07-29-2005, 07:21 PM
Administrator
Join Date: Apr 2004
Posts: 68
Shadow Walker
eWeek reports on a proof-of-concept that says the next generation of spyware/malware will be undetectable by current programs:
http://www.eweek.com/article2/0,1895,1841266,00.asp
Quote:
The proof-of-concept, dubbed Shadow Walker, is a modification of Butler's FU rootkit, a kernel-level program capable of hiding processes and elevating process privileges. The rootkit uses DKOM (Direct Kernel Object Manipulation) to fake out the Windows Event Viewer to make forensics virtually impossible and can also hide device drivers, Butler explained.
With Shadow Walker, Butler and Sparks explore the idea of memory subversion to hide the rootkit in memory with almost no performance impact.
"This is a prototype for a fourth generation of rootkits that would defeat the current rootkit detection technology," said Sparks, who is renowned for her work around offensive/defensive malicious code technologies.
Some existing rootkit defense technologies use behavior detection, integrity detection and signature-based detection to find the stealth programs. Others, like Microsoft Corp.'s Strider Ghostbuster, F-Secure Corp.'s BlackLight and Sysinternals Freeware's RootkitRevealer, search for registry and file system API discrepancies that may indicate the presence of a user-mode or kernel-mode rootkit.
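The last paragraph of the quoted article describes the "discrepancy" class of detectors (RootkitRevealer, BlackLight): enumerate the same objects through two independent paths and flag anything one path reports and the other omits. The example below, added here and not taken from the article, the post, or any of the tools named, shows that cross-view logic on constructed process listings, plus the caveat a practitioner runs into immediately: a process that exits between the two enumerations looks like a one-off discrepancy, so only findings that persist across several rounds are worth reporting. The Proc records, PIDs and names are all constructed sample data; this is the generation of detection the quote says Shadow Walker is designed to defeat, since a rootkit that subverts the memory view itself is not caught by comparing file or registry listings.

```python
"""Cross-view discrepancy check on process listings (constructed data).

Two views of the same process table are compared:
  - api_view: what a normal, high-level enumeration API reports
    (a DKOM-style rootkit that unlinks its process makes this view shorter)
  - raw_view: an independent, lower-level enumeration (e.g. probing PIDs
    one by one, or scanning for process structures)
Anything present in raw_view but missing from api_view is a candidate
hidden process. All sample values below are constructed for illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Proc:
    pid: int
    name: str


def cross_view_diff(api_view, raw_view):
    """Return PIDs seen only by the raw view ('hidden') and only by the
    API view ('phantom'). Both arguments are iterables of Proc."""
    api = {p.pid for p in api_view}
    raw = {p.pid for p in raw_view}
    return {"hidden": sorted(raw - api), "phantom": sorted(api - raw)}


def persistent_hidden(rounds):
    """rounds: list of (api_view, raw_view) pairs captured over time.

    A process that exits between the two enumerations of a single round
    shows up as a transient discrepancy. Only PIDs that are hidden in
    every round are reported, which removes that race condition."""
    hidden_sets = [set(cross_view_diff(a, r)["hidden"]) for a, r in rounds]
    if not hidden_sets:
        return []
    return sorted(set.intersection(*hidden_sets))


# Constructed sample processes (hypothetical PIDs and names).
SYSTEM = Proc(4, "System")
SERVICES = Proc(512, "services.exe")
EXPLORER = Proc(980, "explorer.exe")
HIDDEN = Proc(1337, "hidden.exe")       # unlinked from the API view
SHORTLIVED = Proc(2048, "conhost.exe")  # exited between the two snapshots

# Three rounds of (api_view, raw_view); conhost only appears in round one's
# raw view because it terminated before the API enumeration ran.
ROUNDS = [
    ([SYSTEM, SERVICES, EXPLORER],
     [SYSTEM, SERVICES, EXPLORER, HIDDEN, SHORTLIVED]),
    ([SYSTEM, SERVICES, EXPLORER],
     [SYSTEM, SERVICES, EXPLORER, HIDDEN]),
    ([SYSTEM, SERVICES, EXPLORER],
     [SYSTEM, SERVICES, EXPLORER, HIDDEN]),
]


if __name__ == "__main__":
    # Round one alone flags both 1337 and the short-lived 2048 ...
    print("single round:", cross_view_diff(*ROUNDS[0]))
    # ... but only 1337 survives the persistence filter.
    print("persistent:", persistent_hidden(ROUNDS))
```

The persistence filter trades a little latency for far fewer false positives; a detector that alerts on every single-round mismatch on a busy host is quickly ignored. The same structure applies to file, registry or driver listings, with the enumeration functions swapped for the appropriate pair of views.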