Rootkits are driving Dan Kaminsky crazy. Kaminsky, a security analyst who runs DoxPara Research, an independent research firm, spends a good deal of time opining about rootkits on the firm's Web site. In a recent interview, he was even more animated about why rootkits are ruining lives.
"We are computer people," he said. "We tell people their lives will be better by using computers. Rootkits and spyware destroy that experience."
Kaminsky is not alone in his frustration. Rootkits have become a hot topic in IT security. And Windows, the most popular operating system, is a favorite target of the hackers.
One bright light for Kaminsky is Vista, Microsoft's next desktop operating system. "Vista is really trying hard to address this," he said "They are going to be cryptographically signing everything in the core of the OS."
Kaminsky is referring to a new policy in Vista that will require digital signatures on all kernel mode software running the OS on x64 bit-based computer systems. All unsigned drivers will be blocked. The idea is that blocking will stop the spread of rootkits and other malicious programs.
Microsoft is ready to fight
Rootkits have certainly caught the attention of Microsoft security officials. Researchers with the software company hosted a session on the dangers of rootkits at the RSA conference in San Francisco earlier this month, and they promise Vista will provide protection against the hidden programs.
In addition to the digital signatures, Vista will offer another rootkit shield in the form of an integrated product called Windows Defender, formerly called Microsoft AntiSpyware. Windows Defender is in a second beta but it is not unique to Vista. It is already a free download for Windows XP SP2, Windows 2000 SP4 and Windows Server 2003 SP1 customers. The technology detects and removes threats posed by spyware and other potentially unwanted software.
These security measures are a start, said Kaminsky. But Greg Hoglund, who runs the Web site Rootkits.com and has written a book on the subject, is skeptical.
"Almost everything is eventually going to be undone by some hacker," Hoglund said. "Just because they are signed doesn't mean they are secure."
Hoglund said he has seen enough rootkits to know that the threat is severe and progressing, and commercial tools will never be ahead of the problem. He noted that there is plenty of initiative in the security world to develop the right products. He pointed to several examples, such as a chip in development from Intel Corp. The processor will notify users when they are downloading a rootkit to their computers. But Hoglund said these steps may prove simply to be small victories in the war against rootkits.
Mark Russinovich, a Windows and rootkit expert, agrees, and notes that rootkit technology may be too smart to ever outwit.
"There are no guarantees, no final move, no win-win on either side," he said. "The only way to guarantee is to keep malicious programs off."
Russinovich's freeware Web site, Sysinternals.com, is about to release a product called Protection Manager, which gives organizations the ability to specify what programs can or cannot run. He said the technology can aid Windows managers because it will prevent the end user from bringing products from home and downloading them into a computer.
Too little, too late?
But, what if a rootkit is already on your system? The snooping programs are becoming more sophisticated and hard to find. There are only a few rootkit detection tools on the market. Among the offerings is BlackLight Rootkit Elimination Technology from Finnish security vendor F-Secure Corp. Russinovich's Sysinternals makes one called Rootkit Revealer.
Now, Microsoft may get into the detection game. According to the Microsoft research site, the software maker is developing a new prototype tool named Strider GhostBuster, an offline scanning tool. It compares files on a potentially infected system to files created by a separate, uncompromised system. Microsoft would not comment further about the technology. A spokesperson said the company does not have plans to announce a release date for Strider at this time.
Hoglund had a suggestion for enterprise managers who cannot wait for commercially available technology to catch up.
"Hire someone to write a rootkit detection system for you," he said. "And don't make it public. It's security through obscurity."