whether or not others have already created these types of things is irrelevant - you have contributed to the problem by making more of them and by making it easier for people who don't know how to make them themselves to find one they can modify for their own ends...

So in your eyes, every security researcher who releases a POC is part of the problem?

What about companies like eeye? They released a boot sector rootkit with full sourcecode, which is somewhat more harmful that an ircbot that can only say "Hello I am a KernelBot"...

i didn't say every researcher who releases a POC is part of the problem... i do, in fact, believe that full disclosure is a good thing for certain classes of vulnerabilities...

if you look at the underlying assumptions of the arguments for full disclosure i think you'll find that one of those assumptions is that the vulnerability in question is correctable - that it is the result of some mistake that is both fixable and avoidable should we manage to learn from our mistakes... full disclosure in such a case places pressure on those in a position to correct the problem and raises awareness of that class of mistake so that everyone can benefit and improve the systems they are creating/working on...

unfortunately, not all vulnerabilities are created equally - some are inherent to the fundamental building blocks of the system suffering from the vulnerability, and some aren't even technological in nature... we don't necessarily benefit from the full disclosure of these sorts of vulnerabilities...

malware, in general, does not represent a correctable vulnerability and with the advent of 'rootkits' that virtualize the hardware layer and run the OS inside of that it should be clear to most people that 'rootkits' and stealth techniques in general also do not represent correctable vulnerabilities...

and yes, if eeye released a 'rootkit' they were being part of the problem too... and why shouldn't they be part of the problem... if SANS' internet storm center can host and distribute malware, why not eeye...

of course, just because everyone else drops their garbage in the street doesn't mean you should too...

well, i can respect your view on the matter, but my personal view is that by bringing these types of technologies out into the open, we:

a) are at least aware that the problem is real and current (rather than a speculative view - e.g. what if video cards could be used by rootkits, which no security firm takes seriously, since no POC exists);

b) do not lead people to believe they are safe, when actually the "underground scene" is using these techniques unchecked by the security community.

You are correct that this does help some people, but they are the "script kiddies" of the world, who never pose the main threat. It is the more sophisticated cybercriminals that we need to be worried about.

well, the world is not fare right ???

i think is interesting how people can blame other people just because a source code of something was released, when every day source codes and exploits somes 0day are out there.

i think all kind of this codes should be public, just a few people understand that this codes, and other codes help kernel and OS developers create a better and secure OS.

kurt wismer, we are talking about a ircbot, could be anything else, but if you want justice, maybe trie first with big things like microsoft and IE flaws, or if you realy want the perfect justice to finish with security problems, please just dont use a pc to have important and confidential documents, just put them on the paper and not in a compeuter, or better dont use a compeuter.

we discuss a ethic problem about source codes of some ircbots and in africa they just want to drink some water and eat some rice to not die!!! so what we are realy bored about this problems with ircbots and stuff... ffs

Sorry but this IRCBot is not panacea against good firewalls like Zone Alarm, Outpost etc whick monitor traffic not only at TDI layer but at NDIS layer as well.
Vice versa, if such firewall is installed on PC, this bot definitely WILL NOT WORK. Firewall will see - some NDIS packet without maching TDI request - it will block it.
Let's imagine following situation: I want to install bot on PC but I don't know is such firewall installed there or not. That's why I won't use this bot in this case.
Sad but true. Firewall problem is still remains undecided.

I'm impressed by the negative feedback on your articles, I'm not a kernel programmer my self, but I do enjoy seeing how things work at the low level

I encourage you to continue to develop these applications

one thing i'd like to mention...kurt - so i suppose you think the existence of rootkit.com is plainly wrong?

Let's think about this a second, what if Greg Hogland had never setup the site, then blackhats would still have rootkits, but we would not really know much about them...then we could never have developed the powerful rootkit detectors that exist today...

so would the world really be a safer place had rootkit.com never existed?

Hi,

I would have said @ one time that realising POC's + exploits etc wasn't a good idea. But i also, now believe it's Much better to have these out in the open, so people skilled in the art can examine them and make Antis etc for them.

I've also heard about how uncooperative some, like MS for eg, can be when approached directly with exploits etc. If they and others were Much more receptive and responded more quickly and were more appreciative, they wouldn't all have as many OPEN vulnerabilities/problems as they have and keep getting.

-

I wonder how well this is supposed to work - VideoCardKit - https://www.rootkit.com/project.php?id=19 - It appears to be more than just POC ?

And there are ones out there for the BIOS too !

Spanner

Codecrypter 0.31 been added to KAV :-(
when will be next realese?

Hmmm interesting discussion going on here.

I still see one big flaw in Kurt his way of representing this as a "non-fixable-problem". Cause that is totally not true.

The bit about persons asking for non detectable versions of this is normal since the weak will always relong on the strong to make them theire tools, even if the strong intended it only as poc of some sort of technique.

Now for the bit where I said that Kurt represented the problem wrong.

Let's take a look at rootkit history in big lines:

- There where rootkits --- accidentally a admin discovered it
- There where more advanced rootkits --- a few security specialists knew about it
- A site was setup to inform --- a lot of security specialists knew about it, and some "less-good-intention-guys"
- There are tutorials,example kits,easy to use code --- Lots of malware,kiddies etc using them and FINALLY the OS makers are starting to worry about them.

Now what does this show us?

That just like an exploit,you need pressure so that the patch is released. The problem with rootkits is that since they are not a exploit on themself and only usefull after you have gained access to te system. They are not seen as a real thread.

Meaning at that point you can consider rootkits like a zero-day exploit since, most manufacteres who know about it, ignore it cause of it not beeing widespread and the ones who don't know about it have a false sense of security.

So for the rootkit dilemma it has just take some more attentions to make OS makers more aware of the fact that rootkits actually dangerous. Now finally with Vista and the linux 2.6 latest it's getting harder and harder to have a fully working rootkit. I don't say it's impossible, but for the masses that only, download,compile,execute. It's going to be a no-go to use the rootkits.

Why is that you say ,since rootkit makers will overcome those problem and present a new version? Cause more and more of the rootkit makers are just legit people trying to expose a problem so more often there will be mistakes in the public released exploits just enough to make sure compiling is a hell, or it just misses a piece that they explained.

Also it's not only the OS makers that are finally applying the patch we all have waited for so long. It are also the cpu makers that are finally searching for ways to stop them. Intel has recently announced beeing busy with investigation how they can preven rootkits from taking over.

So after all you can consider this EXACTLY like an exploit.

- It's dangerous
- It shows there is a problem in this case a designing problem.
- There is a window in which victims are exposed
- After some time there has been enough pressure build
- vendors of the vulnerable software are making and publishing the patch.

You could say the window of danger is to big for victims. But this is not a point of discussion since there are alot of ring3 and normal applications with big remote exploits that are not fixed.

Sorry for my bad english, I'm no native english speaker.

Tibbar,
full disclosure is the key. Keep up the good work.
regards
Steo

Hello,

Just a few words about my own experience.
When I released NtIllusion rootkit in phrack 62, I got lot's of commentaries ranging from "uninteresting" to "you stole the source to x". Fortunately the no-disclosure debate was not as burning as it is today and I had no problem on this side. I was however shocked by the fact that people criticize things that are proposed 100% free.

Anyway, I learnt something. Don't hesitate to publish (as long as you abide by law of course). There will always be discontent persons and they will always make much more noise than others.

You can't stop people from complaining, but you can make people complain elsewhere. Maybe that locking comments is the key.

To end up, I have to say that I appreciate your code.
The "educational purpose" label is not a cover. One can learn how to make weapons without firing a single bullet.
Of course this kind of code speeds up the malware developping process. But honestly, for a motivated and skilled person, there is no difference between a 7 days and 7 months trip in rootkit devlopment.

Regards,
Kdm.

NB: is there a single place to define KERNELMODE for all source files?

you can define KERNELMODE via the visual studio build settings for the kernel mode build. If you are using DDK, then you will need to add another header file to all .c's in which you can define it.

Please Update!
We love your posts!

You should definately post some more stuff like this because it is usefull for enthusiasts it is too complicated for script kiddies and it is already known by regular criminal hackers so I think you shouldn't worry about this ... I mean other people post shopping cart software sql injection 0day's that even idiots can use(most of the time they only have to copy paste it) and they have fewer moral dillemas than you seem to have.

but my question is since modern desktop firewalls like zonealarm outpost and kerio don't allow the installation of drivers what use is all of this to a would be attacker? zone alarm will just prompt the user if he wants to install the driver and if not