Talk of rootkits, a favorite attacker tool for compromising computer systems without detection, has again begun percolating among security experts. The question is, "Why?" Rootkits certainly aren't new: they have been around for more than a decade, first on Unix and now primarily targeting Windows systems. Their purpose hasn't changed much either. They still give attackers root-level control of, and a backdoor into, the compromised system.
But the latest buzz is about how stealthy rootkits have become, and how they are now used to hide other malware and to subvert traditional desktop defenses. For example, rootkits found earlier this year by F-Secure's research team on Web servers in Russia were hiding malware of the Masland family, which was used to attack Web sites operated by Chechen rebels. And the Klog rootkit uses a kernel filter driver to log keystrokes.
Nobody can say how many computers are already owned by the stealthiest rootkits. But the number might be surprisingly high, researchers say, given how hard the new rootkits are to detect. Because they have complete control of the host, rootkits intercept and filter the operating-system calls (process, file and registry enumeration, for instance) that would otherwise reveal their presence to security professionals. Some rootkits even turn security software off altogether.
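The mechanism described above, hooking the path that enumeration requests travel through and dropping the entries the attacker wants hidden, is easiest to see in a small simulation. The following C program is an added example, not code from the article or from any real rootkit: the "kernel" process table is constructed sample data, the dispatch table and the `_root_` hiding prefix are assumptions standing in for a real kernel's dispatch table and for the prefix-based hiding classic kits used, and everything runs in user space. It also shows the check a practitioner would run against such a kit, a cross-view comparison of the API's answer with a lower-level view, plus a direct integrity check of the dispatch slot.

```c
/* Added illustration: a user-space simulation of a rootkit hiding a process
 * by hooking a dispatch-table slot, and a cross-view detector catching it.
 * Constructed sample data; not the code of any real rootkit or detector. */
#include <stdio.h>
#include <string.h>

#define MAX_PROCS 16

struct proc_entry {
    int pid;
    char name[32];
};

/* Constructed "kernel" process table (assumption: stands in for the real
 * kernel list that a rootkit would filter on the way to user mode). */
static const struct proc_entry kernel_table[] = {
    { 1,    "init" },
    { 812,  "sshd" },
    { 1337, "bash" },
    { 4242, "_root_backdoor" },   /* the entry the rootkit wants hidden */
    { 5003, "cron" },
};
static const int kernel_table_len = sizeof kernel_table / sizeof kernel_table[0];

/* Dispatch table: the single slot user-mode tools go through to enumerate
 * processes. A kernel rootkit hooks the equivalent slot (e.g. an SSDT entry). */
typedef int (*enum_procs_fn)(struct proc_entry *out, int max);

static int real_enum_procs(struct proc_entry *out, int max)
{
    int n = 0;
    for (int i = 0; i < kernel_table_len && n < max; i++)
        out[n++] = kernel_table[i];
    return n;
}

static struct { enum_procs_fn enum_procs; } dispatch = { real_enum_procs };

/* ---- rootkit side ---- */
static enum_procs_fn saved_enum_procs;       /* original pointer, for pass-through */
static const char hide_prefix[] = "_root_";  /* assumption: prefix-based hiding */

static int hooked_enum_procs(struct proc_entry *out, int max)
{
    struct proc_entry tmp[MAX_PROCS];
    int n = saved_enum_procs(tmp, MAX_PROCS);  /* ask the real code first */
    int kept = 0;
    for (int i = 0; i < n && kept < max; i++) {
        if (strncmp(tmp[i].name, hide_prefix, sizeof hide_prefix - 1) == 0)
            continue;                           /* drop it: the caller never sees it */
        out[kept++] = tmp[i];
    }
    return kept;
}

void install_hook(void)
{
    if (dispatch.enum_procs == hooked_enum_procs) return;
    saved_enum_procs = dispatch.enum_procs;
    dispatch.enum_procs = hooked_enum_procs;
}

void remove_hook(void)
{
    if (dispatch.enum_procs == hooked_enum_procs)
        dispatch.enum_procs = saved_enum_procs;
}

/* What a task-manager-style tool sees: it trusts the dispatch table. */
int high_level_view(struct proc_entry *out, int max)
{
    return dispatch.enum_procs(out, max);
}

/* ---- detector side ---- */
/* Cross-view detection: enumerate through the (possibly hooked) API and again
 * from the raw table, then report what the API view is missing. Returns the
 * number of hidden entries and copies them into `hidden` (NULL just counts). */
int crossview_detect(struct proc_entry *hidden, int max)
{
    struct proc_entry api[MAX_PROCS], raw[MAX_PROCS];
    int n_api = high_level_view(api, MAX_PROCS);
    int n_raw = real_enum_procs(raw, MAX_PROCS);
    int found = 0;
    for (int i = 0; i < n_raw; i++) {
        int seen = 0;
        for (int j = 0; j < n_api; j++)
            if (api[j].pid == raw[i].pid) { seen = 1; break; }
        if (!seen) {
            if (hidden && found < max) hidden[found] = raw[i];
            found++;
        }
    }
    return found;
}

/* Integrity check: does the dispatch slot still point at the real handler?
 * Returns 1 if it has been redirected. */
int dispatch_slot_tampered(void)
{
    return dispatch.enum_procs != real_enum_procs;
}

int main(void)
{
    struct proc_entry hidden[MAX_PROCS];
    printf("before hook: hidden=%d tampered=%d\n",
           crossview_detect(hidden, MAX_PROCS), dispatch_slot_tampered());
    install_hook();
    int n = crossview_detect(hidden, MAX_PROCS);
    printf("after hook:  hidden=%d tampered=%d\n", n, dispatch_slot_tampered());
    for (int i = 0; i < n; i++)
        printf("  hidden pid %d (%s)\n", hidden[i].pid, hidden[i].name);
    return 0;
}
```

The detector works only because its second view reaches the data without passing through the hooked slot, which is why real cross-view tools read kernel structures or raw disk rather than calling the documented API twice. That is also the limit the next quote points at: once the rootkit sits in the kernel it can filter the low-level path too, or lie to the integrity check, and the detector is left comparing two views the attacker controls.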
"Once a rootkit is in your kernel, it has complete and total control of all memory and hardware. Hence, all software, including your defensive technologies, can be subverted," says Greg Hoglund, co-author of Rootkits: Subverting the Windows Kernel, and owner of rootkit.com.
Some security experts see today's stealthier rootkits as another form of malware to be dealt with through traditional means - primarily policy-enforced endpoint security, network anomaly detection and intrusion prevention.
As a first level of protection against rootkits, corporations need to keep endpoint security patches up to date, particularly for the browser, says Alfred Huger, senior director of engineering for Symantec. This matters, he adds, because rootkits are most often installed on desktops and laptops that have visited malicious sites. Many of those sites are hosted on free Web-hosting services, says Websense Security Labs, which in the first half of 2005 tracked more than 2,500 personal sites and blogs hosting malware installers. More than 500 such sites were discovered in the first two weeks of July alone, Websense reports.