The term rootkit is an increasingly familiar one in the IT community, especially for Windows managers. Rootkits can hit any operating system, but Windows' popularity in the enterprise makes it a common target for hackers.
What is a rootkit?
According to Mark Russinovich, a rootkit is simply a cloaking device. Russinovich, a Windows expert, Microsoft MVP and founder of Winternals Software, in Austin, Texas, outlines rootkits on his freeware Web site, Sysinternals.com. According to the site, the term rootkit describes the mechanisms and techniques malware uses to hide its presence on a system. Persistent rootkits keep code on the machine that activates each time the system boots. Memory-based rootkits have no persistent code and therefore do not survive a reboot.
"The very powerful kind live in the kernel," Russinovich said. "They can cloak anything they want."
What makes rootkits more alarming is that they are often invisible to many detection tools, including antivirus and antispyware products.
"They are raising the bar for security threats," Russinovich said. "You can't perform a security audit of things you can't see."
It is an arena in which the antivirus and antispyware vendors need to catch up. "The AV and antispyware market is reactionary," he said. "The more we see, the more we wake people up to it."
Good guys, bad guys or both?
Just what are the vendors trying to do about it? And are all rootkits a problem? That question made headlines earlier this year after Sony BMG shipped rootkit-style copy protection software on some of its music CDs. The move was so controversial that Sony was forced to recall millions of CDs. The state of Texas is now suing the company over the software.
Security vendor Symantec Corp. was also criticized recently for rootkit-like software in one of its products. Unlike Sony's, Symantec's could be turned on or off and could easily be uninstalled by the user.
The fact that the rootkits came from well-known companies raises the issue of whether or not some rootkits are harmless. No way, said Dan Kaminsky, a security analyst who runs DoxPara Research, an independent research firm.
"The fundamental issue for AV companies is deciding whether they want to go after just hackers or duly registered corporations as well," Kaminsky said.
The Sony case makes Kaminsky's blood boil. He called the idea that the music giant's rootkit posed no problem laughable.
"This software didn't just sit there," he said. "It actively made decisions about what you could and could not do with your computer."
Russinovich agrees with Kaminsky's view. "Any type of rootkit produces security and reliability risks," he said.
Products for fighting the threat
Kaminsky said he believes rootkits stand to do more damage to computing than spyware has over the years. According to him, the first spyware code became public in 2000, but it took three years for the major security vendors to release antispyware products.
"AV has barely gotten a handle of spyware," he said. "Rootkits are just another thing they are responding to slowly."
Products that detect rootkits exist, but there are not many. For example, Finnish security vendor F-Secure Corp. makes a product called BlackLight Rootkit Elimination Technology. Russinovich's Sysinternals makes one called RootkitRevealer. There are a handful of others on the market as well.
Ted McCarthy is a contract systems technician for a government agency and a Microsoft MCSE who has used RootkitRevealer. McCarthy sought out the product himself because of his concern over the threat rootkits pose.
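The article names the detection products but not how they see what the operating system cannot show. The approach RootkitRevealer takes is a cross-view comparison: enumerate files and registry keys once through the normal Windows API, once by reading the raw on-disk structures, and report every entry the two views disagree on, since a cloaking hook can filter the API results but not the bytes on disk. The following is an added illustration of that principle, not code from Sysinternals, F-Secure or the article; the `$hide$` prefix, the path and key names, the `cloaked_api_view` and `raw_view` stand-ins, and the transient temp file are all constructed and hypothetical. The second pass shows the caveat a practitioner hits in practice: anything created or deleted between the two enumerations shows up as a one-off discrepancy, so only findings that persist across passes are reported.

```python
"""Cross-view rootkit detection on constructed data (added example, offline).

Real tools walk NTFS structures and registry hives on disk; here both views are
simulated so the comparison logic can run anywhere.
"""
from dataclasses import dataclass

HIDE_PREFIX = "$hide$"   # hypothetical marker the simulated rootkit strips from listings


def basename(path: str) -> str:
    """Last component of a backslash-separated file path or registry key."""
    return path.rsplit("\\", 1)[-1]


def raw_view(entries):
    """Stand-in for a raw on-disk parser: it sees everything because it never
    goes through the (hookable) Windows API."""
    return {kind: set(paths) for kind, paths in entries.items()}


def cloaked_api_view(entries):
    """Stand-in for a hooked enumeration API (FindNextFile / RegEnumKey style):
    the rootkit drops every entry whose name starts with HIDE_PREFIX before
    the caller ever sees it."""
    return {
        kind: {p for p in paths if not basename(p).startswith(HIDE_PREFIX)}
        for kind, paths in entries.items()
    }


@dataclass(frozen=True)
class Discrepancy:
    kind: str      # "file" or "registry"
    path: str
    detail: str    # which view the entry is missing from


def cross_view_diff(api, raw):
    """One pass. Raw-only entries are hidden from the API (rootkit indicator);
    API-only entries exist only in the API view (created after the raw walk,
    or backed by memory rather than disk) and deserve a look too."""
    findings = set()
    for kind in set(api) | set(raw):
        a, r = api.get(kind, set()), raw.get(kind, set())
        for p in r - a:
            findings.add(Discrepancy(kind, p, "hidden from Windows API"))
        for p in a - r:
            findings.add(Discrepancy(kind, p, "visible only to Windows API"))
    return findings


def stable_findings(passes):
    """Keep only discrepancies present in every (api, raw) pass. A file that
    appeared between the two walks shows up once; a rootkit's filtering is
    deterministic and survives every pass."""
    result = None
    for api, raw in passes:
        diff = cross_view_diff(api, raw)
        result = diff if result is None else result & diff
    return sorted(result or set(), key=lambda d: (d.kind, d.path))


# Constructed ground truth: what is really on disk and in the hive.
SYSTEM = {
    "file": {
        r"C:\Windows\System32\kernel32.dll",
        r"C:\Windows\System32\$hide$drv.sys",                 # cloaked driver
        r"C:\Users\alice\notes.txt",
    },
    "registry": {
        r"HKLM\SYSTEM\CurrentControlSet\Services\Tcpip",
        r"HKLM\SYSTEM\CurrentControlSet\Services\$hide$svc",  # cloaked service key
    },
}
TRANSIENT = {**SYSTEM, "file": SYSTEM["file"] | {r"C:\Windows\Temp\tmp1.log"}}


def demo():
    # Pass 1: tmp1.log is written after the API walk but before the raw walk,
    # so it is raw-only in this pass even though nothing is hiding it.
    pass1 = (cloaked_api_view(SYSTEM), raw_view(TRANSIENT))
    # Pass 2: both walks see tmp1.log; only the cloaked entries still differ.
    pass2 = (cloaked_api_view(TRANSIENT), raw_view(TRANSIENT))
    return stable_findings([pass1, pass2])


if __name__ == "__main__":
    for d in demo():
        print(f"{d.kind:8} {d.detail:26} {d.path}")
```

A single pass over this data reports three discrepancies (the two cloaked entries plus the temp file); the two-pass intersection reports only the two cloaked entries. On a real system the raw side is the hard part, which is why these tools are few: it means re-implementing enough of the NTFS and hive formats to read them without the kernel's help.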
"I know that there have not really been any major problems yet with rootkits, but the issue with Sony was a wake-up call to everyone -- that they should be checking for these things," McCarthy said in an e-mail.
A second report looks at what Microsoft is doing to address the threat of rootkits and examines rootkit-fighting technologies that are planned for Vista.