Rootkits are not a new class of technology; they've been around for decades in one form or another. But in the last couple of years, their popularity and sophistication have grown by leaps and bounds as organized crime groups have adopted them as their weapons of choice for infiltrating PCs. The tools typically are designed to be installed stealthily, hide their presence on the system and allow the attacker to access the machine at any time.
"Each generation of rootkit moves lower into the system. They're implementing them in hardware now, with virtual rootkits," said Bill Arbaugh, an assistant professor of computer science at the University of Maryland and president and CTO of College Park, Md.-based rootkit detection firm Komoku Inc.
"It's a business and they're doing a pretty decent job of it," he added. "These gangs have a QA process. They do not want their software to be detected. Malware writers are using the exact techniques that security guys have been using for years."
And the advances being made by malicious hackers are constantly pushing the envelope. A new rootkit, called Unreal, that hit the Web late last month has the ability to hide both files and drivers. It's designed specifically to bypass rootkit-detection software, Arbaugh said, and does the job quite well.
All of this has attracted the attention of a number of legitimate software companies and other corporations that are interested in preventing users from modifying or misusing their products. Some legitimate software makers have taken rootkit technology and adapted it to prevent users from reverse-engineering their applications or modifying them in unauthorized ways. In 2005, Sony BMG Music Entertainment Inc. set off a firestorm of controversy and customer anger after a researcher discovered the company had included a rootkit on some of its audio CDs. The technology was meant to prevent illegal copying, and the company initially defended it, but quickly backtracked and eventually settled with both the Federal Trade Commission and consumers who had sued.
"It's legitimate to self-detect whether your software is being modified," said Greg Hoglund, who runs the Rootkit.com Web site and is a well-known software security expert. "But a lot of this other stuff is clearly not legitimate."