Wednesday, October 15, 2008

MetraRootkit

It's been a long time since we've seen a new rootkit that doesn't rely on virtualization in one way or another. There is a new rootkit called MetraRootkit that appears to bypass most of the publicly available anti-rootkit tools. The author claims that it bypasses SwapContext hooks and PspCidTable scanning. A video of this rootkit in action is available here.

Unfortunately, the binaries for this rootkit are not available, making it difficult to ascertain how the rootkit works. Speculating a bit, it seems that the only way that a rootkit could generically evade checks based on SwapContext hooking would be if it implemented its own thread scheduler. (This would explain how it can remove itself completely from the PspCidTable as well.) While this idea is not exactly new (Alexander Tereshkin, aka 90210, had implemented it to bypass klister on NT/2k systems), it is the first time we've seen it implemented for XP. Mind you, we could just as easily be completely wrong as to how it is functioning.

Friday, October 10, 2008

Attack on disk encryption tools

PMC Ciphers has reported an attack, called the backup attack, against all on-the-fly disk encryption tools. If a copy of an encrypted volume is made and new data is then added to the original volume, parts of that data can be revealed by diffing the two volumes.

Suppose one has a volume A, which is then copied to another location; this clone is called volume B. An image file is then added to volume A. The corresponding space in volume B contains known plaintext (all zeroes). Performing a bitwise subtraction of the two ciphertexts can reveal parts of the image to the attacker. This works on volumes encrypted in ECB, Counter, CBC, LRW and other modes.

There are a couple of issues that remain unclear:

1. In the case of sparse files, there is no data on which to perform a bitwise subtraction. On-the-fly encryption programs like TrueCrypt offer this mode.

2. Bitmap files leak data more readily than file types with complex headers. The attack does not appear to be practical against those formats, since corruption of even a few bytes would render the whole file inaccessible.

The paper is available here.

Thursday, October 02, 2008

TCP Denial of Service Attack

Jack C. Louis and Robert E. Lee of Outpost24 have discovered a new vulnerability in the TCP stack. They claim that it is a Denial of Service attack that can bring down any TCP stack, running on any operating system, in seconds. The details are sketchy, but the finding appears to have been confirmed by security vendors.

There has been some speculation that it is based on full-connection flooding that slowly consumes all the resources on the server until it crashes. Hopefully, full details will follow shortly so we can all understand exactly what the vulnerability is.