Computer users in the Western world had better adjust to the fact that excellent software is coming from China and will initially be available only in Chinese. That's the situation with IceSword, a program I wrote about on May 31 and June 7. IceSword is a remarkably effective tool against "rootkits," virus-type programs that can evade detection by ordinary antivirus products. IceSword is available only in a Chinese-language version. Using several search engines, I was able to find dozens of comments about the program in Chinese-language sites, but not a single mention in English.
The one exception was the site of Hacker Defender, a rootkit package that's sold in a basic version for 20 euros (about $25 USD) and "silver" and "gold" versions for up to 450 euros. The package's author, who calls himself "holy_father," has written on his site that currently the only antirootkit tool that can detect Hacker Defender (HxDef) is IceSword. He called it "such a nice tool, [a] real challenge," adding, "One of my priorities this summer [will be] to beat IceSword."
The author of IceSword is a Chinese programmer who goes by "pjf_" in online postings. I was finally able to track down pjf_ and interview him through an intermediary. (After discovering an e-mail address pjf_ once used in a discussion forum, I sent a message requesting his full name, but my communication went unanswered.)
The following interview was conducted for me in Chinese by Ming Jin, a researcher who works with eEye Digital Security, based in southern California. I had the responses translated into English by Zhen Wang, a professional translator in Beijing.
IceSword's Strengths and Weaknesses
Q: How could a rootkit bypass IceSword?
PJF_: For the newly released version 1.10, it's not
known that a rootkit can bypass IceSword. In theory, a
rootkit could bypass IceSword, but it has got to get
into IceSword's kernel. However, this is not easily done in a short period of coding/programming.
While programming IceSword, I thought of a way a rootkit
might bypass it and how to deal with this. However, for
IceSword's stability, I didn't add such functionality.
IceSword will be upgraded as new rootkits are released.
Actually, it is more reasonable that a rootkit could
break IceSword, not just bypass it. Yet, attempting to do so
could make a rootkit visible to IceSword. An easier
way would be to analyze IceSword completely, and cut
down its linking between the kernel and the user interface.
This could be done in a new version [of a rootkit].
Detecting Hacker Defender
Q: How does IceSword detect Hacker Defender? (By
enumerating services, and finding hidden ones, I
would guess.)
PJF_: Hacker Defender is a strong rootkit, and the Gold
and Silver Hacker Defender packages are more potent.
Many antirootkit programs, such as Rootkit Revealer and
BlackLight, can't detect Hacker Defender. (Such
statements can be found on the Web site of the
author of Hacker Defender.) I haven't got the Gold and Silver packages. But on the author's home page, it
is stated that Hacker Defender cannot evade IceSword. And IceSword is continually improving.
Regarding the public version of HxDef, IceSword can
detect all the hidden stuff, such as files, register
maps, processes, services, and so on. My
techniques can detect such a rootkit and quarantine and
clean it. In addition, a tool called Ishelp in
IceSword version 1.10 is also very helpful in detecting rootkits.
Comparing IceSword with Other Antirootkit Programs
Q: Is IceSword better than Rootkit Revealer or BlackLight?
PJF_: I think that the user is in a position to make such a judgment.
In my opinion and after many tests, IceSword looked more stable in many cases.
However, each software program has its own unique features and
strengths. Some rootkit writers have their own comments and they are in a
better position in making judgments.
Other Features of IceSword
Q: Does IceSword do anything else?
PJF_: IceSword also does a pretty good job of breaking the protection of a
potent rootkit over processes, files, and register maps. For example, if a
rootkit uses a filter driver to disable writing and deleting files,
IceSword can detect this and clean it up.
I've developed a new version, which has such features as a firewall,
file protection, and driver monitoring. Not all of this is written using
publicly documented Microsoft code. This version cannot be released before
it has been thoroughly tested on multiple platforms.
F-Secure Responds Regarding BlackLight
I asked F-Secure, the publisher of BlackLight, and SysInternals.com,
the publisher of Rootkit
Revealer, for their reaction to pjf_'s assertion that IceSword can detect
rootkits that their products cannot.
"We have heard of the IceSword tool and have no doubt that it is a capable
rootkit detector," says Mikael Albrecht, product manager for F-Secure, which is
headquartered in Helsinki, Finland.
"The question about what antirootkit tool is the best is
hard to answer. We agree with pjf_'s point that rootkit detectors are
different and are focused on different use cases and users. It is, in addition
to that, worth noting that the Windows rootkit scene is new and rapidly
developing.
"Rootkit detection is a cat-and-mouse game. Sometimes the rootkit
authors are ahead, sometimes the antirootkit authors. We can at the moment
detect all rootkit samples that we have access to, but that may change as soon
as a new, more advanced rootkit is published. We will naturally respond with
improved detection when that happens. There are still no signs that this race
will slow down. This makes it even harder to name the best antirootkit tool.
...
"Rootkit technology is not a big problem at the moment. The
number of affected systems is a small fraction compared to the number of
virus infections. We must, however, be prepared to handle virus outbreaks that
install rootkit technology in a large number of systems. It is important that
the security industry has got technology that is mature enough when it
happens. Every cycle with improved rootkits and antirootkit tools gives us
better ability to handle situations like that."
SysInternals.com did not respond to my
request for comment.
Conclusion
IceSword has a Windows Explorer-like interface but displays hidden processes and
resources that Windows Explorer would never show. It isn't a
"click-here-to-delete-rootkits" product but a sophisticated discovery tool that
can protect against sinister rootkits if used before they infect a machine.
IceSword's documentation is entirely in Chinese, but that wouldn't necessarily
stop dedicated IT administrators from downloading the software and trying it on
a test Windows PC. I encourage security professionals to look into this further
and let me know what you learn.
IceSword is downloadable from Xfocus.net, a Chinese security site, in compressed
RAR format at
Xfocus.net/tools/200505/1032.html.
Update as of 2005-11-15: An English-language version of the program is now available for download from the following Web page:
http://xfocus.net/tools/200509/1085.html