Rootkits: The next big enterprise threat?

When packaged with malware, rootkits can facilitate deeply compromising security breaches undetected

Late at night, a system administrator performed a routine check of a crashed server, one of 48 systems comprising a major online infrastructure that generated about US$4 million per month in revenue. He was a bit surprised that the system had gone down, as it had been humming for months without any indication of being prone to crashing. The check uncovered three encrypted files. The administrator called on MANDIANT to analyze them.

What MANDIANT found was that an unauthorized kernel modification had caused the system to become unstable, and that the modification had compromised the system's security as well. To determine the extent of the breach, each of the 48 servers needed to be taken offline, booted in a controlled environment, and analyzed for three to five hours each. About half had the crack installed, forcing the company to assume that all credit card information had been compromised. What had first seemed routine resulted in a financial nightmare -- one that many companies are leaving themselves exposed to, unaware of the increasing pervasiveness of rootkits.

Every organization is aware of the importance of securing core systems, networks, and end-user equipment in an increasingly mobile and malware-saturated world. But what most may not realize is the growing threat of malicious software intended to keep its presence hidden from administrators and traditional anti-virus software. Named after early Unix packages designed to replace commands that would otherwise alert admins to the presence of intruders who had "root" or admin access to systems, rootkits are on the rise among those seeking to steal corporate and personal information for financial gain.

Rootkits alone, of course, are not inherently malicious. But when packaged with malware, they can facilitate deeply compromising security breaches undetected, especially as they become increasingly popular for attacks on non-Unix systems, specifically Windows. And with Forrester Research recently estimating that security breaches cost companies between US$90 and US$305 for each record lost, who can afford to turn a blind eye to what may invisibly be leaching sensitive data from their network?

The rise of rootkits

Rootkits date back to the earliest years of the Internet, when crackers created cloaked variants of Unix commands to ensure their deeds on compromised systems would go undetected. A concern mainly of system administrators for Net-connected Unix systems, rootkits remained relatively low-profile for many years, until Sony BMG Music Entertainment's Windows rootkit DRM (digital rights management) boondoggle of 2005.

In an attempt to enforce copyright protection, Sony BMG developed a rootkit that surreptitiously installed XCP (Extended Copy Protection) or MediaMax CD-3 software when music CDs were played on a PC. Poorly designed, the software opened holes in the Windows OS, facilitating infection by viruses and causing other system problems. Mark Russinovich, now a technical fellow at Microsoft, discovered the rootkit's behavior, which he then announced on his blog. The resulting furor and further illustrations of the fallout of the rootkit led Sony BMG to recall the CDs and issue a removal program. Unfortunately, the removal program was equally poorly designed, leading to additional privacy and security concerns, as documented by Russinovich.

This incident awoke two groups to the potency of Windows rootkits: crackers and professional criminals who break into computers on the one side, and the companies who create software to protect systems on the other. Already entrenched in a high-stakes battle over malware, the two camps now had a new, potentially more damaging front on which to contend. The Computer Economics 2005 Malware Report, the organization's latest, put the cost of malware in 2005 at US$14.2 billion. Malware authors' ability to hide their scripts from anti-virus software, which otherwise automatically detects, protects against, and eradicates most malware, would only serve to escalate the stakes, especially as malware authors' motivation "continued to shift from a general desire to inflict damage to an intent to gain financially, through theft of personal information such as credit card data or by gaining access to financial accounts," according to the survey.

The greater emphasis on mobility in the enterprise has certainly contributed to the increasing likelihood of infection with cloaked malware. So too have the various unpatched security holes in Microsoft Windows and related products, which provide access for automated rootkit installation. The proliferation of rootkits -- which are used to cloak files on disks, system hooks, and processes running on systems -- is alarming, as spyware developers and malware authors are creating bot networks that use rootkits to evade detection, hiding not only the malware but also what information is being obtained. Some of the more sophisticated rootkits even modify and corrupt Windows APIs. (For more detailed information on rootkits, visit rootkit.com or read Greg Hoglund and Jamie Butler's Rootkits: Subverting the Windows Kernel.)

Part of what's fueling the proliferation of rootkits is the ease with which they can be implemented.

"It has definitely ramped up over the last year and a half to two years," says Butler, principal software engineer at MANDIANT. "It has gotten very easy for malware authors to cut and paste these technologies into their code set to maintain a presence on the machine."

For the time being, malware rootkit use remains crude. "Many of the attacks are unsophisticated," Butler says. "We're not seeing leading-edge rootkit technologies." But the dynamics of intrusion and response that are the hallmarks of the security industry are fast pushing the use of rootkits in innovative directions.


Steve Hultquist

InfoWorld