
Rootkit dangers at an 'all-time high'

By Dennis Fisher, Executive Editor, SearchSecurity.com
06 Feb 2007 | SearchSecurity.com

Security Wire Daily News

SAN FRANCISCO -- The rootkit problem is not going away any time soon. In fact, it's likely to get much worse before it gets better, according to the members of a panel on the topic at RSA Conference 2007 Tuesday.

"Rootkit capability is at an apex, an all-time high for the attackers," said Jamie Butler, director of engineering at software security firm HBGary Inc. in Chevy Chase, Md. "Once you're at ring zero, which is where all rootkits need to be in order to work well, it's impossible to block their actions. They can write executable code, hijack legitimate threads, all kinds of things."

Rootkits are not a new class of technology; they've been around for decades in one form or another. But in the last couple of years, their popularity and sophistication have grown by leaps and bounds as organized crime groups have adopted them as their weapons of choice for infiltrating PCs. The tools typically are designed to be installed stealthily, hide their presence on the system and allow the attacker to access the machine at any time.

As their use has grown in recent years, rootkits have steadily moved down deeper into the guts of PCs, from the operating system kernel all the way to the hardware. This, the panelists said, is a good indication of just how serious the problem now is.

"Each generation of rootkit moves lower into the system. They're implementing them in hardware now, with virtual rootkits," said Bill Arbaugh, an assistant professor of computer science at the University of Maryland and president and CTO of College Park, Md.-based rootkit detection firm Komoku Inc.

"It's a business and they're doing a pretty decent job of it," he added. "These gangs have a QA process. They do not want their software to be detected. Malware writers are using the exact techniques that security guys have been using for years."

And the advances being made by malicious hackers are constantly pushing the envelope. A new rootkit, called Unreal, that hit the Web late last month has the ability to hide both files and drivers. It's designed specifically to bypass rootkit-detection software, Arbaugh said, and does the job quite well.

All of this has attracted the attention of a number of legitimate software companies and other corporations that are interested in preventing users from modifying or misusing their products. Some legitimate software makers have taken rootkit technology and adapted it to prevent users from reverse-engineering their applications or modifying them in unauthorized ways. In 2005, Sony BMG Music Entertainment Inc. set off a firestorm of controversy and customer anger after a researcher discovered the company had included a rootkit on some of its audio CDs. The technology was meant to prevent illegal copying, and the company initially defended it, but quickly backtracked and eventually settled with both the Federal Trade Commission and consumers who had sued.

"It's legitimate to self-detect whether your software is being modified," said Greg Hoglund, who runs the Rootkit.com Web site and is a well-known software security expert. "But a lot of this other stuff is clearly not legitimate."
