This page contains a single entry from the blog posted on March 1, 2007 3:23 PM.

Foiling rootkit detectors

Joanna Rutkowska reportedly demonstrated yesterday at the Black Hat conference in Washington DC a way for malware to defeat the hardware-based memory acquisition that rootkit detectors and forensic tools increasingly rely on. According to a story in Dark Reading, "How to Cheat Hardware Memory Access", Joanna says: "I believe that this is going to be the first public presentation of how malware can cheat hardware-based memory acquisition."

The article goes on to state:
"Researchers and forensics investigators today rely more on reading hardware-based memory to get an accurate picture of the OS to help detect malware, mainly because it's difficult to find rootkits in today's complex operating systems."

"All rootkit detectors on the market today can be seen as more or less random 'hacks' that check only some limited number of well-known places in the OS," Rutkowska says.

"Plus if the system has already been compromised, you can't trust any programs executing on it -- not even the rootkit detector program itself, she says. So hardware-based memory access has emerged as the best way to get a real look at what's going on."
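As an added illustration (not code from the talk, the Dark Reading article, or this blog), the following Python model plays out the argument in the quoted paragraphs: a detector that reads memory only through the OS can be lied to by hooks; a detector that acquires memory through hardware bypasses those hooks; and malware that also controls what the hardware acquisition path returns for its own pages makes both views agree again. The page does not describe the mechanism Rutkowska used, so the model simply assumes the rootkit can decide where a DMA read of a given physical page lands (real RAM, a decoy page, or bus garbage). Page numbers, page contents, the `ROOTKIT_PAYLOAD` signature and the all-ones bus-garbage value are all constructed for the example.

```python
"""Toy model of in-OS rootkit detection, hardware (DMA) memory acquisition,
and malware that controls the acquisition path. Constructed example; nothing
here is the talk's or the article's code."""

from dataclasses import dataclass, field

PAGE_SIZE = 0x1000
BUS_GARBAGE = b"\xff" * PAGE_SIZE   # assumed: what a DMA read of an unmapped address returns
ROOTKIT_SIG = b"ROOTKIT_PAYLOAD"    # constructed signature both detectors scan for


def make_page(tag: bytes) -> bytes:
    """Build a page whose content is identified by a short tag."""
    return tag.ljust(PAGE_SIZE, b"\x00")


@dataclass
class Machine:
    ram: dict                                      # physical page number -> true contents
    os_decoy: dict = field(default_factory=dict)   # page -> what hooked in-OS readers are shown instead
    dma_remap: dict = field(default_factory=dict)  # page -> page a DMA read really lands on (None = garbage)

    def os_view(self) -> dict:
        """What a detector running on the (possibly compromised) OS reads."""
        return {p: self.os_decoy.get(p, c) for p, c in self.ram.items()}

    def dma_view(self) -> dict:
        """What a hardware acquisition device reads, page by page, after the
        platform decodes each address. A rootkit that controls the decoding
        can redirect the read."""
        view = {}
        for p in self.ram:
            target = self.dma_remap.get(p, p)
            view[p] = BUS_GARBAGE if target is None else self.ram[target]
        return view


def dma_only_scan(m: Machine) -> list:
    """A forensic tool that trusts only the hardware-acquired image."""
    return [p for p, c in m.dma_view().items() if ROOTKIT_SIG in c]


def cross_view_detect(m: Machine) -> list:
    """A detector that reads memory both ways: it scans the hardware image for
    the signature and reports every page where the two views differ."""
    os_pages, dma_pages = m.os_view(), m.dma_view()
    findings = []
    for p in m.ram:
        if ROOTKIT_SIG in dma_pages[p]:
            findings.append((p, "signature"))
        if os_pages[p] != dma_pages[p]:
            findings.append((p, "views disagree"))
    return findings


def clean_machine() -> Machine:
    return Machine(ram={0: make_page(b"kernel"), 1: make_page(b"user data"), 2: make_page(b"free")})


def classic_rootkit() -> Machine:
    """Hooks in-OS memory readers only; the bus still sees the real page."""
    m = clean_machine()
    m.ram[3] = make_page(ROOTKIT_SIG)
    m.os_decoy[3] = make_page(b"free")   # OS-level tools are told page 3 is free
    return m


def acquisition_cheating_rootkit(decoy: bool) -> Machine:
    """Also controls where DMA reads of its page land: at bus garbage, or at a
    decoy page identical to what the hooked OS view already shows."""
    m = classic_rootkit()
    if decoy:
        m.ram[4] = make_page(b"free")    # decoy kept in real RAM
        m.dma_remap[3] = 4               # DMA reads of page 3 are routed to the decoy
    else:
        m.dma_remap[3] = None            # DMA reads of page 3 return bus garbage
    return m


if __name__ == "__main__":
    for name, m in [("clean", clean_machine()),
                    ("classic rootkit", classic_rootkit()),
                    ("cheats DMA (garbage)", acquisition_cheating_rootkit(decoy=False)),
                    ("cheats DMA (decoy)", acquisition_cheating_rootkit(decoy=True))]:
        print(f"{name:22} dma-only={dma_only_scan(m)} cross-view={cross_view_detect(m)}")
```

In the model, the hardware-only tool finds the classic rootkit and is blind to both cheating variants. The garbage variant still trips a comparison of the two views, because the in-OS decoy and the bus garbage differ, but the variant that points the hardware read at a decoy identical to the in-OS decoy is invisible to both detectors. That is the practical caveat behind the article's point: a view of memory is only as trustworthy as the path it travels, and once the attacker controls what every acquisition path returns, adding more views does not help.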

Joanna is the same person who last year presented the Blue Pill attack, which used the hardware virtualization support in recent CPUs to slip a thin hypervisor underneath the running operating system. She has also recently been discussing her concerns about Vista's UAC.

Bottom line: the attacks get cleverer and cleverer, and the tools to respond to them are far behind. Have layers of strong authentication in your enterprise to mitigate the risk. Use transaction authentication around your crown jewels, so that a compromised endpoint alone cannot authorize a sensitive operation. Then filter everything that leaves the enterprise digitally to catch precious information that has evaded all the other defense layers.

Guy
www.authenticationworld.com
guy.huntington@authenticationworld.com
