Rootkits are becoming increasingly common on enterprise computer networks and are even being used to create undetectable download servers for pirated movies and MP3s, according to anti-virus experts.
Anti-virus software company F-Secure Corp., of Helsinki, Finland, has detected rootkits on the networks of numerous customers, and malicious-code authors are integrating rootkit stealth features into Internet worms, bots and Trojan horse programs, according to anti-virus researcher Kimmo Kasslin of F-Secure. Despite the surge in interest, only a small number of anti-virus companies offer dedicated rootkit detection features.
Rootkits are programs that are used to give a remote user access to a compromised system while avoiding detection. Originally developed more than 10 years ago and used on Unix machines, rootkits have been rare on Windows systems, said Mikko Hyppönen, manager of anti-virus research at F-Secure.
However, that is beginning to change. Open-source rootkits such as FU, written by James Butler, director of engineering at HBGary Inc., in Sunnyvale, Calif., and Hacker Defender, written by a person who uses the online name “Holy Father,” both work on Windows systems and can be very difficult to detect using anti-virus or IDS (intrusion detection system) software.
So-called “kernel mode” rootkit programs such as Hacker Defender, which was released as an open-source product in January 2004, manipulate data as it is passed to and from the operating systems kernel and are hard to spot, said Hyppönen.
A new version of Hacker Defender, dubbed Golden Hacker Defender, was released recently and sells online for 450 euros. The product includes a feature for capturing Windows log-in information and an updatable “anti-detection engine” that can detect and evade rootkit detection programs from several vendors, said Kasslin during a presentation at the recent Virus Bulletin International Conference in Dublin, Ireland.
The program is not in widespread use. F-Secure received just two copies of Golden Hacker Defender from customers who detected the malicious program on Windows servers on their network, Hyppönen said.
Reached by e-mail, Holy Father acknowledged that he has sold copies of Golden Hacker Defender but said that those sales are the “minority” of his business. Most versions of Golden Hacker Defender are custom creations with “private coding.” However, Holy Father, who claims to live in the Czech Republic, said that he is careful to write custom versions of the program only for “[people] I know well, which mean[s] those that are no kind of bad guys.”
More recently, worms such as Maslan and Myfip have incorporated rootkit stealth features, and bots such as Mytob, Rbot and Sdbot distribute recompiled drivers from rootkits such as FU and Hacker Defender that hide the programs on Windows systems.
F-Secure now ships BlackLight, its rootkit scanning and detection product, with its Internet Security product suite. Moscow-based anti-virus vendor Kaspersky Lab also plans to release a rootkit detection feature in the next full release of its product, according to Eugene Kaspersky, head of anti-virus research at the company.
Still, rootkit detection is more the exception than the rule, said Butler.
“[Anti-virus software vendors] customer base isnt clamoring for [rootkit detection],” Butler said.
Still, F-Secure researchers were besieged with requests for copies of Golden Hacker Defender at the Virus Bulletin International Conference—many from researchers at other major anti-virus vendors, Hyppönen said.
Holy Father claimed that detection tools such as BlackLight are getting better and better.
“Before, no company cared about rootkits … but today there are … some tools that can help administrators to secure [their] box quite well,” Holy Father said.