I mentioned in other blogs that, cooperatively, I run a good-sized pseudo-grid honeypot with some other folks all over the world to increase our skill sets and research the temperature of the hacking community. We see all kinds of great stuff out there. Recently, I have noticed a real spike in rootkits in the United States.
Detecting rootkits is bad enough, but to also remove them, well, I hope you packed a lunch. The problem with rootkits is that they tend to hook into system calls to hide themselves: once the call that enumerates processes, files, registry keys or ports is hooked, every tool that asks the operating system through that call gets a filtered answer. Unlike most bots and viruses, which run as ordinary executable code and are fairly easy to check for and destroy with a signature-based scanner, rootkits offer a challenge to any security researcher or network administrator, because the scanner itself is relying on the API the rootkit controls.
When it comes to a rootkit, for me, the best method is to look at system calls. Now, folks that have watched nearly any episode of TechWiseTV know that I am a huge fan of Cisco CSA, mainly because I have really beat up that product in my own testing/reversing. I also run it in the wild on one of my sensors and it holds its own against the world. I wanted to focus on some of the other tools out there that help when things tend to slip by...like on a Sony CD...
anyway....
I have been testing IceSword http://www.antirootkit.com/software/IceSword.htm and I am impressed with the functionality of this Chinese-written program. (yeah, scared me too at first...) This is a kernel-level tool, and I found that out real quick when I tried to use my kernel debugger with it. My system crashed faster than a Lotus on the sensitive setting in Need For Speed Underground. IceSword really acts as a kernel proxy, so any action you take here is just like the kernel would do it, but it is that flexibility that makes it more powerful than Blacklight or Rootkit Revealer. By enumerating services, reg keys, processes, ports, etc., I have been able to circumvent a majority of the hiding methods employed by rootkits (Klish, SinAR, BlueB8, etc.), plus it diffs the view returned by the high-level API calls a rootkit prefers to hook against the view from the low-level calls a rootkit does not normally bother with.
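The diffing idea in that last sentence is what the anti-rootkit crowd calls cross-view detection, and it is worth seeing the logic on its own. The block below is an added example, not code from IceSword or from this post: it takes two enumerations of the same kind of object (the "high" view a rootkit tends to hook, such as a Toolhelp process snapshot, RegEnumKeyEx or GetTcpTable, and the "low" view it usually leaves alone, such as walking kernel structures, brute-forcing PIDs with OpenProcess or parsing the hive file directly) and reports what only the low view can see. It also repeats the diff across snapshots, because a process that starts or exits between the two enumerations shows up in one view only and would otherwise be a false positive. All process names, PIDs, ports and key paths are constructed for illustration; a real tool would fill the views from the host.

```python
"""Cross-view rootkit detection over constructed sample data.

Added example (not IceSword's code). Enumerate the same objects through the
high-level API path a rootkit typically hooks and through a low-level path it
usually does not, then diff the two views. Objects visible only in the
low-level view are candidate hidden objects.
"""
from collections import Counter

# One snapshot = both views of each object kind, taken at about the same
# moment. Constructed sample data; a real tool fills these from the host.
SNAPSHOTS = [
    {
        "process": {
            "high": {4: "System", 592: "svchost.exe", 1312: "explorer.exe"},
            # 1788 is hidden by a hook. 3044 is a short-lived cmd.exe that
            # exited between the two enumerations: visible in the low view
            # of this snapshot only, so a single diff would flag it wrongly.
            "low": {4: "System", 592: "svchost.exe", 1312: "explorer.exe",
                    1788: "srvx.exe", 3044: "cmd.exe"},
        },
        "port": {
            "high": {("tcp", 135), ("tcp", 445)},
            "low": {("tcp", 135), ("tcp", 445), ("tcp", 31337)},
        },
        "regkey": {
            "high": {r"HKLM\SYSTEM\CurrentControlSet\Services\Dhcp"},
            "low": {r"HKLM\SYSTEM\CurrentControlSet\Services\Dhcp",
                    r"HKLM\SYSTEM\CurrentControlSet\Services\srvx"},
        },
    },
    {
        "process": {
            "high": {4: "System", 592: "svchost.exe", 1312: "explorer.exe"},
            "low": {4: "System", 592: "svchost.exe", 1312: "explorer.exe",
                    1788: "srvx.exe"},
        },
        "port": {
            "high": {("tcp", 135), ("tcp", 445)},
            "low": {("tcp", 135), ("tcp", 445), ("tcp", 31337)},
        },
        "regkey": {
            "high": {r"HKLM\SYSTEM\CurrentControlSet\Services\Dhcp"},
            "low": {r"HKLM\SYSTEM\CurrentControlSet\Services\Dhcp",
                    r"HKLM\SYSTEM\CurrentControlSet\Services\srvx"},
        },
    },
]


def _as_items(view):
    """Normalise a view to a set of hashable items (dicts become (key, value) pairs)."""
    return set(view.items()) if isinstance(view, dict) else set(view)


def diff_views(high, low):
    """Return (hidden, phantom).

    hidden:  items only the low-level view can see (the rootkit signal).
    phantom: items only the high-level view reports; usually the two
             enumerations raced, occasionally the API is faking an entry.
    """
    h, l = _as_items(high), _as_items(low)
    return sorted(l - h), sorted(h - l)


def confirm_hidden(snapshots, kind, min_hits=None):
    """Items hidden in at least min_hits snapshots (default: every snapshot).

    Repeating the diff suppresses objects that merely came or went between
    the two enumerations inside a single snapshot.
    """
    if min_hits is None:
        min_hits = len(snapshots)
    hits = Counter()
    for snap in snapshots:
        hidden, _ = diff_views(snap[kind]["high"], snap[kind]["low"])
        hits.update(hidden)
    return sorted(item for item, n in hits.items() if n >= min_hits)


def report(snapshots):
    """Per-kind list of confirmed hidden objects across all snapshots."""
    return {kind: confirm_hidden(snapshots, kind) for kind in snapshots[0]}


if __name__ == "__main__":
    for kind, items in report(SNAPSHOTS).items():
        for item in items:
            print(f"hidden {kind}: {item}")
```

Run as-is it reports srvx.exe (PID 1788), TCP 31337 and the srvx service key, and drops the transient cmd.exe because it was only missing from the high view once. Lowering min_hits trades that false-positive filter for sensitivity to a rootkit that hides an object intermittently.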
Great program! I use IceSword often and consider it very valuable in my security research. Give it a try and let me know what you think.
Jimmy Ray Purser
Trivia File Transfer Protocol
Some folks think that John Dillinger played professional baseball. Actually, he played local ball for Mooresville, Indiana, BUT he was in the United States Navy for 5 months and stationed on the USS Nevada, which was in Pearl Harbor on 07 December 1941. He went absent without leave and was dishonorably discharged well before Pearl Harbor. It is rumored he hid some of his loot on the grounds of the Little Bohemia Lodge in Manitowish Waters, Wisconsin...hmmm...that is about 5 hours from here...ROAD TRIP!!!!
Jimmy Ray Purser is the technical co-host for Cisco's TechWise and BizWise TV. Jimmy Ray also conducts advanced training for engineers across North America and Europe and regularly speaks at industry conferences such as VON, CeBIT, N+I, and Networkers. As a field engineer, Jimmy Ray experiences networking first hand behind the console or in the rack. He is an active member in the IEEE and the Ethernet Alliance and has designed, installed and tested numerous networks for Fortune 500 companies, the United States military and other institutions worldwide. He holds 3 U.S. patents for Ethernet security algorithms with two others pending and one defensive publication, as well as numerous other vendor certifications in networking and security.
Purser holds a Bachelor of Science degree in electrical engineering from Southern Illinois University and is currently pursuing a Master of Science degree in electrical engineering.