December 15th, 2010 – Albuquerque, NM – After many years of silence on the rootkit front, a brand new, fully functional yet undetectable Windows Server 2008/Windows 7 rootkit was launched at Hacker Halted 2010 in Miami. The rootkit, which also implements a so-called "theoretical" attack, was developed by a security professional from Hungary, Csaba Barta, who is an EC-Council Certified Instructor at NetAcademia. According to EC-Council, the current plan is to send the code to the major virus scanner vendors first; the rootkit will then be made available to the information security community as part of the next version of the Certified Ethical Hacker (CEH v7) training.
After so many years of deep-pocket investment and thorough development in the security field by many hardware and software vendors, many assume that there is no room left for a perpetrator to implement code that not only hides itself on the computer but fools the operating system so badly that a regular forensic investigation is unable to reveal it, at least not without tedious effort.
Csaba Barta, an EC-Council Certified Instructor at NetAcademia in Budapest, Hungary, and a forensic investigator at Deloitte Hungary, spent two and a half years investigating the most modern operating systems and implementing a rootkit that is able to swap a logged-on user's identity, credentials and password with ease.
"My goal was to create a proof-of-concept rootkit for training purposes only; that's why you did not hear about it until now. It turned out later that I was able to implement attack types nobody else had done before," said Csaba, who is very proud of his Cached Data Attack module, which is capable of clearing and setting passwords in memory without the knowledge of the operating system. He adds: "This rootkit is a good example of how techniques used in widely spread forensic software could be used by malicious software in order to avoid detection. It has to be mentioned that the concept was first documented by Brendan Dolan-Gavitt in 2008."
Some of the rootkit's capabilities in a nutshell: besides all the routine tasks that every rootkit performs (hiding files, processes, etc.), Csaba's rootkit is also capable of stealing access tokens from arbitrary processes, making a change of security context to SYSTEM and back trivial. His own implementation of the Cached Data Attack exposes an inherent weakness in the way Windows handles passwords in memory: it is not only capable of setting any user's password to any value, it does so while leaving no tracks behind.
According to Sean Lim, Vice President of EC-Council: "This is a two-sided story. On one side, we are very proud of Csaba's results, but on the other hand it is sad evidence of the fact that there are hidden attacks that surface all the time. We plan to incorporate the rootkit in the CEHv7 training material to make our students aware of the risks. We continue to draw attention to possible security threats to information technology systems and to provide solutions to these threats to ensure that such systems remain safe."
The International Council of E-Commerce Consultants (EC-Council) is a member-based organization that certifies individuals in cybersecurity and e-commerce skills. It is the owner and developer of 16 security certifications, including Certified Ethical Hacker (CEH), Computer Hacking Forensic Investigator (CHFI) and EC-Council Certified Security Analyst (ECSA)/Licensed Penetration Tester (LPT). Its certificate programs are offered in over 60 countries around the world.
EC-Council has trained over 80,000 individuals and certified more than 30,000 members through more than 450 training partners globally. These certifications are recognized worldwide and have received endorsements from various government agencies, including the U.S. federal government via the Montgomery GI Bill, the Department of Defense via DoD 8570.01-M, the National Security Agency (NSA) and the Committee on National Security Systems (CNSS). EC-Council also operates EC-Council University and the global series of Hacker Halted security conferences. The organization is headquartered in Albuquerque, New Mexico.