By Ryan Naraine  |  Posted 2006-01-18

Like Symantec, anti-virus vendor Kaspersky Lab also found itself ensnared in the rootkit scandal when Windows internals guru Mark Russinovich suggested that the company's software also used rootkit-type features.

In an interview, Kaspersky's founder and head of virus research, Eugene Kaspersky, said the technology in question, called iStreams, is clearly not a rootkit. "We started using iStreams technology a couple of years ago to improve scanning performance. Basically, this means that our products use NTFS Alternate Data Streams to hold checksum data about files on the user's system. If a checksum remains unchanged from one scan to another, [our] products know the file has not been tampered with and do not, therefore, require a repeat scan," he explained.

When the anti-virus software is active, Kaspersky said, the streams are hidden because they are internal data only. "Just because you can't see them either automatically or with a special tool, it doesn't mean that they're malicious. It also doesn't mean that a product which uses and hides these streams is using rootkit technology," he insisted.
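The mechanism Kaspersky describes, a per-file checksum cached in an NTFS Alternate Data Stream and compared on the next scan, is small enough to show in full. The script below is an added example written for this page; it is not Kaspersky's iStreams code and not anything eWEEK published. The stream name `example.checksum` is a constructed placeholder (the article does not give the real one), and the sample file is created in `$env:TEMP`. It also shows the other half of the debate: the `Get-Item -Stream *` enumeration an administrator can use to see such streams, which plain `dir` output and Explorer do not reveal. It needs Windows, an NTFS volume and PowerShell 4.0 or later (for `Get-FileHash`).

```powershell
# Added example, not Kaspersky's or eWEEK's code: a toy checksum cache kept in an
# NTFS Alternate Data Stream, plus the enumeration an administrator can use to
# see such streams. Requires Windows, an NTFS volume, PowerShell 4.0 or later.
# The stream name 'example.checksum' is a constructed placeholder, not the name
# any product actually uses.

$StreamName = 'example.checksum'

function Update-ChecksumStream {
    # Hash the file's default ($DATA) stream and record the result in the
    # alternate stream. Get-FileHash reads only the default stream, so the
    # cached value itself never changes the hash.
    param([Parameter(Mandatory)][string]$Path)
    $hash = (Get-FileHash -Path $Path -Algorithm SHA256).Hash
    Set-Content -Path $Path -Stream $StreamName -Value $hash
    return $hash
}

function Test-ChecksumStream {
    # Rescan decision: $true when the cached hash still matches the current
    # contents (the "skip the repeat scan" case), $false when the file changed
    # or no cache exists yet.
    param([Parameter(Mandatory)][string]$Path)
    $cached = Get-Content -Path $Path -Stream $StreamName -ErrorAction SilentlyContinue
    if (-not $cached) { return $false }
    $current = (Get-FileHash -Path $Path -Algorithm SHA256).Hash
    return ($cached -eq $current)
}

function Get-AlternateStreams {
    # Defender's view: list every stream on the file other than the default
    # ':$DATA' stream. Ordinary directory listings do not show these, which is
    # the visibility problem the article is arguing about.
    param([Parameter(Mandatory)][string]$Path)
    Get-Item -Path $Path -Stream * |
        Where-Object { $_.Stream -ne ':$DATA' } |
        Select-Object FileName, Stream, Length
}

# --- Demonstration on a constructed sample file in the temp directory ---
$file = Join-Path $env:TEMP 'ads-demo.txt'
Set-Content -Path $file -Value 'constructed sample contents'

Update-ChecksumStream -Path $file | Out-Null
"Unchanged file, cache valid : $(Test-ChecksumStream -Path $file)"

# Appending to the default stream leaves the alternate stream in place but
# invalidates the cached hash.
Add-Content -Path $file -Value 'tampered'
"Modified file, cache valid  : $(Test-ChecksumStream -Path $file)"

"Alternate streams on $file :"
Get-AlternateStreams -Path $file | Format-Table -AutoSize

# Get-ChildItem reports the size of the default stream only, so the cached
# data is invisible to a naive disk-usage inventory.
"Length reported by Get-ChildItem: $((Get-ChildItem -Path $file).Length)"

# Cleanup: drop the alternate stream, then the sample file.
Remove-Item -Path $file -Stream $StreamName
Remove-Item -Path $file
```

Run it from a PowerShell prompt on an NTFS volume. The first `Test-ChecksumStream` call should succeed and the second fail after the file is appended to, and the stream listing shows the cached entry that the file's reported length omits. Nothing here hides the stream from the operating system: a product that additionally filters these streams out of enumeration results is doing what the article's critics object to.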

"I think that when we talk about security we need to be clearer about the difference between malicious [or dangerous] rootkits and cloaking technologies, which cant be exploited by malware," Kaspersky added.

But Russinovich is standing his ground. On his Sysinternals blog and in an interview with eWEEK, he maintains there is "never a case" for justifiable use of rootkit technology, whatever the definition.

"If a software developer ever believes a rootkit is a necessary part of their architecture, they should go back and rearchitect their solution," Russinovich said bluntly.

Russinovich, who, along with F-Secure Corp., was credited with finding and reporting the Sony and Symantec issues, said the risks of attackers targeting third-party rootkits to hide malicious files in programs are impossible to ignore.

"The obvious risk rootkits present, which has been demonstrated by both Sony's and Symantec's implementation, is malware being able to hide beneath the cloak. Even if a vendor has ensured with certainty that that's not possible, the cloak makes it impossible for a security administrator to ensure that the cloaked objects have correctly configured security and, if they consist of executable code, are updated with the latest security patches," Russinovich argued.

Another big problem, he explained, is the way cloaking technology changes the way Windows operates, making it difficult or impossible for users and systems administrators to understand the behavior of modified systems and to diagnose issues that arise as a result of altered behavior.

"Cloaking can make it impossible to account for resource usage like disk space, memory or CPU to perform a complete inventory of a system, to understand incompatibilities between Windows or other software and the cloaked objects, and even to make a functional backup. [A] cloaked driver that crashes a computer can cause a misdiagnosis of the problem and can be extremely difficult to remove or update," Russinovich wrote.

Eric Howes, director of malware research at Sunbelt Software Inc., is firmly in the Russinovich camp. "The lack of malicious intent doesn't mean it's not a serious security issue. Let's not lose sight of that fact," Howes said.

Howes, a staunch anti-spyware activist who was critical of the previous effort to define spyware and adware, said the new push to define rootkits is "suspicious."

"Definitions can be helpful, but this one feels like there's an agenda to legitimize the use of what is a dangerous piece of technology. My great worry is that we will define rootkits in such a narrow way that the whole definition will come down to malicious intent. Companies will hide behind the disclosure loophole," Howes argued.

"Once we get caught up in hard-and-fast definitions, consumers have lost the game. We've been down this road with adware and spyware. They provide the minimum amount of disclosure to be on the right side of the law, and consumers end up losing. We know how notice and disclosure are handled in practice."
