New Tools May Beat Rootkits

I wrote in this space
last week that IceSword, a new antivirus tool by a Chinese security research
group, had gained the respect of even some hackers.

Specifically, I quoted the author of Hacker Defender, a so-called rootkit
program, who said on his site,
“One of my priorities this summer [will be] to beat IceSword.” He called it
“such a nice tool, [a] real challenge.”

IceSword became available only last month as a free download from Xfocus.net, a
computer security site in China. Unfortunately for my English-speaking readers,
the site is written entirely in Chinese, and IceSword comes only in a Chinese
version. The group’s English-language site, Xfocus.org, says nothing about
IceSword as of yet.

I believe we’ll be hearing more about this tool in the months to come, however.
More and more virus authors are writing rootkits, which can successfully hide
from typical antivirus scans. So the need for antirootkit programs such as
IceSword will only grow.

The State Of Rootkit Detection

To learn more about IceSword, I spoke with Drew Copley, a senior research
engineer for eEye
Digital Security in Aliso Viejo, Calif., south of Los Angeles. Copley is not
only familiar with the Chinese group’s work, he’ll be a speaker at the XCON
conference in Beijing, China, which is being sponsored by Xfocus on August 18
through 20.

“Xfocus is a cutting-edge security group, similar to the CCC [Chaos Computer
Club] of Germany,” Copley says. “At this time, I do believe Xfocus is a leader
among all of the groups, and this is why I am honored to be speaking there.”

Regarding IceSword, Copley says because of its newness the program is
little-known by security researchers in the U.S. Based on what he’s discovered
so far, the techniques IceSword uses may be novel but they can eventually be
copied by rootkit authors to make their rogue programs invisible once again,
Copley indicates.

“Now that they know how IceSword works, they could do that,” he says. “It’s
always a case of who gets there first.”

The Race To Add Antirootkit Code

“There,” in this case, is a Windows API [application programming interface] that
IceSword hooks into when it runs. If IceSword hooks this API first, rootkits
can’t hide from it. Unfortunately, rootkit authors could start hooking this API
when their spyware is initially installed. This means the rootkits would “get
there first” and frustrate diagnostic tools such as IceSword.

Security researchers around the world, however, are rapidly creating defenses.
Some programs can already detect rootkits such as Hacker Defender and Morphine,
a related program. Morphine is an encryption routine developed by Hacker
Defender’s author. It cloaks viruses so they don’t match any signatures
currently used by antivirus programs.

eEye’s own Blink
vulnerability prevention program, Copley says, can detect the current version of
the rootkit “because Hacker Defender injects itself into every process and uses
some exploit techniques common to malware.”

A new version of Blink will have “a generic detection mechanism for any file
that is using Morphine as a file-obscuring shell,” he said. “I know that
Kaspersky handles Morphine successfully, too.” Kaspersky Lab is a respected antivirus firm
based in Moscow, Russia.

Virus authors increasingly include code that hunts for “antivirus signatures.”
This allow them to disable or evade specific antivirus software that a PC may be
running.

As a result, Copley says, antivirus programs must add cloaking mechanisms of
their own to hide from viruses. “Something like polymorphism could be good,” he
suggested. A polymorphic program encrypts itself differently every time it’s
installed, thereby avoiding detection by signature scans.

A Well-Built Program That’s Hard To Grok

Another security researcher, who asked that neither he nor his company be
identified by name, said the copy of IceSword he’s examined is designed
carefully to avoid giving up its secrets too easily.

“It has a lot of techniques built in to prevent you from reverse engineering
it,” this researcher says.

“IceSword is more of an advanced tool,” he continues. “It doesn’t have a button
you can click to detect rootkits. You have to read through the [PC’s] files
yourself.

“The program’s really well built, but the documentation’s all in Chinese,” he
notes. Researchers in the U.S. are using machine translations to get a rough
idea of how the program works until native Chinese speakers in the West can give
IceSword a thorough technical examination.

The program sports a user interface similar to a file explorer. The difference
is that IceSword shows files and running processes that are invisible to
ordinary file-handling programs. In that respect, “It looks fairly similar to
F-Secure
Blacklight and Rootkit
Revealer,” this researcher says. Both of those programs attempt to detect
rootkits that may already be silently running on a PC.

White Hats Love It, Hackers Hate It

Whatever the good guys think of IceSword, we know how the developer of at least
one rootkit feels about it. Hacker Defender’s author, who uses the handle
“holy_father,” said in a June 3 posting reacting to my column on IceSword, “It
is [a] great challenge to crack it,” adding, “I’ve never seen [a] better tool.”

That’s enough of an endorsement for people like me to hope that IceSword comes
out in an English-language version as soon as possible.

The Chinese version of IceSword, which is downloadable in a compressed RAR
format for those interested in trying it, is at

Xfocus.net/tools/200505/1032.html.

RELATED NEWS AND ANALYSIS

• Ethics and Artificial Intelligence: Driving Greater Equality

  FEATURE |  By James Maguire,
  December 16, 2020

• AI vs. Machine Learning vs. Deep Learning

  FEATURE |  By Cynthia Harvey,
  December 11, 2020

• Huawei’s AI Update: Things Are Moving Faster Than We Think

  FEATURE |  By Rob Enderle,
  December 04, 2020

• Keeping Machine Learning Algorithms Honest in the ‘Ethics-First’ Era

  ARTIFICIAL INTELLIGENCE |  By Guest Author,
  November 18, 2020

• Key Trends in Chatbots and RPA

  FEATURE |  By Guest Author,
  November 10, 2020

• Top 10 AIOps Companies

  FEATURE |  By Samuel Greengard,
  November 05, 2020

• What is Text Analysis?

  ARTIFICIAL INTELLIGENCE |  By Guest Author,
  November 02, 2020

• How Intel’s Work With Autonomous Cars Could Redefine General Purpose AI

  ARTIFICIAL INTELLIGENCE |  By Rob Enderle,
  October 29, 2020

• Dell Technologies World: Weaving Together Human And Machine Interaction For AI And Robotics

  ARTIFICIAL INTELLIGENCE |  By Rob Enderle,
  October 23, 2020

• The Super Moderator, or How IBM Project Debater Could Save Social Media

  FEATURE |  By Rob Enderle,
  October 16, 2020

• Top 10 Chatbot Platforms

  FEATURE |  By Cynthia Harvey,
  October 07, 2020

• Finding a Career Path in AI

  ARTIFICIAL INTELLIGENCE |  By Guest Author,
  October 05, 2020

• CIOs Discuss the Promise of AI and Data Science

  FEATURE |  By Guest Author,
  September 25, 2020

• Microsoft Is Building An AI Product That Could Predict The Future

  FEATURE |  By Rob Enderle,
  September 25, 2020

• Top 10 Machine Learning Companies 2021

  FEATURE |  By Cynthia Harvey,
  September 22, 2020

• NVIDIA and ARM: Massively Changing The AI Landscape

  ARTIFICIAL INTELLIGENCE |  By Rob Enderle,
  September 18, 2020

• Continuous Intelligence: Expert Discussion [Video and Podcast]

  ARTIFICIAL INTELLIGENCE |  By James Maguire,
  September 14, 2020

• Artificial Intelligence: Governance and Ethics [Video]

  ARTIFICIAL INTELLIGENCE |  By James Maguire,
  September 13, 2020

• IBM Watson At The US Open: Showcasing The Power Of A Mature Enterprise-Class AI

  FEATURE |  By Rob Enderle,
  September 11, 2020

• Artificial Intelligence: Perception vs. Reality

  FEATURE |  By James Maguire,
  September 09, 2020