
Rootkits aren’t doom – but keep up defenses

Apr 24, 2006 | 5 mins

Rootkits do not signal impending doom for corporate IT, but companies need to keep up their defenses as the malware tools begin to spread, experts say.

The best way to deal with rootkits is to prevent infection in the first place – which is easier said than done. Besides maintaining traditional layers of security – firewalls, anti-virus software and patching – experts recommend locking down desktops to control software installation and operating system manipulation.

“Rootkits are not an end-of-the-world situation,” says Rob Murawski, a member of the technical staff at Carnegie Mellon University’s Software Engineering Institute CERT Coordination Center (CERT/CC) in Pittsburgh, Pa. “But it is an arms race between those that create rootkits and those that create detectors.”

And that race is reaching a fever pitch. The number of rootkit attacks reported to McAfee labs in the first quarter of 2006 was up 700% compared with the same period in 2005, McAfee says.

A rootkit is malware that slips into a system and hides, and gives no indication that the system has been compromised. It can be used for any number of misdeeds, such as installing backdoors that can be used for remote access by hackers, or allowing a machine to be used as a staging point for attacks on other systems, according to CERT. Rootkits also can discover that security tools are looking for them and dodge detection.

While traditional malware tries to wreak as much havoc as possible, rootkits are being used to aim at focused targets, such as banks.

“What we’ve seen with rootkits is the transition from the notoriety-type virus writer to the for-profit virus writer,” says David Frazer, director of technologies for F-Secure, which develops an anti-rootkit tool called BlackLight. “The more professional-type malware writers have R&D. They have external funding.”

Those efforts are producing custom rootkits, such as Hacker Defender, with unique signatures that can’t be discovered by automatic detection tools relying on documented profiles of well-known rootkits.

Last year, the University of Connecticut found a rootkit that had been in its network for two years. The university said no data was compromised because the rootkit failed to install properly.

“The stakes are raised in this cat-and-mouse game,” says Mark Russinovich, chief software architect for Windows management vendor Winternals Software. There is now a lot of funding behind the creation of malicious code, he says, “making it lucrative to come up with innovative ways of delivering malware and keeping it on people’s machines.”

Russinovich is the developer of RootkitRevealer, one of the top rootkit detection tools, but he admits the tool is not a cure-all and that if users suspect they have a rootkit “they should run every rootkit detector they can get their hands on.”

While many rootkit detection tools are emerging, the stealth of rootkits makes discovery and eradication daunting, experts say.

In April 2000, CERT published a list of options for getting rid of rootkits, including backing up data, wiping hard drives clean and starting over with a fresh installation of an operating system. Microsoft officials raised eyebrows two weeks ago at the annual InfoSec security conference by endorsing “wipe and restart” as a solution to the problem. Users who have tried to remove rootkits say starting over fresh is the most cost-effective remedy.

“You don’t take rootkits out of Windows, not if you charge by the hour,” says Jayson Vantuyl, senior consulting partner for Confidence LC. “You end up spending a huge amount of time doing that. It’s a maze.”

Vantuyl says he has extracted about six rootkits from both Unix and Windows operating systems in the past 10 years. He sees rootkits as the natural evolution of viruses as they become more sophisticated. “A rootkit is a virus’ big brother, it’s what a virus becomes when it grows up,” he says.

Winternals’ Russinovich, however, says there is no reason to panic. “What we have to do is deploy the tools that are available and implement best practices in the security space to keep those machines clean.”

Rootkit varieties

There are several rootkit classifications depending on whether the malware survives a reboot or executes in user mode or kernel mode. Here is a look at the classes of rootkits:

Persistent: Activates each time the system boots. The rootkit must store code in a persistent store, such as the registry or file system, and configure a method by which the code executes without user intervention.

Memory-based: Has no persistent code and therefore cannot survive a reboot.

User-mode: Intercepts calls to APIs and modifies the returned results. For example, when an application performs a directory listing, the returned results don’t include entries identifying the files associated with the rootkit.

Kernel-mode: Not only can it intercept the native API in kernel mode, but it also can hide the presence of a malware process by removing it from the kernel’s list of active processes.
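The user-mode and kernel-mode classes above both work by making the answer an API returns differ from what is really on disk or in the process table, and that gap is exactly what cross-view detectors such as RootkitRevealer look for. The following is an added simulation, not code from the article, from F-Secure, or from Winternals: it models a "hooked" directory listing and process list that filter out the rootkit's own entries, and a detector that compares each hooked view with a raw view of the same data. The file names, paths, process IDs and the `simrk` prefix are all constructed; nothing here touches a real file system or Windows API.

```python
"""Cross-view rootkit detection, simulated on constructed data.

Models the article's user-mode class (API results filtered) and the
kernel-mode class (a process unlinked from the active-process list),
then detects both by comparing an API-level view with a raw view.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List

# Constructed "disk": directory -> file names (toy model, not real paths)
RAW_FS: Dict[str, List[str]] = {
    r"C:\Windows\System32": ["kernel32.dll", "ntdll.dll", "simrk_drv.sys", "user32.dll"],
    r"C:\Users\alice": ["notes.txt", "simrk_cfg.ini", "photo.jpg"],
}

# Constructed "kernel process table": pid -> image name
RAW_PROCESSES: Dict[int, str] = {4: "System", 512: "explorer.exe", 777: "simrk.exe", 900: "outlook.exe"}

# Constructed marker: every artefact of the simulated rootkit starts with this
HIDDEN_PREFIX = "simrk"


def raw_list_dir(path: str) -> List[str]:
    """Raw view: read the directory table directly, bypassing the hooked API."""
    return list(RAW_FS.get(path, []))


def hooked_list_dir(path: str) -> List[str]:
    """Simulated user-mode hook: call the real API, then drop the rootkit's own entries."""
    return [n for n in raw_list_dir(path) if not n.lower().startswith(HIDDEN_PREFIX)]


def raw_process_list() -> Dict[int, str]:
    """Raw view of the process table (e.g. walking kernel structures directly)."""
    return dict(RAW_PROCESSES)


def hooked_process_list() -> Dict[int, str]:
    """Simulated kernel-mode hiding: the rootkit's process is unlinked from what callers see."""
    return {pid: n for pid, n in RAW_PROCESSES.items() if not n.lower().startswith(HIDDEN_PREFIX)}


@dataclass
class Discrepancy:
    kind: str       # "file" or "process"
    location: str   # directory path, or pid for a process
    item: str       # name that differs between the two views
    direction: str  # "hidden": in raw view only; "phantom": in API view only


def cross_view_scan(
    paths: List[str],
    api_list_dir: Callable[[str], List[str]],
    raw_list_dir_fn: Callable[[str], List[str]],
    api_procs: Callable[[], Dict[int, str]],
    raw_procs: Callable[[], Dict[int, str]],
) -> List[Discrepancy]:
    """Report every entry present in one view but not the other.

    A clean system yields an empty list; any discrepancy means something
    between the API and the raw data is altering results.
    """
    findings: List[Discrepancy] = []
    for path in paths:
        api_view = set(api_list_dir(path))
        raw_view = set(raw_list_dir_fn(path))
        for name in sorted(raw_view - api_view):
            findings.append(Discrepancy("file", path, name, "hidden"))
        for name in sorted(api_view - raw_view):
            findings.append(Discrepancy("file", path, name, "phantom"))
    api_p, raw_p = api_procs(), raw_procs()
    for pid in sorted(set(raw_p) - set(api_p)):
        findings.append(Discrepancy("process", str(pid), raw_p[pid], "hidden"))
    for pid in sorted(set(api_p) - set(raw_p)):
        findings.append(Discrepancy("process", str(pid), api_p[pid], "phantom"))
    return findings


def scan_simulated_system() -> List[Discrepancy]:
    """Run the detector against the simulated hooked views."""
    return cross_view_scan(list(RAW_FS), hooked_list_dir, raw_list_dir,
                           hooked_process_list, raw_process_list)


if __name__ == "__main__":
    for d in scan_simulated_system():
        print(f"{d.direction:7} {d.kind:8} {d.location}: {d.item}")
```

The detector never needs a signature for the rootkit, which is the point: it flags the inconsistency, not a known profile, so it still fires on a custom build that a profile-based scanner would miss. The trade-off is that the raw view has to be obtained through a path the rootkit does not control, which is why the article's sources still recommend running several detectors and, once a rootkit is confirmed, rebuilding the machine rather than trusting any single tool's cleanup.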