Companies lining up to root out rootkits

Companies are beginning to introduce rootkit detection tools, as interest in the stealth programs increases.

Stealthy, remote system access programs called "rootkits" could fuel the next big wave of malicious code, and are already beginning to influence the design of new Internet worms and viruses, according to security experts. Now security software companies are sitting up and taking notice, releasing software that can spot and remove rootkits from infected systems.

In recent weeks a handful of companies, including antivirus company F-Secure, Sana Security and free software site Sysinternals released products they claim can ferret out kernel rootkit programs that manipulate Microsoft's Windows operating system and evade security software. But the buzz about rootkits may be overblown, according to one leading malicious code expert who says that the powerful programs, while dangerous, will never become as widespread as current viruses, worms or spyware.

Rootkits are malicious programs designed to be invisible, often replacing core operating system functionality with a version of the same functionality that also gives remote attackers a back door into compromised systems, said Al Huger, senior director of engineering at Symantec. Kernel rootkits have been around since 1994, when the first "proof of concept" program was developed that evaded detection by loading and hiding in the Solaris kernel, or core processing center, he said.

While they are not new, rootkits have been the focus of increased energy and attention in underground malicious code-writing communities, and have begun to influence more common threats, such as email viruses and worms, said Mikko Hyppönen of F-Secure.

Two recent viruses, Myfip.H and Maslan.A, both had stealth features borrowed from rootkits, Hyppönen said.

Maslan.A hides files and folders it needs to run, so that they cannot be seen from within Windows by an administrator. Myfip.H manipulates the Windows kernel to hide the memory process used by the virus, according to F-Secure.

Those features made it very difficult for most antivirus products, including F-Secure's, to spot the programs, because antivirus software typically relies on telltale virus "signatures," such as executable file names, memory processes, or folders that are evidence of infection, Hyppönen said. To counter the new threats, F-Secure released an evaluation version of a rootkit detection program called BlackLight on March 10.

The software program looks for telltale rootkit behavior, such as programs that are attempting to hide processes, files, folders or configuration settings, he said.

F-Secure is planning to roll BlackLight into its consumer and enterprise antivirus products, which will allow the company to spot rootkits before they are installed on customer systems, and detect infections on machines that have already been compromised, Hyppönen said.

Another free program, named RootkitRevealer, takes a similar approach to BlackLight, said Mark Russinovich, chief software architect of Winternals Software, the company that operates the Sysinternals free software site.

RootkitRevealer queries application programming interfaces (APIs) at the kernel level and in the Windows user environment, and then compares the results of those scans.

The approach spots rootkits by recognising the discrepancies they create when they manipulate system data at either level, he said.
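The cross-view comparison described above, as an added illustrative example (not the code of RootkitRevealer, BlackLight or FU): a high-level view of files, registry keys and processes is diffed against a raw view of the same data, and a second pass filters out transient objects that would otherwise be false positives. The example extends the file and registry comparison to process lists, and every view in it is constructed sample data rather than a live system read.

```python
"""Cross-view rootkit detection: diff the high-level (Windows API) view of
files, registry keys and processes against a low-level (raw) view of the same
data and report mismatches. Added illustrative example, not the code of
RootkitRevealer, BlackLight or FU; all views are constructed sample data."""
from dataclasses import dataclass

@dataclass(frozen=True, order=True)
class Discrepancy:
    kind: str    # "file", "registry" or "process"
    name: str
    detail: str

def cross_view_diff(kind, api_view, raw_view):
    """Objects in the raw view but not the API view are candidates for
    rootkit hiding; objects only in the API view are reported as well."""
    found = [Discrepancy(kind, str(n), "in raw view, hidden from API")
             for n in sorted(set(raw_view) - set(api_view))]
    found += [Discrepancy(kind, str(n), "returned by API, absent from raw view")
              for n in sorted(set(api_view) - set(raw_view))]
    return found

def scan(views):
    """views maps kind -> (api_view, raw_view); returns every discrepancy."""
    return [d for kind, (api, raw) in views.items()
            for d in cross_view_diff(kind, api, raw)]

def confirm(first_pass, second_pass):
    """A transient object (a temp file deleted between the two reads) shows
    up in only one pass; keep only discrepancies that survive a rescan."""
    return sorted(set(first_pass) & set(second_pass))

# Constructed sample data: the API view misses one driver file, one Run key
# and one process that the raw view (disk parse, hive parse, PID probe) sees.
# Pass 1 also catches a temp file that is gone by pass 2.
RUN = "HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\"
PASS_1 = {
    "file": (["C:\\Windows\\notepad.exe"],
             ["C:\\Windows\\notepad.exe", "C:\\Windows\\drv\\stealth.sys", "C:\\tmp\\~a.tmp"]),
    "registry": ([RUN + "ctfmon"], [RUN + "ctfmon", RUN + "stealth"]),
    "process": ([4, 612, 1440], [4, 612, 1440, 2064]),
}
PASS_2 = {"file": (PASS_1["file"][0], ["C:\\Windows\\notepad.exe", "C:\\Windows\\drv\\stealth.sys"]),
          "registry": PASS_1["registry"], "process": PASS_1["process"]}

def confirmed_findings():
    return confirm(scan(PASS_1), scan(PASS_2))
```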

Sana Security said the latest version of the Primary Response intrusion prevention system technology can spot rootkits. Primary Response 3.0 uses technology called Active Malware Defense Technology (Active MDT) that analyses the behavior of memory processes or applications on a machine over time and flags malicious behavior, or software that was trying to evade detection, the company said.

However, there are limitations to some of the new detection programs, said Jamie Butler, director of engineering at HBGary, and author of the FU rootkit and VICE rootkit detection programs.

For example, RootkitRevealer couldn't detect instances of FU, because it looked only for manipulated Windows registry entries and hidden files, not the temporary memory processes where FU runs, Butler said.

F-Secure's BlackLight could detect FU, but not for long, Butler warned.

A new version of FU would counter BlackLight's detection mechanism and force F-Secure to go deeper into the kernel to spot FU installations, he said. "It's a chess game. Right now, F-Secure has beaten FU, but I'll come up with a better technique and that will make them get better," he said.

But not everybody is convinced that rootkits are a major threat worthy of new products.

"If we have seen an increase in [rootkit infections] it's not significant enough to warrant attention," Symantec's Huger said.

Unlike spyware or Trojan horse programs, rootkits were typically used in targeted attacks on systems that malicious hackers hope to control for a long time, not scatter-shot virus or worm attacks, Huger said.

Symantec's antivirus software could spot many different kinds of rootkits, but treated them the same as other kinds of malicious code, and could remove some kinds of rootkit infections, he said.

"At the end of the day, if you have a piece of malicious code on your system that you don't want there, it's all the same thing to us. We'll find it, remove it, and keep you safe," Huger said.

Russinovich of Sysinternals agreed that rootkit infections were not widespread.

Paul Roberts

IDG News Service