A forum for reverse engineering, OS internals and malware analysis 

Ask your beginner questions here.
 #29916  by kvz3
 Thu Feb 02, 2017 2:34 pm
Hi, I was reading yesterday how Stuxnet infected the DLL used by the Siemens Step7 software to intercept the communication with the PLC, and I wondered: is it still so difficult to detect a user-level rootkit these days? I mean, wouldn't it be possible to have a table with sensitive files and their hashes and only authorize signed binaries to change it? What is the state of the art of such techniques to detect that a DLL or a binary has been modified?

Thanks!
 #29917  by Vrtule
 Thu Feb 02, 2017 5:38 pm
I think the main problem here is that people are not looking for a rootkit if they have no suspicion.

If a file on disk is signed, you definitely can detect its modifications (if you also know something about the signing certificate). The situation is quite different when detecting changes made only to memory copies of the file. Some types of modifications may be nearly undetectable (e.g. if the application takes advantage of callbacks, virtual methods etc.), or you need to have deep knowledge of how the application works.
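The hash-table idea from the question and the on-disk caveat in this reply, as an added example that is not from any poster in the thread: a baseline of file hashes whose table is itself HMAC-protected, so a process without the key cannot silently rewrite the table after patching a file. File names, contents and the key are constructed; it checks files on disk only, so a modified in-memory copy would not be caught.

```python
import hashlib
import hmac
import json
import os
import tempfile
# Constructed demo key; in practice held by the privileged updater, not beside the table.
BASELINE_KEY = b"constructed-demo-key-not-for-production"

def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:  # chunked: binaries can be large
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()

def build_baseline(paths, key=BASELINE_KEY):
    """Hash the sensitive files and MAC the table so it is tamper-evident."""
    entries = {p: sha256_file(p) for p in paths}
    body = json.dumps(entries, sort_keys=True).encode()
    return {"entries": entries, "mac": hmac.new(key, body, "sha256").hexdigest()}

def verify_baseline(baseline, key=BASELINE_KEY):
    """Return (table_trusted, modified, missing); checks disk copies only."""
    body = json.dumps(baseline["entries"], sort_keys=True).encode()
    expected = hmac.new(key, body, "sha256").hexdigest()
    if not hmac.compare_digest(baseline["mac"], expected):
        return False, [], []   # table rewritten without the key: do not trust it
    modified, missing = [], []
    for path, digest in baseline["entries"].items():
        if not os.path.exists(path):
            missing.append(path)
        elif sha256_file(path) != digest:
            modified.append(path)
    return True, modified, missing

def demo():
    """Constructed: patch one fake DLL on disk, then forge the table to hide it."""
    with tempfile.TemporaryDirectory() as d:
        target, other = os.path.join(d, "sensitive.dll"), os.path.join(d, "other.dll")
        for p in (target, other):
            with open(p, "wb") as f:
                f.write(b"MZ" + os.urandom(64))   # fake PE-looking content
        baseline = build_baseline([target, other])
        with open(target, "r+b") as f:
            f.seek(10); f.write(b"\x90\x90")        # two-byte in-place patch
        trusted, modified, missing = verify_baseline(baseline)
        forged = {"entries": dict(baseline["entries"]), "mac": baseline["mac"]}
        forged["entries"][target] = sha256_file(target)   # hash fixed up, MAC not
        return trusted, [os.path.basename(p) for p in modified], missing, verify_baseline(forged)[0]
```

`demo()` returns the verdict for the genuine table (trusted, one modified file) and for the forged table (rejected outright because its MAC no longer matches).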
 #29919  by EP_X0FF
 Fri Feb 03, 2017 4:34 am
kvz3 wrote:Hi, I was reading yesterday how Stuxnet infected the DLL used by the Siemens Step7 software to intercept the communication with the PLC, and I wondered: is it still so difficult to detect a user-level rootkit these days? I mean, wouldn't it be possible to have a table with sensitive files and their hashes and only authorize signed binaries to change it? What is the state of the art of such techniques to detect that a DLL or a binary has been modified?

Thanks!
I remember in 2010 when this hyped story took place - the real reason why it was labeled as a difficult-to-remove rootkit on Windows was the total incompetency of the people who were looking for it and a strong desire to do hype PR from the legalized fake AV industry. In 2010 there existed multiple freeware "antirootkit" solutions that were able to find/identify and wipe the so-called Stuxnet "rootkit" from Windows (even some x64!). It was nothing new or sophisticated in terms of Windows rootkits up to that date. Instead of these they tried bloatware paid solutions called antiviruses and, what a surprise, they failed - because they are designed to fail on every unknown malware, especially when this malware is aware of them. There never was any difficulty in removing user mode "rootkits", and no pure user mode "rootkits" have existed in the last 7-10 years, because there is no sense in them - they are all too easy to remove. Yes, some trojans use a sort of "rootkit" tech on board - for example Betabot & Ngrbot or Carberp and Spyeye (both dead) - but this does not complicate their removal, and in fact they are useless artifacts added just to raise the bot price. Well, actually almost the same applies to kernel mode rootkits on Windows (almost dead, especially x64).
 #29991  by LibbyStanson
 Thu Feb 16, 2017 9:36 am
Good Morning,

Interesting. You mentioned a few times (dead).
Why are rootkits dead, or let's say it otherwise: why do we see fewer rootkits in the wild?
What happened?
AV is the same shit as ever.


Regards,
Libby
 #29992  by EP_X0FF
 Thu Feb 16, 2017 10:00 am
AV? It is just a variation of PUA - bloatware shit that opens additional backdoors and compromises your security when installed. There are no rootkit families ITW, all of them are dead: Rustock? dead. Simda? dead. Sinowal? dead. TDSS? dead. ZeroAccess? dead. Necurs? Its driver agent was never a rootkit in any way. What is still widely available is the South Korean origin game hacking related "rootkits". What about APT then? Well, it is hard to even call it a "rootkit" compared to what was ITW 10 years ago. What happened? x64 happened, new Windows versions and new hardware/firmware. Definitely not related to any AV "evolutions". And it turned out that you can get the same money without any "rootkits" in the price list. It took the so-called malware industry 10 years to realize that. Is it still possible to do some awesome kernel mode rootkit for Windows? Yes, some nation state sponsored one maybe, but this is inexpedient.