of Hacker Defender (Win32/Hackdef), one of the more notorious rootkit programs.

_______________________________________________

Interesting Anatomy of a Root-Kit Hack

By Cameron Sturdevant   March 21, 2005 

Last November, an eWEEK reader who is an IT executive at a large organization was notified by his company's help desk that the company's Microsoft Corp. Exchange e-mail servers had gone offline.

Further investigation revealed that the Temp directory of the Exchange servers—along with other crucial directories and files—was suddenly missing. The result was 500GB of unavailable e-mail data.

The problem affected dozens of users and took nearly four days to solve. The entire help desk team was pulled from daily support tasks and pressed into a server-by-server, desktop-by-desktop recovery effort. By the end of the ordeal, it was determined that nearly 40 data center servers had been affected, many of which had to be rebuilt from scratch.

The problem? The machines had been infected by a user-level rootkit.

During an exclusive interview with eWEEK Labs last month, the IT executive described the attack and the step-by-step recovery efforts his company undertook. eWEEK Labs agreed not to name the IT executive or his organization.

Rootkits are widely known in the Unix and Linux community, but they are a fairly new problem in the Windows operating system world.

Indeed, at last month's RSA Conference in San Francisco, a workshop focused on the emerging threat rootkits are posing to Windows. User-level rootkit hacks like the one described here are bad enough, but when it comes to a server infected with a kernel-level hack, "Nuke it from space" was the advice provided by the Microsoft employees leading the session.

The user-level rootkit that felled the IT executive's servers was tailored for French-language use, and that is how it evaded detection by a widely deployed anti-virus tool used at the exec's company. The executive suspects that an administrative assistant given to wide-ranging Internet use was the weak link that let the rootkit into the network.

A forensic examination of Machine Zero revealed a keystroke logger with extensive records dating back several months.

Before this was discovered, however, a PC support technician responding to the administrative assistant's report of a desktop slowdown committed a grave error—one that allowed the rootkit to spread from the user's desktop to the servers. Unable to gain access to the system using the regular administrator account, the technician decided to use the domain administrator account to gain access to the PC. At this point, the rootkit was off to the races.

Almost instantaneously, the password grabber that was part of the rootkit used the domain administrator account to infect servers on the local network. The effect was devastating to the IT executive's organization in more ways than one: E-mail was knocked offline in order for the hijacked servers to act as illicit distribution points for the "Bennifer" bomb "Gigli"—dubbed into French.

To recover from the infection, the IT executive first had the central network staff poison the DNS (Domain Name System) tables, cutting off the rootkit's default connections to the outside world—in this case, several sites in France and two major American universities that, unbeknown to network managers, housed infected systems that were acting as robot controllers.

The wily rootkit didn't make recovery easy, though.

"We tried booting from ERD Commander [a utility from Winternals Software LP] to change the local password, but the rootkit [later known as 'SpartaDoor' and by Symantec Corp. as 'trojan.backdoor'] checked the box preventing the user from changing the password," the IT executive said. "We missed that trick, costing us a lot of time."

_______________________________________________

AOL Instant Messenger now used in Rootkit Attacks

Instant messaging is increasingly being used to attack users and spread dangerous security threats. Besides virus, Trojan and worm attacks, rootkits are now being delivered through AOL and other instant messaging clients.

Rootkits can be installed and hidden so that they are extremely hard to detect. A threat installed at the root level of the operating system is a dangerous backdoor: it can give hackers remote control of the system, complete access to your login accounts and hard drive, the ability to monitor activity and steal account information and data, alter operating system files, and hide from detection. The rootkit can shut down anti-virus software, alter the user's search page, drive CPU usage to 100 percent and automatically download unwanted spyware programs.

Because users must actively click on the file link to install the rootkit, security experts urge instant messenger users to never click on links or execute files presented in instant messages - even if they “supposedly” come from a friend. A compromised system account can automatically pass these threats along to the other users on one’s Buddy List. Thus, all your friends will now receive the threat message supposedly coming from you.  You just can't be sure if a message is legit or not and these new threats are too dangerous to take a guess.

Instant messaging, e-mail, chat rooms, web pages and peer-to-peer file-sharing networks can all become vehicles for rootkits and other threats. Downloading files and clicking on links that open files or web sites are quick avenues to serious trouble. It is just not safe to trust the source when you cannot verify who you are communicating with.

Experts have seen a 20-fold increase in the appearance of worms and viruses on IM clients over last year, and eWeek.com also reported last month that instant messaging systems have become an increasingly favored target for attackers, with nearly 75 new IM viruses reported in August and September.

Bundled within the previously identified W32/Sdbot-ADD worm, the lockx.exe rootkit file is installed when users click on the file link within the IM window. It has been programmed to connect to an IRC (Internet Relay Chat) server to listen for commands from a remote attacker.

_________________________________________________

Instant Message buffer overflows are a recipe for disaster 

"We've already seen documentation for some serious code-execution vulnerabilities in IM applications. If you put it all together, you'll see we're not that far away from an automated IM attack where infections don't require the user to click on anything," Wells said.

"The attackers will start looking for exploits within the IM itself. Now we're seeing the IM clients become more than just a text chat tool. AIM now has the ability to load an image on top of the buddy list and play music without a click. All the messaging clients today are bundling a lot of different applications like VOIP, file transfer, image sharing, Internet radio. Those add-ins all have their own security concerns," Wells said in an interview.  http://www.eweek.com/article2/0,1895,1880026,00.asp

"When you bundle third-party functionality into the program, you expand the client footprint, but you're also inheriting all the security problems," he added.

Arbor Networks' Nazario said there has been detailed research work done to show that an automated IM worm could spread over IM rapidly. "In the worst case scenario, research has shown that all vulnerable clients online at a time could get infected in a matter of seconds."

_________________________________

AV Firms Say New Trojan Uses Sony DRM Rootkit

By Paul F. Roberts   November 10, 2005  http://www.eweek.com/article

Anti-virus firms are warning computer users about a new malicious program that attempts to hide on victims' computers by taking advantage of maligned DRM (digital rights management) technology from Sony BMG.

Symantec Corp., Sophos PLC and BitDefender all issued alerts about Trojan horse programs that can become completely invisible on Windows systems with the Sony DRM technology installed.

The program, which goes by the name "Backdoor.IRC.Snyd.A" and "Backdoor.Ryknos," was discovered on Wednesday and is considered a low threat.

However, the appearance of malicious software that takes advantage of a cloaking feature in technology developed for Sony by UK firm First 4 Internet Ltd. makes good on the dire predictions of security researchers, who speculated that hackers could use the "rootkit"-style DRM technology to hide their own malicious programs.

Sony did not respond to requests for comment in time for this article.

Sony's rights management technology, called "sterile burning," was shipped on CDs by around 20 Sony BMG artists along with a custom media player that must be used to play the CD and make a limited number of copies of it on a Windows PC.

Using code written by First 4 Internet, the DRM technology manipulates the Windows core processing center, or "kernel," to make it almost totally undetectable on Windows systems and nearly impossible to remove without fouling Windows, much like malicious programs known as "rootkits."

Sony's efforts to hide the anti-piracy programs erupted into a controversy last week, after Windows expert Mark Russinovich discovered the cloaked software on his own computer and published a detailed analysis of it on his blog at Sysinternals.com.

Russinovich's analysis of First 4 Internet's code showed that the rootkit programs hid any file with a name that began with the characters $sys$, rather than looking for and hiding the specific files used by the media player for copyright enforcement.

At the time, he speculated that others who gained access to Windows systems with the sterile burning technology on it could also hide their programs simply by assigning them names that began with $sys$.

The new Trojan program does just that, copying itself from an e-mail attachment to a file called $sys$drv.exe, according to the BitDefender Web site.

The Trojan program has remote control "bot" features that allow the infected system to be controlled by a remote attacker using IRC (Internet Relay Chat) communications, Symantec Corp. said in a statement.

Sophos researchers have received a number of copies of the program attached to e-mails from what is believed to be a spam campaign, said Graham Cluley, a senior technology consultant at Sophos.

The e-mail messages were mainly sent to business e-mail addresses and claimed to be from Total Business Monthly, a UK business periodical.

"It didn't require Einstein to do this," Cluley said. "They're just exploiting the vulnerability that Sony introduced with its copy protection."

Faced with mounting criticism of its DRM technology, Sony BMG quickly released a software patch to disable it. The company also posted instructions for obtaining a program that could remove the DRM technology altogether. However, it is unclear how many copies of the sterile burning technology have been installed, and users who have installed it would have a hard time finding it on Windows without advanced knowledge of the operating system and diagnostic tools, Russinovich and others have noted.

Consumers in California filed a class action lawsuit on Nov. 1 to stop Sony from distributing the CDs, and seeking monetary damages for consumers who already purchased CDs with the sterile burning technology on it, according to a published report.

Security companies are taking different approaches in dealing with the DRM feature. Symantec has labeled the First 4 Internet DRM features a "security risk" and points customers to a software update on Sony BMG's Web site to remove the stealth features.

Earlier in the week, Computer Associates International Inc. said that their security programs would label the First 4 Internet programs a "rootkit." Sophos will release an update Thursday that will detect the First 4 Internet program and allow users to disable it and the Sony media player, Cluley said.

"I think people would rather lose out on listening to Celine Dion on their PC than have the security vulnerability," Cluley said.

________________________________________________

Microsoft Corp. will start deleting the rootkit component of the controversial DRM scheme used by Sony BMG Music Entertainment.

Nov 12, 2005 http://www.eweek.com/article2/0,1895,1886198,00.asp

The software giant's Windows Defender application will be updated to add a detection and removal signature for the rootkit features used in the XCP digital rights management technology. According to Jason Garms, group product manager in Microsoft's Anti-Malware Technology Team, the rootkit removal signature will be pushed out to Windows users through the anti-spyware application's weekly signature update process. Detection and removal of the XCP rootkit will also appear in the next version of Windows Defender when that makeover ships.

"We also plan to include this signature in the December monthly update to the malicious software removal tool [and] it will also be included in the signature set for the online scanner on Windows Live Safety Center," Garms announced in a blog entry. Garms said an analysis of the XCP software that ships on about 20 Sony BMG Music CDs led to the determination that zapping the rootkit would protect Windows users. "We are concerned about any malware and its impact on our customers' machines. Rootkits have a clearly negative impact on not only the security, but also the reliability and performance of their systems," Garms added.

Sony has suspended the “rootkit” DRM technology.


_________________________________________________

'Shadow Walker ' Pushes Envelope for Stealth Rootkits

July 28, 2005  By  Ryan Naraine  

http://www.eweek.com/article2/0,1895,1841266,00.asp

LAS VEGAS —Just when anti-virus vendors think they have a bead on the threat from stealth rootkits, along comes word that a pair of researchers have discovered a new way to hide malicious programs.

With Shadow Walker, Butler and Sparks explore the idea of memory subversion to hide the rootkit in memory with almost no performance impact.

"This is a prototype for a fourth generation of rootkits that would defeat the current rootkit detection technology," said Sparks, who is renowned for her work around offensive/defensive malicious code technologies.

Some existing rootkit defense technologies use behavior detection, integrity detection and signature-based detection to find the stealth programs. Others, like Microsoft Corp.'s Strider Ghostbuster, F-Secure Corp.'s BlackLight and Sysinternals Freeware's RootkitRevealer, search for registry and file system API discrepancies that may indicate the presence of a user-mode or kernel-mode rootkit.

However, Sparks and Butler argue that Shadow Walker will "raise the bar" for rootkit detectors with a memory hook engine that subverts the kernel memory to hide the proof-of-concept driver. "An in-memory rootkit could be installed from a kernel exploit to avoid disk detection," Sparks added.

By opting for virtual memory subversion, Sparks said Shadow Walker is capable of hooking in-memory security scanners that rely on the integrity of the memory view it collects.

"If we can control a scanner's memory reads, we can fool signature scanners and make a known rootkit, virus or worm's code immune to in-memory signature scans. We can fool integrity checkers and other heuristic scanners which rely upon their ability to detect modifications to the code," she added.

"The code will execute but scanners will receive incorrect information."

"The kernel rootkits we know about today are very powerful and sophisticated, but this takes it to a different level. It shows how far behind we are," Daya said, moments after listening to the presentation.

Another attendee, who declined to be identified, said he was pleased that the research work done by Sparks and Butler was publicly discussed. "These are real-world threats that we have to be prepared for. What's to say the spyware guys aren't already doing this?"

Sparks recommended that anti-virus vendors rethink the way rootkit scans are conducted and said the best solution to detecting a program like Shadow Walker would be a hardware memory scanner with access to read physical memory.

______________________________

UConn Finds Rootkit in Hacked Server 

By Ryan Naraine   June 27, 2005 http://www.eweek.com/article2/0,1895,1831892,00.asp

The University of Connecticut has detected a rootkit on one of its servers, almost two years after the stealth program was placed there by malicious hackers.

The rootkit was found on a server that contains names, social security numbers, dates of birth, phone numbers and addresses for most of the university's 72,000 students, staff and faculty, university officials confirmed Monday.

"Although there is no evidence indicating that this personal data was accessed or extracted, [we are] contacting everyone whose identity may have been put at risk," UConn said in a notice posted online.

The rootkit was first placed on the server during a system compromise on October 26, 2003, but was only detected one week ago, on June 20.

UConn said the attack took advantage of an insecure service for which no vendor patch was available, but stressed that an analysis of the computer showed that the original compromise was incomplete.

Part of the original October attack involved the installation of a "back door" to allow the hacker to remotely control the hijacked server, but the installation failed, the school said.

"The nature of the compromise indicates that the server was breached during a broad attack on the Internet, and was not the target of a directed attack. Therefore, the attacker most likely had no knowledge of the kind of data on the server," it added.


Microsoft Hardens Vista Against Kernel-Mode Malware

January 24, 2006  http://www.eweek.com/print_article2/0,1217,a=169896,00.asp

With the threat from kernel-mode rootkits on the rise, Microsoft plans to make a significant policy change to block uncertified drivers from loading on x64 versions of Windows Vista, the next OS to come after XP.

Starting with Windows Vista and Windows Server (Longhorn), kernel-mode software must have a digital signature to load on x64-based computer systems.

The decision to block unsigned drivers from loading is a direct attempt to restrict the spread of powerful rootkits that intercept the native API in kernel-mode and directly manipulate Windows data structures.

A Microsoft spokesperson said the far-reaching policy change was part of the company's SDL (Security Development Lifecycle), the mandatory software creation process used by Redmond engineers to bake security into all Internet-facing products.

"By requiring digital signatures on all kernel mode software running Windows Vista on x64-based computer systems, this allows the administrator or end user who is installing Windows-based software to know whether a legitimate publisher has provided the software package, helping limit the impact of kernel malware on customers' systems," she said.

A rootkit is a component that uses stealth to maintain a persistent and undetectable presence on a computer. The technology has been used heavily in malicious spyware programs and in identity theft schemes.

In one case, researchers discovered a spyware program called Apropos using a very sophisticated kernel-mode rootkit that allows the program to hide files, directories, registry keys and processes.

The rootkit fitted into Apropos is implemented by a kernel-mode driver that starts automatically early in the boot process.

When the files and registry keys have been hidden, no user-mode process is allowed to access them.

With the new Vista policy change, Microsoft's mission is to block untrusted drivers from loading unless legitimate software publishers obtain a PIC (Publisher Identity Certificate) from Microsoft.

Microsoft will give away the PIC for free, but software publishers are required to purchase a VeriSign Class 3 Commercial Software Publisher Certificate.

The change effectively means that:

Users who are not administrators cannot install unsigned device drivers.

Drivers must be signed for devices that stream protected content. This includes audio drivers that use PUMA (Protected User Mode Audio) and PAP (Protected Audio Path), and video device drivers that handle protected video path-output protection management (PVP-OPM) commands.

Unsigned kernel-mode software will not load and will not run on x64-based systems. To optimize the performance of driver verification at boot time, boot-driver binaries must have an embedded PIC (Publisher Identity Certificate) in addition to the signed .cat file for the package.

Microsoft also noted that the policy change will help diagnose system crashes better.

When users choose to send Windows Error Reporting data to Microsoft after a fault or other error occurs, Microsoft can analyze the data to know which publishers' software was running on the system at the time of the error.

Software publishers can then use the information provided by Microsoft to find and fix problems in their software, the company said in a white paper announcing the change.

 

Taking on rootkits with hardware

Joris Evers, Special to ZDNet  December 14, 2005 
 http://www.zdnet.com.au/insight/hardware/soa/Taking_on_rootkits_with_hardware

Word that Intel is taking on rootkits came as a surprise to some last week. But researchers at the chip giant have been working on security technologies for several years.

What's more, Intel's labs aren't just looking to protect computers against rootkits, Travis Schluessler, a security architect at the chipmaker, told ZDNet Australia sister site CNET News.com. The Santa Clara, California, company hopes it can also help stave off the more familiar threat of worms and viruses.

The surprise may partly be because Intel is primarily a hardware company. Security for PCs and servers has traditionally been provided by software, sold by companies such as Symantec, McAfee, Trend Micro and a slew of smaller players.

But traditional security providers have trouble keeping up with increasingly sophisticated threats. Rootkits -- propelled into the mainstream by the Sony BMG copy protection debacle -- are one example of a threat that many security software vendors are grappling with.

Intel is working on a combination of hardware and software to help protect computers, Schluessler said. He and other researchers in the chipmaker's Communications Technology Lab have devised a way to stifle sophisticated attacks by monitoring the operating system and critical applications run on a computer.

Right now the project, named System Integrity Services, is very much in development. Schluessler talked about how the hardware-based approach works and how it could help keep pests off home PCs.

Q: What made Intel get involved?
Schluessler: Well, the PC faces quite a few interesting threats. One of the things that Intel has been looking at evolving into is this model we call "platformisation." This is really an ability to make the components of the system into more than the sum of their parts. We're working on this technology we call "System Integrity Services," which is an example of this platformisation.

Why do you believe Intel can help fight worms, viruses and rootkits?
Schluessler: A lot of the problems that worms and viruses are exploiting today are problems in the memory of programs: A lot of attackers will go and exploit vulnerabilities in memory.

One of the limitations of security software running on the CPU (central processing unit) is that as soon as an attacker gains root-level privileges, such as via rootkit, then that level of privilege gives them the ability to compromise any software running on that system. What Intel can provide is platform hardware and firmware that is much more difficult to compromise, because it is separated from the primary OS (operating system) and CPU.

You mention the problem that rootkits specifically pose, and I guess that goes beyond the threat that worms and viruses pose to a system?
Schluessler: Yes and no. The problem space is somewhat similar. Rootkits, in today's vernacular, tend to describe payloads that are trying to hide themselves from users. One of the problem spaces that our System Integrity Services is good at is detecting changes to protected programs, or detecting when a protected program is stopped by something like a virus, worm or rootkit.

Can you describe in a nutshell what kind of technology Intel is working on? Is this hardware or software?
Schluessler: We're working on a technology we call System Integrity Services, which is a platform technology that is based on both hardware and firmware. We would add some hardware to the platform to provide an isolated execution environment, where we can run some firmware that is not tied to the host operating system and CPU.

This allows us to raise the bar as far as to what an attacker would need to do in order to compromise that isolated execution environment.

Where do you envision this technology being used?
Schluessler: It can be used in PCs, both at home and in the office -- anywhere where we would want to detect the infiltration of a payload that a worm or a virus could carry. It would have value there.

This is very much complementary to the existing software solutions, like antivirus software. This technology is focused at detecting problems that we would not necessarily have an antivirus signature for. We can also use this technology to protect our security agents -- like antivirus software or a firewall -- from being shut down by these attackers.

Will this technology -- you mentioned it includes hardware and firmware, which is software -- would this need anything else to run, like a client on the desktop?
Schluessler: No. It really needs just cooperation from the programs that we want to protect.

What does that mean?
Schluessler: We'd need to make sure that the contents of the programs when they run in memory do not get changed.

In order to do that, we have to know what the initial good state of the program is. (It's) similar in concept to what driver signatures do. We need to make sure that the program, in its good state, is what is actually loaded into memory and that it stays that way.

Security threats like rootkits, viruses and worms seem to get more sophisticated by the week. Can your technology protect against future threats, or will it need some kind of an updating mechanism?
Schluessler: This is exactly one of the things we've designed this technology to do -- to detect problems that we don't know about yet, what we call in the industry day-zero worms and viruses. Those worms and viruses that come out, and we don't know what they look like.

This technology is simply looking for changes to protected programs. It could be any kind of change -- any kind of worm payload or virus payload or rootkit. As long as it changes one of those protected programs or stops one of the security agents that we're monitoring, we can detect it, regardless of what the actual signature is.


You keep mentioning protected programs. Would this protect any application on my PC, or just the operating systems or critical applications?
Schluessler: We would want to use it to protect critical applications on the PC. Like any technology, this is not the Holy Grail. It has limitations. It can be used to protect certain programs. But this isolated execution environment is limited in its view of what the operating system and such is actually doing. It can't view all of the complexities of the OS, like most of your security agents that are already running over there. It is very much complementary to those security agents.

For example, what applications do you see it protecting?
Schluessler: You could use it to protect things like antivirus software or your firewall. Many of today's worms and viruses...will go in and shut down your security agents in order to execute their payload, because the security agents are effective at stopping that. What this System Integrity Services technology can do, is it can actually detect when that occurs, so we can help protect those security agents.

If you're monitoring the system -- it sounds like that's what you're doing with this technology -- is that going to slow down my computer at all?
Schluessler: Since we're running the checking-off in this isolated execution environment -- we call it a security presence -- it would not impact the MIPS (million instructions per second, or the number of operations that a computer can perform in one second) available on your CPU. It does use some of your memory bandwidth.

Could you explain that?
Schluessler: It won't use cycles that your host processor needs for other things. It won't slow down the processing necessarily on your CPU, but it does use some of the bandwidth going to your memory. It has to look at the memory that your program is running in.

How will this impact potential legitimate uses of, for example, rootkit-type technology? If I am an enterprise, and I use rootkit-type technology to maybe hide some security software from my employees on their desktops, how would your technology impact that? Would it stifle that kind of thing?
Schluessler: Not at all. We're only going to detect changes that we don't want to happen. If you define within your system that you want to allow certain types of changes to happen, by all means, the System Integrity Services will allow that kind of change.

What you're telling me sounds a little bit similar to what Microsoft was talking about a couple of years back. Something they called "Palladium" and then "Next Generation Secure Computing Base." Is this similar?
Schluessler: I am not an expert on that technology, so I can't contrast it.

When do you think your technology might be ready?
Schluessler: As a researcher, I don't have visibility into Intel's product plans, but the prototype is up and running and we have demonstrated that it works in protecting device drivers and things like that -- against things as advanced as kernel debuggers.

Could you explain a bit more what that prototype looks like? Is it actual functioning hardware, or is it a little plastic thing that doesn't do anything?
Schluessler: It is actually functioning hardware. We have a security presence in the form of an Intel Xscale processor that is able to monitor protected programs running on the host.
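The monitoring model Schluessler describes above (record a program's known-good state, then watch its memory for changes and watch security agents for being stopped) can be sketched in a few dozen lines. The block below is an added illustration written for this page, not Intel's System Integrity Services code or any real implementation; the "protected programs", their memory images and the heartbeat counter are constructed stand-ins, and the monitor simply models a separate component that can only read the host's memory.

```python
"""Added example: a signature-free integrity monitor in the spirit of the
approach described in the interview above. Illustrative code, not Intel's;
program names, memory images and heartbeat values are constructed."""
import hashlib
from dataclasses import dataclass


@dataclass
class ProtectedProgram:
    """Constructed stand-in for a security agent running on the host.
    `image` plays the role of the program's code pages in memory and
    `ticks` is a heartbeat the agent bumps each time it gets to run."""
    name: str
    image: bytearray
    ticks: int = 0

    def run_once(self) -> None:
        self.ticks += 1  # the agent is alive and received CPU time


def measure(image: bytes) -> str:
    """Digest of a memory image; this is the 'known good state' comparison key."""
    return hashlib.sha256(bytes(image)).hexdigest()


class IntegrityMonitor:
    """Models the isolated 'security presence': it never executes on the
    host CPU, only reads the host's memory and compares it with the state
    recorded at registration. It knows nothing about malware signatures."""

    def __init__(self) -> None:
        self._baseline = {}    # program name -> expected digest
        self._last_ticks = {}  # program name -> heartbeat seen at last check

    def register(self, prog: ProtectedProgram) -> None:
        # Baseline must be taken while the program is known to be clean.
        self._baseline[prog.name] = measure(prog.image)
        self._last_ticks[prog.name] = prog.ticks

    def check(self, progs) -> list:
        """Return (name, finding) pairs for every protected program that was
        modified in memory or that made no progress since the last check."""
        findings = []
        for p in progs:
            expected = self._baseline.get(p.name)
            if expected is None:
                continue  # not a protected program
            if measure(p.image) != expected:
                findings.append((p.name, "modified"))
            if p.ticks == self._last_ticks[p.name]:
                findings.append((p.name, "stopped"))
            self._last_ticks[p.name] = p.ticks
        return findings


def demo():
    """Two checking rounds: a clean one, then one with constructed tampering."""
    av = ProtectedProgram("antivirus", bytearray(b"\x55\x48\x89\xe5" * 16))
    fw = ProtectedProgram("firewall", bytearray(b"\x48\x83\xec\x20" * 16))
    mon = IntegrityMonitor()
    mon.register(av)
    mon.register(fw)

    # Round 1: both agents run and nothing is touched -> no findings.
    av.run_once()
    fw.run_once()
    clean = mon.check([av, fw])

    # Round 2 (constructed): one byte of the AV code is patched in memory
    # and the firewall is never scheduled again.
    av.image[10] ^= 0xFF
    av.run_once()
    alerts = mon.check([av, fw])
    return clean, alerts


if __name__ == "__main__":
    print(demo())
```

Two properties of the real design show up here: detection needs no knowledge of what the attacker's payload looks like, only of what the protected program looked like when it was clean, so the baseline has to be captured before any compromise (exactly the role driver signatures play for the on-disk image); and every check re-reads the whole protected image, which is the memory-bandwidth cost Schluessler mentions.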

 

VM (Virtual Machine) Rootkits: The Next Big Threat?

March 10, 2006  By  Ryan Naraine http://www.eweek.com/article2/0,1895,1936666,00.asp

Lab rats at Microsoft Research and the University of Michigan have teamed up to create prototypes for virtual machine-based rootkits that significantly push the envelope for hiding malware and that can maintain control of a target operating system.

The proof-of-concept rootkit, called SubVirt, exploits known security flaws and drops a VMM (virtual machine monitor) underneath a Windows or Linux installation.

Once the target operating system is hoisted into a virtual machine, the rootkit becomes impossible to detect because its state cannot be accessed by security software running in the target system, according to documentation seen by eWEEK.

The prototype, which will be presented at the IEEE Symposium on Security and Privacy later in 2006, is the brainchild of Microsoft's Cybersecurity and Systems Management Research Group, the Redmond, Wash., unit responsible for the Strider GhostBuster anti-rootkit scanner and the Strider HoneyMonkey exploit detection patrol.

Today, anti-rootkit clean-up tools compare registry and file system API discrepancies to check for the presence of user-mode or kernel-mode rootkits, but this tactic is useless if the rootkit stores malware in a place that cannot be scanned.

"We used our proof-of concept [rootkits] to subvert Windows XP and Linux target systems and implemented four example malicious services," the researchers wrote in a technical paper describing the attack scenario.

"[We] assume the perspective of the attacker, who is trying to run malicious software and avoid detection. By assuming this perspective, we hope to help defenders understand and defend against the threat posed by a new class of rootkits," said the paper, which is co-written by researchers from the University of Michigan.

A virtual machine is one instance of an operating system running between the hardware and the "guest" operating system. Because the VM sits on the lower layer of the operating system, it is able to control the upper layers in a stealthy way.

"[T]he side that controls the lower layer in the system has a fundamental advantage in the arms race between attackers and defenders," the researchers said.

"If the defender's security service occupies a lower layer than the malware, then that security service should be able to detect, contain and remove the malware. Conversely, if the malware occupies a lower layer than the security service, then the malware should be able to evade the security service and manipulate its execution."

The group said the SubVirt project implemented VM-based rootkits on two platforms—Linux/VMware and Windows/VirtualPC—and was able to write malicious services without detection.

The paper describes how easy it is to get the VM-based malware on a target system.

For example, a code execution flaw could be exploited to gain root or administrator rights to manipulate the system boot sequence.

Once the rootkit is installed, it can use a separate attack operating system to deploy malware that is invisible from the perspective of the target operating system.

"Any code running within an attack OS is effectively invisible. The ability to run invisible malicious services in an attack OS gives intruders the freedom to use user-mode code with less fear of detection," the researchers said.

The group used the prototype rootkits to develop four malicious services—a phishing Web server, a keystroke logger, a service that scans the target file system for sensitive information and a defense countermeasure to defeat existing VM-detection systems.

The researchers also used the VM-based rootkits to control the way the target reboots. It could also be used to emulate system shutdowns and system sleep states.

While the prototype rootkits are theoretically offensive in nature, the researchers also discussed ways to defend against malicious use of VM:

 

1. Hardware chip-based protection

The group suggests that hardware detection is one way to gain control over the lower layer to detect VM-based rootkits, pointing out that chip makers Intel and AMD have proposed hardware that can be used to develop and deploy low-layer security software that would run beneath a VM-based rootkit.

 

2. A Secure Bootup Medium

Another defense technique the researchers proposed is to boot from a safe medium such as a CD-ROM, USB drive or network boot server to gain control below the rootkit.

 

3. A secure VMM

A virtual machine monitor can also be used to gain control of a system before the operating system boots. It can also be used to retain control as the system runs and to add a check to stop a VM-based rootkit from modifying the boot sequence.
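The three defenses above share one idea from the paper's "lower layer" argument: whoever runs first and verifies the next stage before handing over control can refuse to boot a modified sequence. The block below is an added illustration of that check, written for this page and not taken from the SubVirt paper or any secure-boot implementation; the firmware, bootloader, kernel and "attacker VMM" stage contents are constructed byte strings, and the verifier stands in for a trusted VMM or the code on a safe boot medium.

```python
"""Added example: a verified boot chain that refuses to transfer control to
an unexpected stage. Illustrative code, not from the SubVirt paper; all stage
contents are constructed."""
import hashlib
from typing import List, Tuple


def digest(blob: bytes) -> str:
    return hashlib.sha256(blob).hexdigest()


class VerifiedBootChain:
    """The trusted lower layer. It holds the expected digest of every stage
    in boot order and measures each stage before running it, so a stage that
    has been replaced, patched, inserted or reordered halts the boot."""

    def __init__(self, expected: List[Tuple[str, str]]) -> None:
        self.expected = expected  # [(stage name, expected sha256 hex), ...]

    def boot(self, stages: List[Tuple[str, bytes]]) -> Tuple[bool, str, List[str]]:
        """Return (ok, reason, measurement log)."""
        log = []
        for idx, (name, blob) in enumerate(stages):
            if idx >= len(self.expected):
                return False, f"unexpected extra stage '{name}' after verified chain", log
            exp_name, exp_digest = self.expected[idx]
            measured = digest(blob)
            log.append(f"{name}:{measured[:12]}")
            if name != exp_name or measured != exp_digest:
                return False, (f"stage {idx} '{name}' failed verification "
                               f"(expected '{exp_name}')"), log
        if len(stages) < len(self.expected):
            return False, "boot chain ended early", log
        return True, "all stages verified", log


# Constructed stage images standing in for real binaries.
FIRMWARE = b"firmware v1 (constructed)"
BOOTLOADER = b"bootloader v1 (constructed)"
KERNEL = b"target OS kernel (constructed)"
ROGUE_VMM = b"attacker VMM that runs the real kernel as a guest (constructed)"


def golden_chain() -> VerifiedBootChain:
    """Expected measurements, recorded from a clean system."""
    return VerifiedBootChain([
        ("firmware", digest(FIRMWARE)),
        ("bootloader", digest(BOOTLOADER)),
        ("kernel", digest(KERNEL)),
    ])


def normal_boot():
    return golden_chain().boot([
        ("firmware", FIRMWARE), ("bootloader", BOOTLOADER), ("kernel", KERNEL)])


def subverted_boot():
    """Constructed: a VMM stage slipped in before the unmodified kernel."""
    return golden_chain().boot([
        ("firmware", FIRMWARE), ("bootloader", BOOTLOADER),
        ("vmm", ROGUE_VMM), ("kernel", KERNEL)])


def patched_bootloader_boot():
    """Constructed: the bootloader itself altered to chain-load the VMM."""
    return golden_chain().boot([
        ("firmware", FIRMWARE),
        ("bootloader", BOOTLOADER + b" chainload vmm"),
        ("vmm", ROGUE_VMM), ("kernel", KERNEL)])


if __name__ == "__main__":
    for run in (normal_boot, subverted_boot, patched_bootloader_boot):
        ok, reason, log = run()
        print(run.__name__, ok, reason, log)
```

Note that the unmodified kernel digest is correct in the subverted run; what fails is the sequence itself, which is why the check has to be performed by something that runs before the rootkit's stage. The same comparison performed by code inside the target OS proves nothing, because a VMM underneath it controls what that code reads.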


"We believe the VM-based rootkits are a viable and likely threat," the research team said. "Virtual-machine monitors are available from both the open-source community and commercial vendors ... On today's x86 systems, [VM-based rootkits] are capable of running a target OS with few visual differences or performance effects that would alert the user to the presence of a rootkit."

The threat is so real, the group said, that during the creation of SubVirt, one of the authors accidentally used a machine that had been infected by the proof-of-concept rootkit without realizing that he was using a compromised system.

 

'Vitriol' Virtual Machine Rootkit to Demo at MS BlueHat Hacker Summit  

By Ryan Naraine October 17, 2006 http://www.eweek.com/article2/0,1895,2032661,00.asp

Updated: Microsoft's twice-yearly BlueHat summit will kick off with a demo of a virtualization-based rootkit that can be used to defeat the company's PatchGuard technology.

Microsoft's twice-yearly BlueHat hacker summit, running Oct. 19-20, will kick off later this week with a demo of a virtual machine rootkit that can potentially be used to defeat the controversial PatchGuard technology.

Dino Dai Zovi, a principal at penetration-testing outfit Matasano Security, has been invited to Microsoft's Redmond, Wash., campus to showcase a hardware VM-based rootkit called Vitriol that piggybacks on Intel's VT-x virtualization extension.

Zovi, an expert on exploitation techniques, 802.11 wireless attacks and operating system kernel security, will demo the rootkit at the conference, to which select members of the hacking community are invited to brainstorm security issues with Microsoft employees and executives.

The Vitriol presentation is an expansion of a talk given by Zovi (here as a PDF) at the Black Hat Briefings in Las Vegas in August, and will include a technical explanation of how Intel's VT-x extensions can allow malicious hackers to install a "rootkit hypervisor" that invisibly runs the original operating system in a virtual machine.

Zovi plans to demonstrate how the Vitriol rootkit can migrate a running operating system into a hardware virtual machine on the fly and install itself as a rootkit hypervisor. The malicious code becomes inaccessible to the operating system, maintaining stealth and controlling access to the malware.

Zovi, in a blog entry, claimed that hypervisors can also be used to bypass PatchGuard on 64-bit systems, but Stephen Toulouse, a security program manager for Microsoft, explained that PatchGuard prevents modification of the data tables and is not meant to detect hypervisors.

"In this case, there is nothing [from Zovi] to indicate the attack is even trying to modify the kernel itself, and I confirmed with Matasano that's true," Toulouse said in an e-mail sent to eWEEK. "Vitriol doesn't 'defeat' kernel patch protection," he added.

In response, Zovi cited "confusion" around how or whether hypervisors can bypass PatchGuard and stressed that Vitriol is not an attack against [a weakness in] PatchGuard itself. "[It] is more a demonstration of how a hypervisor controls the entire universe in which an operating system runs and can mislead or lie to any operating system running inside it, thus defeating security defenses running on the guest VM," he explained.

Microsoft officials declined to comment on the BlueHat schedule. According to sources familiar with the company's plans, BlueHat v4 will feature a roster of well-known white hat researchers specializing in OS kernel hardening, database security and application threat modeling.

The source said the company is looking for "new faces" to talk at the two-day event. Researchers who made presentations at BlueHat v3 in March 2006 are being invited back as attendees.

At the Spring 2006 sessions, the roster of presenters included database security experts David Litchfield and Alexander Kornbrust, Web applications security researcher Caleb Sima, Metasploit founder HD Moore and reverse engineering guru Halvar Flake.

Moore, Flake and Kornbrust said they will not be attending the sessions this week.

Zovi's virtual machine rootkit presentation comes on the heels of a Black Hat demo by stealth malware researcher Joanna Rutkowska of Blue Pill, new technology that is capable of creating malware that remains "100 percent undetectable," even on Windows Vista x64 systems.

Rutkowska's Blue Pill prototype uses Advanced Micro Devices' SVM/Pacifica virtualization technology to create an ultrathin hypervisor that takes complete control of the underlying operating system.

Rutkowska, who also showed off a way to defeat the device driver signing requirement in Windows Vista, told eWEEK she has never been invited to speak at Microsoft's BlueHat.

Microsoft's own Cybersecurity and Systems Management Research Group has also created a proof-of-concept rootkit called SubVirt that exploits known security flaws and drops a VMM (virtual machine monitor) underneath a Windows or Linux installation.

Rootkit Flood -  Smarter Hackers Pose Growing Security Threats

April 17, 2006  By  Matt Hines  http://www.eweek.com/article2/0,1895,1949650,00.asp

Based on a new study released by software maker McAfee's Avert Labs group, the technology used to cloak many different forms of malware, especially rootkits, is becoming increasingly complex and harder to detect. McAfee said its research indicates that the use of so-called "stealth technologies" has jumped by over 600 percent during the last three years. The number of rootkit attacks being reported to McAfee's labs was up by 700 percent during the first quarter of 2006, compared with the same period in 2005.

A rootkit is used to modify the flow of a software program's kernel to hide the presence of an attack on a machine. It gives a hacker remote user access to the compromised system while avoiding detection from anti-virus scanners.

"The growth has been extraordinary and the use of rootkits that we are seeing is far more complex than any examples we've seen in previous years; the stealth aspect of these attacks is making them very hard to find," said Stuart McClure, senior vice president of global threats at McAfee, in Santa Clara, Calif. "These technologies are so deeply embedded that even if you are able to remove them, you often destabilize a system quickly, and cleaning these things out remains enormously challenging," McClure said.

Another aspect of the growing problem is that rootkits are increasingly being written to attack systems running on Microsoft's Windows operating system. While rootkits previously troubled more Linux and Unix-based systems, McAfee said Windows-oriented rootkits increased by a staggering 2,300 percent between 2001 and 2005. According to the research, that trend is spurred by both the desire to break into Microsoft's proprietary software, and the fact that a larger number of machines run Windows, meaning more are available for attack.

McAfee contends that one of the primary drivers of the expanded proliferation and complexity of rootkits is growing collaboration among virus writers, including the misuse of materials published on resource Web sites dedicated to helping people fight the programs. Some of these sites, such as Rootkit.com, contain hundreds of lines of rootkit code and may be doing more harm than good, McClure said. "The threats are constantly evolving; someone figures something out and within minutes it's being distributed. The malware writers are getting much smarter and faster at sharing information and realizing the profit in this," he said. "Rootkit.com and the others come off as wanting to educate the industry, but the problem is that posts on those Web sites are dropped directly into malware. These good guys are trying to regulate the information, but, unfortunately, it's being misused."

Kaspersky, based in Woburn, Mass., said it identified three specific proof-of-concept attacks being tested out by hackers, at least one of which could pose a challenging risk to network defenders. The program reportedly locates itself in a computer's boot sector and gains control of the device prior to the launch of its operating system. Because the attack is introduced in this manner, Kaspersky said, the program is able to modify many operating system functions. While most anti-virus applications scan a computer's boot sector, the security company warned that it would still be "extremely difficult" to detect any interception or substitution of system functions by the program.

 

Rootkits used by Music Company and by Gaming Industry  
Spying on Users: Getting to the 'Rootkit' of the Matter 
By Brian Prince February 7, 2007 
Source

Sony drew the ire of many in 2005 when the record company employed rootkit technology in the name of copyright protection. The company included software on music CDs that, if played on a computer, would install itself without the user's consent and would restrict the number of times the audio files could be copied. Critics charged the software also created security gaps that could allow hackers entry into a system. The company recently entered into a settlement over the matter with the Federal Trade Commission, which charged that the company had secretly embedded the potentially damaging software. 

Although Sony no longer uses the software, its attempt to use rootkit technology in the name of business signals that it is not just hackers who have an interest in using the technology. 

Another company, video game maker Blizzard Entertainment, had customers crying foul when it was discovered the gaming company was using software known as the "Warden" to prevent cheating in the online role-playing game "World of Warcraft," McGraw said. 

The software, intended to check players' computer memory for third-party programs that allow players to cheat, is mentioned in the service and end-user license agreement and does not gather personal information about players. But critics have called it spyware and said the software indiscriminately reads data from all open windows during game play. 


 

Resources

http://www.sysinternals.com/utilities/rootkitrevealer.html

Contact me at NofinerWeb.com