[ISN] Microsoft exec warns of rootkits

From: InfoSec News (isn@private)
Date: Mon Apr 10 2006 - 22:18:32 PDT


By Ellen Messmer
Network World

ORLANDO - If your system gets infiltrated by a rootkit, you might as 
well just "waste the system entirely," a Microsoft official told 
fellow security professionals last week at the annual InfoSec 
Conference here. 

Microsoft's Mike Danseglio, program manager in the company's security 
solutions group, was among a host of security experts from big-name 
companies who swapped advice about protecting networks with 1,700 

According to Danseglio, the hacker rootkit is "probably the nastiest 
piece of malware you'll get," because it is designed to hide unwanted 
files - or any sign a computer has been compromised - stealthily. 

Microsoft dedicates four staffers to analyze rootkit samples found in 
customer computers or on the Internet. In his presentation, Danseglio 
offered a list of the most-wanted rootkits (see graphic), adding that 
90% of what Microsoft finds relates to Hacker Defender, a rootkit from 
the Czech Republic-based programmer who calls himself Holy Father. The 
programmer charges several hundred dollars to make Gold versions of 
his basic rootkit. 

Writing rootkits isn't a crime, but using them to hide code in a 
computer that's been hacked by other means is, Danseglio said. Holy 
Father last month indicated he's retiring from his Web site business, 
leading some to speculate that he's been hired for some purpose 

According to Danseglio, rootkits have been embedded in many networks, 
with college campuses especially hard-hit. The University of 
Washington has become notorious for its students using rootkits to 
hide pornography and music on the university's servers, he said. 

Danseglio offered a list of tools, including a few from Microsoft, 
that can detect rootkits. But he said there are no simple ways to 
address the menace. "There are no rootkit-resistant operating 
systems," Danseglio said. 

Lessons shared

Kerry Anderson, a Fidelity Investment Brokerage vice president in the 
information security group, spoke on the topic of setting up a 
computer forensics program to tackle crime, including child 
pornography, terrorism and financial fraud. 

A company's first priority should be establishing a policy and 
internal training for auditing and investigating suspected computer 
crime, coordinating among the legal, human resources and IT 
departments, she said. 

She advised extending that policy to include working with outsourcing 
providers, vendors and business partners to ascertain their 
computer-investigation procedures and get the right to audit and 
monitor their computers if necessary. "Our contracts today are 
requiring the right to do risk assessment and visitation audits," she 
pointed out. 

The insider threat is a top concern at State Street, which manages 
more than $10 trillion in assets. State Street Senior Technology 
Officer Doug Sweetman said securities laws require the firm to conduct 
background checks on employees and prospective employees. 

But these days, that might go beyond a criminal-history check and 
include scouring the Web to find blogs an applicant has written or 
evidence of a gambling habit or visiting hacker sites - all of which 
might raise a red flag. "I don't feel any restrictions going after 
your blog or pulling all these data together," he said. 

One headache at State Street is the freeware that employees download 
and the company wants to remove as a potential security risk. Google 
Desktop 3.0 search software is among the programs State Street watches 
out for: "It allows for file-sharing and takes the file up to the 
Google complex," Sweetman said. 

"You've got to think about where that file is when Google indexes 
content," he said.



Microsoft's most-wanted list

Rootkits that hide in Windows: 
* Hacker Defender 
* FU 
* HE4Hook 
* Vanquish 
* AFX 
* NT Rootkit 

Tools that can detect rootkits: 
* PatchFinder2 and Klister/Flister, proof-of-concept tools from Polish 
  researcher Joanna Rutkoska 
* RootkitRevealer from Sysinternals 
* Blacklight from F-Secure 
* Microsoft File Checksum Integrity Environment 
* Bootable Antivirus & Recovery Tools from Alwil Software 
* Knoppix Security Tools Distribution (open source) 

LayerOne 2006 : Pasadena Hilton : Pasadena, CA
Infomation Security and Technology Conference

This archive was generated by hypermail 2.1.3 : Mon Apr 10 2006 - 22:23:42 PDT