[转载]RAIDE Rootkit Elimination Tool Hits Beta
<P>信息来源:[url]http://www.eweek.com/article2/0,1759,1938948,00.asp?kc=EWRSS03129TX1K0000614[/url]</P><TABLE cellSpacing=0 cellPadding=0 width=780 bgColor=#ffffff border=0>
<TBODY>
<TR>
<TD width=5></TD>
<TD vAlign=top width=615><!--include virtual="/common/creprint.asp"--><SPAN class=dot><BR></SPAN>
<TABLE cellSpacing=0 cellPadding=0 width="100%" border=0>
<TBODY>
<TR vAlign=top>
<TD vAlign=top align=left colSpan=2></TD></TR>
<TR>
<TD vAlign=top width="65%"></TD>
<TD vAlign=top align=right width="35%">
<DIV id=talkback_bug></DIV></TD></TR>
<TR>
<TD class=Article_Posts align=left colSpan=2></TD></TR>
<TR vAlign=top>
<TD class=Article_Content align=left colSpan=2>
<P><BR>
<P>Spurred on by the ongoing cat-and-mouse game between malicious hackers and existing anti-rootkit scanners, a pair of security researchers have teamed up on a new tool that promises a solution to the threat from stealthy malware.</P>
<P>The new tool, called <A href="http://rootkit.com/newsread_print.php?newsid=456">RAIDE</A> (Rootkit Analysis Identification Elimination), is the brainchild of Peter Silberman, a college student known for his reverse-engineering skills, and Jamie Butler, chief technology officer at Komuku, a College Park, Md.-based company that specializes in rootkit detection.
<P>The duo introduced RAIDE at the Black Hat Europe 2006 Briefings in Amsterdam and plan to roll out a commercial version with features that go beyond finding and removing rootkits that serve as a <!-- start ziffarticle //--><A href="http://www.eweek.com/article2/0,1895,1896605,00.asp">hiding place for spyware</A><!-- end ziffarticle //--> and other pieces of malware.
<P>Rootkits are used to modify the flow of the kernel to hide the presence of an attack or compromise on a machine. It gives a hacker remote user access to a compromised system while avoiding detection from anti-virus scanners.
<P><!-- start ziffimage //--><IMG height=34 alt=Pointer src="http://common.ziffdavisinternet.com/util_get_image/2/0,1425,i=28571,00.gif" width=28 align=left border=0 ?><!-- end ziffimage //--><!-- start ziffarticle //--><A class=NAVELEMENT href="http://www.eweek.com/article2/0,1895,1897728,00.asp">Where are rootkits coming from? <U>Click here</U> to read more.</A><!-- end ziffarticle //-->
<P>In an interview with eWEEK, Silberman said RAIDE offers several unique features that cannot be found in other anti-rootkit tools.
<P>"[It] can take care of things like API hook detection and restoration and the restoration of hidden processes to make them visible again. Instead of having the user run multiple tools to do different things, RAIDE combines everything. That was one of the design goals," Silberman said.
<P>Existing anti-rootkit scanners like <A href="http://www.f-secure.com/blacklight/cure.shtml">BlackLight</A> and <A href="http://www.sysinternals.com/Utilities/RootkitRevealer.html">RootkitRevealer</A> look for registry and file system API discrepancies that may indicate the presence of a user-mode or kernel-mode rootkit, but Silberman said weaknesses in that approach have been proven.
<P>In a <A href="http://www.uninformed.org/?v=3&a=7&t=txt">research paper</A> that accompanied the release of RAIDE, Silberman said the rootkit world has moved away from implementing system hooks to hide their presence.
<P>"RAIDE offers the user an extended suite of features for hidden processes since most common users are going to at some point get owned by some rootkit hiding processes," he stressed, adding that the new tool will offer easy removal features such as restoring the process so the process can be closed or removing the hook hiding the process.
<P>He said processes hidden by rootkits can be made visible by "relinking" them. For example, the widely used FU rootkit hides processes using a method called DKOM (Direct Kernel Object Manipulation), but Silberman said RAIDE reverses this method to make the process visible again.
<P>"Steps like that will help the user's anti-virus software pick and remove the file actually causing the problem," he explained.</P>
<P><!-- start ziffimage //--><IMG height=34 alt=Pointer src="http://common.ziffdavisinternet.com/util_get_image/2/0,1425,i=28571,00.gif" width=28 align=left border=0 ?><!-- end ziffimage //--><!-- start ziffarticle //--><A class=NAVELEMENT href="http://www.eweek.com/article2/0,1895,1887826,00.asp"><U>Click here</U> to read about how security vendors are clueless about rootkit invasions.</A><!-- end ziffarticle //-->
<P>Silberman, who did security research stints at vulnerability assessment firms iDefense and HBGary, said RAIDE was designed to thwart application-specific attacks by ensuring using encrypted memory segments to communicate results back and forth.
<P>RAIDE can also be used by advanced customers and security researchers to retrieve a dump of hidden processes and imported DLLs for analysis.
<P>Butler, who served as architect and technical director during the development of RAIDE, said he is impressed with the finished product.
<P>"I think the tool is very promising. I especially like its ability to relink hidden processes that were hidden using DKOM attacks. There are also some clever hook restoration techniques," he said in an interview.
<P>"Currently it is not user friendly, but if it was outfitted with a GUI or network communication and reporting it would be a nice tool," said Butler.
<P><!-- start ziffimage //--><IMG height=34 alt=Pointer src="http://common.ziffdavisinternet.com/util_get_image/2/0,1425,i=28571,00.gif" width=28 align=left border=0 ?><!-- end ziffimage //-->Check out eWEEK.com's <!-- start ziffsection //--><A href="http://www.eweek.com/category2/0,1874,1237860,00.asp">Security Center</A><!-- end ziffsection //--> for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at eWEEK.com Security Center Editor <A href="http://blog.ziffdavis.com/seltzer">Larry Seltzer's Weblog.</A> </P></TD></TR></TBODY></TABLE></TD></TR></TBODY></TABLE>
<P></P>
页:
[1]