New Tools May Beat Rootkits

With more and more virus authors writing rootkits, which can successfully hide from typical antivirus scans, the need for antirootkit programs such as IceSword will only grow.
I wrote in this space last week that IceSword, a new antivirus tool by a Chinese security research group, had gained the respect of even some hackers.

Specifically, I quoted the author of Hacker Defender, a so-called rootkit program, who said on his site, "One of my priorities this summer [will be] to beat IceSword." He called it "such a nice tool, [a] real challenge."

IceSword became available only last month as a free download from, a computer security site in China. Unfortunately for my English-speaking readers, the site is written entirely in Chinese, and IceSword comes only in a Chinese version. The group's English-language site,, says nothing about IceSword as of yet.

I believe we'll be hearing more about this tool in the months to come, however. More and more virus authors are writing rootkits, which can successfully hide from typical antivirus scans. So the need for antirootkit programs such as IceSword will only grow.

The State Of Rootkit Detection

To learn more about IceSword, I spoke with Drew Copley, a senior research engineer for eEye Digital Security in Aliso Viejo, Calif., south of Los Angeles. Copley is not only familiar with the Chinese group's work, he'll be a speaker at the XCON conference in Beijing, China, which is being sponsored by Xfocus on August 18 through 20.

"Xfocus is a cutting-edge security group, similar to the CCC [Chaos Computer Club] of Germany," Copley says. "At this time, I do believe Xfocus is a leader among all of the groups, and this is why I am honored to be speaking there."

Regarding IceSword, Copley says because of its newness the program is little-known by security researchers in the U.S. Based on what he's discovered so far, the techniques IceSword uses may be novel but they can eventually be copied by rootkit authors to make their rogue programs invisible once again, Copley indicates.

"Now that they know how IceSword works, they could do that," he says. "It's always a case of who gets there first."

The Race To Add Antirootkit Code

"There," in this case, is a Windows API [application programming interface] that IceSword hooks into when it runs. If IceSword hooks this API first, rootkits can't hide from it. Unfortunately, rootkit authors could start hooking this API when their spyware is initially installed. This means the rootkits would "get there first" and frustrate diagnostic tools such as IceSword.

Security researchers around the world, however, are rapidly creating defenses. Some programs can already detect rootkits such as Hacker Defender and Morphine, a related program. Morphine is an encryption routine developed by Hacker Defender's author. It cloaks viruses so they don't match any signatures currently used by antivirus programs.

eEye's own Blink vulnerability prevention program, Copley says, can detect the current version of the rootkit "because Hacker Defender injects itself into every process and uses some exploit techniques common to malware."

A new version of Blink will have "a generic detection mechanism for any file that is using Morphine as a file-obscuring shell," he said. "I know that Kaspersky handles Morphine successfully, too." Kaspersky Lab is a respected antivirus firm based in Moscow, Russia.

Virus authors increasingly include code that hunts for "antivirus signatures." This allow them to disable or evade specific antivirus software that a PC may be running.

As a result, Copley says, antivirus programs must add cloaking mechanisms of their own to hide from viruses. "Something like polymorphism could be good," he suggested. A polymorphic program encrypts itself differently every time it's installed, thereby avoiding detection by signature scans.

A Well-Built Program That's Hard To Grok

Another security researcher, who asked that neither he nor his company be identified by name, said the copy of IceSword he's examined is designed carefully to avoid giving up its secrets too easily.

"It has a lot of techniques built in to prevent you from reverse engineering it," this researcher says.

"IceSword is more of an advanced tool," he continues. "It doesn't have a button you can click to detect rootkits. You have to read through the [PC's] files yourself.

"The program's really well built, but the documentation's all in Chinese," he notes. Researchers in the U.S. are using machine translations to get a rough idea of how the program works until native Chinese speakers in the West can give IceSword a thorough technical examination.

The program sports a user interface similar to a file explorer. The difference is that IceSword shows files and running processes that are invisible to ordinary file-handling programs. In that respect, "It looks fairly similar to F-Secure Blacklight and Rootkit Revealer," this researcher says. Both of those programs attempt to detect rootkits that may already be silently running on a PC.

White Hats Love It, Hackers Hate It

Whatever the good guys think of IceSword, we know how the developer of at least one rootkit feels about it. Hacker Defender's author, who uses the handle "holy_father," said in a June 3 posting reacting to my column on IceSword, "It is [a] great challenge to crack it," adding, "I've never seen [a] better tool."

That's enough of an endorsement for people like me to hope that IceSword comes out in an English-language version as soon as possible.

The Chinese version of IceSword, which is downloadable in a compressed RAR format for those interested in trying it, is at

0 Comments (click to add your comment)
Comment and Contribute


(Maximum characters: 1200). You have characters left.