30 March 2007

Perils of Rootkit Detection

i admit i haven't followed security as closely as i did when i just ran windows, but are there now rootkits that can hide themselves from computer b when it's on computer a? - ice60

Yes, but they do not explicitly. In fact, any rootkit hiding itself from other processes is also hiding itself from other systems on the network as a free side-effect.

If computer b is looking for a rootkit on computer a, it will ask for information about the system. Details about running processes, files, logs, and so forth may be queried. The problem is all of these requests must pass though the infected system, and therefor cannot be trusted. Involving a daemon in your quest to sniff out a rootkit only provides an additional opportunity for the rootkit to hide itself.

Let's look at one of my infamous metaphors as an example. We can equate a rootkit-infected system with a brainwashed individual.

  • If you were brainwashed, you wouldn't necessarily know you were brainwashed. Any decent brainwasher would hide the brainwashing from you, perhaps with false memories.

  • If I asked you if you were brainwashed, you wouldn't be able to tell me you are brainwashed. Quite simply, you wouldn't know.

  • If I asked you indirect questions relating to your brainwashing, I *might* be able to infer you were brainwashed. There are certain inconsistencies that may come up in your responses. Perhaps you claim you were eating an anchovy pizza, but I know you hate anchovies.

  • Since any response you give could be effected by the brainwashing, I still wouldn't be able to tell with any certainty that you had been brainwashed.

The only 100% reliable way to detect a rootkit, assuming you have a signature for it, is to bring the infected system off line, and look for it without relying on any part of the infected system. This could mean running the system from a separate, bootable disk, or transplanting the infected systems hard drive into another clean system.

For further reading, please see this article in Computerworld.

No comments: