UConn Finds Rootkit in Hacked Server

The malicious program has been hiding on a server for almost two years, potentially giving hackers access to personal data, the University of Connecticut discovers.

The University of Connecticut has detected a rootkit on one of its servers, almost two years after the stealth program was placed there by malicious hackers.

The rootkit was found on a server that contains names, social security numbers, dates of birth, phone numbers and addresses for most of the university's 72,000 students, staff and faculty, university officials confirmed Monday.

"Although there is no evidence indicating that this personal data was accessed or extracted, [we are] contacting everyone whose identity may have been put at risk," UConn said in a notice posted online.

The rootkit was first placed on the server during a system compromise on October 26, 2003, but was only detected one week ago, on June 20.

UConn said the attack took advantage of an insecure service for which no vendor patch was available, but stressed that an analysis of the computer showed that the original compromise was incomplete.

Part of the original October attack involved the installation of a "back door" to allow the hacker to remotely control the hijacked server, but the installation failed, the school said.

"The nature of the compromise indicates that the server was breached during a broad attack on the Internet, and was not the target of a directed attack. Therefore, the attacker most likely had no knowledge of the kind of data on the server," it added.


UConn is the first high-profile institution to publicly acknowledge the presence of a rootkit on a compromised server, but security researchers believe the threat is widespread and underreported.

Mark Russinovich, chief software architect at Winternals Software LP, said the UConn discovery was not at all surprising. "My guess is that there have been other discoveries in other places but we just haven't heard about this. When someone does disclose the fact they found some malware on a server, I don't always expect them to be fully upfront about what it is," Russinovich said in an interview with Ziff Davis Internet News.

Russinovich, who is also co-founder of the Sysinternals.com site, which offers a free Rootkit Revealer utility, said he believes the use of rootkits in malware attacks will "explode over the next six months."

"We already know that some pieces of spyware are already using rootkit techniques in a primitive format. This is going to be the wave of the future, where spyware programs are trying to look more and more like legitimate pieces of the operating system," he added.


"I think, eventually, anti-spyware, anti-virus and rootkit detection will become the same thing. That's the only way to realistically deal with it," Russinovich said.

Sam Curry, vice president of eTrust security management at Computer Associates International Inc., said UConn officials should be applauded for coming clean about the discovery.

"I'm not at all surprised by this discovery. We knew this was possible," Curry said. "It's refreshing to see the way UConn handled this."

"It was a very responsible thing to come out and say what they found and share the information with the community. It is very important to see what these big institutions are dealing with," he added.

Sysinternals is not the only software vendor flagging rootkits as a growing threat. F-Secure Inc. is currently testing a tool called BlackLight and plans to integrate the tool's rootkit-detection capabilities into its anti-virus, firewall, intrusion-detection and anti-spyware products.

Researchers at Microsoft have released Strider GhostBuster Rootkit Detection, a prototype tool capable of finding registry and file system API discrepancies that may indicate the presence of a user-mode or kernel-mode rootkit.
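The "discrepancy" approach that GhostBuster and RootkitRevealer rely on is simple to state: enumerate the same namespace twice, once through the normal high-level API that a rootkit may have hooked, and once from a low-level or offline source that bypasses those hooks, then diff the two views. The example below is added here to illustrate that cross-view diff; it is not code from Microsoft's tool or from Sysinternals. Both views, the file and registry paths in them, and the list of "volatile" paths are constructed sample data, and the two hidden entries are labelled placeholders rather than real malware names.

```python
"""Cross-view rootkit detection: diff a high-level (API) view of files and
registry keys against a low-level (raw parse / offline boot) view of the same
namespace. Objects that only the low-level view can see are hidden from the
running system and are the classic rootkit symptom.

All data here is constructed sample input, not output of a real scan.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Entry:
    path: str   # file path or registry key path
    size: int   # file size in bytes, or length of the registry value data


# Constructed low-level view: what a raw volume/hive parse (or an offline scan
# from clean boot media) reports. "example_hidden.sys" and "example_persist"
# are placeholder names standing in for a hidden driver and its Run key.
LOW_LEVEL_VIEW = [
    Entry("C:\\Windows\\System32\\drivers\\ntfs.sys", 574976),
    Entry("C:\\Windows\\System32\\drivers\\example_hidden.sys", 24576),
    Entry("HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\example_persist", 48),
    Entry("C:\\Windows\\Temp\\log.txt", 1024),
    Entry("C:\\Users\\alice\\Documents\\report.docx", 20480),
]

# Constructed high-level view: what the normal directory/registry APIs report
# on the running system. The hidden driver and Run key are missing, log.txt
# grew between the two scans, and session.tmp was created after the low-level
# scan ran.
HIGH_LEVEL_VIEW = [
    Entry("C:\\Windows\\System32\\drivers\\ntfs.sys", 574976),
    Entry("C:\\Windows\\Temp\\log.txt", 2048),
    Entry("C:\\Users\\alice\\Documents\\report.docx", 20480),
    Entry("C:\\Windows\\Temp\\session.tmp", 0),
]

# Constructed allowlist of locations expected to change between the two scans.
VOLATILE_PREFIXES = ("C:\\Windows\\Temp\\",)


def index(view):
    """Map each path to its Entry so the two views can be compared by key."""
    return {e.path: e for e in view}


def cross_view_diff(high_level, low_level):
    """Return the three kinds of discrepancy between the two views.

    hidden        : in the low-level view only  -> concealed from the API
    api_only      : in the high-level view only -> usually created after the
                    low-level scan, but worth a look
    size_mismatch : in both views with different sizes -> changed between
                    scans, or the API is lying about the object
    """
    hi, lo = index(high_level), index(low_level)
    hidden = sorted(p for p in lo if p not in hi)
    api_only = sorted(p for p in hi if p not in lo)
    size_mismatch = sorted(p for p in hi.keys() & lo.keys()
                           if hi[p].size != lo[p].size)
    return {"hidden": hidden, "api_only": api_only,
            "size_mismatch": size_mismatch}


def triage(diff, volatile_prefixes=VOLATILE_PREFIXES):
    """Label each discrepancy. The scans are not atomic, so benign churn in
    volatile paths is expected; a hidden object, however, is never downgraded
    because nothing legitimate should be invisible to the system's own API."""
    findings = []
    for kind in ("hidden", "api_only", "size_mismatch"):
        for path in diff[kind]:
            if kind == "hidden" or not path.startswith(volatile_prefixes):
                verdict = "investigate"
            else:
                verdict = "likely benign (volatile path)"
            findings.append((path, kind, verdict))
    return findings


if __name__ == "__main__":
    for path, kind, verdict in triage(cross_view_diff(HIGH_LEVEL_VIEW, LOW_LEVEL_VIEW)):
        print(f"{kind:14s} {verdict:30s} {path}")
```

The important design point is the last function: a real scan pair always contains benign differences (logs, temp files, caches), so a detector that reports raw set differences drowns the analyst. Separating "hidden from the API" from "changed between scans" keeps the signal that actually indicates a rootkit distinct from ordinary churn.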

Microsoft has also added rootkit-detection and removal capabilities to its malware zapper, which is updated every month.
