The hacker equivalent of a cloak of invisibility may cause serious problems for users and anti-virus vendors, a security expert says.
The hacker equivalent of a cloak of invisibility may cause serious problems for users and anti-virus vendors, a security expert said Thursday.
Rootkits, which hark back to Unix, are tools used by hackers to cover their tracks. Rootkits -- even the name comes from Unix, for it refers to the term for the OS's super-user, the root user -- can hide the existence of other malware on a computer by modifying file data, Windows registry keys, or active processes, all of which are used by malicious code detection software to spot worms, viruses, and spyware that's been installed on a PC.
They're commonly used by spyware writers who, after all, try to play as stealthy as possible, but they're now gaining popularity among virus writers, say some security analysts.
According to Panda Software's research director, rootkits for Windows are proliferating. " Even though they're not new, rootkits have re-emerged as a kind of malware that could let hackers discreetly carry out numerous malicious actions," said Luis Corrons in a statement. "In fact, we've seen that they're being used in combination with backdoors to take remote control of computers."
Microsoft, too, has picked up on the rootkit wave. Earlier this week, it released an updated version of its Windows Malicious Software Removal Tool, and for the first time, included a rootkit among the malware it seeks out and destroys.
Hackdef -- also known as Hack Defender -- and one of the most popular rootkits among hackers, "creates, alters, and hides Windows system resources on a computer that it has infected," said the Redmond, Wash.-based developer in its online brief. "[It] can hide proxy services and backdoor functionality. It can also conceal use of TCP and UDP ports for receiving commands from attackers."
"Hack Defender's a perfect example of a rootkit, and the trend of malicious code to conceal itself," said Ken Dunham, the director of malicious code research for Reston, Va.-based security intelligence firm iDefense.
"It's a little like a port knocker in that it doesn't open a new port, but monitors server traffic coming in on other ports, such as TCP port 80, which is used by Internet Explorer. "Good luck trying to figure out what's legitimate and what's not on port 80."
But Dunham's not as convinced as others that rootkits for Windows are that big of a deal. "I think it's a growing trend, but it's really hard to identify [the scope]. There just aren't a lot of stats."
He's a lot more sure of the success of that malware writers are having in cloaking their wares and covering their tracks. "Hackers are becoming very successful in concealing themselves."
Anti-virus firms, said Dunham, are at the front of the battle against rootkits, since by definition, AV software "has to detect before it can destroy, doesn't it?" Dunham noted.
Helsinki-based anti-virus vendor F-Secure, for instance, said that it's monitored posts on a spammer and virus writer blog where the author of Hacker Defender claims his rootkit as not only invisible to current AV software, but also to rootkit-specific detection tools, such as F-Secure's own Blacklight. The license for Hacker Defender, said F-Secure, costs about $500.
Blacklight, which is still in beta testing, is a rootkit detector and eliminator. Until May 1, the free beta can be downloaded from the F-Secure Web site.
It all, said Panda's Corrons, poses a "serious threat" to Windows users, at least in the short term.
In general, Dunham agreed. "As malicious code gets more complicated, it's harder to identify," he concluded.
We welcome your comments on this topic on our social media channels, or [contact us directly] with questions about the site.
2018 State of the CloudCloud adoption is growing, but how are organizations taking advantage of it? Interop ITX and InformationWeek surveyed technology decision-makers to find out, read this report to discover what they had to say!
Infographic: The State of DevOps in 2017Is DevOps helping organizations reduce costs and time-to-market for software releases? What's getting in the way of DevOps adoption? Find out in this InformationWeek and Interop ITX infographic on the state of DevOps in 2017.