More Dangerous Rootkits May Lurk On Horizon - InformationWeek


More Dangerous Rootkits May Lurk On Horizon

Rootkits aren't inherently evil. But malcontents are getting better at using them, and rootkits are getting harder to detect.

As the argument rages over whether rootkits can serve a useful purpose, new types of rootkits are emerging that require new methods of detecting and removing them.

Rootkits hide processes, files, and network connections and can be written as a device driver for any operating system. Most people associate rootkits with the questionable practices of some of those who use them. They've carried a negative connotation ever since one was found in the software Sony shipped to protect the intellectual property on its artists' CDs.

But don't blame the technology. "A rootkit is not inherently malicious, although they are used for malicious purposes. The technology is separate from the intent," Greg Hoglund, CEO of software security service provider HBGary, said last week at the Software Security Summit in Baltimore.

Rootkits are difficult to detect, and new, more dangerous types may be on the horizon. Researchers at the University of Michigan and Microsoft in March published a paper that describes virtual-machine based rootkits that can cloak malware that monitors and controls software-based virtual servers running on a hardware-based server. Whereas more conventional rootkits "are faced with a fundamental tradeoff between functionality and invisibility," a virtual-machine based rootkit can "completely hide all its state and activity from intrusion detection systems running in the target operating system and applications," the researchers reported. Virtual-machine based rootkits are more difficult to install than conventional malware and require a reboot before they can run.

One technique that's used to infiltrate systems with rootkits is to disguise them as printer drivers, which are generally not well managed, Hoglund says. In this manner, a rootkit carrying a malicious payload has a path straight into the system's kernel. Another technique is to install a rootkit from a USB-pluggable drive or via a PCMCIA slot.

Or it can be done the Sony way, which is to include rootkits on CDs that people buy and play on their computers. Late last year, Sony was fingered for including First 4 Internet digital-rights management software on its artists' CDs after Mark Russinovich, chief software architect and co-founder of Windows repair and recovery software maker Winternals Software, discovered a rootkit on his PC. First 4 Internet's software installed the rootkit to ensure that Sony's intellectual property—its artists' songs—couldn't be illegally copied. While most people agreed with Sony's right to protect its works, some criticized its use of rootkits. "Not only had Sony put software on my system that uses techniques commonly used by malware to mask its presence, the software is poorly written and provides no means for uninstall," Russinovich wrote in his Oct. 31 Sysinternals blog entry.

A federal judge in May approved the settlement of a class-action lawsuit filed by consumers against Sony. Under the settlement, anyone who purchased, received, or used CDs containing the DRM software after Aug. 1, 2003, can file a claim and receive new unprotected replacement CDs, free music downloads from a selection of 200 titles, or cash payments of $7.50.

The uproar over Sony's use of rootkit technology to embed DRM software was so strong that, months later, when security researchers discovered that the Norton Protected Recycle Bin, or NProtect, directory found in Symantec's Norton SystemWorks software was invisible to Windows, they accused Symantec of using rootkit technology. Symantec vehemently denied it was using a rootkit and then altered SystemWorks to make NProtect visible to Windows. "The Sony thing had just happened, so people had a bad image of stealth," Hoglund says. "Symantec wasn't creating any danger to the system, but it was a [public relations] nightmare."

A better example of what system admins have to fear from rootkits was revealed in May, when security researchers found that the online gaming site Checkraised.com was distributing a program known as RBCalc.exe that covertly stored gamblers' information for possible theft. The executable file was being used to create a backdoor to offer illegal remote access to an infected user's computer, and it used a rootkit to conceal its presence, security research firm F-Secure reported. With this in place, the tool's author could access login information from a user's computer for various online poker Web sites and seriously hurt that user's financial situation.

While there are products that can be used to detect rootkits, including F-Secure's BlackLight and Sysinternals' RootkitRevealer, software-based responses to rootkits become less effective the closer the rootkit sits to the operating system kernel. A better offense against rootkits is a strong defense. Hoglund suggests closing off paths into the computer's operating system, adding, with a bit of humor, "When you see people who've glued closed their ports, those are people who understand rootkits."
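Tools of this kind, RootkitRevealer included, rely on cross-view detection: enumerate the same objects once through the normal API and once through a lower-level route, then flag whatever only the low-level route reports. As an added example, not code from the article or from either product, here is that idea applied to the process-hiding described above, on Linux: a /proc directory listing is compared against kill(pid, 0) probes of every possible PID, with thread IDs and scan races filtered out so they are not reported as hidden.

```python
import os

def cross_view_diff(api_view, raw_view):
    """Compare two enumerations of the same objects. Anything the low-level
    route sees that the normal API does not is the rootkit signature; the
    reverse direction is usually just a process that exited between scans."""
    api, raw = set(api_view), set(raw_view)
    return {"hidden_from_api": sorted(raw - api), "only_in_api": sorted(api - raw)}

def confirm_hidden(scan_pairs):
    """Keep only PIDs hidden in every pass so that short-lived processes
    caught mid-exit in a single pass do not produce false alarms."""
    per_pass = [set(cross_view_diff(a, r)["hidden_from_api"]) for a, r in scan_pairs]
    return sorted(set.intersection(*per_pass)) if per_pass else []

def proc_listing_pids():
    """High-level view: the PIDs a directory listing of /proc reports."""
    return {int(d) for d in os.listdir("/proc") if d.isdigit()}

def is_plain_thread(pid):
    """/proc lists only thread-group leaders, yet kill(tid, 0) also succeeds
    for an ordinary thread ID; such IDs must not be reported as hidden."""
    try:
        with open(f"/proc/{pid}/status") as fh:
            for line in fh:
                if line.startswith("Tgid:"):
                    return int(line.split()[1]) != pid
    except OSError:
        pass          # no status file at all: treat as a real (possibly hidden) PID
    return False

def signal_probe_pids():
    """Low-level view: ask the kernel about every possible PID with signal 0."""
    with open("/proc/sys/kernel/pid_max") as fh:
        pid_max = int(fh.read())
    alive = set()
    for pid in range(1, pid_max + 1):
        try:
            os.kill(pid, 0)
        except ProcessLookupError:
            continue
        except PermissionError:
            pass      # exists, but is owned by another user
        if not is_plain_thread(pid):
            alive.add(pid)
    return alive

if __name__ == "__main__":
    # Constructed sample: PID 4242 is missing from the API view in both passes,
    # PID 7 only in the first (a race), so only 4242 is confirmed.
    sample = [({1, 2, 3}, {1, 2, 3, 7, 4242}), ({1, 2, 3, 7}, {1, 2, 3, 4242})]
    print("confirmed hidden:", confirm_hidden(sample))
```

For a live scan, pass several (proc_listing_pids(), signal_probe_pids()) pairs to confirm_hidden. Because a kernel-level rootkit can hook both routes, an empty result is evidence, not proof, which is the limitation the paragraph above describes.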
