Search Quality & Cyber-Intelligence Lab (SQ-CIL)

Spam Double-Funnel: Connecting Web Spammers with Advertisers



 

Strider GhostBuster detects API-hiding rootkits by doing a "cross-view diff" between "the truth" and "the lie". It's not based on a known-bad signature, and it does not rely on a known-good state. It targets the fundamental weakness of hiding rootkits, and turns the hiding behavior into its own detection mechanism. There are three versions of Strider GhostBusters:

1. WinPE GhostBuster:
   • It detects hidden files and Registry entries by comparing an inside-the-box infected scan with an outside-the-box clean scan (of the same infected drive) from a WinPE CD boot.
   • See our July 2004 tech report "Strider GhostBuster: Why It’s A Bad Idea For Stealth Software To Hide Files" for a quick introduction.
   • See our December 2004 submission to DSN'05 "Detecting Stealth Software with Strider GhostBuster" for more details.
   • Read Bruce Schneier's comments on Strider GhostBuster: "Simple. Clever. Elegant."
   • See the Slashdot postings:
     • http://it.slashdot.org/it/05/02/18/1920244.shtml?tid=201
     • http://it.slashdot.org/it/05/02/23/1353258.shtml?tid=172&tid=218
   • Read ComputerWorld news article
   
   
2. Inside-the-box GhostBuster
   • It detects hidden files by comparing a Win32 API scan with Master File Table parsing, detects hidden Registry entries by comparing a Win32 API scan with direct Registry hive file parsing, and detects hidden processes by comparing a Win32 API scan with direct traversals of the active process list and other kernel data structures.
   • See our December 2004 submission to DSN'05 "Detecting Stealth Software with Strider GhostBuster" for more details.
   
   
3. User-Mode GhostBuster
   • It detects hidden Registry entries and processes by comparing a Win32 API scan with an INT 2E scan.
   • See the one-page tech report "How to “Root” a Rootkit That Supports Root Processes Using Strider GhostBuster Enterprise Scanner" for a brief description of the technique. It describes how to detect user-mode hiding rootkits within a fraction of a second and, in particular, how to detect and take over Hacker Defender in 3 seconds. (See Figures 1-5 screenshots here.)

• SysInternals RootkitRevealer, released on February 22, 2005, implements the same hidden-file and hidden-Registry detection techniques used in the Inside-the-box GhostBuster (which includes additional hidden-process and hidden-module detection techniques).
• Simple steps you can take to detect some of today's ghostware:
  1. Run "dir /s /b /ah" and "dir /s /b /a-h" inside the potentially infected OS and save the results.
  2. Boot into a clean CD, run "dir /s /b /ah" and "dir /s /b /a-h" on the same drive, and save the results.
  3. Run a clean version of WinDiff from the CD on the two sets of results to detect file-hiding ghostware (i.e., invisible inside, but visible from outside). See Hacker Defender ghostware files revealed (highlighted) for an example.
  4. Note: there will be some false positives. Also, this does not detect stealth software that hides in BIOS, Video card EEPROM, disk bad sectors, Alternate Data Streams, etc.

• Rootkit-protected Spyware
  • "Nasty new parasite discovered", search for "f0r0r"
  • "Follow up: Nasty new parasite", search for "Hacker Defender"
• Spyware turning into Ghostware
  • "CoolWebSearch (CWS) with Shield-DLL"