CyberSecurity Institute

The researchers Tuesday discussed the growing threat posed by kernel rootkits at a session at the RSA Security Conference in San Francisco.

The malicious snooping programs are becoming more common and could soon be used to create a new generation of mass-distributed spyware and worms.

With names like “Hacker Defender,” “FU” and “Vanquish,” the programs are the latest generation of remote system monitoring software that has been around for years, according to Mike Danseglio and Kurt Dillard, both of Microsoft’s Security Solutions Group.

The programs are used by malicious hackers to control, attack or ferret information from systems on which the software has been installed and are typically installed on a machine without the owner’s knowledge, either by a virus or following a successful hack of the computer’s defenses, they said.

Once installed, many rootkits simply run quietly in the background but can easily be spotted by looking for memory processes that are running on the infected system, monitoring outbound communications from the machine, or checking for newly installed programs.

Rootkit authors are also making huge strides in their ability to hide their creations, said Danseglio. The result is that typical signs that a program is running, such as an executable file name, a named process that uses some of the computer’s memory, or configuration settings in the operating system’s registry, are invisible to administrators and to detection tools, said Danseglio.

One rootkit, called Hacker Defender, which was released about one year ago, even uses encryption to protect outbound communications and can piggyback on commonly used ports such as Transmission Control Protocol (TCP) port 135 to communicate with the outside world without interrupting other applications that communicate on that port, he said.

The kernel rootkits are invisible to many detection tools, including anti-virus, host and network intrusion detection sensors (IDS) and anti-spyware products, the researchers said.

One strategy to spot kernel rootkits is to use Windows PE, a stripped-down version of the Windows XP operating system that can be run from a CD-ROM, to boot a computer, then comparing the profile of the clean operating system to the infected system, according to Dillard and Danseglio.

http://www.nwfusion.com/news/2005/0217rsa-mic.html

The paper described how two separate documents could be manipulated to deliver the same SHA-1 hash with a computation of lower complexity level than previously believed possible.

It is a key technical underpinning of Secure Sockets Layer, a private-key technology used broadly to send secure information such as credit card numbers over the Internet. In addition, a handful of chipmakers—including Atmel, Infineon, National Semiconductor and STMicroelectronics– use SHA-1 as the basis for so-called Trusted Platform Modules (TPMs) at the heart of an industry effort to provide a hardware root of trust in PCs and other devices.

Shamir and others said they believe the work of the Chinese trio will probably be proven to be correct based on their academic reputations, although details of the paper are still under review.

It’s extremely important to develop new kinds of hashing algorithms,” said Shamir in the panel session at RSA. “This break of SHA-1 is stunning,” said Ronald Rivest, a professor at MIT who co-developed the RSA algorithm with Shamir.

“This is another reminder that conservatism is needed in the choice of an algorithm,” added Rivest at the panel session.

“They are going to go nuts,” said a technical advisor to the American Bar Association, trying to assess the legal implications of the news.

http://www.eetimes.com/article/printableArticle.jhtml;jsessionid=KXLBKKQ2JSDYIQSNDBCSKHSCJUMEKJVN?articleID=60401254&url_prefix=&sub_taxonomyID=4217