2007-08-01
Abstract
'Anyone who writes even one example of a piece of malware, exploit or rootkit feels qualified to call himself a security researcher.' Aleksander Czarnowski, AVET, Poland.
Copyright © 2007 Virus Bulletin
Recently the security community has been busy discussing a bet made over the detectability of a rootkit, after Joanna Rutkowska claimed that she and her Invisible Things team are able to create a rootkit that is undetectable.
As someone working for a company that offers penetration testing and forensic analysis services among other things, I am very interested in rootkit technology. During pen-testing, rootkits can provide a great risk demonstration after gaining control of a system, so they add value both to the process and to the customer. In the case of forensic analysis we need to identify how system security has been compromised and to what extent the attacker has penetrated the system. This means rootkit detection as well. This puts us in an interesting position where sometimes rootkits are a bad thing, and sometimes they are a good thing.
Personally, I think the issue is not as technical as it seems, and is a lot broader than just rootkits. The real problem is the number of researchers who fail to do their research properly before making claims. These days it seems that anyone who writes even one example of a piece of malware, exploit or rootkit feels qualified to call himself a security researcher. However, the reality is that becoming a security researcher takes a lot more than a few minutes or hours of hacking. It involves a lot of research including research into what has happened in the past.
The past is important here because similar claims about 'undetectable'/'unbeatable' malware have been made in the past. None lasted very long. Repeating such claims just makes me wonder about the reasons for doing so. What's more, part of the technology is already well known. Do you know how to bypass all Windows Vista anti-rootkit safeguards? Run it within VMware - you then have total control of the operating system execution environment. Does Vista complain when it runs inside a virtual machine? No. So theoretically somebody could say that he has found a system vulnerability or a rootkit that is undetectable (by the operating system).
Now let's consider the term 'invisible' or 'undetectable'. If I understand these correctly, such a rootkit should always be hidden so that it leaves no sign of its presence. So we could argue that even a simple 'hello world!' message on the screen would make the rootkit visible. If I can see it, I can detect it.
Ms Rutkowska should also prove that her rootkit is 100% bug-free and that it will never crash any system during operation. We all know that this problem is non-trivial from a mathematical point of view. If the system crashes due to rootkit installation, it will be visible. This is important, as Ms Rutkowska's rootkit technology targets a very broad range of modern PCs. The trend among current exploits is that they increasingly target specific systems due to differences and safeguards like address randomization. So it is a very brave approach to try to target a broad range of systems in today's world.
Let me come back to the crash problem for a while. If I can see it (the crash), I can detect it, which brings us to the question of 100% detection. Can anyone show me a 100% detection rate without false positives in anti-malware or IDS/IPS solutions? Anyone?
Last, but I guess not least, is the issue of money. A newly established company requesting financial support for its research in the way in which Ms Rutkowska and her Invisible Things team have done is a bit strange. Does this mean they don't have customers who would back their research investment? I hope not! When you try to sell something it must be useful. I really can't see any benefits to a customer paying almost half a million dollars for such an experiment, but I'm sure there would be a lot of customers willing to pay half a million for a solution that would provide an organization with some benefits. So it seems that somebody had an interesting idea and certain technical knowledge but no business plan or vision of how to sell it. Does gambling make it more sellable? I'd bet not.
The views presented in this article are the author's own, not those of his employer.