When's a Rootkit Not a Rootkit? In Search of Definitions

News Analysis: An industry initiative to find a conclusive way to describe rootkits is under way, but experts are worried that strict definitions will only legitimize the use of a dangerous piece of technology.

A vendor-neutral push to find an unambiguous way to describe rootkits has received backing from anti-virus specialist Symantec Corp., but security experts are suspicious of the plan, warning that strict definitions only serve to legitimize the use of a dangerous piece of technology.

The issue has taken center stage after Symantec admitted to using a rootkit-type feature in Norton SystemWorks to help customers avoid the accidental deletion of files. Symantec acknowledged the feature provided a hiding place for malicious hackers and shipped an update to eliminate the risk, but because the word "rootkit" was used to describe what was intended as a useful feature, the company felt it was unfairly criticized by a confused public.


Vincent Weaver, senior director of Symantec Security Response, said the public outcry over Sony BMG's use of rootkit technology in its DRM scheme has helped to raise awareness of the risks but argued that there are "considerable differences" in the way the word is used.

"We have found that trying to pin down just how to describe what constitutes a rootkit depends heavily on whom you are talking to or which particular definition, of the many varied definitions available, you are reading," Weaver said.

Theoretically, according to Symantec's own definition, a rootkit is a component that uses stealth to maintain a persistent and undetectable presence on a computer. "Actions performed by a rootkit, such as installation and any form of code execution, are done without end-user consent or knowledge."

A Google search query for the term "rootkit + definition" returns multiple results with various descriptions. Most of the definitions available for computer and security experts tend to classify a rootkit as installed by an "intruder," designed to be hidden and to conceal processes and files without the user's knowledge. Usually, these files and processes are difficult—almost impossible—to remove once installed on a system.
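The definitions quoted above agree on one observable property: a rootkit conceals processes and files from the user. The following is an added example, not code from the article, from Symantec or from IT-ISAC, of one defensive check that property suggests, a "cross-view" comparison that enumerates processes by two independent routes and flags anything one route can reach but the other does not list. It assumes a Linux host with /proc mounted; the constructed PID sets in the comments are illustrative, not taken from any real system.

```python
"""
Cross-view check for hidden processes (added example; assumes Linux /proc).

Two views of the process table are taken:
  1. the numeric directory names under /proc, which is what ps and most
     tools report, and which a process-hiding rootkit typically filters;
  2. a direct probe of each PID with signal 0 via os.kill(), which asks
     the kernel whether the PID exists without sending a real signal.
A PID the probe reaches but the listing omits is a discrepancy worth
investigating. Listing /proc both before and after the probe rules out
processes that simply started or exited while the scan was running.
"""
import os
import sys


def listed_pids_from_proc(proc_root="/proc"):
    """Set of PIDs visible as numeric directory names under /proc."""
    try:
        names = os.listdir(proc_root)
    except OSError:
        return set()
    return {int(n) for n in names if n.isdigit()}


def reachable_pids_by_probe(max_pid):
    """Set of PIDs that exist according to a signal-0 probe.

    PermissionError means the process exists but belongs to another
    user; only ProcessLookupError means there is no such process.
    Guarded to Linux: on Windows, os.kill() with an arbitrary signal
    number terminates the target instead of probing it.
    """
    if not sys.platform.startswith("linux"):
        return set()
    found = set()
    for pid in range(1, max_pid + 1):
        try:
            os.kill(pid, 0)
        except ProcessLookupError:
            continue
        except PermissionError:
            pass
        except OSError:
            continue
        found.add(pid)
    return found


def cross_view_hidden(listed_before, reachable, listed_after):
    """PIDs the probe reached that were absent from BOTH /proc listings.

    Constructed illustration: listed_before={1, 2, 100},
    reachable={1, 2, 7, 100, 4242}, listed_after={1, 2, 7, 100}
    returns [4242]; PID 7 is not flagged because it appeared in the
    second listing, i.e. it merely started mid-scan.
    """
    before = set(listed_before)
    after = set(listed_after)
    return sorted(pid for pid in reachable
                  if pid not in before and pid not in after)


def read_max_pid(path="/proc/sys/kernel/pid_max", default=32768, cap=1 << 22):
    """Upper bound for the probe; capped so the scan stays bounded."""
    try:
        with open(path) as f:
            return min(int(f.read().strip()), cap)
    except (OSError, ValueError):
        return default


def scan():
    """Run the full cross-view check; returns the list of suspect PIDs
    (always an empty list on non-Linux platforms)."""
    if not sys.platform.startswith("linux"):
        return []
    before = listed_pids_from_proc()
    reachable = reachable_pids_by_probe(read_max_pid())
    after = listed_pids_from_proc()
    return cross_view_hidden(before, reachable, after)


if __name__ == "__main__":
    suspects = scan()
    if suspects:
        print("PIDs reachable but not listed in /proc:", suspects)
    else:
        print("No hidden processes detected by cross-view check.")
```

Run it as root to avoid PermissionError noise being misread, and treat a non-empty result as a lead rather than proof: PID-namespace quirks and container runtimes can also produce discrepancies, so the next step is to inspect the flagged PID from a trusted boot medium, not to act on the host alone.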

"We need to really solve this problem. Too many people have too many different interpretations for what a rootkit is," Weaver said in an interview with eWEEK. "We need a standard definition that the community can accept so when someone talks about a rootkit everyone is thinking basically the same thing. A general acceptance throughout the security community would be a very good goal.

"We need to have a very clear understanding of what we're talking about. We need to figure out, what exactly is a rootkit? What is stealth? What are the risk factors that an enterprise or home users can understand? Are there legitimate reasons for using the technology?"


Even before its own rootkit flap, Symantec approached several industry groups about taking the lead to figure out the definitions and found a taker in the IT-ISAC (Information Sharing and Analysis Center), a high-level group that serves as a central repository for security-related information.

Pete Allor, IT-ISAC director of operations, said the group has started preparatory work around a common definition for "rootkit" and expects to have a workable description within four weeks.

Allor, who works as director of intelligence at Internet Security Systems Inc., fully supports the initiative and likened it to the work by the AntiSpyware Coalition to come up with clear definitions for adware and spyware. "It's always confusing for end users when the message is different. It would be nice for the industry to use the same term and all mean the same thing, whether you're a software maker, a security vendor," Allor said.
