Thursday, December 14, 2006

Back from New Zealand (AVAR2006 Conference)

I am back from the AVAR2006 conference in Auckland, New Zealand. This was my first security conference while pursuing my first professional job as an Anti-Virus Research Engineer. I am delighted to have been able to attend the conference. It was also a great experience to be able to present at the conference as well. I surely had a wonderful time.

You can access my "Rootkits on Windows" presentation and paper from my website: Anti-Malware Research

The best part of the conference was being able to meet and connect with some the well renowned researchers in the AV-industry, many of whom I highly revere and respect. Prominent among them are Peter Ferrie, Peter Szor, Dr. Vesselin Bontchev, Dr. Igor Muttik, Joe Telafici, Andrew Lee, Randy Abrams, and Tony Lee, to name a few.

Here is a picture of me just before delivering my presentaion :)

You can find some more of the pictures taken at the conference on the AVAR2006 website.

I was fortunate to be able to bring my wife with me on the trip as well. After the conference, we spent a few days vacationing in the North Island of New Zealand. A truely amazing and beautiful place I must say. We both had a great time. The people are very nice and laid back. There is so much fun and adventure stuff to do with such beauty surrounding, it w
as absolutely amazing!

My kind of adventure: "Free Flying"

We highly recommend visiting New Zealand for all those who love to travel. As for us, we will have to go back and visit the South Island next time, which the New Zea-landers say is much more awesome...

Digg This | Slashdot This | Add to

Wednesday, November 29, 2006

Presenting at AVAR2006, Auckland, New Zealand

Exciting news to share!!
I am preparing for my visit to Auckland, New Zealand for the AVAR2006 conference (Association for Anti-Virus Asia Research) to be held from 3rd Dec through 5th Dec. I will be doing a presentation about “Rootkits on Windows”. This is about the "rootkit-like" techniques used by today's Window's based malware to “subvert” the kernel and about the co-evolution of anti-rootkit techniques. The presentation will extensively cover the well-known tricks to the latest developments in the rootkit area. Apart from the long flight journey (24 hrs), I am looking forward to visit the beautiful land of New Zealand :)

Digg This | Slashdot This | Add to

Thursday, October 12, 2006

Rootkit techniques in today’s Windows based Malware

Recent Malware trends on Windows NT based platforms are adopting more and more Rootkit like techniques, i.e. employing cloaking and stealth. Such techniques are either embedded within the malware itself or simply assist the malware while existing as a third-party application. Two such proliferating malware that embed "rootkit-like" functionalities within them are W32/Haxdoor and W32/Goldun. The wide range of today's Window's based malware such as Trojans, Mass-mailers, Backdoors, Spyware & Adware Programs, use stand-alone/third-party rootkit programs in order to cloak files/folders, processes, registry entries, memory modules, handles, TCP/UDP communication ports, logins, log files, and any other resource used of the Operating System to conceal their malicious activity.

There are two types of rootkits: the ones that operate at Window's kernel level and the ones that stay at the user level. Kernel-mode rootkits are more powerful and much harder to detect, disinfect or de-activate. But these are more complicated to implement and require administrator privileges to be installed on a machine. A kernel-mode rootkit is usually a kernel mode device driver program which is loaded by the malware. User-mode rootkits are less powerful but still very efficient and much easier to implement and deploy. The most popular among the publicly available rootkits are the FU-rootkit (Kernel-mode rootkit) and Hacker Defender (User-mode rootkit).

The wide usage of rootkits in today’s malware is attributed to their ease of availability via the web. They are downloadable as ready to use rootkits or as source code for those who want to compile custom rootkits. Ther are online resources for both rootkit developers and security professionals who could use this information to educate themselves and learn the ways of the attacker in order to develop anti-rootkit techniques. Most advances in Windows based rootkits are posted on the internet in the form of discussion groups, news reads, blog posts etc.

Another reason to which the use of rootkits can be attributed is “a shift in intent of writing malware”. Viruses and worms are no longer written to prove skill or to draw attention but rather as a means to bank the green bucks! This shift in intention or rather the commercialization of malicious intentions has greatly increased the creation and proliferation of “crime-ware” (or snoop-ware such as spyware, keyloggers, backdoors, Trojans, etc.). These applications demand the use of stealth in order to "own the box" for as long as possible without being detected and without being able to be traced back to.

In order to combat today’s rootkits we require more of a pro-active approach rather than the traditional reactive approach. Merely adding signatures to definition files (i.e. if we are lucky enough to get our hands on the rootkit in the first place), is only “pushing the problem under the rug”. More wide-spread use of rootkits among malware is predicted in the near future and so will co-evolve the sophistication of rootkit detection tools and methods.

Digg This | Slashdot This | Add to