New Antivirus Tests Show Rootkits Hard to Kill 178
ancientribe writes "Security suites and online Web scanners detect only a little more than half of all rootkits, according to new tests conducted by independent test organization AV-Test.org. Many of today's products struggle to clean up the ones they find. AV-Test.org also found that a few big name AV scanners had serious problems finding and removing active rootkits, such as Microsoft Windows Live OneCare 1.6.2111.32 and McAfee VirusScan 2008 11.2.121."
In other news... (Score:5, Insightful)
Grass is green, sky is blue, Pope is Catholic, etc...
When people create these things... isn't the intent to make them hard to detect/kill?
What this article has highlighted, though, is that a thorough study on how those rootkits got installed in the first place (especially with regard to the level of user interaction required) combined with some basic education provided to end-users within the OS could go a long way. It's the whole ounce of prevention worth a pound of cure thing. Obviously the cure is not yet up to snuff... and potentially never will be.
Re:Interesting way of putting it (Score:5, Insightful)
AV's actually doing quite well (Score:5, Insightful)
If you read TFA it says that some products were actually able to detect, though not remove, as many as 29 out of the 30 rootkits tested once they were installed.
That's far higher than I would have expected. I thought the whole idea of a rootkit is that it modifies/hooks the kernel to make detection from userspace practically impossible, so either they're using poor/outdated rootkits or the antivirus makers are actually doing a pretty good job of detecting them (gasp).
Personally I run virus scans from a clean windows PE disk on any windows machine I suspect to be infected anyway; partly because some malware is very good at hiding itself from the OS once it's installed, partly because it makes removal much easier, but I wouldn't read these results as being bad for (some of) the antivirus makers concerned, as the summary seems to suggest.
Re:AV's actually doing quite well (Score:5, Insightful)
It's an arms race. Since a rootkit is making the appearance of reality disagree with physical fact, there's always some way to detect the deception: for example, hidden disk usage could be detected by writing data to fill the disk, and then seeing if the amount of data written is equal to the apparently-free disk space. The latest antivirus software will detect these discrepancies; the latest rootkits will patch over whatever techniques the antivirus software is using.
Re:Interesting way of putting it (Score:1, Insightful)
That doesn't help.
It should be written this way to clear up the two possible readings:
"AV-Test.org also found that a few big name AV scanners, such as Microsoft Windows Live OneCare 1.6.2111.32 and McAfee VirusScan 2008 11.2.121, had serious problems finding and removing active rootkits."
Re:Rootkits are hard to kill? (Score:2, Insightful)
All it takes is one bad/ignorant/rogue package manager, and the whole house of cards can come down.
Remember, the world "rootkit" comes from the *nix world, not the windows one.
Re:Interesting way of putting it (Score:3, Insightful)
Re:Killing rootkits. You're doing it wrong. (Score:5, Insightful)
Boot CD with live update? (Score:2, Insightful)
1) connects to the Internet
2) downloads the latest version of itself and verifies the download is authentic
3) scans the disk and cleans up malware
4) reports results to someplace that can be read later
Re:I don't even bother trying to clean them up. (Score:5, Insightful)
It would have to compare the checksum of every executable and every DLL on the system to known good examples to confirm they've not been infected (though to be honest I suspect most of them are just taking advantage of the labyrinthine mess that is Windows rather than going to all the hassle of infecting files).
It would have to confirm that every patch which has security implications has been installed (eg. there have been patches which deal with code which loads JPEGs - not much point in rebooting if the first thing that's going to happen is you get reinfected so that's got to be solved).
It would have to delete any application that isn't on a known-good list. So you need a "known-good" list covering every Windows application known to man, and you also need to account for those rare cases where you're dealing with a software developers machine and there are executables on there that aren't known to man.
And remember what I said earlier about "there have been vulnerabilities in code that reads JPEGs"? Well, that means you need to delete any JPEG which isn't known-good, And any other file for which similar vulnerabilities in decoding have been found. Or it's possible that the first thing that will happen on reboot is the user will email out this "kewl JPEG" to all their friends, forwarding the malicious payload in the process.
And you need to do all this without breaking anything in the process. Or else if you do, you might just as well have wiped and rebuilt the system.
Come on... this is so easy (Score:2, Insightful)
Re:Killing rootkits. You're doing it wrong. (Score:4, Insightful)
Run-timeLibraryOfGraphicsFunctionsForWord.DLL
Re:Bootable antivirus discs? (Score:3, Insightful)
no shit? (Score:3, Insightful)
Any half-competent root-kit will simply tell the scanner what it wants to hear via hooks into the O/S to trap any "diagnostics" that it may perform.
The trick is not not get infected in the first place - once your PC *is* infected, you're fucked. Do not pass go, do not collect $200. Reinstall time - nothing on your box can be trusted any more.
The sooner people "get" this, the better off they'll be.
Re:Killing rootkits. You're doing it wrong. (Score:3, Insightful)
On windows? Try "everywhere". Some other poorly-named libraries that come to mind are libm.so and libiberty.so (as cute as gcc -liberty may be, it is a useless name from a functional standpoint). Or if you consider any file, what about any of the 3-letter UNIX-style directory names?
I would want to shoot any developer that used the phrase "Run-time library" or similar in the name of a DLL file. Windows DLLs are run-time libaries by definition. So we're down to WordGraphicsFunctions.dll. Or, since "functions" is a silly name (especially if you end up putting classes in the DLL or macros in the related header files), how about WordGraphics{Util,Tools}.dll or just WordGraphics.dll?
Re:Fundamental difference in philosophy (Score:3, Insightful)
You're confusing "stupid" with "ignorant". An ignorant user will have to reinstall Word if he removes one of its DLLs. A stupid user will have to reinstall Word a second time when he removed the DLL after reinstallation.
The ignorant user will no longer be ignorant, and will think twice before removing said file.