Wednesday, December 21, 2005

Fascinating article from a hacker on rootkits and security

Email Battles features an article today from a person claiming to be the author of the rootkit, Hacker Defender. He makes the case that he authors these malicious pieces of software in order to raise the bar on security. While it is impossible for me to judge his true intentions from this post, I do agree with some of the insights he provides on the anti-virus business.

Antivirus companies sell a fake sense of security, but they do not
bring real security to your computer. Antivirus just fights programs
that are visible to common users. They don't care about the cause.


If I publish Hacker Defender's antidetection code, antivirus companies
will do nothing but add a few bytes to their databases of virus
patterns, or simply fool my engine in some way. They show their
customers they can handle rootkits based on my antidetection engine,
but they won't solve the problem. So there would be easy ways to bypass
them again and again.


This attitude brings money to security companies because their users
download upgrades and buy new versions of their products. This is why
these security companies don't want to change the situation.


Yes, antivirus products will protect you against wildly spreading
threats like destructive worms. But the real danger for users is from
pointed attacks, where private tools are used. These tools use the same
methods as my tools. They are not detected because security companies
have no chance to download them and add those few bytes to their
databases. Security companies catch only the tools they know and do not
solve the cause. So attackers will succeed with their tools.


This has to be changed. Hacker Defender and other rootkit projects
force security companies to care about the core of the problems, to
develop better and better products. And after years, I see the results.
The situation is better. But there is still a lot of work to be done
with rootkit detectors and antivirus products.


This is why I will continue in my work to try to find ways to bypass
their poor products until antivirus companies come with the real
solution. And this is why a lot of my customers are security guys who
offer penetration testing etc., not bad (or blackhat) guys.

...If you think about it, simple code scrambling in what is called
dangerous or malicious software results in a clean scan report. It is
really as easy as changing one byte here and there to fool your
expensive antivirus product.


This fact forced us to think about how antivirus products are
implemented and what all those powerful heuristics engines that reveal
even unknown future threats really mean. Just visit some antivirus
vendor website to see what they offer. Then modify a few bytes in your
favourite destructive malware and create your own opinion.


The antidetection engines in more advanced paid versions of Hacker
Defender also evade the latest versions of all well known modern
rootkit detectors like BlackLight, RootkitRevealer, IceSword, UnHackMe
and RKDETECTOR 2.0.


It is curious that Hacker Defender's antidetection was implemented
months ago and hasn't changed (except some minor bugfixes) since then.
In spite of this fact, no security product is able to beat it today.


The world is still waiting for the first real rootkit detector that
would bypass Hacker Defender's antidetection engine. Hacker Defender is
just there to show they have to improve their products.