Spying on Users: Getting to the Rootkit of the Matter

SAN FRANCISCO—The word “rootkit” often send chills up the spines of IT security professionals. But not all rootkits are launched by cyber-criminals bent on stealing personal information, industry experts said at a panel discussion at the RSA Conference here Feb. 6.

Stealthy technology at the kernel level has moved from being the turf of cyber-criminals to companies such as Sony BMG that are looking to protect their business interests, said Gary McGraw, chief technology officer of Cigital.

Sony drew the ire of many in 2005 when the record company employed rootkit technology in the name of copyright protection. The company included software on music CDs that, if played on a computer, would install itself without the users consent and would restrict the number of times the audio files could be copied. Critics charged the software also created security gaps that could allow hackers entry into a system. The company recently entered into a settlement over the matter with the Federal Trade Commission, which charged that the company had secretly embedded the potentially damaging software.

Although Sony no longer uses the software, its attempt to use rootkit technology in the name of business signals that it is not just hackers who have an interest in using the technology.

Another company, video game maker Blizzard Entertainment, had customers crying foul when it was discovered the gaming company was using software known as the “Warden” to prevent cheating in the online role-playing game “World of Warcraft,” McGraw said.

The software, intended to check players computer memory for third-party programs that allow players to cheat, is mentioned in the service and end-user license agreement and does not gather personal information about players. But critics have called it spyware and said the software indiscriminately reads data from all open windows during game play.

/zimages/5/28571.gifWhos best and whos worst at detecting and removing stealth rootkits?Check out this study.

Of course, private companies are not the only ones using rootkit technology, as there remain those willing to exploit the capabilities of such software for criminal purposes. Bill Arbaugh, president and CTO of Komoku, noted that while malware was once the province of people simply looking to test the boundaries of technology, today it is the exclusive province of cyber-criminals.

“You have people now whose job it is to figure out how to write this stuff,” Arbaugh said. “In security, there is no such thing as the complete solution.”

There was a huge increase in kernel-thread-based rootkits at the end of 2005, according to James Butler, principal software engineer at Mandiant. The rootkits, he said, operate at a level below the regular network stack to thwart detection when active.

Rootkits allow an outsider persistent access to an affected system, said Greg Hoglund, CTO of Rootkit.com. Once a rootkit is running in a system, the computer can no longer be trusted and its programs should be reinstalled, he advised.

McGraw said computer users need to keep up with the latest threats in order to battle cyber-criminals launching rootkits attacks.

“When you are working at this low level, it really is an arms race,” he said.

Check out eWEEK.coms Security Center for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at eWEEKs Security Watch blog.