Tuesday, January 23, 2007

ethical conflict in the anti-'rootkit' domain - part 2

while jamie butler, the creator/distributor of one of the most widely deployed stealthkits in the world (as i pointed out previously), is no longer the CTO of the government/military funded anti-stealthkit startup komoku (oh, to have been a fly on that wall), there's a new conflict to grab the spotlight...

found on the anti-rootkit blog a couple days ago, apparently the creator of a program called rootkit unhooker has created a stealthkit called unreal that no one (not even his own product) can detect and he's planning to release it...

tell me something - what kind of a world do we live in where people who are supposed to be anti-X go around making X's? if anti-virus vendors created and released viruses all hell would break loose... could you imagine buying anti-spam technology that you read about in a spam email? would you use an anti-spyware app created by people who make spyware?

so this person, known as EP_XOFF (wow, that instills confidence), expects people to trust his stealthkit detector after he's built and released a stealthkit that not even his own product detects? aside from the fact that he's just demonstrated that neither his nor any other detector is able to protect you (so far only outside-the-box cross-view analysis is going to pick it up and none of the mainstream stealthkit detectors use that technique), you now have to wonder if his detector actually comes with a similarly undetectable stealthkit that you don't know about... how could you know one way or another? and why would you trust someone who's making the technology to bypass all stealthkit detectors available for people to download and modify for their own ends?

i mean, i understand trying to find ways to break the security of something, but when it's the security in applications like the one you yourself make shouldn't you first come up with ways to prevent that break before giving the attack information to the public? who is he serving by releasing the info before even his own product is able to deal with it because it sure doesn't seem like he's serving the end user? though he may not be earning money off of making the problem worse as others have, there are still plenty of personal rewards he will almost certainly reap such as notoriety, influence, and social standing in the stealthkit research community...

what this all boils down to is this: EP_XOFF is gaining rewards at everyone else's expense... this is not the way you want your security software provider to behave...

27 comments:

Cd-MaN said...

Hello. You can read my take on it over at my blog. The main points are:

EP_X0FF is a teenager whose main goal is to brag, so you should avoid having anything to do with him.

And generic rootkit prevention is impossible, unless people start running as limited users (which in my experience is perfectly doable under Windows and I'm amazed that Microsoft isn't doing more to push this approach to users). The fact that security vendors are not doing it isn't that surprising :-(.

kurt wismer said...

hmmm... a teenager looking to brag, huh - that explains the gut feeling i was getting... i thought something about this seemed familiar, almost like the vx...

thanks for the background info...

Anonymous said...

lol EP_X0FF a teenager !! he was already coding when your mama was changing your pampers
talent always causes jealousy to mormons

kurt wismer said...

@ben:
well, i can't speak for cdman83 but i am definitely not a mormon (or any other religious group that believes in 1 or more gods)...

is EP_XOFF a teenager? who can say for sure, but i'm fairly certain he's got at least one teenage sycophant...

Anonymous said...

Hi,

Whether EP_X0FF is a teenager or not, is Actually completely irrelevant !

Does he post a lot on various forums ? sure he does, as do a lot of other people, including us. He also gives out Plenty of helpful info to assist people in Malware cleaning, especially Rootkits.

Not only that he and several of his friends have written the Worlds best ARK, and given it to everybody for Free. They also frequently update it, as recently as last week.

Furthermore the Unreal Test RK is a Totally SAFE way of establishing how good, or not, your security Apps are when trying to find stealthy hidden code. Without such a test, how on earth would Anybody Really know if their defences were as effective as they might have thought.

Yes he blows his own trumpet about his Apps and skills, but so what ! He is in a Very enviable position to do so, and Not many people in the world can claim that. And at least he and his friends are Actually taking positive steps to do something about the present very serious escalating Malware situation.

Sometimes i feel that a bit more toning down of how things are phrased etc would be advisable and beneficial, but i can understand his frustration at others who just want to attack him, Without any real just cause.

Maybe others should spend more time trying to come up with Real solutions, instead of crowing and dissing etc. What's the point in being negative to some of the most positive things happening in AntiRootkit technology available right now ?

Spanner

SpannerITWks

kurt wismer said...

@spanneritwks:
"Whether EP_X0FF is a teenager or not, is Actually completely irrelevant !"

you're right, i agree... his ethical transgressions are unaffected by his age...

"Does he post a lot on various forums ? sure he does, as do a lot of other people, including us. He also gives out Plenty of helpful info to assist people in Malware cleaning, especially Rootkits."

yeah, and i've helped plenty of people clean up virus problems... somehow i managed to do it without creating and distributing viruses, however...

"Furthermore the Unreal Test RK is a Totally SAFE way of establishing how good, or not, your security Apps are when trying to find stealthy hidden code."

no it isn't... it's designed specifically to bypass everything (in some cases targeting the security app and shutting it down to affect that bypass)... it can't show you how good or bad something is when the only outcome (by design) is negative...

"Without such a test, how on earth would Anybody Really know if their defences were as effective as they might have thought."

by looking at reviews from trusted 3rd party experts... ordinary people have never been good at devising their own ad-hoc anti-malware tests or interpreting the results - that requires a level of expertise that ordinary folks don't have and shouldn't need...

"And at least he and his friends are Actually taking positive steps to do something about the present very serious escalating Malware situation."

unfortunately he's taking negative steps as well...

"Sometimes i feel that a bit more toning down of how things are phrased etc would be advisable and beneficial, but i can understand his frustration at others who just want to attack him, Without any real just cause."

without just cause? look, this is not rocket science - if you claim to be anti-X, you shouldn't be making and distributing X's... that just makes you a hypocrite...

"Maybe others should spend more time trying to come up with Real solutions, instead of crowing and dissing etc."

maybe you should read my post on the deceptiveness of the word solution before you use it again...

"What's the point in being negative to some of the most positive things happening in AntiRootkit technology available right now ?"

unreal doesn't advance the state of the art of anti-'rootkit' technology, it advances the state of the art of 'rootkit' technology... he's empowering the bad guys, that's plenty reason to be negative about it...

Anonymous said...

Greatis posted a warning about Rootkit Unhooker @ http://www.greatis.com/security/Warning_Rootkit_Unhooker.htm

Vlad said...

I do not agree with your opinion. The "rootkit" and "rootkit unhooker" posted by EP_X0FF are a proof of concept: It is NOT possible to fully protect your PC under Windows. It's a design flaw in Windows. Even if you work under a restricted account. I think we must know it, and ask Microsoft to redesign the future OS and protect us, and not blame EP_X0FF, he shows us the truth. By the way the rootkit unhooker is a good one.

kurt wismer said...

@vlad:

the 'rootkit unhooker' is/was actually an anti-'rootkit' product made by ep_xoff, and i had no problem with it before he showed his true colours...

the 'rootkit', on the other hand, was malware - and as an anti-malware type of person i had a problem with that... as an anti-'rootkit' type of person ep_xoff should have had a problem with it too - the fact that he didn't suggests that he wasn't really anti-'rootkit' and therefore not to be trusted to create an anti-'rootkit' product...

i agree that it's not possible to fully protect a pc... i agree that his "unreal" 'rootkit' was a proof of concept - that doesn't change the fact that he armed the bad guys by releasing it to the public...

nor does it change the simple truth that when you're anti-X you don't go around making and distributing X's... this isn't rocket science and i don't see why people have such a hard time with the concept of being anti-something...

in the end, he made a name for himself through less than ethical means and got hired by microsoft... he has benefited socially (increased status) and financially (well paying job) by contributing to the problem he was supposed to be helping to solve... this is the very definition of an ethical conflict of interest, and he has clearly demonstrated that he is a hypocrite...

(and that doesn't even get into his illegal activity regarding soliciting people to compromise a critic's website...)

Vlad said...

Guys like ep_xoff are neither 'anti X' nor 'X', they are scientists, they explore internals, learn, find bugs, fix them, make new bugs to explore the consequences and so on. It gives them pleasure. Why should he be 'anti' ? It is not the area of their interests. Compromising systems is not the area of their interests either. They have enough knowledge to compromise a bank or other financial institute, steal millions and disappear somewhere in Mexico or Chile !

Releasing a rootkit to the public does not mean giving it to the bad guys. It's possible that a bad guy takes it and tries to use it. But 1 week later there will be an 'anti rootkit' available. Microsoft and security companies are too lazy to fix bugs! They do nothing unless an exploit is in the public domain. Publishing is good, it's very good. Much better than writing a destructive virus or using it to compromise systems.

He made a name for himself through knowledge. You will be disappointed, but 80% of the staff of the security and antivirus companies wrote viruses and rootkits before. It's very simple : you can't write an antivirus or an antirootkit if you don't know how to write a virus !

Vlad said...

Some more information about security: in 1988 Robert Tappan Morris ( http://en.wikipedia.org/wiki/Morris_worm ) wrote the first virus that discovered a significant flaw in the processors: You can't make a memory page EXECUTABLE and READ ONLY. If it contains executable code, then it can be modified! Just 19 years later AMD invented the NX bit that allows a memory page to be EXECUTABLE and READ ONLY. ( http://en.wikipedia.org/wiki/NX_bit )
It will work only with 64 bit systems. But it will take 20 years more before Microsoft fully implements support for the NX bit.

Who is the bad guy ? ep_xoff ?

kurt wismer said...

@vlad:
"Guys like ep_xoff are neither 'anti X' nor 'X', they are scientists, they explore internals, learn, find bugs, fix them, make new bugs to explore the consequences and so on. It gives them pleasure. Why should he be 'anti' ?"

i too am a scientist, but i am also a member of society and recognize that i have an obligation to my fellow man not to contribute to their problems if at all possible...

obviously you don't recognize such obligations - thank you for making your amorality so obvious... scientific knowledge may not be inherently bad on it's own but the way we acquire it and what we do with it definitely can be... since you don't seem to feel the need to make distinctions between right and wrong i doubt there will be much more for us to really discuss after today...

"Releasing a rootkit to the public does not mean giving it to the bad guys."

axiomatically false - the bad guys are part of the public...

"You will be disappointed, but 80% of the staff of the security and antivirus companies wrote viruses and rootkits before."

you will be disappointed but i already debunked that myth...

"Some more information about security: in 1988 Robert Tappan Morris (http://en.wikipedia.org/wiki/Morris_worm)"

if you're going to cite such information in a discussion of right and wrong, you might want to read the info more closely and notice that robert morris was tried and convicted for his actions...

ep_xoff is lucky the law hasn't caught up with him yet...

Vlad said...

I see, it's a hopeless case. I pointed out to you that EP_X0FF did nothing wrong by publishing the rootkit (like a seller that sells guns, like a supermarket that sells knives, like an engineer that designed guns, bombs). You answered me that I am amoral. Nice :)

I pointed out to you that the industry did nothing during 20 years to increase security, they are hunting for money, not for security. You answered me that Morris was convicted for his actions, and you hope ep_xoff will be convicted also. Ask Morris what he thinks :)

I pointed out to you that if a man does not have experience in making viruses he will not be able to make antiviruses. You answered that you already debunked that myth...
Try to learn to drive a car without a car.

You are ridiculous !

You are afraid of viruses. When a man does not understand something - he is afraid. He thinks that we need to eliminate it, then the problem will be solved. No way !!!

Bye.

kurt wismer said...

@vlad:

this does indeed seem hopeless...

"I pointed out to you that EP_X0FF did nothing wrong by publishing the rootkit (like a seller that sells guns"

what a great analogy... do they sell guns to every tom, dick, and harry in your country without even checking to see if the person can be trusted with a gun? 'cause they sure as hell don't in mine...

"You answered me that I am amoral."

you made it perfectly clear that you felt there was no need to make a distinction between pro-threat and anti-threat - that is by definition amoral...

"I pointed out to you that the industry did nothing during 20 years to increase security"

blatantly false... you did not show that they did/do nothing, you only showed a single example where they took a long time...

"I pointed out to you that if a man does not have experience in making viruses he will not be able to make antiviruses. You answered that you already debunked that myth...
Try to learn to drive a car without a car."

try to learn how to use logic - just as you only need to have a car in order to learn how it works, you only need to have a virus in order to learn how it works... you don't have to make either one of them...

"You are ridiculous"

and you are absurd...

Vlad said...

1. What about knives ?

2. An idiot can't use a published rootkit. All published rootkits/exploits don't work without small corrections. Only an experienced person can make those corrections. Indeed if he can make corrections then he can write his own.

3. I made it perfectly clear that ep_xoff has enough knowledge to compromise a bank and steal millions. He will never do it. Use your logic.

4. "Have a virus" is not enough. There are a million variations of viruses. You need to study how to make viruseS. Find common techniques. Find a weak part. Attack the virus. Viruses are not so stupid. They defend themselves. Now let me know where I can study the techniques of making viruses ? (to be able to defend my computer) Nowhere !!! Fortunately people like ep_xoff publish this information. FIRSTLY YOU STUDY HOW TO MAKE A VIRUS (TECHNIQUES), next step is HUGE analysis. Then you write an antirootkit. In reality it's much more complicated and takes more than 5 years. Clear ?

5. There are more examples that the industry does nothing. For example Windows Vista. The protection level in Windows Vista is the same as in Windows XP and as in Windows NT. There was only ONE step from DOS to Windows NT that increased security. This step was a side effect of Microsoft trying to stop applications crashing.

Vlad said...

Now guess where the staff of the AV companies learned the techniques of making viruses ? (you need 3-10 years to study) There is no university or school. They were MAKING viruses. Though that doesn't mean they were USING and SPREADING them. But they published them, Asking : "hey, I made a new virus, what do you think about the new techniques ?" And got answered... "hmmmmm interesting idea, you have found a new Microsoft bug, I wrote a program that defeats your virus (or corrects the bug)"

It's a sort of competition for them. Later they find out that their hobby and knowledge are so powerful that they may do many good and many bad things. At this moment one decides to belong to the evil side, the other decides to belong to the opposite side - an AV or security company.

They don't tell anyone they were making viruses because people associate "making a virus" with evil. Like you do. "making a virus" is not evil - it's acquiring knowledge. Publishing a virus is not evil - it's sharing knowledge. But using and spreading a virus that compromises systems or does something bad is evil. Be aware! published viruses are not working versions, they always need some corrections. It's made intentionally to protect from idiots. Although there are "special" unprotected versions for idiots trying to spy on or take revenge on his girlfriend. This kind of malware is a separate subject to discuss. Don't mix all types of viruses or rootkits.

kurt wismer said...

@vlad:
"1. What about knives ?"

great idea, let's sell sharp knives to small children... maybe you should have asked about pea soup instead...

look, clearly there are some things that you can hand out to anyone like candy, but also just as clearly there are some things you can't... some things require reasonable care to make sure they don't fall into the wrong hands and malware happens to be one of those things...

"2. An idiot can't use a published rootkit. All published rootkits/exploits don't work without small corrections."

this is blatantly false and i have to wonder what world you're living on because here on earth 'rootkits' and exploits are published with executable samples... take the FU 'rootkit' - according to greg hoglund (operator of rootkitDOTcom) it became one of the most widely deployed 'rootkits' around and people weren't recompiling the source, they were using the precompiled binary available for download from his site...

"3. I made it perfectly clear that ep_xoff has enough knowledge to compromise a bank and steal millions. He will never do it. Use your logic."

you also said: "Guys like ep_xoff are neither 'anti X' nor 'X', they are scientists, they explore internals, learn, find bugs, fix them, make new bugs to explore the consequences and so on. It gives them pleasure. Why should he be 'anti' ?"

this implies that you see no problem in disregarding basic concepts of good and bad... whether or not ep_xoff is amoral i can't say, but you are demonstrably so...

"4. "Have a virus" is not enough. There are a million variations of viruses."

technically there are a countably infinite number of possible variations... as such there's no reason to believe that the virus you write will be similar enough to ones in the wild to be of any help in learning how to defend against the ones in the wild...

"You need to study how to make viruseS. Find common techniques. Find a weak part. Attack the virus. Viruses are not so stupid. They defend themselves."

you keep saying you need to make viruses but you never provide support - finding common techniques, weaknesses, etc. are all things you can do by studying existing viruses...

"Now let me know where I can study the techniques of making viruses ? (to be able to defend my computer) Nowhere !!! "

if you're going to engage in this debate then you're going to have to at least know what you're talking about... john aycock started a course at university of calgary that involved actual virus writing as part of its curriculum... it's not the only one, either, but it was the first to get mainstream attention and it evoked quite a backlash from the av industry and community (an open letter from frisk to the university to not go through with it, a petition against the very concept of teaching virus writing, public statements from many av vendors stating that graduates of that course would never be hired by their companies, etc)...

"FIRSTLY YOU STUDY HOW TO MAKE A VIRUS (TECHNIQUES), next step is HUGE analysis. Then you write an antirootkit. In reality it's much more complicated and takes more than 5 years. Clear ?"

what's clear is that you haven't got a clue... you don't need to make viruses in order to analyze them... richard ford taught (and perhaps still teaches) a class at the florida institute of technology that deals with analysis of existing malware rather than the creation of new malware for analysis...

"5. There are more examples that the industry does nothing."

no, there are examples of the industry doing nothing (subtle but important semantic difference), and there are also examples of the industry doing something... therefore overall the industry does more than nothing...

"Now guess where the staff of the AV companies learned the techniques of making viruses ? (you need 3-10 years to study) There is no university or school. They were MAKING viruses. Though that doesn't mean they were USING and SPREADING them."

the staff at av companies learned about viruses by studying existing viruses, not by making them... jimmy kuo (currently working for microsoft's anti-malware team but previously long time head of R&D at mcafee, and before that he was at symantec) once said he avoided hiring anyone who knew much of anything about viruses specifically to avoid hiring someone who might have secretly been a virus writer... he preferred they learned about viruses on the job by analyzing the samples that got submitted... (see this usenet post)

hiring a virus writer would be a public relations nightmare for an anti-virus company because they wouldn't be able to keep it a secret and their competitors would crucify them in the court of public opinion...

"Be aware! published viruses are not working versions, they always need some corrections."

the insertion of so-called bork code into virus source code to protect the idiots was almost never done... in the 18 years i've been following this field, i've only ever encountered 1 person who did it... furthermore, it did nothing to protect against malicious non-idiots...

now, please recognize that you cannot use your intuition or some vague notion of how things ought to be as a replacement for specific knowledge of how things really are... your assertions are demonstrably out of touch with reality...

Vlad said...

Uhhhhhh, nice :)

Suppose, you are right.

Your solution ? Shutdown internet ? It's the source of malware !

kurt wismer said...

@vlad:

the internet is not the source of malware, it is merely the vector... people are the source of malware...

my solution? i don't believe there really is a true solution... there are techniques and technologies that are useful in dealing with the threats (both technological and biological) and mitigating the risks they pose, but nothing will make the problem magically go away...

Vlad said...

I knew it. No solution, nothing constructive. Hope that others will protect you. You are rabble, that will run away by the first sight of danger and scream "mama".

End of discussion.

kurt wismer said...

@vlad:

if you think i'm hoping others will protect me then you clearly haven't read very much of my blog...

and if you think a solution to the malware problem is any more feasible than a solution to the crime problem then you're deluding yourself...

Vlad said...

Every system that has a SECURELY controlled way of altering AND adding EXECUTABLE code is safe from malware and viruses.
There are examples: GSM phones with WAP (not smart ones, safely connected to the internet, altering and adding of code is fully prohibited), industrial programmable logic controllers (more like computers, they simply don't allow adding of executable code and altering is protected by a hardware switch), meaning no viruses in the industrial equipment (those systems are also connected to the internet). Some hardware routers are also safe from viruses because they have a controlled way of altering executable code. Banks' smart cards are a computer-like system, writing of code is allowed one time, then altering and adding of code is not possible at all, they are also protected against hardware hacks. It's clear that there are solutions against viruses and malware. Microsoft does nothing. They just try to cure infected systems (like antiviruses), meaning they try to remove the consequences of the malware problem and do nothing to solve the problem of the real source of the contaminations. Firewalls try to reduce the problem by reducing the domain of communications. No feasible solution to the crime problem in general, but there are solutions to the malware/viruses problem.

kurt wismer said...

@vlad:
"Every system that has a SECURELY controlled way of altering AND adding EXECUTABLE code is safe from malware and viruses."

define "securely controlled"... even systems that require new or updated code to be digitally signed have encountered problems by virtue of the fact that the people doing the signatures can't reliably tell good code from bad...

as for your examples of non-smart phones, industrial programmable logic controllers, routers, and smart cards - do you have any examples that include something more than a glorified calculator? i fully agree that malware isn't a big problem for special purpose computers (or ones limited to fixed first-order functionality) but for general purpose computers it's a whole different ball game...

Mike av said...

kurt I work in the antimalware industry and you really have no clue. Unreal was a PoC.

kurt wismer said...

@mike av:
it would be more correct to say that you work in the anti-malware industry and you have no clue.

wm/concept was also a PoC and look how much real world trouble it caused. proofs of concept can be every bit as dangerous and troublesome as any other piece of malware. being a PoC doesn't make something magically safe, it only makes it the first of its kind.

someone who works in the anti-malware industry ought to know this.

Mike av said...

Kurt my apologies for English not being my first language, boy you are foolish.
You obviously have a thing against EP_X0FF and there is really no need, as this was all blown out of proportion by people like you.

Thanks EP for your PoCs, wonderful antirootkit and community input.

kurt wismer said...

@mike av:
yeah, right, EP_XOFF is such a great guy, writing and releasing malware, inciting online attacks against his critics, etc. a true gentleman for sure.

ok, that's enough sarcasm for one day.

i had nothing against him until he wrote and released malware. if you, as a supposed member of the anti-malware industry, wish to morally support a malware creator (or even the very act of malware creation itself) then how about putting your money where your mouth is and revealing who you really are and who your employer is. after all, if there's nothing wrong with what EP_XOFF did then there should be nothing wrong with supporting him and you should have no reason to hide that particular information.