
Risk
1/17/2006 06:00 PM

Holy_father Delivers Rootkits To The Masses


The futility of today's model for antivirus protection is fairly obvious. Plug one hole in the dike and another will sprout. Pretty soon, you're running out of fingers and toes to hold back the flood. It gets worse. Attackers without the skill to create their own malicious hacks can outsource their dirty business to others who will write the code for them and then offer services that keep these rootkits from being detected. It's the virtual version of Spy vs. Spy, with many black hats claiming that they're giving the technology world exactly what it needs -- tough love.

One of the most prominent rootkit suppliers is the Hacker Defender site, which I learned about during an interview with Herbert Thompson, Ph.D., chief security strategist for Security Innovation Inc., a Boston-based provider of application security services. Worse than simply selling rootkits to the masses, Hacker Defender also offers anti-detection services that will help ensure that its rootkits aren't detected by antivirus and other malware-prevention software.

These third-party rootkits could be used by an employee who is about to leave an organization or someone who thinks they will be fired and would love to keep control within a network, Thompson told me. "Some of this is illegal, some isn't, depending upon what country you live in," he added. "Many of the auction sites that trade in zero-day vulnerabilities benefit from unclear and inconsistent laws." If there's no law against renting out botnets in Russia, then it's difficult for the U.S. to prosecute an attack launched from within the country, or even to collaborate with international law enforcement. "The legal community is still trying to catch up with the implications of the cyber universe," he said.

It's incredibly difficult for law enforcement to gather evidence against someone selling hacks or botnets, unless they slip up somehow. "If they are doing it from their house, they are traceable; but what about if they're doing business from kiosks or libraries?" Thompson asks.

When I asked Thompson how a site trying so hard to protect its identity (the person running the site refers to himself only as Holy_father) could collect for its services, he told me that the answer is E-gold. Excuse me? He told me about one West Indies company, E-gold Ltd., that holds no national currency of any nation and has no bank accounts. "They don't trade in any sovereign currency, so they avoid the scrutiny of the Secret Service," Thompson says.

Like most tech pros who make a living selling security to defend against attacks, Thompson couldn't give me a good explanation of why someone would trade in malicious code, other than to make money. Of course, if you're that skilled a programmer, there are lots of ways to make money. I decided to bless myself and e-mail Holy_father.

To my surprise, he actually got back to me within a few hours. Holy_father's command of the English language confirms for me that he's not based in the U.S., but he has little difficulty articulating his desire to push the antivirus community to do a better job of designing its software. HF claims that it's because of his work -- he launched the site in 2002 -- that so many people even know what a rootkit is. Of course, he had a lot of help from Sony.

HF's contention is that antivirus companies benefit from keeping their customers just one step ahead of the next big malware attack. This keeps their customers coming back for more and renewing their subscriptions to antivirus database services. If the antivirus companies were to create "something incredible, [a] great AI engine that would beat all other companies on the market and take 95% of the market," they would run the risk of having that program reverse-engineered by the competition and quickly lose their advantage, HF wrote me. In other words, why bother to invest the time and money creating a revolutionary anti-malware engine when companies are willing to pay to upgrade regularly? Sounds to me like he's accusing the software market of complacency. I suppose he wouldn't be the first.

Not surprisingly, antivirus companies take umbrage at HF's assertions. The Hacker Defender site certainly makes it easier for a person without a high level of programming skills to get his hands on a sophisticated rootkit, says Ed English, Trend Micro's chief anti-spyware technologist. But since Hacker Defender's code and intentions are out in the open, it gives companies like Trend Micro the ability to track this activity. "Publishing these rootkits publicly is one way to do this, but they also can directly contact a vendor" if they have a criticism of that vendor's software, English says. Hackers who claim to be trying to help improve IT security by threatening it tend to display such passive-aggressive tendencies.

The chess match between the white hats and black hats will continue for the foreseeable future. Either way, IT pros can't pretend these threats don't exist. "The first time a CIO goes to a site such as Hacker Defender, it's a big wake-up call," Thompson told me. "But if you're not aware that these groups exist, it's hard to defend against them." Company executives are realizing that even if a disgruntled former employee doesn't have the skill to attack their IT systems, they can outsource.
