I was reading a blog entry by Joanna Rutkowska, a really smart and good-looking (*fg*) security and rootkit expert from Poland, and I was really asking myself: should we be scared of rootkits in the future? To give you a short answer: yes, we should!
OK, of course such rootkits can maybe be blocked before they are installed, or while they try to install themselves, or while some other malware tries to install them. I have been reading about the technology and the evolution of the knowledge in this area for a while, and I have to say that it is really scary how fast the evolution moves forward.
Last year I was reading something about DKOM (Direct Kernel Object Manipulation); after thinking about the concept I was sure something like this is comparatively easy to detect. Also, hooking the SSDT, IAT or EAT, or using inline hooks (Detours), is almost harmless if you know how to get rid of it (see my previous post on Trojan.Downloader.uj, which is about a userland rootkit).
Anyway, this year, only about 6 months later, I read something which really scared me. Joanna Rutkowska held some presentations about rootkits again, and there she demonstrated a rootkit she is calling ‘deepdoor’. After taking a look at what she can do with this threat I was really asking myself how you should detect something like this. OK, there will be some smart guy who will be able to detect it (I am sure there will be one!). But now (OK, it was already in June, but it doesn’t matter) she is writing about ‘Blue Pill’. Think about this: you are running VMware on your computer and host another Windows in there. That is no big deal, that’s right, but what would you say if somebody told you that you are already hosting VMware inside a virtual environment?
Huh? That’s really scary. And I must admit that ‘Blue Pill’ is a really well-chosen name.
I am right at the beginning of understanding how malware works and how it can be detected and removed, but when I read something like this I really ask myself how we should protect ourselves from such threats.
I hope that we will be able to come up with an idea for a ‘Red Pill’ for such threats and be able to remove them, or at least to warn users about such a threat.
Further reading on this subject can be found at:
Edit: (8th August 2006) I found another really interesting blog entry about this at http://www.ryanpmanning.com/?p=56
Be aware! Be scared!
Regards,
Vinzenz Feenstra