Finnish anti-virus specialist F-Secure Corp. on Thursday announced plans to add rootkit-detection features to its product suite, joining a growing list of security vendors tackling the stealthy threat.
At the CeBIT show in Hannover, Germany, F-Secure lifted the wraps off the new BlackLight Rootkit Elimination Technology, offering the tool as a free beta through Apr. 30.
After that, the company plans to integrate the rootkit-detection capabilities into its anti-virus, firewall, intrusion detection and anti-spyware products.
“This is a unique piece of technology that looks deeper into the operating system to find hidden rootkits. We've already seen worms using rootkit functionality, so we know it's a serious threat,” said Ero Carrera, a virus researcher at F-Secure.
According to F-Secure's findings, at least two worms—Maslan and Myfip—have used rootkit tricks to hide their processes by manipulating operating system kernel data structures.
Maslan, for example, is a multi-component stealth worm that drops an IRC (Internet Relay Chat) backdoor to a computer.
An attacker can control it remotely to steal personal data or launch a denial-of-service attack, and it spreads through e-mail and to remote computers by exploiting known security vulnerabilities.
“Very soon, rootkit-detection will be a required feature in anti-virus or anti-spyware software,” Carrera said.
With BlackLight, F-Secure is promising technology to detect objects that are hidden from existing security tools while offering a simple interface for removing threats.
The company said BlackLight can ignore non-malicious objects and warn only about real rootkits.
F-Secure isn't the only software vendor flagging rootkits as a growing threat.
Lab rats at Microsoft Research have released Strider GhostBuster Rootkit Detection, a prototype tool that will eventually be released as a Microsoft product.
Microsoft officials declined to comment on F-Secure's BlackLight moves.
Sysinternals Freeware, a site that offers Windows utilities, also rolled out RootkitRevealer, a tool capable of finding registry and file system API discrepancies that may indicate the presence of a user-mode or kernel-mode rootkit.