Earthweb
Images Research Events Premium Services Media Kit Network Map E-mail Offers Vendor Solutions Webcasts
 SUBJECTS:
 FEATURES:
Search EarthWeb Network

internet.commerce
Be a Commerce Partner
Corporate Gifts
Car Donations
Computer Deals
Car Insurance
Cheap Plasma TVs
Cheap Plane Tickets
Budget Web Hosting
Phone Systems
PDA Phones & Cases
Auto Insurance Quote
Cheap Cameras
Mortgage Refinancing
Search Web Hosting
(none)

IT Management : Columns : Executive Tech: New Tools May Beat Rootkits

Symantec Data Management Solutions
Whitepaper: The Benefit of Continuous Data Protection
Data volume continues to grow at nearly 40% to 50% each year, making back up of mission critical data very difficult. For any organization looking to manage data growth, improve reliability, and speed data recovery, continuous data protection provides the avenue to address the challenges in a method that will improve overall data protection without weighing down IT with costly solutions.
Register Now to Download.
Whitepaper: Breaking Through the Dissimilar Hardware Restore Challenge
This paper discusses recovery to virtual computer environments, hardware migration strategies, hardware repurposing for optimal resource utilization, meeting recovery time objectives, and increasing disaster tolerance.
Register Now to Download.
Whitepaper: Converging System and Data Protection
From resilience against threats to efficient restoration of normal operations, Symantec can help keep your business up, running, and growing—no matter what happens.
Register Now to Download.
Webcast: Symantec Brings Disk-based Data Protection and Advanced System Recovery Together
Symantec Backup Exec™ and Symantec LiveState Recovery™ allow rapid and easy backup and recovery of virtually any Windows data and Windows system.
Join us for an informative Webcast to learn how to:
  • Create backups and restore to specific system recovery points
  • Maintain data availability and minimize server downtime
  • Eliminate backup windows, improving increased system reliability
  • Dramatically minimize downtime by rapidly recovering entire systems to dissimilar hardware platforms or even to virtual environments
Register Now to Watch.

Related Articles
'Rootkit' Author Beaten, For Now
Can We Restore Reliability to E-Mail?
Readers Debate Election Fraud Allegations
- ITSMWatch Newsletter -
email:
IT Focus
Wireless in the Enterprise

Wireless technology continues to make great inroads into networks. But IT pros still must contend with a number of issues such as security, access and integration.

Ready? Set. Go!

Mobile Workers Never Looked So Thin

The Incredible Hidden Wireless Connection

Product Watch
Reflex IPS - Inline Intrusion Prevention Appliances
SANmelody - Converts PC Servers Into Expansion Disk Servers
Identity Management Suite / VPAS - Fingerprint-Based Authentication Tools and Technologies
File2Pack SFX - File Packing Program
PDW Portfolio Enterprise - Resource Allocation Analysis

more products >>

Datamation Definitions
data mining
ERP
extranet
grid computing
intranet
network appliance
outsourcing
storage
VPN
virus
FREE Tech Newsletters

Demo: Improving Project Management with IBM Rational Software Configuration Management Tools

New Tools May Beat Rootkits
June 7, 2005
By Brian Livingston

Brian Livingston I wrote in this space last week that IceSword, a new antivirus tool by a Chinese security research group, had gained the respect of even some hackers.

Specifically, I quoted the author of Hacker Defender, a so-called rootkit program, who said on his site, "One of my priorities this summer [will be] to beat IceSword." He called it "such a nice tool, [a] real challenge."

IceSword became available only last month as a free download from Xfocus.net, a computer security site in China. Unfortunately for my English-speaking readers, the site is written entirely in Chinese, and IceSword comes only in a Chinese version. The group's English-language site, Xfocus.org, says nothing about IceSword as of yet.

I believe we'll be hearing more about this tool in the months to come, however. More and more virus authors are writing rootkits, which can successfully hide from typical antivirus scans. So the need for antirootkit programs such as IceSword will only grow.

The State Of Rootkit Detection

To learn more about IceSword, I spoke with Drew Copley, a senior research engineer for eEye Digital Security in Aliso Viejo, Calif., south of Los Angeles. Copley is not only familiar with the Chinese group's work, he'll be a speaker at the XCON conference in Beijing, China, which is being sponsored by Xfocus on August 18 through 20.

"Xfocus is a cutting-edge security group, similar to the CCC [Chaos Computer Club] of Germany," Copley says. "At this time, I do believe Xfocus is a leader among all of the groups, and this is why I am honored to be speaking there."

Regarding IceSword, Copley says because of its newness the program is little-known by security researchers in the U.S. Based on what he's discovered so far, the techniques IceSword uses may be novel but they can eventually be copied by rootkit authors to make their rogue programs invisible once again, Copley indicates.

"Now that they know how IceSword works, they could do that," he says. "It's always a case of who gets there first."

The Race To Add Antirootkit Code

"There," in this case, is a Windows API [application programming interface] that IceSword hooks into when it runs. If IceSword hooks this API first, rootkits can't hide from it. Unfortunately, rootkit authors could start hooking this API when their spyware is initially installed. This means the rootkits would "get there first" and frustrate diagnostic tools such as IceSword.

Security researchers around the world, however, are rapidly creating defenses. Some programs can already detect rootkits such as Hacker Defender and Morphine, a related program. Morphine is an encryption routine developed by Hacker Defender's author. It cloaks viruses so they don't match any signatures currently used by antivirus programs.

eEye's own Blink vulnerability prevention program, Copley says, can detect the current version of the rootkit "because Hacker Defender injects itself into every process and uses some exploit techniques common to malware."

A new version of Blink will have "a generic detection mechanism for any file that is using Morphine as a file-obscuring shell," he said. "I know that Kaspersky handles Morphine successfully, too." Kaspersky Lab is a respected antivirus firm based in Moscow, Russia.

Virus authors increasingly include code that hunts for "antivirus signatures." This allow them to disable or evade specific antivirus software that a PC may be running.

As a result, Copley says, antivirus programs must add cloaking mechanisms of their own to hide from viruses. "Something like polymorphism could be good," he suggested. A polymorphic program encrypts itself differently every time it's installed, thereby avoiding detection by signature scans.

A Well-Built Program That's Hard To Grok

Another security researcher, who asked that neither he nor his company be identified by name, said the copy of IceSword he's examined is designed carefully to avoid giving up its secrets too easily.

"It has a lot of techniques built in to prevent you from reverse engineering it," this researcher says.

"IceSword is more of an advanced tool," he continues. "It doesn't have a button you can click to detect rootkits. You have to read through the [PC's] files yourself.

"The program's really well built, but the documentation's all in Chinese," he notes. Researchers in the U.S. are using machine translations to get a rough idea of how the program works until native Chinese speakers in the West can give IceSword a thorough technical examination.

The program sports a user interface similar to a file explorer. The difference is that IceSword shows files and running processes that are invisible to ordinary file-handling programs. In that respect, "It looks fairly similar to F-Secure Blacklight and Rootkit Revealer," this researcher says. Both of those programs attempt to detect rootkits that may already be silently running on a PC.

White Hats Love It, Hackers Hate It

Whatever the good guys think of IceSword, we know how the developer of at least one rootkit feels about it. Hacker Defender's author, who uses the handle "holy_father," said in a June 3 posting reacting to my column on IceSword, "It is [a] great challenge to crack it," adding, "I've never seen [a] better tool."

That's enough of an endorsement for people like me to hope that IceSword comes out in an English-language version as soon as possible.

The Chinese version of IceSword, which is downloadable in a compressed RAR format for those interested in trying it, is at Xfocus.net/tools/200505/1032.html.

Brian Livingston is the editor of WindowsSecrets.com and the coauthor of "Windows Me Secrets" and nine other books. To subscribe free and receive Executive Tech via e-mail, visit our signup page. Send story ideas to him via his contact page.


Executive Tech Archives


JupiterWeb networks:

Graphics.com

Search JupiterWeb:

Jupitermedia Corporation has three divisions:
JupiterResearch


Legal Notices, Licensing, Reprints, & Permissions, Privacy Policy.

Jupitermedia Corporate Info | Newsletters | Tech Jobs | E-mail Offers