Security Vendors Clueless Over Rootkit Invasion

News Analysis: Can the average end user detect and delete a malicious rootkit from a Windows system? As anti-virus vendors struggle to keep pace with malware writers, security experts worry that the answer to that question means the battle may alr

Long before Mark Russinovich blew the whistle on Sony BMG's use of stealthy, rootkit-style techniques to cloak its DRM scheme, spyware researchers recall seeing traces of the controversial XCP technology on infected Windows machines.

Only one problem—they had no idea what it was.

"People had stumbled across this rootkit months and months ago, but we just couldn't figure out where it was coming from," said Eric Howes, a regular on the anti-spyware forums. "No one was able to connect the dots that led to Sony."

In fact, as Russinovich himself explained in a fascinating blow-by-blow account of his findings, the detection of the Sony rootkit was not a straightforward task.

Russinovich, you could say, wrote the book on rootkit detection. His company, Winternals Software Inc., created the RootkitRevealer tool that initially pinpointed the hidden directory and cloaked drivers associated with Sony's rootkit.

Yet, even for Russinovich, it required the use of seven utilities, all custom-created, to figure out who the culprits were.

Today, existing security applications are ill-prepared to deal with the threat from offensive rootkits.

Finnish anti-virus specialist F-Secure Corp. is the first to add a rootkit detection engine in its security suite, but for other big-name anti-virus vendors—including Symantec Corp., McAfee Inc. and Trend Micro Inc.—true rootkit detection/removal capabilities are nonexistent.

"You could say the average end user is a sitting duck," said Jamie Butler, director of engineering at HBGary Inc. and author of FU, one of the first proof-of-concept rootkits.

Read more here about "Shadow Walker," a prototype that pushes the envelope for stealth rootkits.

"Security has become a risk-management game, and that's unfortunate. People are trying to mitigate the biggest threats, but, sometimes, the small things creep up on you. When I wrote FU more than two years ago, no one was paying an ounce of attention to rootkits. I guess it takes malicious people doing malicious things to get the industry's attention," Butler said in an interview with Ziff Davis Internet News.

Butler isn't surprised that spyware writers have latched onto the value of using rootkits to hide nasty programs on Windows machines. "That has been apparent for a while, but no one seemed to be paying too much attention. Now that rootkits have commercial value to the spyware guys, it will only get worse.

"We really don't know the extent of rootkit penetration. But it won't surprise me to find out that it's a bigger problem today than we think it is. This will become an even bigger story if a bank or a federal agency discovers that a rootkit has been deeply nested and has been hiding its presence for months. At that point, all hell will break loose," Butler added.

Dan Kaminsky, a security engineer for DoxPara Research, has already seen evidence of the Sony DRM rootkit installed in places it should not be.

"There are networks that Sony got into that nobody should get into. I can't say where. But there's evidence that it [the Sony rootkit] got into some places where it doesn't belong. Now you have a real question of the collateral damage it can cause," Kaminsky said in an interview just moments after releasing statistics to show that at least 568,200 nameservers were collecting DNS queries related to the calling-home feature on the Sony.

Read more here about Kaminsky's research into the Sony DRM rootkit.

Even more worrying, Kaminsky argued, is the fact that a legitimate company like Sony would attempt to legitimize the use of rootkits.

"It's no longer about detection and removal when the big companies with the big lawyers get involved. The difference between a good anti-spyware application and a bad one is whether your vendor will stand up to the lawyers. I don't know if we realistically can stand up to Sony's lawyers," Kaminsky said.

"The biggest vulnerability we have with malware has nothing to do with technology. The technology only gets them into the computer. It's terrifying that when they get in, they don't want to get out, even if you want them out of your system.

"It's the equivalent of a big, bad guy turning up at your door, walking in and plopping down on your couch and refusing to leave. You're asking him to leave, pleading with him, screaming at him, and he just sits there and refuses to move. That's astonishing. It's really terrifying," Kaminsky added.
