A vendor-neutral push to find an unambiguous way to describe rootkits has received backing from anti-virus specialist Symantec Corp., but security experts are suspicious of the plan, warning that strict definitions only serve to legitimize the use of a dangerous piece of technology.
The issue has taken center stage after Symantec admitted to using a rootkit-type feature in Norton SystemWorks to help customers avoid the accidental deletion of files. Symantec acknowledged the feature provided a hiding place for malicious hackers and shipped an update to eliminate the risk, but because the word “rootkit” was used to describe what was intended as a useful feature, the company felt it was unfairly criticized by a confused public.
Vincent Weaver, senior director of Symantec Security Response, said the public outcry over Sony BMGs use of rootkit technology in its DRM scheme has helped to raise awareness of the risks but argued that there are “considerable differences” in the way the word is used.
“We have found that trying to pin down just how to describe what constitutes a rootkit depends heavily on whom you are talking to or which particular definition, of the many varied definitions available, you are reading,” Weaver said.
Theoretically, according to Symantecs own definition, a rootkit is a component that uses stealth to maintain a persistent and undetectable presence on a computer. “Actions performed by a rootkit, such as installation and any form of code execution, are done without end-user consent or knowledge.”
A Google search query for the term “rootkit + definition” returns multiple results with various descriptions. Most of the definitions available for computer and security experts tend to classify a rootkit as installed by an “intruder,” designed to be hidden and to conceal processes and files without the users knowledge. Usually, these files and processes are difficult—almost impossible—to remove once installed on a system.
“We need to really solve this problem. Too many people have too many different interpretations for what a rootkit is,” Weaver said in an interview with eWEEK. “We need a standard definition that the community can accept so when someone talks about a rootkit everyone is thinking basically the same thing. A general acceptance throughout the security community would be a very good goal.
“We need to have a very clear understanding of what were talking about. We need to figure out, what exactly is a rootkit? What is stealth? What are the risk factors that an enterprise or home users can understand? Are there legitimate reasons for using the technology?”
Even before its own rootkit flap, Symantec approached several industry groups about taking the lead to figure out the definitions and found a taker in the IT-ISAC (Information Sharing and Analysis Center), a high-level group that serves as a central repository for security-related information.
Pete Allor, IT-ISAC director of operations, said the group has started preparatory work around a common definition for “rootkit” and expects to have a workable description within four weeks.
Allor, who works as director of intelligence at Internet Security Systems Inc., fully supports the initiative and likened it to the work by the AntiSpyware Coalition to come up with clear definitions for adware and spyware. “Its always confusing for end users when the message is different. It would be nice for the industry to use the same term and all mean the same thing, whether youre a software maker, a security vendor,” Allor said.
Like Symantec, anti-virus vendor Kaspersky Lab also found itself ensnared in the rootkit scandal when Windows internals guru Mark Russinovich suggested that the companys software also used rootkit-type features.
In an interview, Kasperskys founder and head of virus research, Eugene Kaspersky, said the technology in question, called iStreams, is clearly not a rootkit. “We started using iStreams technology a couple of years ago to improve scanning performance. Basically, this means that our products use NTFS Alternate Data Streams to hold checksum data about files on the users system. If a checksum remains unchanged from one scan to another, [our] products know the file has not been tampered with and do not, therefore, require a repeat scan,” he explained.
When the anti-virus software is active, Kaspersky said the streams are hidden because they are internal data only. “Just because you cant see them either automatically or with a special tool, it doesnt mean that theyre malicious. It also doesnt mean that a product which uses and hides these streams is using rootkit technology,” he insisted.
“I think that when we talk about security we need to be clearer about the difference between malicious [or dangerous] rootkits and cloaking technologies, which cant be exploited by malware,” Kaspersky added.
But Russinovich is standing his ground. On his Systinternals blog and in an interview with eWEEK, he maintains there is “never a case” for justifiable use of rootkit technology, whatever the definition.
“If a software developer ever believes a rootkit is a necessary part of their architecture, they should go back and rearchitect their solution,” Russinovich said bluntly.
Russinovich, who along with F-Secure Corp., was credited with finding and reporting the Sony and Symantec issues, said the risks of attackers targeting third-party rootkits to hide malicious files in programs are impossible to ignore.
“The obvious risk rootkits present, which has been demonstrated by both Sonys and Symantecs implementation, is malware being able to hide beneath the cloak. Even if a vendor has ensured with certainty that thats not possible, the cloak makes it impossible for a security administrator to ensure that the cloaked objects have correctly configured security and, if they consist of executable code, are updated with the latest security patches,” Russinovich argued.
Another big problem, he explained, is the way cloaking technology changes the way Windows operates, making it difficult or impossible for users and systems administrators to understand the behavior of modified systems and to diagnose issues that arise as a result of altered behavior.
“Cloaking can make it impossible to account for resource usage like disk space, memory or CPU to perform a complete inventory of a system, to understand incompatibilities between Windows or other software and the cloaked objects, and even to make a functional backup. [A] cloaked driver that crashes a computer can cause a misdiagnosis of the problem and can be extremely difficult to remove or update,” Russinovich wrote.
Eric Howes, director of malware research at Sunbelt Software Inc., is firmly in the Russinovich camp. “The lack of malicious intent doesnt mean its not a serious security issue. Lets not lose sight of that fact,” Howes said.
Howes, a staunch anti-spyware activist who was critical of the previous effort to define spyware and adware, said the new push to define rootkits is “suspicious.”
“Definitions can be helpful, but this one feels like theres an agenda to legitimize the use of what is a dangerous piece of technology. My great worry is that we will define rootkits in such a narrow way that the whole definition will come down to malicious intent. Companies will hide behind the disclosure loophole,” Howes argued.
“Once we get caught up in hard-and-fast definitions, consumers have lost the game. Weve been down this road with adware and spyware. They provide the minimum amount of disclosure to be on right side of the law, and consumers end up losing. We know how notice and disclosure are handled in practice.”