What comes next?

« Kernel Mode Ircbot | update »

What comes next?

by tibbar @ 2006-04-11 – 22:07:40

Well, I was quite surprised by the amount of interest that has been shown in the POC kernelmode ircbot.

So what should come next? Should I continue to develop these kind of kernelmode applications, or is it a bad thing that these come out in the public?

I've seen feedback positive and negative, the arguments against mainly along the lines that malware will become nastier as a result of this code being published...I take an issue with this view.

Ok, so I could have kept this quiet or not have even bothered to write it...but let's get this in perspective. I am a single person in this rather large world, and probably not more than average skilled in kernel mode programming (I'm pretty good in writing usermode applications, but am purely a hobbyist kernel mode programmer).

So, if I can write this POC, you are guaranteed that the full time professional spyware writers, black hat hackers etc are more than capable of this - and I would wager this type of kernel mode application already exists in the wild.

Now, what's better? I keep quiet, and we can all pretend to be safe? (while cybercriminals use this technology in secret...). Or, I should publish every idea and POC I can think of, and share this knowledge with the security community?

I personally favour this being out in the open, as it means the anti-virus and firewall companies can research this type of threat and develop technologies to protect the end user.

This is the general argument for "full disclosure" and I think most will agree it is a policy that works.

I therefore have no moral issues with proceeding with further related research and will be 100% open with the results.

The kernel ircbot was a client network application, the next step will be to write a server network application within the kernel, and I think it will be called "KFtp".

See you next time,

Tibbar.
Options:

25 Comments to What comes next?

Hide subcomments

- kurt wismer (Visitor)
- http://anti-virus-rants.blogspot.com/
- 2006-04-11 @ 22:49:30
whether or not others have already created these types of things is irrelevant - you have contributed to the problem by making more of them and by making it easier for people who don't know how to make them themselves to find one they can modify for their own ends...
- Reply to comment
- Permalink
- tibbar
- 2006-04-11 @ 23:39:24
So in your eyes, every security researcher who releases a POC is part of the problem?

What about companies like eeye? They released a boot sector rootkit with full sourcecode, which is somewhat more harmful that an ircbot that can only say "Hello I am a KernelBot"...
- Reply to comment
- Permalink
- kurt wismer (Visitor)
- http://anti-virus-rants.blogspot.com
- 2006-04-12 @ 03:40:47
i didn't say every researcher who releases a POC is part of the problem... i do, in fact, believe that full disclosure is a good thing for certain classes of vulnerabilities...

if you look at the underlying assumptions of the arguments for full disclosure i think you'll find that one of those assumptions is that the vulnerability in question is correctable - that it is the result of some mistake that is both fixable and avoidable should we manage to learn from our mistakes... full disclosure in such a case places pressure on those in a position to correct the problem and raises awareness of that class of mistake so that everyone can benefit and improve the systems they are creating/working on...

unfortunately, not all vulnerabilities are created equally - some are inherent to the fundamental building blocks of the system suffering from the vulnerability, and some aren't even technological in nature... we don't necessarily benefit from the full disclosure of these sorts of vulnerabilities...

malware, in general, does not represent a correctable vulnerability and with the advent of 'rootkits' that virtualize the hardware layer and run the OS inside of that it should be clear to most people that 'rootkits' and stealth techniques in general also do not represent correctable vulnerabilities...

and yes, if eeye released a 'rootkit' they were being part of the problem too... and why shouldn't they be part of the problem... if SANS' internet storm center can host and distribute malware, why not eeye...

of course, just because everyone else drops their garbage in the street doesn't mean you should too...
- Reply to comment
- Permalink
- tibbar
- 2006-04-12 @ 06:52:50
well, i can respect your view on the matter, but my personal view is that by bringing these types of technologies out into the open, we:

a) are at least aware that the problem is real and current (rather than a speculative view - e.g. what if video cards could be used by rootkits, which no security firm takes seriously, since no POC exists);

b) do not lead people to believe they are safe, when actually the "underground scene" is using these techniques unchecked by the security community.

You are correct that this does help some people, but they are the "script kiddies" of the world, who never pose the main threat. It is the more sophisticated cybercriminals that we need to be worried about.
- - kurt wismer (Visitor)
  - http://anti-virus-rants.blogspot.com/
  - 2006-04-12 @ 14:41:14
  a) is anyone in the computer security field NOT aware that hooking into the kernel is possible or that you can put just about any functionality you want into a driver? because if so, they don't belong in the computer security field...
  
  b) most people are going to believe they're safe no matter how many POCs you release... much of the public is ignorant of the finer points of security and have been trained by the media to think of POCs as not representing real threats...
  
  and don't underestimate the script kiddies - they are legion, and the only thing that makes a cybercriminal sophisticated is the tools s/he uses... the most obvious application of a kernel mode ircbot is improving the stealth capabilities for kernel mode rootkit botnets, which certainly increases the sophistication of the tools available to the script kiddies...
  - Reply to comment
  - Permalink
- ncosta (Visitor)
- 2006-04-12 @ 13:36:23
well, the world is not fare right ???

i think is interesting how people can blame other people just because a source code of something was released, when every day source codes and exploits somes 0day are out there.

i think all kind of this codes should be public, just a few people understand that this codes, and other codes help kernel and OS developers create a better and secure OS.

kurt wismer, we are talking about a ircbot, could be anything else, but if you want justice, maybe trie first with big things like microsoft and IE flaws, or if you realy want the perfect justice to finish with security problems, please just dont use a pc to have important and confidential documents, just put them on the paper and not in a compeuter, or better dont use a compeuter.

we discuss a ethic problem about source codes of some ircbots and in africa they just want to drink some water and eat some rice to not die!!! so what we are realy bored about this problems with ircbots and stuff... ffs
- - kurt wismer (Visitor)
  - http://anti-virus-rants.blogspot.com/
  - 2006-04-12 @ 14:50:33
  you're basically saying there are bigger problems out there... that, however, does not mean we should ignore the small problems...
  
  nor does the fact that lots of other people are releasing malware mean it's ok for people to do so... lots of people drop their garbage on the street too, but that doesn't make it ok...
  
  and for the record, just because i'm here posting comments on this blog doesn't mean i'm not paying attention to the bigger problems as well...
  - Reply to comment
  - Permalink
- crash override (Visitor)
- http://www.cia.org
- 2006-04-12 @ 14:31:30
Sorry but this IRCBot is not panacea against good firewalls like Zone Alarm, Outpost etc whick monitor traffic not only at TDI layer but at NDIS layer as well.
Vice versa, if such firewall is installed on PC, this bot definitely WILL NOT WORK. Firewall will see - some NDIS packet without maching TDI request - it will block it.
Let's imagine following situation: I want to install bot on PC but I don't know is such firewall installed there or not. That's why I won't use this bot in this case.
Sad but true. Firewall problem is still remains undecided.
- Reply to comment
- Permalink
- Eber Irigoyen (Visitor)
- http://ebersys.blogspot.com/
- 2006-04-12 @ 18:29:55
I'm impressed by the negative feedback on your articles, I'm not a kernel programmer my self, but I do enjoy seeing how things work at the low level

I encourage you to continue to develop these applications
- Reply to comment
- Permalink
- tibbar
- 2006-04-12 @ 22:58:54
one thing i'd like to mention...kurt - so i suppose you think the existence of rootkit.com is plainly wrong?

Let's think about this a second, what if Greg Hogland had never setup the site, then blackhats would still have rootkits, but we would not really know much about them...then we could never have developed the powerful rootkit detectors that exist today...

so would the world really be a safer place had rootkit.com never existed?
- - kurt wismer (Visitor)
  - http://anti-virus-rants.blogspot.com
  - 2006-04-13 @ 04:51:26
  yes, rootkit.com is wrong on so many levels, but that discussion is for another time, i think...
  
  however, the idea that the makers of security software wouldn't get samples of 'rootkits' without them being published for all to see on the web is absurd... you need only look at the anti-virus industry to see how false that is... the anti-virus vendors regularly get samples straight from the virus' creator or people in the creator's circle of friends... not to mention the fact that people do manage to discover these things without the aid of specialized virus detection tools and then send what they find to the vendors...
  
  think 'rootkits' are different because the 'hide' themselves? wrong - viruses have been using stealth techniques for longer than 'rootkits' have been around.. in fact, stealth techniques have been applied to virtually every type of malware there is... and some of the practices that developed as a means of bypassing stealth in viruses works just as well for 'rootkits'...
  
  oh, and those powerful 'rootkit' detectors? they aren't all that... by and large they rely on the 'rootkit' to be active and to be hiding itself in a flawed (and therefore detectable) manner... that is a strategic mistake in the anti-malware field - if the malware is allowed to run on the actual system there are all sorts of self-defense mechanisms it can use to ultimately defeat the security app... the code that gets control first wins unless it can't retain that control and allowing malware to run gives up that control...
  
  now as far as the world being a safer place without rootkit.com - publication of exploit code does a couple of things, it raises awareness of the vulnerability, it places pressure on those who can fix the problem to do so, and it maximizes the risk for everyone while the window of exposure is left open (this is where the pressure on the vendor comes from)... so you tell me, what does publishing an exploit for a vulnerability that can't be corrected do? does it hasten the closure of the window of exposure? obviously not in theory, nor in practice since not only are 'rootkits' just as possible now as they were in the beginning but microsoft has actually thrown up their hands in defeat on the issue of 'rootkits'... does it still maximize the risk? you betcha - just look at all the malware in the wild based on hacker defender...
  - Reply to comment
  - Permalink
- SpannerITWks (Visitor)
- 2006-04-12 @ 23:05:06
Hi, I would have said @ one time that realising POC's + exploits etc wasn't a good idea. But i also, now believe it's Much better to have these out in the open, so people skilled in the art can examine them and make Antis etc for them. I've also heard about how uncooperative some, like MS for eg, can be when approached directly with exploits etc. If they and others were Much more receptive and responded more quickly and were more appreciative, they wouldn't all have as many OPEN vulnerabilities/problems as they have and keep getting. - I wonder how well this is supposed to work - VideoCardKit - https://www.rootkit.com/project.php?id=19 - It appears to be more than just POC ? And there are ones out there for the BIOS too ! Spanner
- Reply to comment
- Permalink
- Fan (Visitor)
- 2006-04-13 @ 12:59:17
Codecrypter 0.31 been added to KAV :-(
when will be next realese?
- - kurt wismer (Visitor)
  - http://anti-virus-rants.blogspot.com/
  - 2006-04-13 @ 16:36:06
  my, what an interesting question...
  
  interesting because it reveals it's motive...
  
  wah! the av programs detect the current version - make me a new undetectable version so i can get past av programs, please...
  
  no questions about when new features will be ready, or if there are new concepts the next version will prove, just a statement that the current version is getting detected by kav (and so is no longer useful) and when will the next version be coming...
  
  still think you're fighting the good fight, tibbar?
  - - black hat (Visitor)
    - http://www.blackhatpublications.com
    - 2006-06-27 @ 08:29:49
    Yes, not only is it possible but black hat guys already were doing it months ago
    - Reply to comment
    - Permalink
- DiabloHorn (Visitor)
- http://www.kd-team.com
- 2006-04-16 @ 13:08:11
Hmmm interesting discussion going on here.

I still see one big flaw in Kurt his way of representing this as a "non-fixable-problem". Cause that is totally not true.

The bit about persons asking for non detectable versions of this is normal since the weak will always relong on the strong to make them theire tools, even if the strong intended it only as poc of some sort of technique.

Now for the bit where I said that Kurt represented the problem wrong.

Let's take a look at rootkit history in big lines:

- There where rootkits --- accidentally a admin discovered it
- There where more advanced rootkits --- a few security specialists knew about it
- A site was setup to inform --- a lot of security specialists knew about it, and some "less-good-intention-guys"
- There are tutorials,example kits,easy to use code --- Lots of malware,kiddies etc using them and FINALLY the OS makers are starting to worry about them.

Now what does this show us?

That just like an exploit,you need pressure so that the patch is released. The problem with rootkits is that since they are not a exploit on themself and only usefull after you have gained access to te system. They are not seen as a real thread.

Meaning at that point you can consider rootkits like a zero-day exploit since, most manufacteres who know about it, ignore it cause of it not beeing widespread and the ones who don't know about it have a false sense of security.

So for the rootkit dilemma it has just take some more attentions to make OS makers more aware of the fact that rootkits actually dangerous. Now finally with Vista and the linux 2.6 latest it's getting harder and harder to have a fully working rootkit. I don't say it's impossible, but for the masses that only, download,compile,execute. It's going to be a no-go to use the rootkits.

Why is that you say ,since rootkit makers will overcome those problem and present a new version? Cause more and more of the rootkit makers are just legit people trying to expose a problem so more often there will be mistakes in the public released exploits just enough to make sure compiling is a hell, or it just misses a piece that they explained.

Also it's not only the OS makers that are finally applying the patch we all have waited for so long. It are also the cpu makers that are finally searching for ways to stop them. Intel has recently announced beeing busy with investigation how they can preven rootkits from taking over.

So after all you can consider this EXACTLY like an exploit.

- It's dangerous
- It shows there is a problem in this case a designing problem.
- There is a window in which victims are exposed
- After some time there has been enough pressure build
- vendors of the vulnerable software are making and publishing the patch.

You could say the window of danger is to big for victims. But this is not a point of discussion since there are alot of ring3 and normal applications with big remote exploits that are not fixed.

Sorry for my bad english, I'm no native english speaker.
- - kurt wismer (Visitor)
  - http://anti-virus-rants.blogspot.com
  - 2006-04-17 @ 03:31:46
  I still see one big flaw in Kurt his way of representing this as a "non-fixable-problem". Cause that is totally not true.
  
  oh really? let's take a closer look at that, shall we?
  
  i take as a given that any hardware conforming to a general purpose computing platform can support either hardware virtualization or emulation or both... any operating system running within an emulated/virtualized environment can be manipulated by that virtualization layer so as to report false results to the user and to other applications running on that OS... therefore, at the very least the ability to support VM 'rootkits' is inherent to the general purpose computing platform - therefore it cannot be corrected...
  
  what about other kinds of 'rootkits' though? let's say, just for kicks, that windows didn't fundamentally depend on the existence of kernel hooks and microsoft did away with them - that would still leave open the method used by classical rootkits... if you can't hook the kernel, replace it entirely with a trojanized version... there's no way to prevent that either - you have to be able to replace the kernel if/when you're updating the OS...
  
  under hoglund's definition of 'rootkit', hiding itself and other processes and activities all boils down to tricking the user into believing that the false results returned by illegitimate code are true results returned by legitimate code - there is no way to prevent that in the general sense... rootkits are 'non-fixable'...
  
  So for the rootkit dilemma it has just take some more attentions to make OS makers more aware of the fact that rootkits actually dangerous.
  
  ummm, hello? microsoft not only recognizes the fact that 'rootkits' are dangerous, they've admitted defeat...
  
  So after all you can consider this EXACTLY like an exploit.
  
  - It's dangerous
  - It shows there is a problem in this case a designing problem.
  - There is a window in which victims are exposed
  - After some time there has been enough pressure build
  - vendors of the vulnerable software are making and publishing the patch.
  
  excuse me but, the window of exposure has been open for more than 10 years... this is not something that is ever going to be patched, stop deluding yourself...
  - Reply to comment
  - Permalink
- Steo (Visitor)
- http://www.antirootkit.com
- 2006-04-16 @ 14:51:20
Tibbar,
full disclosure is the key. Keep up the good work.
regards
Steo
- - kurt wismer (Visitor)
  - http://anti-virus-rants.blogspot.com
  - 2006-04-17 @ 03:35:53
  full disclosure in all things is a foolish consistency... you know what ralph waldo emerson said about a foolish consistency, don't you?
  - - Yorn (Visitor)
    - 2006-05-20 @ 01:42:21
    How is it a "foolish consistency"?
    
    You either believe one extreme or another. Information should be private, therefore all information is private, or information should be public, therefore all information is public. There is no middleground. No matter how hard you fight for a middleground there will always be dissent, if your goal is to eliminate dissent, then you must pick a side now.
    
    The reason why full-disclosure works is the incapable of coping are weeded out. In other words, those corporations, governments, individuals who are unable to perform (ie protect) will be unable to keep up and will inevitably be lost. It's sort of like letting the weak die in a pack of wolves, a den of lions, I could go on and on.
    
    Keeping the information private allows festering buffoons to shape policy and determine what information is fit to be consumed by the public. This is not ideal for actually advancing society.
    
    Likewise, this type of exe modification and kernel releasing that tibbar is doing is ensuring that the anti-virus companies will no longer be complacent. It's ensuring that the leaders in AV technology (like Kaspersky) will continue to evolve. This works for the better for everyone.
    
    But, as tibbar has stated, other reputable organizations have released far more damaging work than him, so little of this matters. The way I see it is, if you want to keep information private, then keep it private, but if it gets out, don't expect some governing authority to enforce that it stays quiet, just chalk it up as a loss and move on.
    - - kurt wismer (Visitor)
      - http://anti-virus-rants.blogspot.com/
      - 2006-06-19 @ 17:00:41
      How is it a "foolish consistency"?
      
      You either believe one extreme or another.
      
      that too is a foolish consistency... there is plenty of space in between the two extremes... for some things the pros outweigh the cons and for others they don't and ignoring that simple truth in favour of either extreme is a foolish consistency...
      
      The reason why full-disclosure works is the incapable of coping are weeded out. In other words, those corporations, governments, individuals who are unable to perform (ie protect) will be unable to keep up and will inevitably be lost. It's sort of like letting the weak die in a pack of wolves, a den of lions, I could go on and on.
      
      the reason that your logic fails is because it ignores the fact that some vulnerabilities are inherent at a very fundamental level rather than being the result of a mistake or failure on the part of corporations, governments or individuals...
      
      Likewise, this type of exe modification and kernel releasing that tibbar is doing is ensuring that the anti-virus companies will no longer be complacent. It's ensuring that the leaders in AV technology (like Kaspersky) will continue to evolve. This works for the better for everyone.
      
      that is absurd... lets find a new way to do something bad so that those who protect people don't rely on stopping the old way... that doesn't help people, it creates new threats and hopes the folks who are protecting them will actually do something about it in a timely fashion - as if they didn't have enough work dealing with the real bad guys... av companies deal with 60-70 new pieces of malware each day, they aren't complacent, and they don't need so-called security researchers to create new attacks for the bad guys to use...
      
      The way I see it is, if you want to keep information private, then keep it private, but if it gets out, don't expect some governing authority to enforce that it stays quiet, just chalk it up as a loss and move on.
      
      and the way i see it, so-called whitehats shouldn't be helping the bad guys...
      - Reply to comment
      - Permalink
- Kdm (Visitor)
- http://syshell.org
- 2006-04-17 @ 19:26:57
Hello,

Just a few words about my own experience.
When I released NtIllusion rootkit in phrack 62, I got lot's of commentaries ranging from "uninteresting" to "you stole the source to x". Fortunately the no-disclosure debate was not as burning as it is today and I had no problem on this side. I was however shocked by the fact that people criticize things that are proposed 100% free.

Anyway, I learnt something. Don't hesitate to publish (as long as you abide by law of course). There will always be discontent persons and they will always make much more noise than others.

You can't stop people from complaining, but you can make people complain elsewhere. Maybe that locking comments is the key.

To end up, I have to say that I appreciate your code.
The "educational purpose" label is not a cover. One can learn how to make weapons without firing a single bullet.
Of course this kind of code speeds up the malware developping process. But honestly, for a motivated and skilled person, there is no difference between a 7 days and 7 months trip in rootkit devlopment.

Regards,
Kdm.

NB: is there a single place to define KERNELMODE for all source files?
- Reply to comment
- Permalink
- tibbar
- 2006-04-17 @ 20:51:46
you can define KERNELMODE via the visual studio build settings for the kernel mode build. If you are using DDK, then you will need to add another header file to all .c's in which you can define it.
- Reply to comment
- Permalink
- kurt wismer (Visitor)
- http://anti-virus-rants.blogspot.com
- 2006-06-13 @ 02:29:02
Please Update!
We love your posts!
- Reply to comment
- Permalink
- para (Visitor)
- 2007-02-21 @ 23:07:00
You should definately post some more stuff like this because it is usefull for enthusiasts it is too complicated for script kiddies and it is already known by regular criminal hackers so I think you shouldn't worry about this ... I mean other people post shopping cart software sql injection 0day's that even idiots can use(most of the time they only have to copy paste it) and they have fewer moral dillemas than you seem to have.

but my question is since modern desktop firewalls like zonealarm outpost and kerio don't allow the installation of drivers what use is all of this to a would be attacker? zone alarm will just prompt the user if he wants to install the driver and if not
- Reply to comment
- Permalink

Reflecting on better times
by tibbar on 2008-07-21 – 20:25:10
CodeCrypter 1 Year On
by tibbar on 2006-12-26 – 01:43:20
Hooking drivers
by tibbar on 2006-12-22 – 17:42:56
linux server framework
by tibbar on 2006-10-19 – 23:13:23
ReactOS
by tibbar on 2006-07-15 – 22:31:13
update
by tibbar on 2006-06-18 – 23:31:25
What comes next?
by tibbar on 2006-04-11 – 22:07:40
Kernel Mode Ircbot
by tibbar on 2006-04-06 – 20:00:27
codeCrypter next release plans
by tibbar on 2006-03-31 – 16:16:51
jotti scan
by tibbar on 2006-03-23 – 13:59:00

25 Comments to What comes next?

Leave a comment (Login)