[QueueNews] A Conversation with Jamie Butler

QueueNews queuenews at acmqueue.com
Mon Mar 5 16:00:01 UTC 2007


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
. . . . . . . . . . . . . . . . . . . . . . . .
   Queue E-Mail Newsletter
   for the Week of Mar/5/2007
. . . . . . . . . . . . . . . . . . . . . . . .
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Latest Articles:


A Conversation with Jamie Butler
Coauthor of Rootkits: Subverting the Windows Kernel explains why
it's OK to make rootkit code publicly available.
http://acmqueue.com/rd.php?c.462
   (scroll down to read an excerpt from this article)


A License to Kode
While it's sometimes tempting to blame the coders, the seeds of many
problems are sown well before any lines of code have been written.
http://acmqueue.com/rd.php?c.460



Latest Blog Posts:

Terry Coatta

A New Approach to DB Programming
http://www.acmqueue.com/modules.php?name=News&file=article&sid=377
Object Relational Mappers (ORM) have been around for a while, but I
think they are poised to come into much wider use. While the basic idea
of ORMs is simple - make objects able to automatically persist
themselves to a database - the ramifications on how you program are
fundamental. 

Setting an Example (to program by)
http://www.acmqueue.com/modules.php?name=News&file=article&sid=376
As a parent, I have a strong visceral appreciation for the adage
"actions speak louder than words." It is readily apparent that the
examples I set are far more important than the "words of wisdom" I
occasionally dispense. In this regard, I think a case can be made that
Microsoft is guilty of some very poor parenting.

Charlene O'Hanlon

Happy Birthday, E-Mail
http://www.acmqueue.com/modules.php?name=News&file=article&sid=372
Next week marks a milestone in communication. E-mail, that
technological blessing (or curse, depending on how you look at it), is
turning 25.

The Control Issue
http://www.acmqueue.com/modules.php?name=News&file=article&sid=371
Keeping development costs in control is a recurring problem for many
companies. Software firms that sell their wares for hundreds or
thousands of dollars per user regularly claim that the high price is
needed to cover the cost of development. 



New article on ACM Queue:
A Conversation with Jamie Butler
http://acmqueue.com/rd.php?c.462
Rootkitting out all evil

From the Open Source Security issue, vol. 5, no. 1 - February 2007

article excerpt:
Rootkit technology hit center stage in 2005 when analysts discovered
that Sony BMG surreptitiously installed a rootkit as part of its DRM
(digital rights management) solution. Although that debacle increased
general awareness of rootkits, the technology remains the scourge of
the software industry through its ability to hide processes and files
from detection by system analysis and anti-malware tools.

The best way to understand rootkits - how they work and how best to
detect them - is to write one yourself. This month's interview subject,
Jamie Butler, has done just that. Butler wrote the well-known FU
rootkit, a proof-of-concept that illustrates vulnerabilities in the
Windows and Linux operating system kernels. Butler also wrote a book on
rootkits, a tome he coauthored with Greg Hoglund entitled Rootkits:
Subverting the Windows Kernel (Addison-Wesley, 2005). Prior to that,
the team collaborated on the rootkit.com Web site, a repository of
rootkit information, code, and discussion. The Web site is
controversial, with some security professionals bemoaning the fact that
it provides executable rootkit code that could be exploited by
miscreants.

Currently at Mandiant, Butler is the principal software engineer on
the product development team. Prior to Mandiant, he was director of
engineering at HB Gary and CTO of Komuko Inc., where he developed a
low-level rootkit detection product. 

Interviewing Butler is Matt Williamson, principal scientist at Sana
Security. No stranger to rootkits himself, Williamson has spent his
career inventing and integrating anti-malware technologies. At Sana,
Williamson developed behavior-based malware detection and removal
technology that identifies malware by looking at what the code does
rather than what the code is. Prior to joining Sana, he worked at
Hewlett-Packard Labs on a virus containment technology called Virus
Throttling. Williamson has a Ph.D. in computer science from MIT.

MATT WILLIAMSON I think rootkit.com is a good place to start. A rootkit
is software used to hide other software from the user and security
tools, to evade detection. Rootkit technology is a common component of
malicious software. Rootkit.com is a Web site where various aspects of
rootkits are discussed. Do you know the early history of that site?
Were you involved in setting it up?

JAMIE BUTLER Rootkit.com came along a few years before I got started,
but I'm a close friend of Greg Hoglund, who established the site. I
believe that his goal in starting rootkit.com, and much the same reason
I got into this area of research, was to debunk the false sense of
security in the security software market. Hoglund wanted to prove that
the company he was working for at the time needed a more thorough
solution than it was using.

MW Where in particular did the false sense of security come from?

JB Well, there was one technology used to identify malware and such,
and Hoglund believed it was possible to hide from the detection
algorithms or software that his company was using. It was more
proof-of-concept.

MW So from the beginning, rootkit.com was more of a disclosure type of
organization.

JB It's also an open community to discuss better ways to detect these
things. The site also has some threads about malicious software.

MW Was the idea, then, to show publicly that these security tools
weren't working well by giving examples of where they didn't work?

JB Yes, that was why it was founded. When I got involved, my role was
to show that the technology at the time wasn't good enough for the
level of threat that was really out there. Just because you buy
something for $29.95 and install it across your enterprise doesn't mean
it necessarily does everything the glossy tells you it does. There are
circumstances where you aren't protected and perhaps you never will be,
but the goal of rootkit.com was to try to bring those out into the
public discussion so that they could be researched more in depth and
solutions could be adopted by the vendors. It's free to both security
vendors and malicious people.

MW I guess that's always going to be the case when you make things
public: they can be used for good or for evil. But do you think that
rootkit.com was successful in raising the attention of the security
vendors?

JB I don't think it single-handedly changed the security environment
that we live in, but I do think that along with vulnerability
disclosure lists and other types of open information sharing, it has
prompted the security environment to change quite radically over the
past two or so years. And it's still evolving.

MW What about the converse? What sort of impact do you think it has had
on the malware writers, the people who are using these techniques a lot
more commonly? We perhaps need to highlight that in the past two to
three years, the purpose of writing malicious software and distributing
it on the Internet has really changed radically from amateurs writing
it for fun, if you like, to professionals writing it to make money. The
way they make money is by stealing and selling information from
machines. Sana Security has a behavior-based detection product, and of
the malware that we detect in the wild, a significant proportion has
some sort of rootkit technology in it hiding files, processes, DLLs,
and so on. In my experience, there has been a terrific take-up in
rootkit technology out in the wild in the past two years. Maybe it's
hard to chart these things, but do you have any inkling about how much
of that is a result of the influence of tools such as rootkit.com?

JB I don't have raw statistics, but I do know from vendors that
rootkits that are kind of self-packaged or don't require a lot of
recompilation and so forth were adopted quite widely and used in
everything from botnets to worms. Most of those rootkits, however, were
software on rootkit.com, one of which was the FU rootkit, which I
wrote. They weren't something that extremely malicious people would use
if they really wanted to hide their presence. There were ways to detect
them that were brought to light maybe a year or two after the fact. Not
only that, there was no remote command and control system. There were
no encryption modules for any communications. There were no
self-destruct mechanisms within the rootkit so it would go away. There
was no polymorphism. There was no data deletion or even data
acquisition within the rootkit, so I believe that most of the better
technologies that are discussed on rootkit.com, such as Shadow Walker,
the FU rootkit, the FU-2 rootkit, and even the original NT rootkit,
were more academic in that they showed the level of threat and were
"demo-able." They weren't everything that a hacker would want to use,
however.

Read the rest of this article at acmqueue.com
http://acmqueue.com/rd.php?c.462




© 2007 ACM, Inc. All rights reserved.
