Long before Mark Russinovich blew the whistle on Sony BMG's use of stealthy, rootkit-style techniques to cloak its DRM scheme, spyware researchers recall seeing traces of the controversial XCP technology on infected Windows machines.
Only one problem—they had no idea what it was.
“People had stumbled across this rootkit months and months ago, but we just couldn't figure out where it was coming from,” said Eric Howes, a regular on the anti-spyware forums. “No one was able to connect the dots that led to Sony.”
In fact, as Russinovich himself explained in a fascinating blow-by-blow account of his findings, the detection of the Sony rootkit was not a straightforward task.
Russinovich, you could say, wrote the book on rootkit detection. His company, Winternals Software Inc., created the RootkitRevealer tool that initially pinpointed the hidden directory and cloaked drivers associated with Sony's rootkit.
Yet, even for Russinovich, it required the use of seven utilities, all custom-created, to figure out who the culprits were.
Today, existing security applications are ill-prepared to deal with the threat from offensive rootkits.
Finnish anti-virus specialist F-Secure Corp. is the first to add a rootkit detection engine in its security suite, but for other big-name anti-virus vendors—including Symantec Corp., McAfee Inc. and Trend Micro Inc.—true rootkit detection/removal capabilities are nonexistent.
“You could say the average end user is a sitting duck,” said Jamie Butler, director of engineering at HBGary Inc. and author of FU, one of the first proof-of-concept rootkits.
“Security has become a risk-management game, and that's unfortunate. People are trying to mitigate the biggest threats, but, sometimes, the small things creep up on you. When I wrote FU more than two years ago, no one was paying an ounce of attention to rootkits. I guess it takes malicious people doing malicious things to get the industry's attention,” Butler said in an interview with Ziff Davis Internet News.
Butler isn't surprised that spyware writers have latched onto the value of using rootkits to hide nasty programs on Windows machines. “That has been apparent for a while, but no one seemed to be paying too much attention. Now that rootkits have commercial value to the spyware guys, it will only get worse.
“We really don't know the extent of rootkit penetration. But it won't surprise me to find out that it's a bigger problem today than we think it is. This will become an even bigger story if a bank or a federal agency discovered that a rootkit has been deeply nested and has been hiding its presence for months. At that point, all hell will break loose,” Butler added.
Dan Kaminsky, a security engineer for DoxPara Research, has already seen evidence of the Sony DRM rootkit installed in places it should not be.
“There are networks that Sony got into that nobody should get into. I can't say where. But there's evidence that it [the Sony rootkit] got into some places where it doesn't belong. Now you have a real question of the collateral damage it can cause,” Kaminsky said in an interview just moments after releasing statistics to show that at least 568,200 nameservers were collecting DNS queries related to the calling-home feature on the Sony.
Even more worrying, Kaminsky argued, is the fact that a legitimate company like Sony would attempt to legitimize the use of rootkits.
“It's no longer about detection and removal when the big companies with the big lawyers get involved. The difference between a good anti-spyware application and a bad one is whether your vendor will stand up to the lawyers. I don't know if we realistically can stand up to Sony's lawyers,” Kaminsky said.
“The biggest vulnerability we have with malware has nothing to do with technology. The technology only gets them into the computer. It's terrifying that when they get in, they don't want to get out, even if you want them out of your system.
“It's the equivalent of a big, bad guy turning up at your door, walking in and plopping down on your couch and refusing to leave. You're asking him to leave, pleading with him, screaming at him, and he just sits there and refuses to move. That's astonishing. It's really terrifying,” Kaminsky added.
Microsoft hustles to develop detection and removal capabilities
Kaminsky is pleased to see Microsoft Corp. reacting aggressively to the threat from spyware and other malicious software hidden in rootkits.
“Spyware spooked Microsoft. When they realized how big a problem it had become [for Windows users], they were genuinely spooked into reacting,” said Kaminsky, who actively participated in the company's “Blue Hat” events, where hackers talk to Redmond developers about security.
Microsoft has been paying close attention to rootkits. Lab rats at the company's Strider research unit have shipped a prototype rootkit detection tool, and the consumer-facing security tools—Windows Defender, Windows OneCare, Windows Live Security Center and the malware removal utility—will all have some form of rootkit detection/removal very soon.
Security experts say it's inevitable that security vendors will follow Microsoft and add easy-to-use rootkit clean-up capabilities into existing anti-virus/anti-spyware applications.
Shane Coursen, a senior technology consultant at Kaspersky Lab's U.S. unit, acknowledged that security vendors are playing catch-up with rootkits, much like the industry was late to react to the spyware scourge.
“Technically, rootkit technologies are more difficult to understand because it isn't actually the virus or the malware. The rootkit is just the tool to put the malware in a place where it can't be found. It's the logical next step to defeat security software,” Coursen said.
Coursen said the company is in final stages of preparing a significant refresh of the Kaspersky Anti-Virus 6.0 software, an upgrade that will include “true rootkit detection.”
A beta is expected within the month ahead of a full-scale rollout in February 2006.
“The industry is catching up. The idea is to have true rootkit detection seamlessly integrated into the anti-virus software. The end user has to be able to use it, or it's just meaningless,” Coursen added.
“We'll have the ability to detect the rootkit after it's been installed on a system. Regardless of how it tries to hide itself, we'll be able to find it, either real-time or through on-demand scans,” he explained.
“This isn't some obscure, theoretical threat. This is legitimate. This is the next level the malware writers have gone to defeat existing security systems. We're not there yet in terms of catching up, but we're getting there.”
Eric Howes, a rabid anti-spyware activist who does consulting for Sunbelt Software, agrees it's only a matter of time before anti-malware applications will feature rootkit detection/removal capabilities.
“It's clear that it's now a very serious threat. We're seeing actual evidence of some nasty forms of spyware hiding in rootkits,” he said.