    Security Vendors Clueless Over Rootkit Invasion

      By Ryan Naraine - November 16, 2005

      Long before Mark Russinovich blew the whistle on Sony BMG's use of stealthy, rootkit-style techniques to cloak its DRM scheme, spyware researchers recall seeing traces of the controversial XCP technology on infected Windows machines.

      Only one problem—they had no idea what it was.

      “People had stumbled across this rootkit months and months ago, but we just couldn't figure out where it was coming from,” said Eric Howes, a regular on the anti-spyware forums. “No one was able to connect the dots that led to Sony.”

      In fact, as Russinovich himself explained in a fascinating blow-by-blow account of his findings, the detection of the Sony rootkit was not a straightforward task.

      Russinovich, you could say, wrote the book on rootkit detection. His company, Winternals Software Inc., created the RootkitRevealer tool that initially pinpointed the hidden directory and cloaked drivers associated with Sony's rootkit.

      Yet, even for Russinovich, it required the use of seven utilities, all custom-created, to figure out who the culprits were.
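The principle RootkitRevealer relied on was cross-view comparison: a rootkit that hooks the documented file-listing APIs hides entries from the high-level view, but a scan of the raw on-disk structures still sees them, and the discrepancy is the detection. The following is an added Python illustration of that comparison, not the tool's own code; the listings and file names are constructed sample data.

```python
"""Cross-view detection in miniature (added example, not RootkitRevealer)."""
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class Discrepancy:
    path: str
    kind: str  # "hidden", "phantom" or "size-mismatch"


def cross_view_diff(api_view: Dict[str, int], raw_view: Dict[str, int]) -> List[Discrepancy]:
    """Compare a high-level (OS API) listing against a low-level (raw disk) listing.

    Both views map path -> size in bytes. An entry present only in the raw
    view is "hidden" (the classic rootkit symptom); an entry present only in
    the API view is a "phantom"; a size that differs between views is flagged
    because something is rewriting what the API reports.
    """
    findings: List[Discrepancy] = []
    for path, raw_size in raw_view.items():
        if path not in api_view:
            findings.append(Discrepancy(path, "hidden"))
        elif api_view[path] != raw_size:
            findings.append(Discrepancy(path, "size-mismatch"))
    for path in api_view:
        if path not in raw_view:
            findings.append(Discrepancy(path, "phantom"))
    return sorted(findings, key=lambda d: d.path)


def hidden_directories(findings: List[Discrepancy]) -> List[str]:
    """Collapse hidden files to the directories that contain them."""
    return sorted({d.path.rsplit("\\", 1)[0] for d in findings if d.kind == "hidden"})


# Constructed sample listings; the cloaked names are invented placeholders.
API_VIEW = {
    r"C:\Windows\System32\drivers\ntfs.sys": 574976,
    r"C:\Windows\System32\drivers\tcpip.sys": 359808,
    r"C:\Windows\System32\notepad.exe": 69120,
}
RAW_VIEW = {
    r"C:\Windows\System32\drivers\ntfs.sys": 574976,
    r"C:\Windows\System32\drivers\tcpip.sys": 360000,  # size differs from API view
    r"C:\Windows\System32\notepad.exe": 69120,
    r"C:\Windows\System32\drivers\example_cloak.sys": 12288,  # hidden driver
    r"C:\Windows\System32\example_hidden_dir\cloak_helper.sys": 10240,  # hidden dir
}

if __name__ == "__main__":
    for d in cross_view_diff(API_VIEW, RAW_VIEW):
        print(f"{d.kind:14s} {d.path}")
    print("hidden directories:", hidden_directories(cross_view_diff(API_VIEW, RAW_VIEW)))
```

A real scanner obtains the raw view by parsing the volume and registry hives directly rather than asking the running kernel, which is why the two views can disagree at all.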

      Today, existing security applications are ill-prepared to deal with the threat from offensive rootkits.

      Finnish anti-virus specialist F-Secure Corp. is the first to add a rootkit detection engine in its security suite, but for other big-name anti-virus vendors—including Symantec Corp., McAfee Inc. and Trend Micro Inc.—true rootkit detection/removal capabilities are nonexistent.

      “You could say the average end user is a sitting duck,” said Jamie Butler, director of engineering at HBGary Inc. and author of FU, one of the first proof-of-concept rootkits.


      “Security has become a risk-management game, and that's unfortunate. People are trying to mitigate the biggest threats, but, sometimes, the small things creep up on you. When I wrote FU more than two years ago, no one was paying an ounce of attention to rootkits. I guess it takes malicious people doing malicious things to get the industry's attention,” Butler said in an interview with Ziff Davis Internet News.

      Butler isn't surprised that spyware writers have latched onto the value of using rootkits to hide nasty programs on Windows machines. “That has been apparent for a while, but no one seemed to be paying too much attention. Now that rootkits have commercial value to the spyware guys, it will only get worse.

      “We really don't know the extent of rootkit penetration. But it won't surprise me to find out that it's a bigger problem today than we think it is. This will become an even bigger story if a bank or a federal agency discovered that a rootkit has been deeply nested and has been hiding its presence for months. At that point, all hell will break loose,” Butler added.

      Dan Kaminsky, a security engineer for DoxPara Research, has already seen evidence of the Sony DRM rootkit installed in places it should not be.

      “There are networks that Sony got into that nobody should get into. I can't say where. But there's evidence that it [the Sony rootkit] got into some places where it doesn't belong. Now you have a real question of the collateral damage it can cause,” Kaminsky said in an interview just moments after releasing statistics to show that at least 568,200 nameservers were collecting DNS queries related to the calling-home feature on the Sony.


      Even more worrying, Kaminsky argued, is the fact that a legitimate company like Sony would attempt to legitimize the use of rootkits.

      “It's no longer about detection and removal when the big companies with the big lawyers get involved. The difference between a good anti-spyware application and a bad one is whether your vendor will stand up to the lawyers. I don't know if we realistically can stand up to Sony's lawyers,” Kaminsky said.

      “The biggest vulnerability we have with malware has nothing to do with technology. The technology only gets them into the computer. It's terrifying that when they get in, they don't want to get out, even if you want them out of your system.

      “It's the equivalent of a big, bad guy turning up at your door, walking in and plopping down on your couch and refusing to leave. You're asking him to leave, pleading with him, screaming at him, and he just sits there and refuses to move. That's astonishing. It's really terrifying,” Kaminsky added.

      Microsoft hustles to develop detection and removal capabilities

      Kaminsky is pleased to see Microsoft Corp. reacting aggressively to the threat from spyware and other malicious software hidden in rootkits.

      “Spyware spooked Microsoft. When they realized how big a problem it had become [for Windows users], they were genuinely spooked into reacting,” said Kaminsky, who actively participated in the company's “Blue Hat” events, where hackers talk to Redmond developers about security.

      Microsoft has been paying close attention to rootkits. Lab rats at the company's Strider research unit have shipped a prototype rootkit detection tool, and the consumer-facing security tools—Windows Defender, Windows OneCare, Windows Live Security Center and the malware removal utility—will all have some form of rootkit detection/removal very soon.

      Security experts say it's inevitable that security vendors will follow Microsoft and add easy-to-use rootkit clean-up capabilities into existing anti-virus/anti-spyware applications.

      Shane Coursen, a senior technology consultant at Kaspersky Lab's U.S. unit, acknowledged that security vendors are playing catch-up with rootkits, much like the industry was late to react to the spyware scourge.

      “Technically, rootkit technologies are more difficult to understand because it isn't actually the virus or the malware. The rootkit is just the tool to put the malware in a place where it can't be found. It's the logical next step to defeat security software,” Coursen said.

      Coursen said the company is in final stages of preparing a significant refresh of the Kaspersky Anti-Virus 6.0 software, an upgrade that will include “true rootkit detection.”


      A beta is expected within the month ahead of a full-scale rollout in February 2006.

      “The industry is catching up. The idea is to have true rootkit detection seamlessly integrated into the anti-virus software. The end user has to be able to use it, or it's just meaningless,” Coursen added.

      “We'll have the ability to detect the rootkit after it's been installed on a system. Regardless of how it tries to hide itself, we'll be able to find it, either real-time or through on-demand scans,” he explained.

      “This isn't some obscure, theoretical threat. This is legitimate. This is the next level the malware writers have gone to defeat existing security systems. We're not there yet in terms of catching up, but we're getting there.”

      Eric Howes, a rabid anti-spyware activist who does consulting for Sunbelt Software, agrees it's only a matter of time before anti-malware applications will feature rootkit detection/removal capabilities.

      “It's clear that it's now a very serious threat. We're seeing actual evidence of some nasty forms of spyware hiding in rootkits,” he said.
