John Sequeira


Monday, March 14, 2005
RootkitRevealer Arms Race

This blog post describes some tricks used by rootkits to bypass RootkitRevealer.

When I read something like this, I always think about how much harder it would be to bypass a rootkit revealer if it was running on a host operating system, and the OS instance it was scanning was running in a VM. This would essentially be collapsing the definition of network- and host-based intrusion detection, and making it much more difficult for malware to disarm your machines. Now it's certainly possible to imagine rootkits designed to counter this scenario, but if you used a different operating system to run your intrusion detection than you used to run your applications it would present quite a complicated testing matrix for malware authors (no more monoculture).
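The check this paragraph has in mind is a cross-view comparison done from outside the guest: the guest's own file APIs produce one view of its filesystem, the host reads the guest's disk directly and produces another, and anything the two views disagree on is evidence of hiding or tampering. The script below is an added example, not code from the original post and not RootkitRevealer's own logic; the file names, the two simulated hook behaviours, and the dict standing in for a read-only mount of the guest's disk image are all constructed for illustration.

```python
"""Cross-view rootkit detection run from the host against a guest's disk.

Added example (not from the original post). The guest view is what a hooked
kernel inside the VM reports; the host view is what the host sees when it
reads the guest's disk image itself. Both are constructed sample data here.
"""
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class Entry:
    path: str
    size: int
    sha256: str


def entry_for(path: str, data: bytes) -> Entry:
    return Entry(path, len(data), hashlib.sha256(data).hexdigest())


# Constructed sample: the guest's disk as the host reads it. In a real
# deployment this would come from mounting the guest image read-only on the
# host, using a filesystem parser the guest kernel never gets to run.
HOST_DISK = {
    "/windows/system32/ntoskrnl.exe": b"original kernel image (sample)",
    "/windows/system32/drivers/tcpip.sys": b"tcpip driver with injected hook (sample)",
    "/windows/system32/drivers/evilhide.sys": b"rootkit driver body (sample)",
    "/windows/temp/readme.txt": b"hello",
}


def host_view() -> dict[str, Entry]:
    """Out-of-VM view: every file on the guest disk, hashed by the host."""
    return {p: entry_for(p, d) for p, d in HOST_DISK.items()}


def guest_view_with_rootkit(hidden_prefix: str = "evilhide") -> dict[str, Entry]:
    """In-VM view as reported by a hooked guest kernel (constructed behaviour).

    The simulated hook (1) drops directory entries whose name starts with a
    prefix and (2) answers reads of the driver it patched on disk with the
    pristine bytes, so an in-guest scanner sees nothing wrong.
    """
    view: dict[str, Entry] = {}
    for path, data in HOST_DISK.items():
        name = path.rsplit("/", 1)[-1]
        if name.startswith(hidden_prefix):
            continue  # directory-listing hook filters this entry out
        if name == "tcpip.sys":
            data = b"original tcpip driver (sample)"  # read hook hides the patch
        view[path] = entry_for(path, data)
    return view


def cross_view_diff(guest: dict[str, Entry], host: dict[str, Entry]) -> dict[str, list[str]]:
    """Compare the two views and classify every discrepancy."""
    hidden = sorted(p for p in host if p not in guest)       # on disk, not reported
    phantom = sorted(p for p in guest if p not in host)      # reported, not on disk
    tampered = sorted(
        p for p in guest if p in host and guest[p].sha256 != host[p].sha256
    )                                                        # content differs
    return {"hidden": hidden, "phantom": phantom, "tampered": tampered}


def scan() -> dict[str, list[str]]:
    """Run the cross-view check on the constructed sample data."""
    return cross_view_diff(guest_view_with_rootkit(), host_view())


if __name__ == "__main__":
    for kind, paths in scan().items():
        print(f"{kind}: {paths or '-'}")
```

On the sample data the scan reports `evilhide.sys` as hidden and `tcpip.sys` as tampered. The point of doing this from the host rather than inside the guest is that the guest kernel's hooks never sit between the scanner and the disk; the host still has to parse the guest filesystem with its own code, and that independent code path is exactly the "no more monoculture" property the post is after.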

As someone who has suffered from the complicated testing matrices presented by OS * browser * JVM * (etc), this idea has a lot of appeal.

Note that IBM recently revealed that they'd been working on a Xen-like hypervisor. Lost in the shuffle was a mention that they're also working on a security hypervisor, which may implement the aforementioned scheme (not sure from the marketecture overview).
11:46:18 PM

Win4lin follow-up

Rockford Lhotka has a prediction for the future of Windows:

  • ...Then DOS was emulated in Windows.
  • Then there was .NET which ran on Windows.
  • Then Windows was emulated in .NET.

Interestingly, Win4lin has something called AppWrapper mode where you can "wrap" a Windows application in an instance of Windows, so that when you launch it from Linux you only see the application's UI (not the underlying Windows 9x instance), so you can't tell it's not running natively:

    A nice feature, which is hidden somewhere on the Netraverse site, is the Appwrapper program (this can be found under "Miscellaneous Files" in the member account screen). By replacing the default "explorer.exe" with appwrapper in system.ini, with an application as a parameter, the specified application will run in a Window on the desktop, as if it were a stand-alone Linux application.

It's architecturally very similar to what Rockford describes above -- instead of the .NET VM you have an entire instrumented OS instance as your VM. Although pretty wasteful from a resource perspective, I think Moore's Law and imminent multicore CPUs ultimately make the difference between the approaches pretty minor. I'm still hoping coLinux evolves to provide this type of solution for Linux apps looking to deploy in the other direction.
8:12:40 PM

EPIC on combatting data theft (via Schneier)

    In conjunction with the universal notice, the FTC shall develop a centralized mechanism for people to exercise their rights with respect to their personal information. Such a mechanism would mimic the Do Not Call website, which allows individuals to opt-out of telemarketing and verify their enrollment by visiting a single website.

Great stuff.

In some ways I hope the data theft problem continues to get worse, because then extreme legislative measures (aka sensible ones) will have a greater chance of getting through.
8:08:28 PM

© Copyright 2005 John Sequeira.