Home alone after school one day, Tommy scans through the latest blogs and teen Web sites, stopping for a chat or two. Somewhere along the way, the computer's browser hits a site that instantly and silently loads a fourth-generation rootkit onto his system. Without anyone's knowledge, the anti-virus application no longer updates or scans for viruses, the firewall opens ports it shouldn't and, when Tommy's father later logs on to his online bill-paying application, the logon data is automatically transmitted to a server belonging to an identity theft cartel.
Fourth-generation rootkits are so good at hiding themselves that detecting and removing them goes beyond the capability of home network users and of existing signature-based security technologies.
"It's very feasible for attackers to merge rootkits with information-gathering tools and with covert channel tools for stealth communication over firewall-protected networks," says Joanna Rutkowska, rootkit researcher and administrator of www.invisiblethings.org. "By definition, it's much more difficult to detect rootkit-protected attacks from attacks that aren't protected by rootkits. As such, I think the number of [rootkit] infections in the wild is underestimated."
Security vendor F-Secure has identified several rootkit-hidden spyware and Trojan horse programs, including EliteToolbar, ProAgent, Probot SE, Berbew/Padodor and Feutel/Hupigon. F-Secure also identified rootkits inside of worms, including the Myfip.h and the Maslan family. The only clues a home network user has of a rootkit install on his system might be lagging performance, or in cases of poorly written rootkits, users might experience blue screen reboots. Home firewall applications that scan outbound traffic, such as Sygate/Symantec or Zone Labs/CheckPoint, also might alert users that something's going on when the rootkit or malware becomes active.
If your users are experiencing latency problems or outbound alert messages, and the spyware and virus scans turn up nothing, you should run a rootkit detection scan against the PC (and you should do so every time you do any administration for your home network users). F-Secure is the only vendor offering anything close to a user-friendly rootkit detector: BlackLight Revealer, which is integrated into F-Secure's Internet Security Suite 2006, making it the first such product users can run themselves.
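A rootkit detection scan of the kind recommended above rests on cross-view comparison: a rootkit that hides a process usually filters one enumeration path (for example the high-level process-list API), so comparing that view against an independent, lower-level view exposes what was filtered. The script below is an added example, not code from the article or from F-Secure. The two snapshot dictionaries are constructed test data (the hidden PID 1337 is invented); the Linux live views, a `/proc` directory walk against `kill(pid, 0)` probing of every PID, are my assumption about a reasonable pair of views to compare.

```python
"""Cross-view process check, the principle behind rootkit detectors.

Added example, not code from the article or from F-Secure. Snapshots are
constructed; the Linux live views are an assumed pair of enumeration paths.
"""
import os
import sys

# Constructed sample: what a task-manager style API reports ...
API_VIEW = {1: "init", 412: "sshd", 733: "bash", 901: "firefox"}
# ... versus what a raw walk of the process table reports. PID 1337 is an
# invented entry standing in for a process the rootkit filtered from the API.
RAW_VIEW = {1: "init", 412: "sshd", 733: "bash", 901: "firefox", 1337: "unknown"}


def find_hidden(api_view, raw_view, recheck=None):
    """Return {pid: name} present in the raw view but absent from the API view.

    `recheck` is an optional callable pid -> bool confirming that the PID is
    still hidden; it filters out processes that started or exited between the
    two snapshots, the main source of false positives in a live scan.
    """
    hidden = {}
    for pid, name in raw_view.items():
        if pid in api_view:
            continue
        if recheck is not None and not recheck(pid):
            continue  # transient process, not a hidden one
        hidden[pid] = name
    return hidden


def proc_view():
    """High-level view: PIDs listed by the /proc directory (Linux only)."""
    view = {}
    for entry in os.listdir("/proc"):
        if entry.isdigit():
            try:
                with open(f"/proc/{entry}/comm") as f:
                    view[int(entry)] = f.read().strip()
            except OSError:
                pass  # process vanished during the walk
    return view


def kill0_view(limit=None):
    """Low-level view: probe every PID with signal 0, bypassing directory listing.

    A hook that filters readdir()/getdents() hides /proc entries but not
    kill(); a rootkit must hook both paths consistently to evade the diff.
    """
    if limit is None:
        with open("/proc/sys/kernel/pid_max") as f:
            limit = int(f.read())
    view = {}
    for pid in range(1, limit):
        try:
            os.kill(pid, 0)
        except ProcessLookupError:
            continue
        except PermissionError:
            pass  # exists, but owned by another user
        view[pid] = "?"
    return view


def still_hidden(pid):
    """Recheck for the live scan: alive via kill(), yet still absent from /proc."""
    try:
        os.kill(pid, 0)
    except ProcessLookupError:
        return False  # exited between snapshots
    except PermissionError:
        pass
    return not os.path.exists(f"/proc/{pid}")


if __name__ == "__main__":
    if not sys.platform.startswith("linux"):
        sys.exit("live scan needs Linux; the constructed snapshots still work")
    hidden = find_hidden(proc_view(), kill0_view(), recheck=still_hidden)
    print("hidden PIDs:", hidden or "none")
```

On a clean machine the live scan should report none; a hit that survives the recheck is a process reachable through `kill()` but absent from `/proc`, which is exactly the discrepancy a user-mode or kernel-mode rootkit creates when it filters one path and forgets the other. The same diff applies to files, registry keys and listening ports, which is why such detectors compare several views rather than one.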