This page contains a single entry from the blog posted on March 1, 2007 6:49 PM.

More on foiling rootkit detectors

A great article appeared today in eWeek "Black Hat Demonstrations Shatter Hardware Hacking Myths". It discusses two presentations this week at the Black Hat Conference in Washington DC that destroy some common beliefs about detecting and removing rootkits.

The article states: "
One shocker was Coseinc Senior Security Researcher Joanna Rutkowska's demonstration of a way to subvert system memory through software—in essence, the shattering of our long-held belief that "going to hardware" to secure incident response is a security failsafe.

Security professionals at the show called it the "attainment of the holy grail," particularly since the only way to fix the system's memory corruption is to reboot—thus erasing all tracks of the subversion.

It's a digital forensic team's worst nightmare. How can you figure out—and prove in court or to auditors—what people have been doing on your company's PCs, for good or evil? "

It then goes on to talk about the other presentation by John Heasman from NGSS (Next Generation Security Software). The article states: "

Heasman chose to persist a rootkit on a PCI device containing a flashable expansion ROM. At the present time, how to detect and prevent such an attack isn't understood when the system in question doesn't contain a TPM (Trusted Platform Module).

"My thinking is if you can get a rootkit into an environment where they reimage the system daily, as in some secure systems, we could still survive," Heasman said in an interview with eWEEK. "There are no tools in pub domain that would detect that."

Heasman went on to demonstrate the abuse of PXE, the Preboot Environment developed by Intel as part of its "Wired for Management" initiative. "

Taken together, these two presentations pose very serious challenges for enterprises: first in detecting rootkit attacks at all, and then in getting rid of them. I am wondering (and this is just me dreaming out loud) whether this is why the US Department of Commerce physically replaced over a hundred computers after being successfully attacked last year. Perhaps the US government had already realized that re-imaging the disks wouldn't necessarily guarantee the elimination of the malware.

Stay tuned for more discussion on this topic.

Guy
www.authenticationworld.com
guy.huntington@authenticationworld.com
