November 21, 2005 4:00 AM PST
What makes a rootkit?
Antivirus software can often block known rootkits from being installed on a PC by using a signature list. Incoming code is checked against this list of known threats, and any code that matches an entry is rejected. However, this means that new, as-yet-unrecognized versions pose a challenge for security software companies. Also, rootkits are getting more complex, making them harder to remove, according to some experts.
"Security companies are definitely behind the curve," said Andrew Jaquith, a senior analyst at the Yankee Group, a Boston-based research company. "I think it is inevitable that you are going to see enhanced offerings from the leading players that are targeted specifically at rootkits."
Some protective software providers are catching up. Finland's F-Secure offers a test version of its BlackLight rootkit elimination technology, and Sysinternals, one of the first to reveal the threat behind Sony's copy protection software, has a free "RootkitRevealer."
At the moment, Microsoft offers detection and removal of some rootkits in its Malicious Software Removal Tool. In addition, it plans to add protection to the upcoming Windows Defender, its revamped Windows AntiSpyware tool.
Getting rid of a rootkit is easier to do when it first lands on a PC, as opposed to after it has been installed, Symantec's Weafer said.
"Let's say one of these rootkits comes in e-mail; it is far easier to see it there than once it is on the system," he said. "The current area of research is how to detect and remove once it is in place. That's more challenging, (as is) doing so without negatively impacting the system itself."
Symantec hopes to release rootkit-fighting technology next year, Weafer said.
Telling bad from good
The task of digging out rootkits should not just be the work of security products, but also something to be dealt with in the operating system, McAfee's Telafici said.
Microsoft is taking steps. Windows Vista, the successor to the XP operating system due out next year, will have barriers that make it harder for software like rootkits to run. It is a balancing act, because some of the operating system functionality that a rootkit abuses is needed to make an OS work with third-party products, Telafici said.
"Most modern operating systems are very open architectures. The reason you can buy a PC and mix and match technologies from other companies is because the operating system makes it very easy to install devices and allow it to run software code to see those devices and communicate with it," he said.
While rootkits used for malicious purposes by far outnumber rootkits used with good intent, beneficial versions do exist, Orbeton said.
"The security department at a company I previously worked at used what would be considered a rootkit so we could log in to computers in the event the computer got compromised by an attacker," he said. "We did not want the attacker to know that we had this tool present on the system."
That particular rootkit was created internally. Orbeton does not recommend using a publicly available rootkit for administrative or security purposes, as they may have a secret backdoor.
"A rootkit is just a tool. What it is actually used for is what makes it good or evil," Orbeton said.
But Wes Ames, a computing security architect who helps manage tens of thousands of PCs at airplane maker Boeing, doesn't like meddling with the innards of the operating system.
"I am very much against companies doing any kind of modification of operating system files. Those were not intended to be modified, and they contribute to the general instability of the machine," he said.