Rootkits Are Top Of Mind, Bottom Of Pile, Only They Really Aren’t

Dave G. | June 3rd, 2008 | Filed Under: Industry Punditry

Reading various media outlets and blogs recently, it seems that we are losing the war on rootkits. Why do I say that? First of all, for those of you who utilize or manage x86 based systems, security researchers are going to be presenting on rootkits that take advantage of System Management Mode. Cisco guy, don’t feel ignored, cause rootkits are a-comin’ your way too. Core is going to presenting on Cisco rootkits at Blackhat. Of course, attackers breaking into your network and installing rootkits on your Cisco’s would be terrible, but why would they bother when they can just sell you some heavily discounted pre-pwned Cisco gear.

Good news though, AV-Tests.org has just concluded that a small percentage of the tools out there catch most of the existing rootkits and were even able to remove them! From the conclusions section:

Tests of the active rootkit detection and cleaning features of anti-malware products are rather time consuming and require a lot of resources to perform. However, programmers and testers should dedicate more attention to these features, as most AV tools still perform poorly in this area. Without proper anti-rootkit features a protection program may give the user the wrong impression about the status of his PC.

To try and shed some light on this, Matasano convened a Blanel Of Experts, who for no reason what-so-ever I will call:

Misanthropic Researcher A well-known security researcher who knows a thing or two about rootkits. Why You Care: He has written rootkits. Nuff Said. Favorite Email Client: DEBUG.EXE
The Pundit Ex Analyst Gone Indie with a technical bend.
Why You Care: Has heard it all and seen it all. Possibly has said it all.
Lethally Trained In: Sniffing out BS.
Enterprise Security Drill Sergeant
In the trenches at an F1000.
Why You Care: Unlike our first two participants, he actually has to deal with this crap.
Most Comforting Sound: Machine gun fire.
Should we invest time into rootkit detection?
As a pundit who’s also on the research side, I always think investing time into advancing a technology is good. Just because we’re facing a losing battle against a sophisticated attacker is no reason to give up, since most attackers are far from sophisticated. For every genius criminal mastermind, there are hundreds of bumbling idiots leaving their truck bumpers (with license plate) chained to the ATM machine they tried to haul off. Now that’s the research answer, and I think we clearly need to continue to advance rootkit detection. The truth is this should be included in our AV suites, and customers shouldn’t be paying more for every new category of malware.

On the user side, unless you are one of the lucky few to have rootkit detection included in your existing endpoint security suite for free (with good performance), it’s something that should only be used tactically. When you have reasonable suspicion something is going on, through network security monitoring or some other anomalous behavior, the cash and performance cost of rootkit detection probably isn’t worth it. You might consider it more for exposed or high value systems, but even there you want to do a bunch of testing first. In other words, it’s more an incident response, investigative, and cleanup tool (when you can’t just nuke the system from orbit, which is the safest option). Eventually this functionality will be a standard part of our anti-malware (AV) tools, and probably perform about the same. Which means it will miss the hard stuff, catch the easy stuff, and probably cost too much for the value provided. But anti-malware still provides enough marginal value that we can’t just dump it.
Yes. If you can’t detect them, how do you know they are there?
Of course we should spend time and money in rootkit detection. There will always be attacks that you can’t or don’t prevent and it is still useful to detect the traces of the whatever rootkit that the attacker installs. Refusing to spend effort to detect rootkits and relying solely on prevention is naive. Both are complicated and difficult problems, but you get better traction having a variety of efforts on both ends.

However, we shouldn’t go trying to detect malware hiding in every possible nook and cranny. It is much better to detect their effects because no matter how stealthy the rootkit abuses SMM, hardware-assisted virtualization, or operating system drivers, it still has to actually *do* something and that may be detectable. An anomaly in process CPU usage accounting, file system usage, or network traffic may give it away.
Should researchers continue to explore where they can hide themselves?
They should, if that research is used to directly drive product hardening or detection/protection/cleaning features in a security tool. Just finding problems really isn’t good enough anymore, that research and those results should drive improvements. And just finding some new, cool way to hide, publicizing it to show how smart you are, and not working with the vendor or tools vendors to detect or prevent it isn’t really contributing positively. And yes, I think we have a responsibility to not just identify problems, but identify fixes. As a pundit/analyst I know all about pooping on other people’s work, and the importance of making that work better after you wipe the brown stuff off.
Absolutely. It isn’t an arms race if only one participant is running!

You will not stop people from attempting to write better rootkits, and there will always be people working to better detect them. It is to my advantage that this happens “in the open” so I can benefit from all the hard work and competitive spirit of both sides.
Yes and especially when it proves that existing tools, techniques, and products are insufficient. Someone needs to challenge product vendors to do better and make sure that everyone learns from past mistakes (i.e. relying on signature-based anti-virus for so long).
Will either make things better?
Not really, but neither does anything else. We’re all dead in the end anyway (except me, I’m going the freeze-dry route). I mean how are you defining “better”. In eternal battles incremental victories are all we can hope for. There’s been crime and bad guys since long before any of us were around, and we sure as heck won’t be the ones putting them out of business. It’s about risk reduction. Yes, you’re totally pwned once someone can get a rootkit on your system, but you can at least minimize that damage under certain circumstances.

But the truth is we should take a step back, look at the problem, and try and come up with solutions that fix the root cause. Rootkits aren’t the problem- exploitation of the systems is. Viruses, spyware, remote hacking, none of those are the real problems, they are just the vector. I’d rather see more investment in anti-exploitation technologies than rootkit detection, not that the two are mutually exclusive. It’s a matter of prioritizing the research, not dropping one for the other.
Both combined will make things better. As time goes on, effectively hiding long-term access tools on systems will become more time consuming and less of a “sure thing”. This is excellent. Long-term access to high-value information processing systems has more value than just a snapshot of the data. This added value attracts a more dangerous type of “threat actor”.

My strongest defense is to make attacking my information assets riskier and more expensive for The Bad Guys. An ongoing arms race will continue to make rootkits more complicated and less survivable. This effectively reduces the risk adjusted rate of return an attacker gains from them.
The rootkit research attack/defense cycle results in much less collateral damage when it is between researchers and defense product architects rather than simply malware authors and product vendors. The improved products that stop researcher’s techniques also often make malware author’s job more difficult. You need both sides working together on the problem, otherwise it is just vendors shadow boxing with “the malware threat” that is only the malware that is detected by current techniques.
Sweet, I can add myself to this anytime I want. Wish I had done that earlier. Well, allow me to wrap this up. Rootkit detection is a last-ditch strategy, after many other components failed you. It also appears to have a somewhat low success rate. What we should really be doing is focusing more on prevention. It’s simply too late when you are looking around for rootkits (especially if your software can’t find them or delete them).

You are already screwed when someone installed it on your machine. Especially, when the attacker is in a position to leverage SMM or install a malicious hypervisor. It’s pretty much game over the second someone compromised your user account. You know the account with privileges to access all of your stuff.

Oh. If you were wondering who was on the blanel, some of the images are clickable.

Viewing 7 Comments

Trackbacks

close Reblog this comment
Powered by Disqus · Learn more
blog comments powered by Disqus