Chapter 1 / Empty Cup Mind
Why Use Stealth Technology? Aren't Rootkits Detectable?
Some people might wonder why rootkits are necessary. I've even heard some
security researchers assert that "in general using rootkits to maintain control
is not advisable or commonly done by sophisticated attackers because rootkits
are detectable." Why not just break in and co-opt an existing user account
and then attempt to blend in?
I think this reasoning is flawed, and I'll explain why using a two-part
response.
First, stealth technology is part of the ongoing arms race between Black Hats
and White Hats. To dismiss rootkits outright, as being detectable, implies that
this arms race is over (and I thoroughly assure you, it's not). As old
concealment tactics are discovered and countered, new ones emerge.
I suspect that Greg Hoglund, Jamie Butler, Holy Father, Joanna Rutkowska,
and several anonymous engineers working for defense contracting agencies
would agree: By definition, the fundamental design goal of a rootkit is to
subvert detection. In other words, if a rootkit has been detected, it has failed
in its fundamental mission. One failure shouldn't condemn an entire domain
of investigation.
Second, in the absence of stealth technology, an intruder who operates as a
normal user creates a conspicuous audit trail that can easily be tracked using
standard forensics. This means not only that you leave a substantial quantity of
evidence behind, but also that this evidence is of fairly good quality. This
makes an intruder more likely to fall victim to what Richard Bejtlich has
christened the Intruder's Dilemma [16]:
The defender only needs to detect one of the indicators of the intruder's
presence in order to initiate incident response within the enterprise.
If you're operating as a legitimate user, without actively trying to conceal
anything that you do, everything that you do is plainly visible. It's all logged
and archived, as it should be in the absence of system modification. In other
words, you increase the likelihood that an alarm will sound when you cross
the line.
16. http://taosecurity.blogspot.com/2009/05/defenders-dilemma-and-intruders-dilemma.html