Companies lining up to root out rootkits

By Paul Roberts, IDG News Service
March 16, 2005 08:48 AM ET
Stealthy, remote system access programs called "rootkits" could fuel the next big wave of malicious code, and are already beginning to influence the design of new Internet worms and viruses, according to security experts. Now security software companies are sitting up and taking notice, releasing software that can spot and remove rootkits from infected systems.

In recent weeks a handful of companies, including anti-virus company F-Secure, Sana Security and free software site Sysinternals, released products they claim can ferret out kernel rootkit programs that manipulate Microsoft's Windows operating system and evade security software. But the buzz about rootkits may be overblown, according to one leading malicious code expert who says that the powerful programs, while dangerous, will never become as widespread as current viruses, worms or spyware.

Rootkits are malicious programs that are designed to be invisible, often replacing core operating system functionality with a version of the same functionality that provides remote attackers with a back door into compromised systems, said Al Huger, senior director of engineering at Symantec.

Kernel rootkits have been around since 1994, when the first "proof of concept" program was developed that evaded detection by loading and hiding in the Solaris kernel, or core processing center, he said.

While they're not new, rootkits have been the focus of increased energy and attention in underground malicious code-writing communities, and have begun to influence more common threats, such as e-mail viruses and worms, said Mikko Hyppönen of F-Secure.

Two recent viruses, Myfip.H and Maslan.A, both have stealth features borrowed from rootkits, Hyppönen said. Maslan.A hides files and folders it needs to run, so that they cannot be seen from within Windows by an administrator. Myfip.H manipulates the Windows kernel to hide the memory process used by the virus, according to F-Secure.

Those features make it very difficult for most antivirus products, including F-Secure's, to spot the programs, because antivirus software typically relies on telltale virus "signatures," such as executable file names, memory processes, or folders that are evidence of infection, Hyppönen said.

To counter the new threats, F-Secure released an evaluation version of a rootkit detection program called BlackLight on March 10. The software program looks for telltale rootkit behavior, such as programs that are attempting to hide processes, files, folders or configuration settings, he said.

F-Secure is planning to roll BlackLight into its consumer and enterprise anti-virus products, which will allow the company to spot rootkits before they are installed on customer systems, and detect infections on machines that have already been compromised, Hyppönen said.

Another free program, named RootkitRevealer, takes a similar approach to BlackLight, said Mark Russinovich, chief software architect of Winternals Software LP of Austin, Texas, which operates the Sysinternals free software site.
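The two detection approaches the article contrasts, signature matching on known names versus spotting objects a rootkit is hiding, can be shown side by side in a small cross-view check. The example below is added here and is not BlackLight or RootkitRevealer code; it models the idea that a kernel rootkit which hooks the APIs user-mode tools call can make a process, file or registry value disappear from the "high-level" view while it still exists in a "low-level" view (raw disk, raw kernel structures), so a differential between the two views flags the hidden object without any signature. All process names, paths and registry values are constructed sample data, and the allowlist of transient names is a hypothetical convention.

```python
"""Cross-view detection of hidden objects (illustrative, not vendor code).

A signature scanner only sees what the operating system's API view shows it;
if a rootkit filters that view, the signature never matches. A cross-view
detector enumerates the same object class twice, once through the normal
API and once through a lower-level path, and reports the differences.
The views below are constructed sample data, not live system state.
"""

from dataclasses import dataclass


@dataclass(frozen=True)
class Discrepancy:
    kind: str    # "process", "file" or "registry"
    name: str    # the object that differs between the two views
    reason: str  # why it was flagged


# Objects expected to differ for benign reasons, e.g. the scanner's own
# process, which may start or exit between the two enumerations.
# Hypothetical list; a real tool would tune this carefully.
TRANSIENT_ALLOWLIST = {
    "process": {"cross-view-scanner.exe"},
    "file": set(),
    "registry": set(),
}


def cross_view_diff(kind, high_level_view, low_level_view,
                    allowlist=TRANSIENT_ALLOWLIST):
    """Return Discrepancy entries for objects present in one view only."""
    high = set(high_level_view)
    low = set(low_level_view)
    allowed = allowlist.get(kind, set())
    findings = []
    # Present at the low level but missing from the API view: the classic
    # signature of an object being hidden from administrators and tools.
    for name in sorted(low - high):
        if name not in allowed:
            findings.append(Discrepancy(
                kind, name, "present in low-level view, hidden from API view"))
    # Reported by the API but not found at the low level: usually a race
    # between the two enumerations, still worth surfacing for review.
    for name in sorted(high - low):
        if name not in allowed:
            findings.append(Discrepancy(
                kind, name, "reported by API but absent from low-level view"))
    return findings


def signature_scan(file_view, known_bad_names):
    """Name-based check of the kind the article describes; it can only
    match objects that the view it is given actually contains."""
    return sorted(set(file_view) & set(known_bad_names))


# Constructed sample views: a system where a rootkit hides one process,
# one driver file and one autostart registry value from the API view.
API_PROCESSES = ["System", "explorer.exe", "svchost.exe",
                 "cross-view-scanner.exe"]
RAW_PROCESSES = ["System", "explorer.exe", "svchost.exe",
                 "hidden-dropper.exe"]            # hypothetical name
API_FILES = [r"C:\Windows\explorer.exe",
             r"C:\Windows\system32\svchost.exe"]
RAW_FILES = API_FILES + [r"C:\Windows\system32\drivers\hidden-driver.sys"]
RUN_KEY = r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run"
API_RUN_VALUES = [RUN_KEY + r"\ctfmon"]
RAW_RUN_VALUES = API_RUN_VALUES + [RUN_KEY + r"\hidden-loader"]

# A signature list that happens to contain the hidden driver's name.
KNOWN_BAD = [r"C:\Windows\system32\drivers\hidden-driver.sys"]


def run_demo():
    """Run both checks over the sample views and return their results."""
    # The signature scanner is fed the API view, so the hidden file never
    # reaches it and the match list comes back empty.
    sig_hits = signature_scan(API_FILES, KNOWN_BAD)
    findings = (cross_view_diff("process", API_PROCESSES, RAW_PROCESSES)
                + cross_view_diff("file", API_FILES, RAW_FILES)
                + cross_view_diff("registry", API_RUN_VALUES, RAW_RUN_VALUES))
    return sig_hits, findings


if __name__ == "__main__":
    hits, found = run_demo()
    print("signature scan over API view:", hits)
    for f in found:
        print(f"[{f.kind}] {f.name}: {f.reason}")
```

The point of the allowlist branch is the failure mode a practitioner hits first: the two enumerations are never atomic, so short-lived processes and files show up as one-sided differences and must be reviewed rather than treated as proof of a rootkit. Note also that the cross-view result carries no malware name at all; it says only that something is being hidden, which is exactly why it works against samples the signature database has never seen.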
