New Antivirus Tests Show Rootkits Hard to Kill

ancientribe writes "Security suites and online Web scanners detect only a little more than half of all rootkits, according to new tests conducted by independent test organization AV-Test.org. Many of today's products struggle to clean up the ones they find. AV-Test.org also found that a few big name AV scanners had serious problems finding and removing active rootkits, such as Microsoft Windows Live OneCare 1.6.2111.32 and McAfee VirusScan 2008 11.2.121."

Interesting way of putting it

I know that AV software can be fairly intrusive, to the point that it feels like it's taking over your box, but to call Microsoft Windows Live OneCare and McAfee VirusScan rootkits seems a bit strong.

Re:Interesting way of putting it

"removing active rootkits, such as Microsoft Windows Live OneCare 1.6.2111.32 and McAfee VirusScan 2008 11.2.121."

Perhaps you yourself need a lesson in reading and comprehension.

Re:Interesting way of putting it

In other news: half of jokes made on Slashdot are incorrectly interpreted as serious commentary.

Re:Interesting way of putting it

You ended that sentence with a "~". Why are you sarcastically advocating a new punctuation mark? ~

Re:Interesting way of putting it

I don't know about Onecare, but as someone who fixes Windows boxes all day I'd say McAfee is more like a virus. If you want an Av that is a rootkit,then you'd get Norton. I have never seen an AV bone more Windows installs than Norton,ever. And every time I would have to work on a box that was infected by Norton it would feel slower than the virus laden machines I was working on! I have wondered on more than one occasion if the Norton way of getting rid of viruses was to use up all the resources so the little buggers would starve to death.

But on a more serious note, I think these new super stealth rootkits are going to be the beginning of the end for the AV industry. IMHO we are going to have to end up with whitelisting at the OS level as the never ending tidal wave of viruses will simply become too hard for the AV industry to keep up with without overloading the systems with the constant scanning and updating. And in this day and age IMHO it is kind of silly that I can't simply make a list of the two dozen or so programs that I use and have them be the only things that are allowed to run. And with all the legacy systems out there running older MSFT OSes some company could make some good money with an easy to use system that lets a user specify the couple of dozen programs he uses and refuse to run the rest. Anyway that is my 02c,YMMV.

In other news...

Grass is green, sky is blue, Pope is Catholic, etc...

When people create these things... isn't the intent to make them hard to detect/kill?

What this article has highlighted, though, is that a thorough study on how those rootkits got installed in the first place (especially with regard to the level of user interaction required) combined with some basic education provided to end-users within the OS could go a long way. It's the whole ounce of prevention worth a pound of cure thing. Obviously the cure is not yet up to snuff... and potentially never will be.

I don't even bother trying to clean them up.

My nephew got something or other on his laptop. I made a desultory effort to clean it, but whatever crap was on there would kill the anti-spyware install routines within seconds. Fortunately I'd installed Ubuntu on another partition, and he was still able to do web and email and stuff, and I told him to back up the data he needs and I'll wipe it and start fresh.

I'm pretty sure it was trojaned game mods that got him instead of the usual porn sites. At least, if it was porn, he did a pretty good job hiding his tracks. :->

Re:I don't even bother trying to clean them up.

Don't they have virus scanners you can run from CDs?

Let's assume you wanted to write the perfect AV which was able to work from a CD with guaranteed 100% success rate. Once complete, you can be sure that the computer can be rebooted and will neither be affected by a piece of malware, nor will the user inadvertently spread dormant malware.

It would have to compare the checksum of every executable and every DLL on the system to known good examples to confirm they've not been infected (though to be honest I suspect most of them are just taking advantage of the labyrinthine mess that is Windows rather than going to all the hassle of infecting files).

It would have to confirm that every patch which has security implications has been installed (eg. there have been patches which deal with code which loads JPEGs - not much point in rebooting if the first thing that's going to happen is you get reinfected so that's got to be solved).

It would have to delete any application that isn't on a known-good list. So you need a "known-good" list covering every Windows application known to man, and you also need to account for those rare cases where you're dealing with a software developers machine and there are executables on there that aren't known to man.

And remember what I said earlier about "there have been vulnerabilities in code that reads JPEGs"? Well, that means you need to delete any JPEG which isn't known-good, And any other file for which similar vulnerabilities in decoding have been found. Or it's possible that the first thing that will happen on reboot is the user will email out this "kewl JPEG" to all their friends, forwarding the malicious payload in the process.

And you need to do all this without breaking anything in the process. Or else if you do, you might just as well have wiped and rebuilt the system.

Re:I don't even bother trying to clean them up.

What you described sounds similar to how signature/definition-based scanners work. I'm sure a lot of scanners make bootable versions - I know that older versions of McAfee came with a boot floppy.

Not really.

Signature-based scanners are a glorified form of grep. They look through every file looking for a string of bytes which is reasonably unique to a virus. It's not possible to have a computer know in advance with 100% certainty whether executing a particular block of code is dangerous - the best you can do is say "this is probably dangerous", so realistically your options are:

1. Look for things which are known to be bad, delete any we find. Well, 20 years of antivirus should have taught us by now that this is a crappy solution.
2. Look for things which are known to be good. Anything which isn't known to be good we delete. This is essentially what I described originally.

The minor issue with this (and indeed with what I described) is that writing a general-purpose application which does this without leaving the system broken beyond real use (who's going to put up with an AV product which deletes every data file they've got because there have been known vulnerabilities in programs which read those files?) is impossible.

However, they do say an ounce of prevention is worth a pound of cure, and nowhere in IT is it more true than here. Don't allow users to run as admin, filter email for anything even remotely suspicious, configure your desktop PCs to automatically update, run antivirus on your fileserver to slow down the spread of anything, get proper configurable desktop AV software - preferably configurable such that end users can't easily mess with the configuration - and set it up to scan everything on access.

And while we're at it, abandon any email scanner which filters dodgy attachments on the basis of their file extension. The first virus which comes with text saying "Rename to .exe and run" will sail straight through.

This sounds like a lot of work, but I've been in the middle of dealing with virus outbreaks before. Once configured, 99.5% of my suggestions can be just left to their own devices and it's a lot less hassle than dealing with a virus outbreak.

Killing rootkits. You're doing it wrong.

Every time this subject comes up, I say the same thing.

The problem with finding and removing rootkits (and other forms of malware) is that the vendor of the OS does not provide any means of identifying what the LEGITIMATE files are.

With Ubuntu, I can boot from a LiveCD and check any file on my hard drive. What package does it belong to? Does it have the correct checksums?

Anything that cannot be identified can be moved to a different drive. A drive without run permissions.

Problem solved.

Re:Killing rootkits. You're doing it wrong.

One of the things I hate about Microsoft software (indeed, almost all software thet runs in Windows) is non-descriptive file names. Back in the DOS days XR2732A.DLL might have made sense, but wouldn't "Run-time library of graphics functions for Word.DLL make a whole lot more sense? If in fact you had removed Word (or some game or whatever) you would know that you could delete the file with impunity.

What a title!

from the article:

Dan Kaminsky, Director - Penetration Testing

If you think that's bad

Try working in an area of the building labeled "Mail Insertion" (for stuffing envelopes.) It doesn't come off too well when you tell someone you work over in mail insertion, no matter how you try to emphasize the 'i' in mail.

Re:What a title!

I hear it's a temporary title, as he changes positions often.

I wonder if promotion to the position came with a raise.

I heard he reports to the VP for Internal Affairs.

His responsibilities include data massage, internal handling of customers, and staff management.

I could do this all day...

Re:What a title!

Please, go on.

Since you insist...
Performance review:

His performance metrics primarily include duration of uptime and average time need to recover from downtime. He has expanded the scope of his role to fill the requirements.

He is able to handle repetitive tasks well.
He does not think outside the box.
He is good at getting his workgroup to multitask.
His staff responds well to stress.
Work/life balance may be an issue -- he always makes his work come first.

I think that's enough for now :)

Re:What a title!

I could do this all day...

now you're just bragging

Since your ID is 'witherstaff' I think I understand the source of your envy.

AV's actually doing quite well

If you read TFA it says that some products were actually able to detect, though not remove, as many as 29 out of the 30 rootkits tested once they were installed.

That's far higher than I would have expected. I thought the whole idea of a rootkit is that it modifies/hooks the kernel to make detection from userspace practically impossible, so either they're using poor/outdated rootkits or the antivirus makers are actually doing a pretty good job of detecting them (gasp).

Personally I run virus scans from a clean windows PE disk on any windows machine I suspect to be infected anyway; partly because some malware is very good at hiding itself from the OS once it's installed, partly because it makes removal much easier, but I wouldn't read these results as being bad for (some of) the antivirus makers concerned, as the summary seems to suggest.

Re:AV's actually doing quite well

That's far higher than I would have expected. I thought the whole idea of a rootkit is that it modifies/hooks the kernel to make detection from userspace practically impossible, so either they're using poor/outdated rootkits or the antivirus makers are actually doing a pretty good job of detecting them (gasp).

It's an arms race. Since a rootkit is making the appearance of reality disagree with physical fact, there's always some way to detect the deception: for example, hidden disk usage could be detected by writing data to fill the disk, and then seeing if the amount of data written is equal to the apparently-free disk space. The latest antivirus software will detect these discrepancies; the latest rootkits will patch over whatever techniques the antivirus software is using.

Not really surpirsed

Thanks to all the porn sites my FRIEND goes on, it's not uncommon for my AV to pick up a virus every now and then. Usually it's able to kill the thing, but every now and then one comes along that's just a pig to get rid of.
Norton (keep in mind, last time I used it was half a decade ago, if not more) had a great habit of going "HEY! YOU'VE GOT A VIRUS!" but when you actually tell it to delete the bloody thing, it refused to do anything. What was annoying was that often you could delete it simply by killing the process, but I digress.
Every other AV I've used has been able to handle most, but to this day, every now and then a virus will come along that whatever AV I try simply can't shift, forcing me to do the ol' safe-mode delete trick (or sometimes having to boot into a different OS entirely).
I don't understand why these AV's don't pop up saying "we've found a virus, unfortunately it's going to be a pain to remove, so I can't do it for you, instead here's some instructions on what to do to get rid of it..." instead of just repeatedly popping up that the Virus is there and refusing to do anything about it....

Re:Not really surpirsed

Thanks to all the porn sites my FRIEND goes on, it's not uncommon for my AV to pick up a virus every now and then.

It's funny, the embarrassing part here isn't that you look at porn, it's that you get infected while doing it. Get NoScript, a bittorrent client, and a clue.

Well, DUH!

First rule of system scanning: if your system is compromised, you can't trust anything running on it including the scanning software. Any malware that's gotten far enough in to be a threat can readily trap the system functions to load programs and read the disk and the system functions used to detect trapping of system functions, allowing it to invisibly return false data to the scanning program. This was standard practice in the late 80s for viruses, see the origin of the term "stealth virus". You can scan incoming files using a scanner running on the main OS but to scan the main OS for infection you need to be running from a different boot image, one that's never been made available in a writable state to the main OS. And no, that doesn't mean a different partition on the hard drive, that's writable by the main OS even if it's not directly available as a drive. The media has to have been physically write-protected or read-only any time it's been in the drive while the main OS is running.

Bootable ClamAV CD image... Ubuntu live CD?

What I'm just waiting for is a bootable Linux CD that includes ClamAV ready-to-run.

Once a root kit has its tentacles through your system, you can't trust your system. So it just makes sense to boot a trusted system before running a malware scan.

I know enough that I could boot an Ubuntu CD, make sure clamav is installed, update it to the latest virus definitions, mount each disk volume, and then run clamav by hand. But more people could use it if this was easier.

Originally I was thinking of a CD you boot just for virus scanning. But I already carry around an Ubuntu CD to use as a utility disk (you can boot it as a RAM tester, or you can boot to a desktop to help repair a non-booting computer). And if it finds any malware you will want to fire up a web browser and read about how to clean your system. So now I think the very best thing would be for the standard Ubuntu live CD desktop to have a "scan computer for viruses" icon. Ideally it should have some kind of attractive GUI interface, but I'd settle for a scrolling text display as long as it does everything automatically.

Ideally this would also have a way to download a signed program, verify the signature, and run the program; then people could write programs that automatically clean malware off a computer.

I already give away Ubuntu CDs to friends who use Windows, and I tell them how to use them to test their RAM. It would be so cool if they could also use it to check their computers for malware. (Who knows, they might get tired of cleaning malware off their computers and try running Ubuntu someday.)

Is there any way to suggest this as a "summer of code" project or something?

steveha

Re:Bootable ClamAV CD image... Ubuntu live CD?

Steveha..
http://www.ultimatebootcd.com/ [ultimatebootcd.com]
http://www.ubcd4win.com/ [ubcd4win.com]
Both have excellent tools on them, including some UPDATABLE AV kits.

Re:Naturally, (on first)

"Security suites and online Web scanners detect only a little more than half of all rootkits

security suites/online web scanners != antivirus only. as for why

AV-Test.org also found that a few big name AV scanners had serious problems finding and removing active rootkits

I would have to say that a lot of scanners that are referred to as being antivirus target several types of malare, viruses especially so but not exclusively. havng to develop separate scanners for each type of malware and actually charging for them would be enormously expensive, not that they won't be doing it soon.

Re:Bootable antivirus discs?

Ah. Lazy me for not searching more closely before asking... just found this as one alternative: http://www.free-av.com/en/tools/12/avira_antivir_rescue_system.html [free-av.com].