Re: VM Rootkits: The Next Big Threat? (PC Magazine)

#1
Technophobe wrote:
> PC Magazine - SubVirt, a proof-of-concept virtual machine
> rootkit created by MS Research and the University of Michigan,
> pushes the envelope for hiding malware. Will this new threat
> strike from below? http://www.eecs.umich.edu/~pmchen/papers/king06.pdf

What this will mean is the increased use of boot-from-CD scanning methods. This will require a new feature for AV software - easy to use, seamless updating of a boot-from-CD-R image when desired by the user. Either that, or (as I always advocate) scanning the drive as a slave on a trusted and capable system.

Only Windows XP is mentioned here. Still waiting to hear about Win-98 root kits.

-------------

[43] S. Sparks and J. Butler. Shadow Walker: Raising The Bar For Windows Rootkit Detection. Phrack, 11(63), August 2005. (http://www.phrack.org/show.php?p=63&a=8)

"even the most sophisticated Windows kernel rootkits, like FU, possess an inherent flaw. They subvert essentially all of the operating system's subsystems with one exception: memory management. Kernel rootkits can control the execution path of kernel code, alter kernel data, and fake system call return values, but they have not (yet) demonstrated the capability to 'hook' or fake the contents of memory seen by other running applications. In other words, public kernel rootkits are sitting ducks for in memory signature scans. Only now are security companies beginning to think of implementing memory signature scans."

(I thought that many AV programs performed memory scans - ?)

"Now imagine a rootkit that makes no effort to change its superficial appearance, yet is capable of fundamentally altering a detector's view of an arbitrary region of memory. When the detector attempts to read any region of memory modified by the rootkit, it sees a 'normal', unaltered view of memory. Only the rootkit sees the true, altered view of memory. Such a rootkit is clearly capable of compromising all of the primary detection methodologies to varying degrees.

The implications to misuse detection are obvious. A scanner attempts to read the memory for the loaded rootkit driver looking for a code signature and the rootkit simply returns a random, 'fake' view of memory (i.e. which does not include its own code) to the scanner. There are also implications for integrity validation approaches to detection. In these cases, the rootkit returns the unaltered view of memory to all processes other than itself. The integrity checker sees the unaltered code, finds a matching CRC or hash, and (erroneously) assumes that all is well. Finally, any anomaly detection methods which rely upon identifying deviant structural characteristics will be fooled since they will receive a 'normal' view of the code. An example of this might be a scanner like VICE which attempts to heuristically identify inline function hooks by the presence of a direct jump at the beginning of the function body."

---------------
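The three in-memory detection methods the Phrack excerpt names (signature scan, integrity hash, and a VICE-style check for a direct JMP at a function entry), as an added Python example that is not part of this thread or of the Shadow Walker paper. The code region, its hash, the signature pattern and the addresses are constructed test data; every check consumes only the bytes the read path hands it, which is the excerpt's point about a rootkit that returns a clean view.

```python
import hashlib
import struct

# Constructed sample: a 64-byte "code region" of a kernel driver, assumed to be
# mapped at MODULE_BASE. Test data only, not real driver code.
MODULE_BASE = 0x80000000
CLEAN_CODE = (
    bytes([0x8B, 0xFF, 0x55, 0x8B, 0xEC])   # mov edi,edi / push ebp / mov ebp,esp
    + bytes([0x83, 0xEC, 0x10])             # sub esp,0x10
    + b"\x90" * 52                          # padding standing in for the body
    + bytes([0x8B, 0xE5, 0x5D, 0xC3])       # mov esp,ebp / pop ebp / ret
)
MODULE_SIZE = len(CLEAN_CODE)
# Known-good digest taken from a trusted copy (the "CRC or hash" the excerpt mentions)
KNOWN_GOOD_SHA256 = hashlib.sha256(CLEAN_CODE).hexdigest()
# Constructed byte pattern standing in for a rootkit's code signature
ROOTKIT_SIGNATURE = b"\x60\x9C\xE8\x00\x00\x00\x00\x5B"

def signature_scan(view: bytes, signature: bytes = ROOTKIT_SIGNATURE) -> bool:
    """Misuse detection: True if the known-bad byte pattern appears in the view."""
    return signature in view

def integrity_check(view: bytes, known_good: str = KNOWN_GOOD_SHA256) -> bool:
    """Integrity validation: True if the region still hashes to its known-good value."""
    return hashlib.sha256(view).hexdigest() == known_good

def prologue_jump_target(view: bytes, base: int = MODULE_BASE):
    """VICE-style anomaly heuristic: if the function entry is an E9 rel32 JMP,
    decode it and return the absolute target; otherwise return None."""
    if len(view) < 5 or view[0] != 0xE9:
        return None
    rel = struct.unpack_from("<i", view, 1)[0]   # signed 32-bit displacement
    return (base + 5 + rel) & 0xFFFFFFFF         # target = address after the JMP + rel32

def inline_hook_detected(view: bytes, base: int = MODULE_BASE,
                         size: int = MODULE_SIZE) -> bool:
    """Flag an entry-point JMP whose target lies outside the module, the hallmark
    of an inline hook (a JMP that stays inside the module is ordinary code)."""
    target = prologue_jump_target(view, base)
    return target is not None and not (base <= target < base + size)

def run_all_checks(view: bytes) -> dict:
    """All three checks trust the same read path; a faked view defeats all three."""
    return {
        "signature_hit": signature_scan(view),
        "integrity_ok": integrity_check(view),
        "inline_hook": inline_hook_detected(view),
    }

def hooked_sample(code: bytes, hook_target: int, base: int = MODULE_BASE) -> bytes:
    """Constructed test input: the region as an inline hook would leave it, with the
    first five bytes replaced by JMP rel32 to hook_target."""
    rel = (hook_target - (base + 5)) & 0xFFFFFFFF
    return b"\xE9" + struct.pack("<I", rel) + code[5:]
```

Run `run_all_checks` on `CLEAN_CODE` and on `hooked_sample(CLEAN_CODE, 0xF0000000)` to see the hooked region fail both the hash and the prologue heuristic while the clean bytes pass everything.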
#2
Virus Guy wrote:
> Only Windows XP is mentioned here. Still waiting to hear about Win-98
> root kits.

?? Win98 does not have a "root". Although, there were ways for MS to hide the contents of directories (desktop.ini).
#3
"Offbreed" <offbreed_106@hotmail.com> wrote in message news:rfCdnUDmXq6q9InZRVn-vA@scnresearch.com...
> Virus Guy wrote:
>
> > Only Windows XP is mentioned here. Still waiting to hear about Win-98
> > root kits.
>
> ?? Win98 does not have a "root". Although, there were ways for MS to
> hide the contents of directories (desktop.ini).

Whether or not there is a "root" no longer matters. The "root" in rootkit is only an historical remnant. A malware rootkit is a trojan or trojaned program, or set of programs, that interact intimately with some system hardware. Such close relationships with hardware allow the OS to be subverted. Usually, this subversion takes the form of stealth.

Originally, they were trojan backdoored unix binary executables offering remote root access to the attacker that installed them. Then sniffers and stealth capability were added. Now the term applies to *nix loadable modules and NT filter drivers too, especially if they work to subvert the system in some way.
#4
Jake Dodd wrote:
> "Offbreed" <offbreed_106@hotmail.com> wrote in message news:rfCdnUDmXq6q9InZRVn-vA@scnresearch.com...
>> Virus Guy wrote:
>>
>>> Only Windows XP is mentioned here. Still waiting to hear about Win-98
>>> root kits.
>> ?? Win98 does not have a "root". Although, there were ways for MS to
>> hide the contents of directories (desktop.ini).
>
> Whether or not there is a "root" no longer matters. The "root" in rootkit
> is only an historical remnant. A malware rootkit is a trojan or trojaned
> program, or set of programs, that interact intimately with some system
> hardware. Such close relationships with hardware allow the OS to be
> subverted. Usually, this subversion takes the form of stealth.
>
> Originally, they were trojan backdoored unix binary executables offering
> remote root access to the attacker that installed them. Then sniffers and
> stealth capability were added. Now the term applies to *nix loadable
> modules and NT filter drivers too, especially if they work to subvert the
> system in some way.

well, i certainly disagree (http://anti-virus-rants.blogspot.co...ootkits_20.html)... and i don't understand why people think technical terminology should be as malleable as conversational english...

--
"it's not the right time to be sober
now the idiots have taken over
spreading like a social cancer, is there an answer?"
#5
"kurt wismer" <kurtw@sympatico.ca> wrote in message news:8NdRf.2780$ng.113676@news20.bellglobal.com...
> Jake Dodd wrote:
> > "Offbreed" <offbreed_106@hotmail.com> wrote in message news:rfCdnUDmXq6q9InZRVn-vA@scnresearch.com...
> >> Virus Guy wrote:
> >>
> >>> Only Windows XP is mentioned here. Still waiting to hear about Win-98
> >>> root kits.
> >> ?? Win98 does not have a "root". Although, there were ways for MS to
> >> hide the contents of directories (desktop.ini).
> >
> > Whether or not there is a "root" no longer matters. The "root" in rootkit
> > is only an historical remnant. A malware rootkit is a trojan or trojaned
> > program, or set of programs, that interact intimately with some system
> > hardware. Such close relationships with hardware allow the OS to be
> > subverted. Usually, this subversion takes the form of stealth.
> >
> > Originally, they were trojan backdoored unix binary executables offering
> > remote root access to the attacker that installed them. Then sniffers and
> > stealth capability were added. Now the term applies to *nix loadable
> > modules and NT filter drivers too, especially if they work to subvert the
> > system in some way.
>
> well, i certainly disagree
> (http://anti-virus-rants.blogspot.co...ootkits_20.html)...

Nice rant, but I don't really see where you disagree with what I wrote. Think of what having root really means to the machine in question. Someone having root can install programs that intimately interact with the system hardware rather than using the OS as intermediary. Because of this, such programs can subvert the OS so that all utilities that get information from or about hardware while using the OS as intermediary become untrustworthy.

In the case of this "new threat", the entire OS is elevated to a VM while the actual hardware and the so-called "rootkit" act as the platform for it. Now the OS only "knows" what the rootkit tells it.

> and i don't understand why people think technical terminology should be
> as malleable as conversational english...

A rootkit wasn't really a technical term, it was like the "bag of tricks" that Felix the cat used when in a fix. Why write programs interactively through a shell on a rooted machine when, with a little advance preparation, you could have a kit ready.
#6
Jake Dodd wrote:
> "kurt wismer" <kurtw@sympatico.ca> wrote in message news:8NdRf.2780$ng.113676@news20.bellglobal.com...
>> Jake Dodd wrote:
[snip]
>>> Whether or not there is a "root" no longer matters. The "root" in rootkit
>>> is only an historical remnant. A malware rootkit is a trojan or trojaned
>>> program, or set of programs, that interact intimately with some system
>>> hardware. Such close relationships with hardware allow the OS to be
>>> subverted. Usually, this subversion takes the form of stealth.
>>>
>>> Originally, they were trojan backdoored unix binary executables offering
>>> remote root access to the attacker that installed them. Then sniffers and
>>> stealth capability were added. Now the term applies to *nix loadable
>>> modules and NT filter drivers too, especially if they work to subvert the
>>> system in some way.
>> well, i certainly disagree
>> (http://anti-virus-rants.blogspot.co...ootkits_20.html)...
>
> Nice rant, but I don't really see where you disagree with what I wrote. Think
> of what having root really means to the machine in question. Someone having
> root can install programs that intimately interact with the system hardware
> rather than using the OS as intermediary. Because of this, such programs can
> subvert the OS so that all utilities that get information from or about hardware
> while using the OS as intermediary become untrustworthy.

the disagreement comes in because subverting the os and gaining/maintaining root are not the same thing... similar perhaps, but not the same... rootkits are penetration technology which may happen to subvert the os in a very particular way...

[snip]

>> and i don't understand why people think technical terminology should be
>> as malleable as conversational english...
>
> A rootkit wasn't really a technical term, it was like the "bag of tricks" that
> Felix the cat used when in a fix.

??? you're right, *a* rootkit wasn't a technical term (it was an instance of malware), *rootkit* was... a word or combination of words with a well defined meaning in a technical context...

--
"it's not the right time to be sober
now the idiots have taken over
spreading like a social cancer, is there an answer?"
#7
"kurt wismer" <kurtw@sympatico.ca> wrote in message news:ffsRf.1264$fy1.130843@news20.bellglobal.com...
> ... rootkits are penetration technology which may happen to
> subvert the os in a very particular way...

"Penetration technology"? Rootkits are and were nothing of the sort. Penetration happens "before" the rootkit is used. The "penetration technology" is the exploit (or other means of getting root) acting as the 'thin edge of the wedge' to get the door open, and the rootkit is the ol' salesman-foot-in-the-door to maintain access or whatever else realizes the attacker's desires.
#8
Jake Dodd wrote:
> "kurt wismer" <kurtw@sympatico.ca> wrote in message news:ffsRf.1264$fy1.130843@news20.bellglobal.com...
>
>> ... rootkits are penetration technology which may happen to
>> subvert the os in a very particular way...
>
> "Penetration technology"? Rootkits are and were nothing of the sort.
> Penetration happens "before" the rootkit is used.

why do people have so much trouble with the concept of indirect attacks? the rootkit is installed on machine A in order to compromise machine B by means of sniffing network traffic for useful information like passwords... it also provided a platform from which to run attacks from (attacks like password cracking or privilege escalation) without compromising the identity/location of the attacker...

> The "penetration
> technology" is the exploit (or other means of getting root) acting as
> the 'thin edge of the wedge' to get the door open, and the rootkit is
> the ol' salesman-foot-in-the-door to maintain access or whatever
> else realizes the attacker's desires.

you need credentials on a system before you can escalate those privileges by means of exploit... virtually all classical rootkits had a sniffer to grab credentials for other machines out of network traffic or directly from the keyboard and a back door to allow subsequent access to the compromised machine in order to get the sniffer's logs and to attempt further attacks on other machines... it's not always the case that you make a surgical strike on just the machine that interests you, sometimes that's not appropriate or even immediately possible...

--
"it's not the right time to be sober
now the idiots have taken over
spreading like a social cancer, is there an answer?"
#9
"kurt wismer" <kurtw@sympatico.ca> wrote in message news:8URf.8638$ng.383304@news20.bellglobal.com...
> Jake Dodd wrote:
> > "kurt wismer" <kurtw@sympatico.ca> wrote in message news:ffsRf.1264$fy1.130843@news20.bellglobal.com...
> >
> >> ... rootkits are penetration technology which may happen to
> >> subvert the os in a very particular way...
> >
> > "Penetration technology"? Rootkits are and were nothing of the sort.
> > Penetration happens "before" the rootkit is used.
>
> why do people have so much trouble with the concept of indirect attacks?

Why do you assume that they do?

> the rootkit is installed on machine A in order to compromise machine B
> by means of sniffing network traffic for useful information like
> passwords... it also provided a platform from which to run attacks from
> (attacks like password cracking or privilege escalation) without
> compromising the identity/location of the attacker...

...or to hide programs or processes that leak information out or alter data within the subverted system. Why do you assume that attackers 'only' or 'always' want to attack more machines? Just as program branches can have leaf functions, the actual target of an attacker may be the leaf target. Selective data diddling or some other activity may be the end desire of the attacker. If the subversive program, to work properly, needed to be installed by a root privileged user, then the attacker has installed a rootkit.

> > The "penetration
> > technology" is the exploit (or other means of getting root) acting as
> > the 'thin edge of the wedge' to get the door open, and the rootkit is
> > the ol' salesman-foot-in-the-door to maintain access or whatever
> > else realizes the attacker's desires.
>
> you need credentials on a system before you can escalate those
> privileges by means of exploit...

Nobody has suggested that a rootkit needs to be installed by someone without actual credentials.

> virtually all classical rootkits had a sniffer to grab credentials for
> other machines out of network traffic or directly from the keyboard and
> a back door to allow subsequent access to the compromised machine in
> order to get the sniffer's logs and to attempt further attacks on other
> machines...

Appeal to numbers. Every bird I've ever seen was able to fly, so all birds must fly - in fact the very defining feature of birds must be that they fly. Fallacy.

> it's not always the case that you make a surgical strike on just the
> machine that interests you, sometimes that's not appropriate or even
> immediately possible...

That doesn't mean that the occasional surgical strike target isn't just as rootkitted.
#10
Jake Dodd wrote:
> "kurt wismer" <kurtw@sympatico.ca> wrote in message news:8URf.8638$ng.383304@news20.bellglobal.com...
>> Jake Dodd wrote:
>>> "kurt wismer" <kurtw@sympatico.ca> wrote in message news:ffsRf.1264$fy1.130843@news20.bellglobal.com...
>>>
>>>> ... rootkits are penetration technology which may happen to
>>>> subvert the os in a very particular way...
>>> "Penetration technology"? Rootkits are and were nothing of the sort.
>>> Penetration happens "before" the rootkit is used.
>> why do people have so much trouble with the concept of indirect attacks?
>
> Why do you assume that they do?

saying that rootkits aren't penetration tools because penetration happens before the rootkit is used assumes that which is not in evidence... it is in fact possible to use the rootkit prior to penetrating a system you aren't authorized to use...

>> the rootkit is installed on machine A in order to compromise machine B
>> by means of sniffing network traffic for useful information like
>> passwords... it also provided a platform from which to run attacks from
>> (attacks like password cracking or privilege escalation) without
>> compromising the identity/location of the attacker...
>
> ...or to hide programs or processes that leak information out or alter
> data within the subverted system.

stealth (as that is properly called) is an adaptation, it has always been an adaptation, and the implication of it being an adaptation is that it serves at best a supporting role...

> Why do you assume that attackers 'only' or 'always' want to attack
> more machines?

i don't, but that's the particular problem rootkits were made to address...

[snip]

>>> The "penetration
>>> technology" is the exploit (or other means of getting root) acting as
>>> the 'thin edge of the wedge' to get the door open, and the rootkit is
>>> the ol' salesman-foot-in-the-door to maintain access or whatever
>>> else realizes the attacker's desires.
>> you need credentials on a system before you can escalate those
>> privileges by means of exploit...
>
> Nobody has suggested that a rootkit needs to be installed by someone
> without actual credentials.

whoosh... the rootkit gets you the credentials... there are any number of ways the initial rootkit could have been installed... it could be installed on a low security system that you have legitimate rights on and that other people also use...

>> virtually all classical rootkits had a sniffer to grab credentials for
>> other machines out of network traffic or directly from the keyboard and
>> a back door to allow subsequent access to the compromised machine in
>> order to get the sniffer's logs and to attempt further attacks on other
>> machines...
>
> Appeal to numbers. Every bird I've ever seen was able to fly, so all
> birds must fly - in fact the very defining feature of birds must be that
> they fly. Fallacy.

then perhaps the fact that the first usage of the term in usenet was in a penetration context... or that both f-secure and the anti-spyware coalition agree that rootkits were originally for gaining root? maybe that the goal of the original rootkit was to allow an attacker to run a sniffer to retrieve credentials for other systems, as discussed here (http://www.cs.wright.edu/people/fac...ion/obrien.html)...

>> it's not always the case that you make a surgical strike on just the
>> machine that interests you, sometimes that's not appropriate or even
>> immediately possible...
>
> That doesn't mean that the occasional surgical strike target isn't just as
> rootkitted.

if you've gotten to your destination there's no need for a rootkit when a more conventional backdoor will do...

--
"it's not the right time to be sober
now the idiots have taken over
spreading like a social cancer, is there an answer?"