
I am sure the numbers are way off, but not sure only the microcode one is. My suspicion is that against most non-intelligence targets, the DLL injection approach is quite unlikely to be found out either, at least once the initial intrusion has been accomplished. In both cases, the implants will likely only be detected if the machine in question is used to stage another attack or exfiltrate data over the network, in which case the level of the rootkit running on the host will matter very little for detection.

Admittedly, the best rootkits probably target the network equipment as well as the host.

At the host level, most organizations wouldn't be able to detect an unmasked trojan running as its own separate user process unless its signature was already known or its behavior caught by a blacklist-based IDS.

The problem with doing DLL injections is that you are dropping things directly to the disk, which is a great way to get the AV's attention. Heuristics-based detection can be a pain in the ass here, and you want your rootkit to be able to be 'unique' for every installation if possible.

Also, rootkits are way overrated. What you do when you compromise an organization is open a connection to your C&C on a few machines to keep your foothold if any reboot. If you need to get in, you just connect to one of those boxes and continue on. You never have to drop anything on the hard disk, which makes it much stealthier.
