Exclusive Interview: Going Three Levels Beyond Kernel Rootkits

[marraco]

{If you never ran the infected file, your system would never be infected. To get around this, you had the boot sector virus. ...

Joanna: That is a bit incorrect. Back in the DOS OS there was no notion of any memory protection, so it was not needed for the virus to be loaded before the OS in order to control all of the OS--it could control to OS even if loaded later}

How is possible that such supposed "expert"Joanna cannot understand it?

oh, is a mac user. I understand now.

 

[Shadow703793]

I wonder if she's reading this....

 

[marraco]

{Alan: So continuing on, while Windows ME and other DOS-based operating systems relied on the capabilities of the BIOS to handle disk access, Windows NT did not.

Joanna: DOS should not be confused with Windows 95/98/ME. Those latter systems did use protected mode, and had a notion of kernel memory protection. }

here again Security IGNORANT Joanna is confusing the things:

"Protected mode" was completely unrelated with security. It was a trick to maintain compatibility with older/non multitasking programming paradigms, so you can program code without need to consider the entire memory space. That way your bugs -NO security bugs- would not crash other codes. His objective was to reduce BSOD, nothing to do with virus protection...

 

[marraco]

{Alan: I’ll actually keep it in. That’s the whole point of doing these interviews. Ninety-nine percent of the content we do is all in-house, but these interviews let us augment our knowledge with expertise we don’t have.}

Here is the place in which the dude who faked this Interview tries to "explain" why it does not look like an real interview with an expert.

 

[marraco]

{...on Linux? How about setting up your new 3G network card on a Linux laptop?

All the people who are aesthetically-impaired should probably go for Windows and PC hardware. Others will not want to hear about anything else than a sexy Mac--at the end of the day, it really comes down to aesthetics and nicer GUI experience in my opinion.

No matter whether you chose PC or Mac, I think the only viable solution today is to use some virtualization ...}

Is clearly a paragraph added by Apple propaganda. It does not have a natural place in the text.

Apple dudes inserted propaganda in the first page, and in the end. Those are the only places who dumb Apple consumers read.

For the rest of us... this is trying "too hard". So obvious

Well I gonna have an aesthetically-impaired session of Far Cry 2 at max settings and 60 fps.

 

[P_haze420]

Will you marry me?

 

[atippey]

So I though the point of interviewing a security expert was examining her thoughts on security and NOT her thoughts one YOUR thoughts on security, which is what Alan seemed to spend most of his time doing. Of course since she’s a GIRL (OMG!) who uses a MAC (>:[) and likes OTHER GIRLS (zOMG!!!), it’s not like anyone’s really paying attention to that in the first place. Slow summer in hardware, right?

 

[222222]

See here how she claimed she made "100% undetectable rootkit", but when invited to a challenge against rootkit detector she demanded
be paid in advance 200$ per hour for four people for 6 months for improvements
http://blogs.zdnet.com/security/?p=340

without taking any responsibility to return the money if her rootkit is detected!

 

[aortega]

"Also, there was a bit unfortunate presentation at CanSecWest earlier this year by two researchers from Core, who presented on "Persistent BIOS Infection." I saw their slides..."

Miss Rutkowska, we made perfectly clear in the presentation, later slides, articles and interviews the fact that our attack was unsigned-bios only, together with many other details missing.
Slides are not a good source of information, particularly in our talks. I think that's is why is called a talk and not a slide show.
Also, while our presentation' rootkit is no-doubts technically inferior that yours, it's more generic and affects way more systems.

I'm starting to think, by the tone of your interview, that you don't like Us.

Alfredo Ortega, one of the researchers from core

 

[xmxtppafh]

Stick to backs Alan, you spent nine pages on a Polish transvestite. Check the hands and Adam's apple, I kid you not. There's video of this thing at security conferences. That deep throat mumbling isn't normal.

ASLR and canaries are, "Security by Obscurity" < Highlight of the painful interview.

 

[del35]

Response to:

"I can still see the weak point of the Mac hardware though: the lack of TPM, TXT, VT-d, and the OS X system. I try to get around some of the limitations of the OS with virtualization."

Your are paying a high premium for mediocre hardware in "nice" casing. And what about the fact that you are bound under the Mac contract to use Apple's operating system? No comments on that? Doesn't intelligence opt for power and freedom over meager perceived security due to lack of popularity?

Unimpressive interview overall.

 

[buckinbottoms]

whether or not there is some flaw in reasoning, which i dont think is possible since the design and defense of system security requires unusual methods of thought, this is the type of classic THG goodness that made this site popular to begin with.

props to alan for writing this article. craps to alan for turning this into a mac fest and ultimately getting slapped down to earth by a fellow mac user that knows better.

 

[cracklint]

even though she is a mac fan girl, I find those lips extremely sexy.

 

[dedhorse]

Note to Alan, let the interviewee do the talking. You just ask questions. If you wanted to write about the history of malware, you probably should have just put that stuff into its own article. In an interview with a security expert, I want to read their thoughts, not the interviewers. It honestly just looks like you're trying to impress the interviewee with your own knowledge. Your knowledge constantly getting shot down by her got really annoying after a while. Just let the expert do the talking.

And LOL at "Joanna: Our conversation is becoming an Apple ad I guess." Which is the polite way of saying, "We don't need to hear about how much you love your Mac. Just stay on topic, please."

 

[222222]

[citation][nom]aortega[/nom]Miss Rutkowska, we made perfectly clear in the presentation, later slides, articles and interviews the fact that our attack was unsigned-bios only, together with many other details missing. Slides are not a good source of information, particularly in our talks. I think that's is why is called a talk and not a slide show.Also, while our presentation' rootkit is no-doubts technically inferior that yours, it's more generic and affects way more systems.I'm starting to think, by the tone of your interview, that you don't like Us.Alfredo Ortega, one of the researchers from core[/citation]

Is not it already clear that she likes herself only, she wants to be the only star of any show.

 

[jhaws1001]

An A/V product, at least in the form as we have them today, is a waste of money and resources in my opinion.

Thank you for clearing my conscience! All these years I have felt like a rebel for refusing to install A/V software because of the performance issue. I don't deal with viruses ever!

 

[Guest]

@haplo602: I think you are understating the importance of having control of the machine. True, there are many technical challenges if you are to do anything useful, since you're sitting at such a low-level. But it is surely technically possible. As you say, in the extreme, you need to have a mini-os with drivers for everything... but then again, why is that so extreme? Why can't the root-kit carry a tiny Linux kernel with drivers for most common network devices, which is probably all that is required for it to send data back home.
In any case, skilled hackers will find many clever short-cuts to make the attack vector useful. Looking for passwords? Intercept keyboard traffic. Looking for other day? Use signature-based memory scanning methods.

And this is just one idea I came up with after thinking about it for 2 minutes. Surely, there are much smarter ways and probably also ways you can get the o/s API's to help you while still defying detection (make it look like the user application is requesting it or whatever). It is of course also possible to altogether disable the active a/v if you know the product and make a targeted attack against it.

 

[truehighroller]

[citation][nom]johnbilicki[/nom]...not to pick a fight truehighroller...but I don't think most women would find such a statement very "welcoming". Nerd girls rock a hundred times more then girls with only cliche interests, but comments such as yours aren't only unwelcome or alienating by most women they annoy those like myself who highly appreciate women with more refined qualities. Show some dignity and respect and stay on topic or please go else where.[/citation]


Which is eactly why you are a dork. Actually if you act like they are gods and treat them as such, then you will get none. Do your research on how to talk to women in order to get women, then lash out at me. Such an amature. Also just for your info in the future, nerdy chicks are freaks.

 

[bobcov1]

It's great to read that she runs VMs for security. That's the same thing I've been working on for the last few months...trying to build as small a VM as possible to just run Firefox and VMWare tools for cut and paste. Not been easy. 1.9 gb is the smallest so far. Virtual Box is out of the running because for some reason it spikes the cpu at a far higher level than VMWare. Just waiting now for VMWare Player 2.5.2 to be fixed. It has an awful "focus" bug, where if you click on an external (host) window, anywhere other than the title bar, the VMPlayer windows remains on top.

 

[johnbilicki]

[citation][nom]truehighroller[/nom]Which is eactly why you are a dork. Actually if you act like they are gods and treat them as such, then you will get none. Do your research on how to talk to women in order to get women, then lash out at me. Such an amature. Also just for your info in the future, nerdy chicks are freaks.[/citation]

Seriously 'truehighroller', even your alias shows you don't belong here. The only women you could possibly get are the ones on your computer screen. All you've proven is that you talk trash and can't say a single thing on topic. Take your self-inflated egotistical sexist single digit IQ trash to the curb because the only place any one would be willing to take you is out to the dump.

 

[Guest]

I propose this "Ring -3" attack: Flash the BMC firmware with malware.

Or "Ring -4": social engineer the coders who develop the firmware running on the BMC to include the malware in their stack.

 

[Guest]

Why is this article split across multiple pages? It would read just fine on one page.

If the answer is ad revenue, nobody looks at ads anyway. We all use ad blocking software.

 

[Guest]

Anyone who says 3G modem support isn't what it should be in linux obviously hasn't tried Ubuntu lately and is talking out of the top of their hat. I have tried ZTE MF622, Huawei E220, Novatel Wireless XU950D. Even if you were unlucky enough to get a modem that isn't detected out of the box you can use the generic usb serial driver.

Ill informed statements like that throw question marks over other stuff you've said.

 

[Guest]

i dunno.. but it seems to me the more complicated people try to make things, the easier it is for them to make mistakes.
would it not be fairly simple to run a scan for all Virtual Machine executables?

i mean, honestly i hardly know anything at all about Virtual Machines, that's why i sat here reading this. but within a few minutes of reading up on them, i now know there are 2 different types: system and process - and i have a list of a good number of both types in front of me.

List 1) Comparison of platform virtual machines from Bochs to z LPARs
List 2) Comparison of application virtual machines from CLR to libJIT

i'll admit i'm making an assumption here, but if you're able to identify the virtual machine(s), you're back to the original issue.

i also found it interesting that Virtual Machines have been around since 1967.

"The pioneer system using this concept was IBM's CP-40, the first (1967) version of IBM's CP/CMS (1967-1972) and the precursor to IBM's VM family (1972-present)."

thoughts?

 

[daedlanth]

A choppy article on a great subject. No problem it is all amusing to me. A beautiful lady too, but she used the word "partner" so I do not think any of you pervs have a snowballs chance in hell I will be lurking around this lass for years.