Microsoft on 'rootkits': Be afraid. Be very afraid.

Microsoft security researchers are warning about new system monitoring programs that are almost impossible to detect.

Microsoft security researchers are warning about a new generation of powerful system monitoring programs, or "rootkits," that are almost impossible to detect using current security products and that could pose a serious risk to corporations and individuals.

The researchers discussed the growing threat posed by kernel root kits at a session at the RSA Security Conference in San Francisco on Tuesday. The malicious snooping programs are becoming more common and could soon be used to create a new generation of mass-distributed spyware and worms.

With names like "Hacker Defender," "FU" and "Vanquish," the programs are the latest generation of remote system monitoring software that has been around for years, according to Mike Danseglio and Kurt Dillard, both of Microsoft's Security Solutions Group.

The programs are used by malicious hackers to control, attack or ferret information from systems on which the software has been installed and are typically installed on a machine without the owner's knowledge, either by a virus or following a successful hack of the computer's defenses, they said.

Once installed, many rootkits simply run quietly in the background but can easily be spotted by looking for memory processes that are running on the infected system, monitoring outbound communications from the machine, or checking for newly installed programs.

However, kernel rootkits, which modify the kernel, or core request processing, component of an operating system, are becoming more common. Rootkit authors are also making huge strides in their ability to hide their creations, said Danseglio.

In particular, some newer rootkits are able to intercept queries or "system calls" that are passed to the kernel and filter out queries generated by the rootkit software. The result is that typical signs that a program is running, such as an executable file name, a named process that uses some of the computer's memory, or configuration settings in the operating system's registry, are invisible to administrators and to detection tools, said Danseglio.

The increasingly sophisticated rootkits and the speed with which techniques are migrating from rootkits to spyware and viruses may be the result of influence from organized online criminal groups that value stealthy, invasive software, said Dillard

One rootkit, called Hacker Defender, which was released about one year ago, even uses encryption to protect outbound communications and can piggyback on commonly used ports such as TCP (Transmission Control Protocol) port 135 to communicate with the outside world without interrupting other applications that communicate on that port, he said.

The kernel rootkits are invisible to many detection tools, including antivirus, host and network intrusion detection sensors (IDS) and antispyware products, the researchers said.

In fact, some of the most powerful tools for detecting the rootkits are designed by rootkit authors, not security companies, they said.

There are few strategies for detecting kernel rootkits from an infected system, especially because each rootkit behaves differently and uses different strategies to hide itself.

It is sometimes possible to spot kernel rootkits by examining infected systems from another machine on a network, said Dillard. Another strategy to spot kernel rootkits is to use Windows PE, a stripped-down version of the Windows XP operating system that can be run from a CD-ROM, to boot a computer, then comparing the profile of the clean operating system to the infected system, according to Dillard and Danseglio.

Microsoft researchers have even developed a tool, named "Strider Ghostbuster" that can detect rootkits by comparing clean and suspect versions of Windows and looking for differences that may indicate a kernel rootkit is running, according to a paper published by Microsoft Research. (See: http://research.microsoft.com/research/pubs/view.aspx?type=Technical%20Report&id=775.)

Still, the only reliable way to remove kernel rootkits is to completely erase an infected hard drive and reinstall the operating system from scratch, Danseglio said.

Although rootkits are not unique to Windows, the popular operating system is a rich target and makes it easy for malicious hackers to disguise the presence of such programs, according to Jonathan Levin, of Symantec's @stake division who attended the presentation at RSA.

The operating system's powerful APIs (application programming interfaces) make it easy to mask behaviors on the system. The company's popular Internet Explorer Web browser is also a frequent avenue for malicious hackers, viruses and worms that could drop a rootkit on a vulnerable Windows system, Levin said.

Better tools could be built to detect the current crop of kernel rootkits. However, rootkit authors are adept at spotting new detection techniques and modifying their programs to slip around them, Danseglio said.

"These people are smart. They're very smart," he said.

Join the newsletter!

Or

Sign up to gain exclusive access to email subscriptions, event invitations, competitions, giveaways, and much more.

Membership is free, and your security and privacy remain protected. View our privacy policy before signing up.

Error: Please check your email address.
Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Paul Roberts

IDG News Service
Show Comments

Brand Post

Most Popular Reviews

Latest Articles

Resources

PCW Evaluation Team

Luke Hill

MSI GT75 TITAN

I need power and lots of it. As a Front End Web developer anything less just won’t cut it which is why the MSI GT75 is an outstanding laptop for me. It’s a sleek and futuristic looking, high quality, beast that has a touch of sci-fi flare about it.

Emily Tyson

MSI GE63 Raider

If you’re looking to invest in your next work horse laptop for work or home use, you can’t go wrong with the MSI GE63.

Laura Johnston

MSI GS65 Stealth Thin

If you can afford the price tag, it is well worth the money. It out performs any other laptop I have tried for gaming, and the transportable design and incredible display also make it ideal for work.

Andrew Teoh

Brother MFC-L9570CDW Multifunction Printer

Touch screen visibility and operation was great and easy to navigate. Each menu and sub-menu was in an understandable order and category

Louise Coady

Brother MFC-L9570CDW Multifunction Printer

The printer was convenient, produced clear and vibrant images and was very easy to use

Edwina Hargreaves

WD My Cloud Home

I would recommend this device for families and small businesses who want one safe place to store all their important digital content and a way to easily share it with friends, family, business partners, or customers.

Featured Content

Product Launch Showcase

Latest Jobs

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?