Rootkits


Rootkits

Postby mzellman » Wed Feb 23, 2011 7:26 pm UTC

I was reading this article today, and it brought up quite a few questions:
http://arstechnica.com/tech-policy/news ... nment.ars/

  • could you reliably take a snapshot of the contents of RAM and use the snapshot for analysis? I mean, I imagine you could shelve all new calls to memory while you write its contents to a file somewhere, right? (obviously, at the expense of having a completely unresponsive computer while this is going on, and interfering with several other processes during the operation, but if you're this concerned about finding and removing a rootkit, isn't that your priority? :P)
  • are the images of the system processes generally static or highly variable?
  • if you have a rootkit that deleted all its own files from the disk after it was loaded into memory (to avoid detection), wouldn't pulling the plug basically remove the rootkit in its entirety?
mzellman

Re: Rootkits

Postby Yakk » Thu Feb 24, 2011 3:07 pm UTC

How do you "take a snapshot of RAM"? Typically when you want a computer to do something, you ask the computer to do it (instead of "doing it to the computer").

But the rootkit is in charge of the computer -- so it lies to you and tells you what you want to hear.

Rootkits often hide themselves on disk by having the OS lie to you about what is on the disk. Some anti-rootkit detecting trickses involve accessing the disk at a "lower level" and detecting discrepancies. Anti-anti rootkit detecting trickses involve detecting that kind of behavior and not lying when that particular process (and friends) asks about what is there, so it doesn't detect the discrepancy (which is easier than lying to the low-level routines often).

The "foolproof" way to attack a rootkit is to take the hardware apart and mount it on a system that doesn't trust the hardware to do anything. So long as the individual components are "dumb", this works. (In theory, you could have a rootkit that lived in the hardware of a hard disk drive in such a way that anyone who asks wouldn't see it unless they accessed it just right).
One of the painful things about our time is that those who feel certainty are stupid, and those with any imagination and understanding are filled with doubt and indecision - BR

Last edited by JHVH on Fri Oct 23, 4004 BCE 6:17 pm, edited 6 times in total.
Yakk
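Added example, not code from the thread: what "take a snapshot of RAM and analyse it" from the first post and "detect discrepancies between views" from the reply above look like in practice. A rootkit that hides a process by unlinking it from the kernel's process list (DKOM) does not erase the process object itself, so walking the list gives the rootkit's view while carving the image for the object's signature gives the raw view; whatever is in the second but not the first is hidden. The image, the 32-byte object layout and the `Proc` tag are all constructed for this example; a real kernel's process objects, list head and pool tags differ, and the snapshot itself has to come from something the rootkit does not control (a hypervisor, a DMA capture, or the memory chips after a cold boot), since asking the suspect OS for a dump is exactly the "asking the computer" problem described above.

```python
"""Cross-view detection on a memory snapshot (constructed example).

The OS's view: follow the process list from its head.
The raw view:  carve the image for anything shaped like a process object.
Objects present in the raw view but absent from the list walk are hidden.
"""
import struct

# Constructed process-object layout (32 bytes; not any real kernel's):
#   4s  tag      b"Proc" (stand-in for a pool tag)
#   I   pid
#   I   flink    absolute image offset of the next object
#   I   blink    absolute image offset of the previous object
#   16s name     NUL-padded
PROC_FMT = "<4sIII16s"
PROC_SIZE = struct.calcsize(PROC_FMT)   # 32
PROC_TAG = b"Proc"
IMAGE_SIZE = 0x1000
HEAD_OFF = 0x100                        # the "System" process doubles as list head


def build_image(hide_pid=None):
    """Build a fake memory image with four circularly linked process objects.

    If hide_pid is given, that object is unlinked the way a DKOM rootkit
    does it: its neighbours skip it, but the object and its own pointers
    stay in memory untouched.
    """
    procs = [  # (offset, pid, name) -- constructed sample data
        (0x100, 4, b"System"),
        (0x200, 1234, b"explorer.exe"),
        (0x300, 666, b"evil.exe"),
        (0x400, 42, b"sshd"),
    ]
    image = bytearray(IMAGE_SIZE)
    n = len(procs)
    for i, (off, pid, name) in enumerate(procs):
        flink = procs[(i + 1) % n][0]
        blink = procs[(i - 1) % n][0]
        struct.pack_into(PROC_FMT, image, off, PROC_TAG, pid, flink, blink, name)
    if hide_pid is not None:
        i = next(k for k, p in enumerate(procs) if p[1] == hide_pid)
        prev_off = procs[(i - 1) % n][0]
        next_off = procs[(i + 1) % n][0]
        struct.pack_into("<I", image, prev_off + 8, next_off)   # prev.flink = next
        struct.pack_into("<I", image, next_off + 12, prev_off)  # next.blink = prev
    return image


def read_proc(image, off):
    """Parse one process object; return None if it fails sanity checks."""
    if off < 0 or off + PROC_SIZE > len(image):
        return None
    tag, pid, flink, blink, name = struct.unpack_from(PROC_FMT, image, off)
    if tag != PROC_TAG or pid == 0:
        return None
    if not (0 <= flink < len(image) and 0 <= blink < len(image)):
        return None
    return {"off": off, "pid": pid, "flink": flink, "blink": blink,
            "name": name.rstrip(b"\0").decode("ascii", "replace")}


def walk_list(image, head_off=HEAD_OFF):
    """The OS's view: follow flink from the head until the list wraps around."""
    seen = {}
    off = head_off
    while off not in seen:
        p = read_proc(image, off)
        if p is None:          # corrupt or out-of-range pointer: stop, don't spin
            break
        seen[off] = p
        off = p["flink"]
    return seen


def carve_procs(image):
    """The raw view: every object that looks like a process, links ignored."""
    found = {}
    start = 0
    while True:
        off = image.find(PROC_TAG, start)
        if off == -1:
            break
        p = read_proc(image, off)
        if p is not None:
            found[off] = p
        start = off + 1
    return found


def hidden_processes(image, head_off=HEAD_OFF):
    """Cross-view diff: carved objects the list walk never reached."""
    listed = walk_list(image, head_off)
    carved = carve_procs(image)
    return sorted((p["pid"], p["name"]) for off, p in carved.items() if off not in listed)


if __name__ == "__main__":
    img = build_image(hide_pid=666)
    print("listed:", sorted(p["pid"] for p in walk_list(img).values()))
    print("carved:", sorted(p["pid"] for p in carve_procs(img).values()))
    print("hidden:", hidden_processes(img))
```

The carving side is what makes this work without trusting the list: it is the same idea as a tool scanning a dump for pool tags instead of following kernel pointers. The sanity checks in `read_proc` matter because a signature scan over real memory produces false hits, and the loop guard in `walk_list` matters because a rootkit can also corrupt the list to make a naive walker spin forever.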

Re: Rootkits

Postby Xeio » Fri Feb 25, 2011 5:23 pm UTC

Yakk wrote:In theory, you could have a rootkit that lived in the hardware of a hard disk drive in such a way that anyone who asks wouldn't see it unless they accessed it just right.
This kind of stuff is the real scary (albeit almost unheard of) kind. Since effectively it's impossible to remove by an end user once it's taken over the firmware.

Are there any rootkits out there that actually try to do that though? I'd guess the spread of such things would be terribly inefficient (every new hard disk you encounter, or motherboard, or whatever, would need new firmware) for the work involved (particularly given firmware is more complicated, with a higher rate of bricking).
Xeio

Re: Rootkits

Postby Moose Hole » Fri Feb 25, 2011 5:44 pm UTC

One way to detect rootkits is to have multiple operating systems on different disks, and have them check each other out. I got a windows rootkit off by dual booting linux and virus scanning the windows partition. Of course, antivirus programs aren't perfect either.
Moose Hole
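Added example, not code from the thread: the "mount the disk on a system that doesn't trust the hardware" approach from Yakk's reply and the "boot another OS and scan the partition" approach in the post above both come down to reading the disk from somewhere the rootkit isn't running and comparing what is really there against what should be there. The script below walks a mounted (read-only) partition, hashes every regular file, and diffs the result against a known-good manifest. The manifest line format (`<sha256>  <relative/path>`, like `sha256sum` output), the sample tree and the "tampering" in `demo()` are constructed for the example; nothing here is any particular scanner's format.

```python
"""Offline integrity check of a filesystem whose running OS is not trusted.

Mount the suspect disk read-only from a clean system (a second OS on another
disk, a live CD, or another machine), then hash what is actually on it and
compare against a manifest recorded before the compromise. The files are read
directly, not described by the suspect OS, so its filter drivers never get a vote.
"""
import hashlib
import os
import tempfile


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def hash_tree(root):
    """Map relative path -> sha256 for every regular file under root.

    Symlinks are recorded as links, not followed: a link pointing at something
    benign is exactly the misdirection we are trying to see past.
    """
    result = {}
    for dirpath, dirnames, filenames in os.walk(root, followlinks=False):
        dirnames.sort()
        for name in sorted(filenames):
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            if os.path.islink(full):
                result[rel] = "symlink:" + os.readlink(full)
            elif os.path.isfile(full):
                result[rel] = sha256_file(full)
    return result


def parse_manifest(text):
    """Parse '<sha256>  <relative/path>' lines (constructed, sha256sum-like format)."""
    out = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        digest, _, path = line.partition("  ")
        out[path] = digest
    return out


def compare(manifest, actual):
    """Differences worth reporting: changed, deleted, and dropped-in files."""
    return {
        "modified": sorted(p for p in manifest if p in actual and actual[p] != manifest[p]),
        "missing": sorted(p for p in manifest if p not in actual),
        "added": sorted(p for p in actual if p not in manifest),
    }


def demo():
    """Build a constructed 'mounted partition', tamper with it, and check it."""
    with tempfile.TemporaryDirectory() as mnt:
        files = {  # constructed sample tree and contents
            "bin/ls": b"original ls\n",
            "etc/hosts": b"127.0.0.1 localhost\n",
            "lib/libc.so": b"libc\n",
        }
        for rel, data in files.items():
            path = os.path.join(mnt, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "wb") as f:
                f.write(data)
        # Known-good manifest, as it would have been recorded before compromise
        manifest_text = "\n".join(
            f"{hashlib.sha256(d).hexdigest()}  {rel}" for rel, d in files.items())
        # Simulated rootkit: trojaned ls, dropped kernel module, deleted hosts file
        with open(os.path.join(mnt, "bin/ls"), "wb") as f:
            f.write(b"trojaned ls\n")
        with open(os.path.join(mnt, "lib/rk.ko"), "wb") as f:
            f.write(b"module\n")
        os.remove(os.path.join(mnt, "etc/hosts"))
        return compare(parse_manifest(manifest_text), hash_tree(mnt))
```

Run `demo()` to see the three findings; on a real disk you would call `compare(parse_manifest(open("manifest.txt").read()), hash_tree("/mnt/suspect"))`. The manifest has to be stored somewhere the suspect machine could never write to, for the same reason the scan has to run from another OS: a rootkit that can rewrite the file can rewrite the list of expected hashes.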

Re: Rootkits

Postby Yakk » Fri Feb 25, 2011 6:33 pm UTC

Xeio wrote:
Yakk wrote:In theory, you could have a rootkit that lived in the hardware of a hard disk drive in such a way that anyone who asks wouldn't see it unless they accessed it just right.
This kind of stuff is the real scary (albeit, almost unheard of) kind. Since effectively it's impossible to remove by an end user once it's taken over the firmware.

Are there any rootkits out there that actually try to do that though? I'd guess the spread of such things would be terribly inefficient (every new hard disk you encounter, or motherboard, or whatever, would need new firmware) for the work involved (particularly given firmware is more complicated, with a higher rate of bricking).

Well, I have heard of an "in the wild" malware that lived in "marked bad" sectors of a hard disk (and the "mark bad" lives in the hard disk firmware). So a naive scan wouldn't pick up (most of?) the malware.
Yakk

Re: Rootkits

Postby hintss » Wed Mar 09, 2011 4:13 am UTC

There was once a virus that could copy itself to BIOS on some computers, though that wasn't its main method of spreading.
"s/god/flying spaghetti monster/"
hintss
