November 21, 2005 4:00 AM PST

What makes a rootkit?


Antivirus software can often block known rootkits from being installed on a PC using a signature list. Incoming code is checked against this list of known threats, and any code that matches a signature is rejected. However, this means that new versions, which have no signature yet, pose a challenge for security software companies. Also, rootkits are getting more complex, making them harder to remove, according to some experts.

"Security companies are definitely behind the curve," said Andrew Jaquith, a senior analyst at the Yankee Group, a Boston-based research company. "I think it is inevitable that you are going to see enhanced offerings from the leading players that are targeted specifically at rootkits."

Some protective software providers are catching up. Finland's F-Secure offers a test version of its BlackLight rootkit elimination technology, and Sysinternals, one of the first to reveal the threat behind Sony's copy protection software, has a free "RootkitRevealer."
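The two detection ideas mentioned here, signature matching of incoming code and finding what is already hidden on a system, can be shown side by side. The following is an added example, not code from the article or from any of the vendors named; the file contents, signature list and directory views are all constructed. The cross-view check mirrors the published approach of RootkitRevealer (comparing a high-level API listing against a low-level raw listing), which the article itself does not describe.

```python
import hashlib

def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 of a byte string; used as the 'signature' of a file."""
    return hashlib.sha256(data).hexdigest()

# Constructed 'known rootkit' contents; the signature list stores only digests.
KNOWN_ROOTKIT_V1 = b"constructed driver payload v1"
KNOWN_ROOTKIT_V2 = b"constructed driver payload v2"  # a later, unlisted variant
SIGNATURES = {sha256_hex(KNOWN_ROOTKIT_V1)}

# Constructed incoming files, e.g. e-mail attachments or CD autorun binaries.
INCOMING_FILES = {
    "autorun_setup.exe": KNOWN_ROOTKIT_V1,
    "autorun_setup_new.exe": KNOWN_ROOTKIT_V2,
    "readme.txt": b"harmless text",
}

def signature_scan(files: dict[str, bytes], signatures: set[str]) -> list[str]:
    """Return the names of files whose digest is on the signature list.

    This is the 'block it before it lands' step: cheap and exact, but it
    misses any variant whose digest is not yet listed.
    """
    return [name for name, data in files.items() if sha256_hex(data) in signatures]

def unmatched_files(files: dict[str, bytes], signatures: set[str]) -> list[str]:
    """Files the signature scan lets through (the gap new versions exploit)."""
    flagged = set(signature_scan(files, signatures))
    return [name for name in files if name not in flagged]

# Constructed directory listings of the same folder after installation.
# API_VIEW is what the (possibly hooked) Windows API reports; RAW_VIEW is what
# a direct read of the on-disk structures reports.
API_VIEW = {"ntoskrnl.exe", "drivers/", "readme.txt"}
RAW_VIEW = {"ntoskrnl.exe", "drivers/", "readme.txt", "hidden_driver.sys"}

def cross_view_scan(api_view: set[str], raw_view: set[str]) -> set[str]:
    """Return entries visible at the raw level but missing from the API view.

    A discrepancy means something is filtering the API results, which is the
    tell-tale behaviour of a rootkit that is already in place.
    """
    return raw_view - api_view

if __name__ == "__main__":
    print("blocked on entry:", signature_scan(INCOMING_FILES, SIGNATURES))
    print("slipped past signatures:", unmatched_files(INCOMING_FILES, SIGNATURES))
    print("hidden from the API view:", cross_view_scan(API_VIEW, RAW_VIEW))
```

The variant with no signature passes the first check, and only the cross-view comparison, run after installation, exposes what is being hidden.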

At the moment, Microsoft offers detection and removal of some rootkits in its Malicious Software Removal Tool. In addition, it plans to add protection to the upcoming Windows Defender, its revamped Windows AntiSpyware tool.

Getting rid of a rootkit is easier to do when it first lands on a PC, as opposed to after it has been installed, Symantec's Weafer said.

"Let's say one of these rootkits comes in e-mail; it is far easier to see it there than once it is on the system," he said. "The current area of research is how to detect and remove once it is in place. That's more challenging, (as is) doing so without negatively impacting the system itself."

Symantec hopes to release rootkit-fighting technology next year, Weafer said.

Telling bad from good

The task of digging out rootkits should not just be the work of security products, but also something to be dealt with in the operating system, McAfee's Telafici said.

Microsoft is taking steps. Windows Vista, the successor to the XP operating system due out next year, will have barriers that make it harder for software like rootkits to run. It is a balancing act, because some of the operating system functionality that a rootkit abuses is needed to make an OS work with third-party products, Telafici said.

"Most modern operating systems are very open architectures. The reason you can buy a PC and mix and match technologies from other companies is because the operating system makes it very easy to install devices and allow it to run software code to see those devices and communicate with it," he said.

While rootkits used for malicious purposes by far outnumber rootkits used with good intent, beneficial versions do exist, Orbeton said.

"The security department at a company I previously worked at used what would be considered a rootkit so we could log in to computers in the event the computer got compromised by an attacker," he said. "We did not want the attacker to know that we had this tool present on the system."

That particular rootkit was created internally. Orbeton does not recommend using a publicly available rootkit for administrative or security purposes, as they may have a secret backdoor.

"A rootkit is just a tool. What it is actually used for is what makes it good or evil," Orbeton said.

But Wes Ames, a computing security architect who helps manage tens of thousands of PCs at airplane maker Boeing, doesn't like meddling with the innards of the operating system.

"I am very much against companies doing any kind of modification of operating system files. Those were not intended to be modified, and they contribute to the general instability of the machine," he said.


2 comments

Sorry but...
this is nothing more than a failure of security companies to protect their paying customers.
I'll bet in this rootkit's heyday Symantec's NIS was instructed to ignore Sony's rootkit when it connected to the net to send info on the music you listened to.
That's why I use an older version of IN_CDDA.cdb in Winamp, which allows me to use the CDDB of my choice, as AOL has sold its soul to Gracenote.
It's the main reason I never update NIS as these corporate *****$ have sold themselves to every other paying corporation. Darn near every update was to allow ads and scripts from other corporate scum access to run code on my computer.
Posted by Muddleme (99 comments)
What makes a Kentucky Shitkicker?
The purpose of a rootkit is to supplant the system so as to allow access that would otherwise not be available while maintaining the aspect of a penetrated system. Provided the interface is secure, the only way this is in any way possible is if the user runs code or a script, or performs an action so as to invoke his privilege, and presumably without his awareness sets into motion an unintended penetration.

In this case (let's assume a less than fully privileged user in all accounts) one places a CD into a CD-ROM disc drive and as a result executes a binary file that is read therein with elevated privileges, those of an authority which can make changes to filesystems at the level of format or otherwise. I don't mean to split hairs with you on this, but the fact that an unprivileged user was able to act as a privileged one (or few, whatever the case may be) is symptomatic of something known in the industry as a "superrootkit" having been present prior to the insertion of the compact diskette, so please let's not put the cart before the horse, if you will.

If I may play the devil's advocate and rise to the Sony Music Corporation's defence, the action of storing or writing to the system's physical storage information which pertains to content used by an application internally is so common that if it were done in a prominent location in the storage tree it would be bothersome and, worst case, deleterious. Files pertaining to the relationship between user and content, be it software or other usage-delimited materials, are often written to these files to in effect force the user to comply with what the software application's engineers stipulate is the governing agreement between user and provider. As a no trespassing sign prompts the decision to be made by the traveler to circumnavigate, a fence forces circumnavigation. It is not status quo for the software application to indicate it is recording such information or where it is doing so, nor does it do it in an expected location in the tree, and furthermore these files are not removed by the applications co-installed for removal of the installation. None of this can be associated with "rootkit" actions. The action involving writing files to the storage media, with the file formatting in question implemented on it, outside the effective tree is a function of the specification of this particular formatting, albeit an obscure one; the formatting and filesystem functions and operations need not be and were not and will not be altered by the software. I cannot speak to the nature of the information recorded. I might note that such a recording, as on a nonvolatile storage device, lends itself to long-term retention, the nature of which is not particularly conducive to a rogue application.
Posted by (10 comments)