Anti-spyware Battles Rootkits with Rootkit Tactics

The anti-spyware products are raising red flags from analysts about instability in Windows and conflicts with anti-virus programs that also work at the kernel level.

Anti-spyware software companies are adding features to their products that spot rootkits and other malicious programs that operate at the Windows "kernel," or core processing center.

The new kernel-mode features are a response to new, sophisticated spyware.

However, they have raised warnings from security analysts about instability in Windows and conflicts with anti-virus programs that also work at the kernel level.

Aluria Software of Lake Mary, Fla., became the latest anti-spyware vendor to add kernel-mode features.

The company, which is owned by EarthLink Inc., announced Active Defense Shield on Monday.

The technology installs a kernel driver that hooks into a computers system driver, which controls the processes executing on that machine, Aluria said in a statement.

The software can spot malicious code, no matter how it enters a computer, and can stop programs before they install, said Rick Carlson, a vice president for sales and marketing at Aluria.

"Were hooking into the OS and monitoring every read and write command given to the file system by the operating system," he said.

Aluria is responding to a new generation of spyware that uses kernel rootkit features to avoid detection.

"The latest threats, like Cool Web Search, use rootkits. Theyre polymorphic and self healing. They install at eight different points in the file system," Carlson said. "The complexity of coming up with a removal routine could take a week or two," he said.

Eric Howes, a spyware analyst at the University of Illinois, says he agrees.

He says he began seeing rootkit features in spyware like Cool Web Search around 12 months ago.

Cool Web Search spyware used Windows kernel-level interactions to hide executable files and other telltale signs, he said.

Now those rootkit-style features are common, not just in Cool Web Search, but also in quasi-legal programs like EliteBar, advertising software from Internet Media, and ContextPlus, another form of spyware that uses rootkit techniques to hide, Howes said.

"Its not some black hat hacker. These are businesses in the advertising industry that generate revenue by selling ad space to legitimate companies," he said.

With rootkit features to disguise their whereabouts, adware like EliteBar wreaks havoc on the computers of those unlucky enough to install the program, Howes said.

"[EliteBar] is an incredibly destructive program," he said. "This stuff is hidden, and it blankets desktop with pop-up ads."

And because the program interacts with the kernel, an extremely sensitive area of the operating system, EliteBar also causes many Windows machines to crash unexpectedly, resulting in a "blue screen," he said.

"Victims who have this stuff are ready to jump out the window," Howes said.

/zimages/2/28571.gifFor advice on how to secure your network and applications, as well as the latest security news, visit Ziff Davis Internets Security IT Hub.

Law enforcement is beginning to take notice. The FTC filed a complaint against Enternet Media Inc., the company that distributes EliteBar, in November.

Anti-spyware software like Spy Sweeper from Webroot Software in Boulder, Colo., and SpyCatcher from Tenebril Inc. of San Mateo, Calif., already work at the kernel level to detect rootkits and other programs, and to avoid being disabled by other programs.

Thats a similar approach to the one anti-virus vendors have used for years to fortify their applications.

Sunbelt Software Inc. is also planning to integrate kernel-level hooks into its anti-spyware program in coming months, Howes said.

In some cases, those programs have run afoul of a new breed of security program: rootkit detection programs such as Black Light from F-Secure Corp. in Helsinki and Root Kit Revealer, by SysInternals, part of Winternals Software Inc. of Austin, Texas.

Anti-virus and anti-spyware programs like SpyCatcher are showing up as rootkit infections on scans run by these programs, confusing and scaring users.

Recent news stories about rootkit technology installed with Sony BMG media player technology to do digital rights management have raised awareness about the rootkit threat among rank and file computer users.

/zimages/2/28571.gifClick here to read more about the Sony BMG rootkit problem.

But those users often lack the sophistication to pick through the output from Black Light, Root Kit Revealer and other programs, Howes said.

A bigger danger is that more programs interacting with the kernel are will make Windows unstable, Howes said.

Writing code that works at the kernel level requires far more sophistication than programs that work higher in the operating system at the application level, he said.

"Its like operating a race car at 180 mph. Theres very little room for error," he said.

Major anti-virus vendors like Symantec Corp. of Cupertino, Calif., have already voiced concerns about anti-spyware programs interfering with their anti-virus programs.

However, anti-spyware vendors like Aluria defend their work, and say it works fine alongside software from other companies.

"We have deployments well into the hundreds of thousands through EarthLinks Protection Control Center and our Aluria Security Center, and we havent had any problems whatsoever," Carlson said.

Still, with malicious code moving to the kernel, anti-spyware vendors have no choice but to start working at the kernel level themselves to stop the new wares.

"You cant put the genie back in the bottle, said Howes.

/zimages/2/28571.gifCheck out eWEEK.coms for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at Security Center Editor Larry Seltzers Weblog.