Digging out new rootkits

These attacker tools have become stealthier than ever. Even so, they may not require specialized protection.
By Deb Radcliff , Network World , 09/26/2005

Talk of rootkits, favorite attacker tools for compromising computer systems without detection, has again begun percolating among security experts. The question is, "Why?" Rootkits certainly aren't new - they've been around for more than a decade, first on Unix and now primarily targeting Windows systems. And their purpose hasn't changed much either. They still give attackers root control and a backdoor into the compromised system.

But the latest buzz is how rootkits have become exceptionally stealthy, and now sometimes hide malware and subvert traditional desktop defenses. For example, rootkits found earlier this year by F-Secure's research team on Web servers in Russia were hiding the Masland family of viruses targeted at taking down Web sites operated by Chechen rebels. And the Klog rootkit uses a kernel filter driver to implement keyloggers.

Nobody can say how many computers already are owned by the stealthiest of rootkits. But the number might be surprisingly high, researchers say, given that new rootkits are so hard to detect. Since they have complete control of their hosts, rootkits hide the calls to the operating system that would normally alert security professionals to their presence. Some rootkits even turn security software off altogether.

"Once a rootkit is in your kernel, it has complete and total control of all memory and hardware. Hence, all software, including your defensive technologies, can be subverted," says Greg Hoglund, co-author of Rootkits: Subverting the Windows Kernel, and owner of rootkit.com.
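Because a rootkit that filters the operating system's own answers can only lie through the interfaces it has hooked, detection tools compare two views of the same state taken by different routes and flag what one view shows but the other omits. The following is an added illustration of that cross-view idea, not code from the article or from any product it mentions; it assumes a Linux host, treats the directory listing of /proc as the high-level view a hooking rootkit would trim, and uses a null signal (kill with signal 0) as the independent low-level view.

```python
import os
from typing import Callable, Iterable, Set

PROC = "/proc"  # Linux procfs; this example assumes a Linux host

def pids_from_proc() -> Set[int]:
    """High-level view: PIDs shown by listing /proc. This is the view a
    rootkit that filters directory enumeration would trim."""
    return {int(n) for n in os.listdir(PROC) if n.isdigit()}

def pids_by_probe(max_pid: int) -> Set[int]:
    """Low-level view: PIDs that respond to a null signal. kill(pid, 0) sends
    nothing; ESRCH means no such process, success or EPERM means one exists,
    whether or not the listing mentioned it."""
    alive: Set[int] = set()
    for pid in range(1, max_pid + 1):
        try:
            os.kill(pid, 0)
        except ProcessLookupError:
            continue
        except PermissionError:
            pass
        alive.add(pid)
    return alive

def is_thread(pid: int) -> bool:
    """True if pid is a non-leader thread: kill() accepts TIDs but /proc lists
    only thread-group leaders. An unreadable status file is NOT treated as a
    thread; that is exactly what a hidden process looks like."""
    try:
        with open(f"{PROC}/{pid}/status") as f:
            for line in f:
                if line.startswith("Tgid:"):
                    return int(line.split()[1]) != pid
    except OSError:
        pass
    return False

def hidden_pids(listed: Iterable[int], probed: Iterable[int],
                thread_check: Callable[[int], bool] = is_thread) -> Set[int]:
    """Cross-view difference: in the low-level view, absent from the listing,
    and not explained by being a thread. A hit is a lead, not proof; a process
    may simply have exited between the two snapshots."""
    listed = set(listed)
    return {p for p in probed if p not in listed and not thread_check(p)}

if __name__ == "__main__":
    found = hidden_pids(pids_from_proc(), pids_by_probe(32768))
    print("PIDs hidden from /proc:", sorted(found) or "none")
```

A kernel rootkit that also hooks the signal path can defeat this particular pair of views, which is why real detectors take several independent views (raw kernel structures, on-disk data, network-side observations) rather than only these two.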

Nipping rootkits in the bud

Some security experts see today's stealthier rootkits as another form of malware to be dealt with through traditional means - primarily policy-enforced endpoint security, network anomaly detection and intrusion prevention.

As a first level of protection against rootkits, corporations need to keep endpoint security patches up-to-date, particularly on the browser, says Alfred Huger, senior director of engineering for Symantec. This is important, he adds, because rootkits install most often on computers and laptops that have visited malicious sites. Most of these are malicious sites that use free Web-hosting services, says Websense Security Labs, which in the first half of 2005 tracked more than 2,500 personal sites and blogs hosting malware installers. More than 500 such sites were discovered in the first two weeks of July, Websense reports.
