I wrote in this space last week that IceSword, a new antivirus tool by a Chinese security research group, had gained the respect of even some hackers.
Specifically, I quoted the author of Hacker Defender, a so-called rootkit
program, who said on his site,
“One of my priorities this summer [will be] to beat IceSword.” He called it
“such a nice tool, [a] real challenge.”
IceSword became available only last month as a free download from Xfocus.net, a
computer security site in China. Unfortunately for my English-speaking readers,
the site is written entirely in Chinese, and IceSword comes only in a Chinese
version. The group’s English-language site, Xfocus.org, says nothing about
IceSword as of yet.
I believe we’ll be hearing more about this tool in the months to come, however.
More and more virus authors are writing rootkits, which can successfully hide
from typical antivirus scans. So the need for antirootkit programs such as
IceSword will only grow.
The State Of Rootkit Detection
To learn more about IceSword, I spoke with Drew Copley, a senior research engineer for eEye Digital Security in Aliso Viejo, Calif., south of Los Angeles. Copley is not
only familiar with the Chinese group’s work, he’ll be a speaker at the XCON
conference in Beijing, China, which is being sponsored by Xfocus on August 18
through 20.
“Xfocus is a cutting-edge security group, similar to the CCC [Chaos Computer
Club] of Germany,” Copley says. “At this time, I do believe Xfocus is a leader
among all of the groups, and this is why I am honored to be speaking there.”
Regarding IceSword, Copley says that because the program is so new, it is little known among security researchers in the U.S. Based on what he’s discovered so far, the techniques IceSword uses may be novel, but rootkit authors could eventually copy them to make their rogue programs invisible once again, Copley indicates.
“Now that they know how IceSword works, they could do that,” he says. “It’s
always a case of who gets there first.”
The Race To Add Antirootkit Code
“There,” in this case, is a Windows API [application programming interface] that
IceSword hooks into when it runs. If IceSword hooks this API first, rootkits
can’t hide from it. Unfortunately, rootkit authors could start hooking this API
when their spyware is initially installed. This means the rootkits would “get
there first” and frustrate diagnostic tools such as IceSword.
Security researchers around the world, however, are rapidly creating defenses.
Some programs can already detect rootkits such as Hacker Defender and Morphine,
a related program. Morphine is an encryption routine developed by Hacker
Defender’s author. It cloaks viruses so they don’t match any signatures
currently used by antivirus programs.
eEye’s own Blink vulnerability prevention program, Copley says, can detect the current version of
the rootkit “because Hacker Defender injects itself into every process and uses
some exploit techniques common to malware.”
A new version of Blink will have “a generic detection mechanism for any file
that is using Morphine as a file-obscuring shell,” he said. “I know that
Kaspersky handles Morphine successfully, too.” Kaspersky Lab is a respected antivirus firm
based in Moscow, Russia.
Virus authors increasingly include code that hunts for “antivirus signatures.” This allows them to disable or evade specific antivirus software that a PC may be running.
As a result, Copley says, antivirus programs must add cloaking mechanisms of
their own to hide from viruses. “Something like polymorphism could be good,” he
suggested. A polymorphic program encrypts itself differently every time it’s
installed, thereby avoiding detection by signature scans.
A Well-Built Program That’s Hard To Grok
Another security researcher, who asked that neither he nor his company be
identified by name, said the copy of IceSword he’s examined is designed
carefully to avoid giving up its secrets too easily.
“It has a lot of techniques built in to prevent you from reverse engineering
it,” this researcher says.
“IceSword is more of an advanced tool,” he continues. “It doesn’t have a button
you can click to detect rootkits. You have to read through the [PC’s] files
yourself.
“The program’s really well built, but the documentation’s all in Chinese,” he
notes. Researchers in the U.S. are using machine translations to get a rough
idea of how the program works until native Chinese speakers in the West can give
IceSword a thorough technical examination.
The program sports a user interface similar to a file explorer. The difference
is that IceSword shows files and running processes that are invisible to
ordinary file-handling programs. In that respect, “It looks fairly similar to F-Secure Blacklight and Rootkit Revealer,” this researcher says. Both of those programs attempt to detect
rootkits that may already be silently running on a PC.
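As an added example (not code from this column, from IceSword’s authors, or from either of the products named), here is the cross-view comparison such detectors rely on, simulated in Python: an ordinary process-listing API that a rootkit has hooked is compared against a low-level read of the same data. The process names, PIDs and the rootkit’s hide-list are all constructed; no Windows API is called.

```python
# Simulated cross-view detection of a hidden process.
# Everything below is constructed for the example: no Windows API is called,
# and the process names and the rootkit's hide-list are made up.

# Constructed ground truth: what the kernel really has running at two instants.
RAW_BEFORE = {4: "System", 620: "explorer.exe", 1412: "hxdef100.exe", 1500: "notepad.exe"}
RAW_AFTER = {4: "System", 620: "explorer.exe", 1412: "hxdef100.exe", 1600: "calc.exe"}

# Constructed hide-list: names the simulated rootkit strips from the API it hooks.
HIDE_LIST = {"hxdef100.exe"}


def hooked_enum(raw, hide_list):
    """What the ordinary (hooked) process-listing API reports to callers."""
    return {pid: name for pid, name in raw.items() if name not in hide_list}


def cross_view_diff(high_views, low_view):
    """Return entries the low-level view contains but no high-level snapshot did.

    Bracketing the low-level read with a high-level snapshot before and after
    keeps processes that merely started or exited mid-scan from being flagged.
    """
    seen_by_api = set()
    for view in high_views:
        seen_by_api.update(view.items())
    return {pid: name for pid, name in low_view.items() if (pid, name) not in seen_by_api}


def scan(raw_before, raw_after, hide_list):
    """One simulated scan: API snapshot, raw read, API snapshot, then compare."""
    high_first = hooked_enum(raw_before, hide_list)
    low = dict(raw_before)          # low-level read bypasses the hooked API
    high_second = hooked_enum(raw_after, hide_list)
    return cross_view_diff([high_first, high_second], low)


def demo_scan():
    """Run the scan on the constructed data; only the hidden process is flagged."""
    return scan(RAW_BEFORE, RAW_AFTER, HIDE_LIST)


if __name__ == "__main__":
    for pid, name in demo_scan().items():
        print(f"hidden from the process API: pid {pid} ({name})")
```

The transient notepad.exe and calc.exe entries are not reported, which is the false-positive case a practitioner must handle before trusting a cross-view discrepancy.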
White Hats Love It, Hackers Hate It
Whatever the good guys think of IceSword, we know how the developer of at least
one rootkit feels about it. Hacker Defender’s author, who uses the handle
“holy_father,” said in a June 3 posting reacting to my column on IceSword, “It
is [a] great challenge to crack it,” adding, “I’ve never seen [a] better tool.”
That’s enough of an endorsement for people like me to hope that IceSword comes
out in an English-language version as soon as possible.
The Chinese version of IceSword, which is downloadable in a compressed RAR
format for those interested in trying it, is at
Xfocus.net/tools/200505/1032.html.