
[Repost] Rootkits vs. Stealth by Design malware


Original link: http://rootkit.com/newsread.php?newsid=436
Author: joanna

The presentation I gave at Black Hat Federal last week about a new generation of stealth malware, so-called Stealth by Design (SbD) malware, which doesn't use any of the classic rootkit technology tricks but still offers full stealth, can be downloaded here:

http://invisiblethings.org/papers/rutkowska_bhfederal2006.ppt

And you can also get AVI demos here (10MB):

http://invisiblethings.org/papers/rutkowska-bhfed2006-demos.rar

The presentation also focuses on the limitations of the current anti-rootkit technology and why it's not useful in fighting SbD malware. Consequently, an alternative method for compromise detection is advocated in this presentation, Explicit Compromise Detection (ECD), as well as the challenges which Independent Software Vendors encounter when trying to implement ECD for Windows systems, which I call the Memory Reading Problem (MRP).

The ECD approach is used by tools like VICE, SVV and MS's Patch Guard. Out of these tools only PG avoids the MRP problem, as it was built by MS itself and the PG team was aware of how to avoid MRP (which seems to be impossible for ISVs today).

Also, you can get the new SVV 2.2 here:

http://invisiblethings.org/tools/svv/svv-2.2-bin.zip

With this new SVV you should be able to detect all the Apropos modifications (some of them were not detectable by SVV 1.x), Eeye Bootroot, Shadow Walker and many more of the type I malware.

Please note, though, that SVV is not able to detect the malware which I presented during the presentation, mostly because it was type II malware and because of the MRP.

cheers,
joanna.