Wednesday, October 15, 2008

MetraRootkit

It's been a long time since we've seen a new rootkit that doesn't rely on virtualization in one way or another. A new rootkit called MetraRootkit appears to bypass most of the publicly available anti-rootkit tools. The author claims that it evades both SwapContext hooks and PspCidTable scanning. A video of this rootkit in action is available here.

Unfortunately, the binaries for this rootkit are not available, which makes it difficult to ascertain how it works. Speculating a bit, the only way a rootkit could generically evade checks based on SwapContext hooking would be to implement its own thread scheduler, so that its threads are never switched in by the kernel's scheduler and therefore never pass through SwapContext. (This would also explain how it can remove itself completely from the PspCidTable, since its threads would no longer need entries there.) While this idea is not exactly new (Alexander Tereshkin, aka 90210, implemented it to bypass klister on NT/2k systems), it is the first time we've seen it implemented for XP. Mind you, we could just as easily be completely wrong about how it is functioning.
