Network Security & Hardware - eWeek


Is the Smart Grid a Dumb Idea?
Surgical Adhesive Offers Smarter Way to Mend Bones
Get Smarter Technology on Your Mobile!
  Network Security & Hardware


Rootkits Sprout on Networks



 By: Paul F. Roberts
2005-10-17
Article Rating:starstarstarstarstar / 1


There are 0 user comments on this Network Security & Hardware story.


Rate This Article:
Poor Best
The programs are becoming increasingly common on enterprise computer networks and are even being used to create undetectable download servers for pirated movies and MP3s.

Rootkits are becoming increasingly common on enterprise computer networks and are even being used to create undetectable download servers for pirated movies and MP3s, according to anti-virus experts.

Anti-virus software company F-Secure Corp., of Helsinki, Finland, has detected rootkits on the networks of numerous customers, and malicious-code authors are integrating rootkit stealth features into Internet worms, bots and Trojan horse programs, according to anti-virus researcher Kimmo Kasslin of F-Secure. Despite the surge in interest, only a small number of anti-virus companies offer dedicated rootkit detection features.

Rootkits are programs that are used to give a remote user access to a compromised system while avoiding detection. Originally developed more than 10 years ago and used on Unix machines, rootkits have been rare on Windows systems, said Mikko Hyppönen, manager of anti-virus research at F-Secure.

Read more insight here about rootkits from columnist Larry Seltzer.

However, that is beginning to change. Open-source rootkits such as FU, written by James Butler, director of engineering at HBGary Inc., in Sunnyvale, Calif., and Hacker Defender, written by a person who uses the online name "Holy Father," both work on Windows systems and can be very difficult to detect using anti-virus or IDS (intrusion detection system) software.

Resource Library:

So-called "kernel mode" rootkit programs such as Hacker Defender, which was released as an open-source product in January 2004, manipulate data as it is passed to and from the operating systems kernel and are hard to spot, said Hyppönen.

A new version of Hacker Defender, dubbed Golden Hacker Defender, was released recently and sells online for 450 euros. The product includes a feature for capturing Windows log-in information and an updatable "anti-detection engine" that can detect and evade rootkit detection programs from several vendors, said Kasslin during a presentation at the recent Virus Bulletin International Conference in Dublin, Ireland.

The program is not in widespread use. F-Secure received just two copies of Golden Hacker Defender from customers who detected the malicious program on Windows servers on their network, Hyppönen said.

Microsoft unveils a new enterprise security product and a security industry partnership. Click here to read more.

Reached by e-mail, Holy Father acknowledged that he has sold copies of Golden Hacker Defender but said that those sales are the "minority" of his business. Most versions of Golden Hacker Defender are custom creations with "private coding." However, Holy Father, who claims to live in the Czech Republic, said that he is careful to write custom versions of the program only for "[people] I know well, which mean[s] those that are no kind of bad guys."

More recently, worms such as Maslan and Myfip have incorporated rootkit stealth features, and bots such as Mytob, Rbot and Sdbot distribute recompiled drivers from rootkits such as FU and Hacker Defender that hide the programs on Windows systems.

F-Secure now ships BlackLight, its rootkit scanning and detection product, with its Internet Security product suite. Moscow-based anti-virus vendor Kaspersky Lab also plans to release a rootkit detection feature in the next full release of its product, according to Eugene Kaspersky, head of anti-virus research at the company.

Still, rootkit detection is more the exception than the rule, said Butler.

"[Anti-virus software vendors] customer base isnt clamoring for [rootkit detection]," Butler said.

Still, F-Secure researchers were besieged with requests for copies of Golden Hacker Defender at the Virus Bulletin International Conference—many from researchers at other major anti-virus vendors, Hyppönen said.

Holy Father claimed that detection tools such as BlackLight are getting better and better.

"Before, no company cared about rootkits ... but today there are ... some tools that can help administrators to secure [their] box quite well," Holy Father said.

Check out eWEEK.coms for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at eWEEK.com Security Center Editor Larry Seltzers Weblog.



  Reader Comments: Rootkits Sprout on Networks
>>> Be the FIRST to comment on this article!
 

 
 
>>> More Network Security & Hardware Articles          >>> More By Paul F. Roberts
 


x}r㶲s\@♵MQGmy5eikRJEĘ"Hʶ&'?_v8x %2qIl@7Fw?I9w4ôG1%TI]"I~xhH7`\)rdxBԲ|WRjk99r zF"wx #@P9uΜ]ٜh#6Gp2 X- 0+rZA'A|5;3s!%H}8K Q;i0Eaco~=2p6{! > B4ي(qCx/wɀYǝgF [&^VZ ,GZY'[zb䅠1FE8 /4"A%9QؒI5hl5D`iR13 LeC1+;AT*9R*61-h晚G|͖|CXulAf@dnQ/*! lpq#'C\ht^䖡_ּkYo@ׁߎAuӱCأzr ˚7)heynJ bT/}޴ ޷L{`Pyݙ뭛v EU e*G,;VжD^Ԣ]q>t;=r:?'7 AڼW@m&37`jLTV*bpd" P}lCCG,B .Zs+~Q-jR;ԓ,f3} 3+i3Yڭމdni]ZWnZgG)wf٘Y JdTY2 LU5Ms%kr>nu8SɀPdjAZ|[k׷V1?x0|k2`;;RVޗ{dN:ǽ/W-2է1I|S< Y47Q[h,.s$bFrZ~@X R(7#Ǫ Mmd©$|ǚzNRo__ejS G/|@#X\w1p3Z&o*Kk ru&@Ss~$U cƪb.L2o4xJ{mR—/(&嗋uu= . If(;΀O3 BD4?CC1&pHf΋|;uK󁯚чfuќ.Ӆ]We o^#LKzcfut:>] qFAтMx>4TَM6}l2w9@;- &w&Zr4C` VPCh' 6)$@}9\Plv60-0SRP|'sZ.(twc2(%łdh3 4.gP)AH =k 99 ŌI^vR.%rP.ox0GvGW '91m0M}L"+H5 6LhHLaoc3Xu-yA\#0ouMF{aNr gv;6P0ʇCMrF9;eڷS \Лv39n(!++׬ePM 1g2)*hwsp 挆O\XbʞZO%XScX`Dw L|?v&m/n$)L`V*cc 9m _*_M md2jeV1,Vjn (M!t?&Ll6KW)թw@4="/H{k܌'hr ΦG cǏipB1e ֤PXL >Q@/ı``c7s9pJNk6qM͞&⼰#]6޹9f"@0l "=hAaiNR} д^oZUic#2R Xȏ%}\(*JLY# ԑq,Yri L*gXsM>QȚ=#a(JuѧɅiO s M~N hPU*1 "I:O4/V #G/;OQ,#؊so#2l3q&/jr|pE% y%[ȓSwz"R İT.[A^-(93F]'tNd_&>ϣј+ZN`u3hSIlp خaϼZ*9e:a'}m\c7* t+N]_&kAn}sPkw(, xg4s&DcC6 VNMFklWm"z';"#ɑNi Lk~{?I~9p, JLH-E4lqMݗ[?jKokSߊR{4@L5Y* % =EЊrcꞃCLB.]XI_TY)݊5g@Zf2U-U|'^`.R9ԃ~)rM5E;4cEi\xmb=Ǫb Tui-NnTRXUʅ7O C.;'E/Zhe~6Sfb;?ͥZ97eXsB5;yadK%2_vܖ[JL]@` y0 M\6%Q;o^ #Ԛf$S,*Nq-e FF*͐[YQkcZb()'I##f?bmy:J"q"Nܙ}5{ue{#9?pwf_3|R'9w:*%U-vWAlj%ww|L4 : *Gtɒ\'*B_0HX;HHPYx]!6p3_^a?vp5<9^KCVn e&ي ˸?3 cC7Wvvj0A EE1 Wcyʩ*| v5Y4W%p>֩O;=y>r{| 8}_pU;Az9VvvX\--0LC~ڗ'!YםO'R&8Goٷ) KvCF1n6`d+M=+ak''5/ð N{a區E:^Bh^h_t;k/[R1^Jߺ3Jfax!w - lq؀B9DLA$-ZdeafIlx0a9RJ锐']pN+'I^VR6T$UT%!T4QLNbC]B+C7g ҽj^nNpHdwoS6 mzϜGoQU21ȈmK1A/gp9[Q rǸg"6Tvlywy#K(U]s"b)1q[fxˠ Gg]yv\?O=K|, g6GN:#^4/@ O$U <{7o6 2'|K$̑8^^sϜ&ƭtov/F0ߒ)􆮹ߊǻoc$Ǯv'ݺw>ͭ84~, >Gdc: M"I^QԼکYdE)I]ۉ~{#S^;- ctEO_.lځ{:-3HNm#{zi-82{K7 x=,~wgLwUG!Gpww|}ԲH>r۝&ZD܎qu5<'{qJ%Nt}K`Ty^fm ,$.ED"fF}8EE]o\&{mef730ml[đb(N6ia_)'jځ)}6c_/4 \HtaWChς= 3 hjwd~>;>4ղR7С.˭^GNcAk/_#" hW貽c|Cx~Ӽml5i.qSm D6As;YJdw^7G<RQe=I8X0"7Ui"-LǥFw:Qsw2$g@%Rar@,3'=H}[L8g3: :;d 3^95vV*.(Z*G g3Z4e GcZtcYft*AN?ZiU, o/<<:X+U5R8(*?ybC \)-+[)ܜJ6>wR*ǧ+Y6+xYJUmV+=cHSЄ[![mJ/sWs84pv!!`e͢^7}=O,8׉I䪅r[~}rGm. : z7-bc;(w_+_{]/ ĢH[ |'e6B4M0]X W&S+%!1Bq[3+Ǝ'u11PB/(HHC"a$5w6! MMɌZȔ?! Fm;v6oWBQ*T&e0 udc%?0r:Da! H~{#z[*$ oOp]͘Gx]ԝM4$,HT)HE]1XOgB~Aͭ÷i |XhfU8;Oqa6׊z*{ٙ C$DHb<!",P W9~Hzxwwwwkr_* gwlZߝNu3O;lVeEeW~bzy4V^i$]LL WteBI~hbNE__G6s=rY{*4/+ŀym>.\UW-B$\BQcp!.Mqml}]+f݋#Jz2?S޼,9 #.} Vaј`_1=E +E0jT&`XN ^ mǓޙ`DnLVtbK EALy5]1!vQjLzyg ]QJrЀNafkcn#LF2%&4DקD@,N^oQ+WqyBZS ԰?5$!` !n1|r8 "^tIi'y{HdIGJ-*< ;,h;A{x5q&[89Bj4k6ئK µNʥ 8H喡Q DC''LĀyl搯w eR=搯Z+)!GkslzE0l˦C/Ƹnݵ4"WJ+*b!c $0rև9o^JL6 "|³؁ 8/۱]stS3B;sl^@?Rmsι}?\afYz:Yqc[VjBvDuv7H1tF4[Mm@ئwBt]Zg ?R)!_7~uzxU+sc6ڈj cӶG =ZIHpǴJ3:_%ʄ-# 1xa1aF eզٝ$x0g  ^\}¥bAv&ru Y>Et;'̢?RZ%+ S去C7)*=E-M\QI5Qzـj#E~E:tdك~NP_Mԓ= L8} kbkEіIz! -Đ@XED Quj}D~he{Z] d!Ϝ)k`-0Cߑ7=6#E+zY8>:flhrƐ`(HLBdgn Os.}x"fڽ7L> l \R,r9G]^o| Edn_fa@)p=Sq-q\R1@Q->~2&IBE< Li f-anQ"(\F$1L<ox֭)Ӧ̡lv ڋ{ў=ӾbbWn(l_;b21C|>Oc, H"`MN*@`'* s!L!%ln*77p<9>M-·nxZ;lefs-M蕴B9^Ȑp;G| LBzX\{c;k4ο5iVt?uWv;7 ZҶ+t{s9rܹrھl]]/{ƩH_smi |Q);MFYybvʔbWN#ͅfY,xjy^JU%={{J,Q^e9DU@28CuUڰ ڽ/kr8ٞ%K#CE@ЦkJc>sUN.Mo Q:oH粕k&5/(/6ρ3?Bnj_!׌kH^~Nmfw [~48ieCSi}>@?d'H:kWOrIF:>ϴ/3ҡ_ sFEF\_,@ߋ ^}.2s_dy2zgH~gd_@EF:eF^\f%eFuw@t2OK'C\\e( s?]fe__韀>egH}3sn &+&oon2/9IR8 9k^K(#keK"|)+P ~v^eйR5͐ Kܾw2~62Am_wN aq)({^Uyښhp뭦]hp]/^bZF9/֤< W4ܫ< X)rnm1=AFl2?+w;]SҤ]r{%])rXѧV{5^93>q sd¾Ⱦ6q-<͈H}#hV3.Ñp[_=ʎ?|[2xwq0#@' @9\p٭;y;r$|GG0.sOkr>u#@O8354>sqkY9 hwmV=ȾwF=Ci_Mc y^`Xv5d$}9= >Z7}`\s7tD֢#4+&DN焽HaGŶ:+2=jQwh}vWXSkeoL"mGvhP(P"cqm =Cf S/xƠ)e _i"t\зdQ9Hr$ze Ш'.6Zwe3? a'/@৯VaqZo :[1U1֜6Ogзd&%}YQ $.mhDʒv\z$t|5(H@%GbgHYw|7(6B 0wK{ $">l'6}F5+Kxo?0j;;5m^lٸ Ә0J1А8ٶ2COA#t ke[ }kc'pg!M0zc(s*>% {'޴/1$+nv[Oo 8w.dtmM!Xu(D%7` <͛5^nTV?]~ r@b]`#'`wDl .3./Y$ hUa.*e;1K P``3 ElB p#*Ԯmg ͜5ŧW<2RP+rìq;X?^ m͓p% `<fږ+zYL0\e~m=3Ӳ{(qw<,@݌F%`y @c$ivUk-EjA@8g̮h]1nB܏ gÃlvL?ctŽ6#胋' {τ 4}ju X *`*#z" G7`h1) χ"@Ԃ+"e}!IDy)/O/f((O\hƕSK.ɛwByڹI͋RI>Slm,~vm a%(U\'ߴzK;,X~S?\w>]HaF eiFђy:'4!qDw<9i_~Hfzv`ol'S g\J\UK$%Z/fFDN$ƛN wm&2)v}ml-m6C-;$