Home alone after school one day, Tommy scans through the latest blogs and teen Web sites, stopping for a chat or two. Somewhere
along the way, the computer's browser hits a site that instantly and silently loads a fourth-generation rootkit onto his system.
Without anyone's knowledge, the anti-virus application no longer updates or scans for viruses, the firewall opens ports it
shouldn't and, when Tommy's father later logs on to his online bill-paying application, the logon data is automatically transmitted
to a server belonging to an identity theft cartel.
Fourth-generation rootkits are so good at hiding themselves that detection and removal goes beyond the capability of home
network users and existing signature-based security technologies.
"It's very feasible for attackers to merge rootkits with information-gathering tools and with covert channel tools for stealth
communication over firewall-protected networks," says Joanna Rutkowska, rootkit researcher and administrator of www.invisiblethings.org. "By definition, it's much more difficult to detect rootkit-protected attacks from attacks that aren't protected by rootkits.
As such, I think the number of [rootkit] infections in the wild is underestimated."
Security vendor F-Secure has identified several rootkit-hidden spyware and Trojan horse programs, including EliteToolbar, ProAgent, Probot SE, Berbew/Padodor
and Feutel/Hupigon. F-Secure has also found rootkits inside worms, including Myfip.h and the Maslan family. The only
clues a home network user may have that a rootkit is installed on his system are lagging performance or, with poorly written
rootkits, blue-screen reboots. Home firewall applications that scan outbound traffic, such as Sygate/Symantec
or Zone Labs/CheckPoint, also might alert users that something's going on when the rootkit or malware becomes active.
If your users are experiencing latency problems or outbound alert messages, and the spyware/virus scans turn up nothing, you
should run a rootkit detection scan against the PC (and run one every time you do any administration for your home
network users). F-Secure is the only vendor that offers a remotely user-friendly rootkit detector, BlackLight Revealer,
which is integrated into F-Secure's Internet Security Suite 2006 - making it the first such product users can run themselves.
Because F-Secure uses several approaches to detect hidden processes, Rutkowska considers BlackLight highly effective
at catching today's rootkits, although it still lags behind new rootkit hiding techniques, including Shadow Walker (PDF) and NTFSHider. The best protection from well-hidden malware programs that could steal user identities is still prevention.
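To show what "several approaches to detect hidden processes" means in practice, here is an added example of a cross-view check; it is not F-Secure's BlackLight code and makes no claim about how BlackLight is built. It takes three user-mode views of the Windows process list (the .NET enumeration behind Get-Process, WMI's Win32_Process provider, and a direct OpenProcess probe of every possible PID that uses no enumeration API at all), samples each view twice so processes that merely started or exited between samples are ignored, and reports any PID that one view shows and another does not. The function names, the two-sample pause and the 65532 PID ceiling are this example's own assumptions. A discrepancy is a lead to investigate by hand, not proof of infection, and a kernel rootkit that unlinks its process from the kernel's own list can evade all three views, so a clean result is not proof of a clean system.

```powershell
# Cross-view check for hidden processes (added example, not F-Secure's code).
# Three user-mode views are sampled twice; a PID present in both samples of one
# view but absent from both samples of another is a discrepancy worth examining.

# Native OpenProcess/CloseHandle so the probe view does not depend on any
# enumeration API that a user-mode hook could filter.
Add-Type -Namespace HiddenProc -Name Native -MemberDefinition @'
[DllImport("kernel32.dll", SetLastError = true)]
public static extern IntPtr OpenProcess(uint desiredAccess, bool inheritHandle, uint processId);
[DllImport("kernel32.dll", SetLastError = true)]
public static extern bool CloseHandle(IntPtr handle);
'@

function Get-ApiView {
    # View 1: the .NET process enumeration behind Get-Process.
    [int[]](Get-Process).Id
}

function Get-WmiView {
    # View 2: WMI's Win32_Process provider, answered by the winmgmt service.
    [int[]](Get-CimInstance -ClassName Win32_Process).ProcessId
}

function Get-ProbeView {
    # View 3: no enumeration at all. Windows PIDs are multiples of 4, so every
    # candidate up to an assumed ceiling is opened directly. A handle, or an
    # access-denied error (protected or system process), means the PID is live.
    $PROCESS_QUERY_LIMITED_INFORMATION = 0x1000
    $ERROR_ACCESS_DENIED = 5
    $live = New-Object System.Collections.Generic.List[int]
    for ($candidate = 4; $candidate -le 65532; $candidate += 4) {
        $h = [HiddenProc.Native]::OpenProcess($PROCESS_QUERY_LIMITED_INFORMATION, $false, [uint32]$candidate)
        if ($h -ne [IntPtr]::Zero) {
            [void][HiddenProc.Native]::CloseHandle($h)
            $live.Add($candidate)
        } elseif ([System.Runtime.InteropServices.Marshal]::GetLastWin32Error() -eq $ERROR_ACCESS_DENIED) {
            $live.Add($candidate)
        }
    }
    [int[]]$live.ToArray()
}

function Get-StableView {
    param([scriptblock]$Sampler, [int]$PauseMs = 500)
    # Two samples; keep only PIDs seen in both, dropping transient processes.
    $first  = & $Sampler
    Start-Sleep -Milliseconds $PauseMs
    $second = & $Sampler
    [int[]]($first | Where-Object { $second -contains $_ })
}

function Find-HiddenProcesses {
    $views = [ordered]@{
        Api   = Get-StableView { Get-ApiView }
        Wmi   = Get-StableView { Get-WmiView }
        Probe = Get-StableView { Get-ProbeView }
    }
    # Every PID any view reported, then the views that did and did not show it.
    $union = $views.Values | ForEach-Object { $_ } | Sort-Object -Unique
    foreach ($id in $union) {
        $seenIn    = @($views.Keys | Where-Object { $views[$_] -contains $id })
        $missingIn = @($views.Keys | Where-Object { $views[$_] -notcontains $id })
        if ($missingIn.Count -gt 0) {
            $name = '<not resolvable>'
            try { $name = (Get-Process -Id $id -ErrorAction Stop).ProcessName } catch {}
            [pscustomobject]@{
                Pid         = $id
                Name        = $name
                SeenIn      = ($seenIn -join ',')
                MissingFrom = ($missingIn -join ',')
            }
        }
    }
}

Find-HiddenProcesses | Format-Table -AutoSize
```

The interesting direction is a PID that the Probe view shows but the Api and Wmi views do not: that is the signature of a hook on the enumeration path, which is what user-mode rootkits install. The opposite direction (listed by the enumerators, not openable by the probe) is usually a process that exited between the samples or a protected process whose error code was not access-denied, so check it before reading anything into it.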
You can start by promoting user behavior modification.
- Remind your users of the dangers of clicking links in unsolicited e-mail, and surfing random Web sites and blogs, which experts
say account for the lion's share of rootkit and other malware installs.
- Give them numbers - Gartner says phishing and keystroke-logging Trojans account for $2.75 billion in yearly losses, not to
mention the time it takes to recover a credit identity once it has been stolen.
- Keep browsers patched and updated, especially Internet Explorer and Mozilla Firefox, which are both vulnerable to rootkit
installs if not kept current. To Microsoft's credit, Internet Explorer is easier for home users to keep patched, thanks to
automated updates and its alert service. If your users are on Firefox, then you'll have to watch the news for updates and
send your home users to the Firefox site for the latest releases.
- Check out PivX preEmpt ($30 individual, $60 for a three-pack), which automatically closes new vulnerabilities as they're discovered, often ahead
of Microsoft's patch schedule.
- Set browser security to block ActiveX, the most dangerous mobile code because it runs with administrator privileges, says
Lance Cottrell, president and founder of Anonymizer, an Internet privacy company. None of your Windows home users should be
running as administrator, but rather as non-privileged users with unique passwords so that when they touch a Web site trying
to load a rootkit to the kernel, it would prompt them to type a password and thus alert them that something's trying to load.
- Remind users to keep anti-virus and anti-spyware scanners up to date. Signature-based and pattern recognition technologies
will develop around some of the most common malware-rootkit packages to emerge, and more suites such as F-Secure's will expand
to handle these new types of blended threats.
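The checks in this list can be audited rather than just remembered. The script below is an added example, not from the article or from any vendor named in it; it reports on three of the recommendations for the account it is run in: whether that account sits in the local Administrators group, whether Internet Explorer's Internet zone has ActiveX disabled, and whether automatic Windows updates have been switched off. It assumes Windows PowerShell 5.1 or later with the LocalAccounts module (Get-LocalGroupMember), and it reads the documented Internet Explorer zone values 1200 (run ActiveX controls), 1001 (download signed ActiveX) and 1004 (download unsigned ActiveX), where 0 means enabled, 1 prompt and 3 disabled. Those zone settings are read only by Internet Explorer and components that embed it, so the ActiveX check says nothing about Firefox; the check names and report layout are this example's own.

```powershell
# Audit of the hardening advice above on one Windows PC (added example, not from
# the article). Run it in the account the home user actually uses day to day.

function Test-CurrentUserNotAdmin {
    # Advice: nobody should be running as administrator. Compares the current
    # identity against the local Administrators group membership. Member names
    # are COMPUTER\user; Microsoft-account or domain users may be listed under a
    # different display form and need a manual look.
    $members = @(Get-LocalGroupMember -Group 'Administrators' | Select-Object -ExpandProperty Name)
    $me = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
    [pscustomobject]@{
        Check  = 'Current user not in Administrators'
        Pass   = ($members -notcontains $me)
        Detail = "Current user: $me; Administrators: $($members -join ', ')"
    }
}

function Test-ActiveXBlocked {
    # Advice: set the browser to block ActiveX. Zone 3 is the Internet zone; a
    # value that is absent means the zone template default applies, which is
    # treated here as not blocked (conservative).
    $zone = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3'
    $settings = [ordered]@{
        '1200' = 'Run ActiveX controls'
        '1001' = 'Download signed ActiveX'
        '1004' = 'Download unsigned ActiveX'
    }
    $props = Get-ItemProperty -Path $zone -ErrorAction SilentlyContinue
    foreach ($name in $settings.Keys) {
        $value = $null
        if ($null -ne $props) { $value = $props.PSObject.Properties[$name].Value }
        $state = switch ($value) {
            0       { 'enabled' }
            1       { 'prompt' }
            3       { 'disabled' }
            default { 'not set (zone default applies)' }
        }
        [pscustomobject]@{
            Check  = "ActiveX: $($settings[$name]) disabled in Internet zone"
            Pass   = ($value -eq 3)
            Detail = "Value $name = $state"
        }
    }
}

function Test-AutomaticUpdates {
    # Advice: keep the system patched. Flags the NoAutoUpdate policy and a
    # disabled Windows Update service, the two ways automatic updates get turned off.
    $policy = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU' -ErrorAction SilentlyContinue
    $disabledByPolicy = ($null -ne $policy -and $policy.NoAutoUpdate -eq 1)
    $svc = Get-Service -Name wuauserv -ErrorAction SilentlyContinue
    $serviceOk = ($null -ne $svc -and $svc.StartType -ne 'Disabled')
    $svcText = if ($null -ne $svc) { $svc.StartType } else { 'service missing' }
    [pscustomobject]@{
        Check  = 'Automatic updates not switched off'
        Pass   = (-not $disabledByPolicy -and $serviceOk)
        Detail = "NoAutoUpdate policy set: $disabledByPolicy; wuauserv start type: $svcText"
    }
}

$report = @(Test-CurrentUserNotAdmin; Test-ActiveXBlocked; Test-AutomaticUpdates)
$report | Format-Table Check, Pass, Detail -AutoSize
```

A failed "not in Administrators" check is the one to fix first: with a non-privileged account, a drive-by install that needs to load a kernel component fails at the privilege boundary instead of succeeding silently, which is the outcome the advice above is aiming for.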
Radcliff is a freelance writer and educator on computer security for corporations and home network users.