The Rap on Rootkits
Rootkits specialize in staying hidden. But while their disappearing acts make for a good game of technical hide-and-go-seek, the threats still pop up on the radar of security vendors at a steady clip. In a report on its Malware Protection Center blog, Microsoft stated that low-level rootkits account for about 7 percent of infections. Alureon, Cutwail and Rustock were the most prevalent rootkits of 2009, though that list changed somewhat when the company factored in threats that had files detected as being actively hidden on disk from Windows. The top three on that list are: Rustock, Bagle and Srizbi.
Symantec offered a similar statistic on rootkits, stating that they accounted for 10 percent of the volume of the top 50 malicious code samples in the fourth quarter of 2009.
"The most prevalent malicious code sample containing rootkit functionality in the fourth quarter of 2009 was W32.Gammima.AG," Marc Fossi, Manager of Research and Development for Symantec Security Response told eWEEK. "This is a worm that spreads by copying itself to removable media such as USB thumb drives and typically steals passwords to various online games."
"Rootkits are frequently installed as a part of some other piece of malicious code or through manual compromise of a computer," he added. "Naturally, any piece of malicious code that has the capability to download other threats could potentially install a rootkit on the compromised computer."
The most common technique for a rootkit to get active and start hiding on a computer is to modify the Windows OS kernel, Microsoft reported.
"When we examine the kernel on computers running our full antimalware client to look for signs of tampering by rootkits, we notice that a disconcerting number of computers are not running with a healthy kernel," blogged Microsoft's Randy Treit.
"We expect that malware authors will continue to seek ways to fly under the radar, just as we will continue to evolve our protection technologies to stay one step ahead of the bad guys," Treit continued. "Regardless, here are a couple tips to avoid getting hit by a rootkit:
â¢ Keep real-time protection enabled while running up-to-date antimalware software is essential, it does little good if you turn off the real-time protection feature. If you lower your defenses and a rootkit does get through, finding and removing it can be a tricky endeavor. Keep your defenses up and you're much less likely to have headaches down the road.
â¢ Run 64-bit Windows for the time being, it appears that currently, users running 64 bit Windows are less likely to be compromised by rootkits. While the threat landscape is constantly evolving, for now you can breathe a lot easier if you're running 64-bit Windows. If you have a choice, go with 64-bit."