Whitepaper: The Benefit of Continuous Data Protection Data volume continues to grow at nearly 40% to 50% each year, making back up of mission critical data very difficult. For any organization looking to manage data growth, improve reliability, and speed data recovery, continuous data protection provides the avenue to address the challenges in a method that will improve overall data protection without weighing down IT with costly solutions. Register Now to Download. Whitepaper: Breaking Through the Dissimilar Hardware Restore Challenge This paper discusses recovery to virtual computer environments, hardware migration strategies, hardware repurposing for optimal resource utilization, meeting recovery time objectives, and increasing disaster tolerance. Register Now to Download. Whitepaper: Converging System and Data Protection From resilience against threats to efficient restoration of normal operations, Symantec can help keep your business up, running, and growing—no matter what happens. Register Now to Download. Webcast: Symantec Brings Disk-based Data Protection and Advanced System Recovery Together Symantec Backup Exec™ and Symantec LiveState Recovery™ allow rapid and easy backup and recovery of virtually any Windows data and Windows system. Join us for an informative Webcast to learn how to: Create backups and restore to specific system recovery points Maintain data availability and minimize server downtime Eliminate backup windows, improving increased system reliability Dramatically minimize downtime by rapidly recovering entire systems to dissimilar hardware platforms or even to virtual environments Register Now to Watch.

Related Articles •'Rootkit' Author Beaten, For Now •Can We Restore Reliability to E-Mail? •Readers Debate Election Fraud Allegations

- ITSMWatch Newsletter - email:

IT Focus Wireless in the Enterprise Wireless technology continues to make great inroads into networks. But IT pros still must contend with a number of issues such as security, access and integration. Ready? Set. Go! Mobile Workers Never Looked So Thin The Incredible Hidden Wireless Connection

Product Watch •Reflex IPS - Inline Intrusion Prevention Appliances •SANmelody - Converts PC Servers Into Expansion Disk Servers •Identity Management Suite / VPAS - Fingerprint-Based Authentication Tools and Technologies •File2Pack SFX - File Packing Program •PDW Portfolio Enterprise - Resource Allocation Analysis more products >>

Datamation Definitions data mining ERP extranet grid computing intranet network appliance outsourcing storage VPN virus

FREE Tech Newsletters Instant Messaging Planet HTML CIO Update CodeGuru Update CrossNodes Networking Practically Networked HTML Enterprise Storage Forum Text Enterprise Storage Forum HTML Optically Networked HTML Intranet Journal Update Datamation IT Management Careers Datamation IT Management Update Executive Tech HTML Developer.com Update Gamelan Java Update Goodies to Go Javascript Weekly HTML JARS Java Update OpenSource Update SysOpt Tech Notes Grid Computing Planet HTML E-Security Planet Text E-Security Planet HTML Virtual Dr. Text

Demo: Improving Project Management with IBM Rational Software Configuration Management Tools

New Tools May Beat Rootkits
June 7, 2005
By Brian Livingston

I wrote in this space last week that IceSword, a new antivirus tool by a Chinese security research group, had gained the respect of even some hackers.

Specifically, I quoted the author of Hacker Defender, a so-called rootkit program, who said on his site, "One of my priorities this summer [will be] to beat IceSword." He called it "such a nice tool, [a] real challenge."

IceSword became available only last month as a free download from Xfocus.net, a computer security site in China. Unfortunately for my English-speaking readers, the site is written entirely in Chinese, and IceSword comes only in a Chinese version. The group's English-language site, Xfocus.org, says nothing about IceSword as of yet.

I believe we'll be hearing more about this tool in the months to come, however. More and more virus authors are writing rootkits, which can successfully hide from typical antivirus scans. So the need for antirootkit programs such as IceSword will only grow.

The State Of Rootkit Detection

To learn more about IceSword, I spoke with Drew Copley, a senior research engineer for eEye Digital Security in Aliso Viejo, Calif., south of Los Angeles. Copley is not only familiar with the Chinese group's work, he'll be a speaker at the XCON conference in Beijing, China, which is being sponsored by Xfocus on August 18 through 20.

"Xfocus is a cutting-edge security group, similar to the CCC [Chaos Computer Club] of Germany," Copley says. "At this time, I do believe Xfocus is a leader among all of the groups, and this is why I am honored to be speaking there."

Regarding IceSword, Copley says because of its newness the program is little-known by security researchers in the U.S. Based on what he's discovered so far, the techniques IceSword uses may be novel but they can eventually be copied by rootkit authors to make their rogue programs invisible once again, Copley indicates.

"Now that they know how IceSword works, they could do that," he says. "It's always a case of who gets there first."

The Race To Add Antirootkit Code

"There," in this case, is a Windows API [application programming interface] that IceSword hooks into when it runs. If IceSword hooks this API first, rootkits can't hide from it. Unfortunately, rootkit authors could start hooking this API when their spyware is initially installed. This means the rootkits would "get there first" and frustrate diagnostic tools such as IceSword.

Security researchers around the world, however, are rapidly creating defenses. Some programs can already detect rootkits such as Hacker Defender and Morphine, a related program. Morphine is an encryption routine developed by Hacker Defender's author. It cloaks viruses so they don't match any signatures currently used by antivirus programs.

eEye's own Blink vulnerability prevention program, Copley says, can detect the current version of the rootkit "because Hacker Defender injects itself into every process and uses some exploit techniques common to malware."

A new version of Blink will have "a generic detection mechanism for any file that is using Morphine as a file-obscuring shell," he said. "I know that Kaspersky handles Morphine successfully, too." Kaspersky Lab is a respected antivirus firm based in Moscow, Russia.

Virus authors increasingly include code that hunts for "antivirus signatures." This allow them to disable or evade specific antivirus software that a PC may be running.

As a result, Copley says, antivirus programs must add cloaking mechanisms of their own to hide from viruses. "Something like polymorphism could be good," he suggested. A polymorphic program encrypts itself differently every time it's installed, thereby avoiding detection by signature scans.

A Well-Built Program That's Hard To Grok

Another security researcher, who asked that neither he nor his company be identified by name, said the copy of IceSword he's examined is designed carefully to avoid giving up its secrets too easily.

"It has a lot of techniques built in to prevent you from reverse engineering it," this researcher says.

"IceSword is more of an advanced tool," he continues. "It doesn't have a button you can click to detect rootkits. You have to read through the [PC's] files yourself.

"The program's really well built, but the documentation's all in Chinese," he notes. Researchers in the U.S. are using machine translations to get a rough idea of how the program works until native Chinese speakers in the West can give IceSword a thorough technical examination.

The program sports a user interface similar to a file explorer. The difference is that IceSword shows files and running processes that are invisible to ordinary file-handling programs. In that respect, "It looks fairly similar to F-Secure Blacklight and Rootkit Revealer," this researcher says. Both of those programs attempt to detect rootkits that may already be silently running on a PC.

White Hats Love It, Hackers Hate It

Whatever the good guys think of IceSword, we know how the developer of at least one rootkit feels about it. Hacker Defender's author, who uses the handle "holy_father," said in a June 3 posting reacting to my column on IceSword, "It is [a] great challenge to crack it," adding, "I've never seen [a] better tool."

That's enough of an endorsement for people like me to hope that IceSword comes out in an English-language version as soon as possible.

The Chinese version of IceSword, which is downloadable in a compressed RAR format for those interested in trying it, is at Xfocus.net/tools/200505/1032.html.