If reports issued by several well-known anti-virus companies are on the money, IT administrators will continue to face new and sophisticated forms of malware that challenge the security industry's ability to stay ahead of emerging threats.
Based on a new study released by software maker McAfee's Avert Labs group, the technology used to cloak many different forms of malware, especially rootkits, is becoming increasingly complex and harder to detect.
Factoring into the issue, and the continued maturation of malicious attacks on enterprise systems, is the growing tendency toward collaboration among hackers, according to the report.
McAfee said its research indicates that the use of so-called “stealth technologies” has jumped by over 600 percent during the last three years.
The number of rootkit attacks being reported to McAfee's labs was up by 700 percent during the first quarter of 2006, compared with the same period in 2005.
A rootkit is used to modify the flow of a software program's kernel to hide the presence of an attack on a machine. It gives a hacker remote user access to the compromised system while avoiding detection by anti-virus scanners.
“The growth has been extraordinary and the use of rootkits that we are seeing is far more complex than any examples we've seen in previous years; the stealth aspect of these attacks is making them very hard to find,” said Stuart McClure, senior vice president of global threats at McAfee, in Santa Clara, Calif.
“These technologies are so deeply embedded that even if you are able to remove them, you often destabilize a system quickly, and cleaning these things out remains enormously challenging,” McClure said.
Another aspect of the growing problem is that rootkits are increasingly being written to attack systems running on Microsoft's Windows operating system. While rootkits previously troubled more Linux and Unix-based systems, McAfee said Windows-oriented rootkits increased by a staggering 2,300 percent between 2001 and 2005.
According to the research, that trend is spurred by both the desire to break into Microsoft's proprietary software, and the fact that a larger number of machines run Windows, meaning more are available for attack.
McAfee contends that one of the primary drivers of the expanded proliferation and complexity of rootkits is growing collaboration among virus writers, including the misuse of materials published on resource Web sites dedicated to helping people fight the programs. Some of these sites, such as Rootkit.com, contain hundreds of lines of rootkit code and may be doing more harm than good, McClure said.
“The threats are constantly evolving; someone figures something out and within minutes it's being distributed. The malware writers are getting much smarter and faster at sharing information and realizing the profit in this,” he said. “Rootkit.com and the others come off as wanting to educate the industry, but the problem is that posts on those Web sites are dropped directly into malware. These good guys are trying to regulate the information, but, unfortunately, it's being misused.”
Jamie Butler, an administrator and malware code contributor to Rootkit.com since 2001, said people seeking the types of information available on the site could easily find it elsewhere. The people publishing malware code on Rootkit.com have often been familiar for years with the types of attacks being described there, he said.
He added that Rootkit.com doesn't have plans to stop publishing code on the site.
“Dissemination of information is always useful in the long run, and these tactics have been around and were well-known underground,” Butler said. “If anything, part of the problem remains that the people responsible for protecting against these types of attacks don't have access to the closed-door algorithms of the big vendors; those companies read the site, but they don't contribute anything.”
In a separate research report, anti-virus software maker Kaspersky Lab identified a handful of evolving threats that it said could serve to trouble IT administrators in the future.
Kaspersky, based in Woburn, Mass., said it identified three specific proof-of-concept attacks being tested out by hackers, at least one of which could pose a challenging risk to network defenders.
The program reportedly locates itself in a computer's boot sector and gains control of the device prior to the launch of its operating system. Because the attack is introduced in this manner, Kaspersky said, the program is able to modify many operating system functions.
While most anti-virus applications scan a computer's boot sector, the security company warned that it would still be “extremely difficult” to detect any interception or substitution of system functions by the program.
Another trend highlighted in the research was the growing popularity of malicious programs being created specifically to attack Apple Computer's Mac operating system.
Although Apple's operating system software previously hasn't been targeted as aggressively by code writers as its rivals, Kaspersky said the emergence of the so-called Leap virus in February, and the isolation of the Inqtana worm soon thereafter, show that there is increasing interest among malware writers in attacking Apple's products.