Rootkits To Mask Most Malware By 2008

In the opening quarter of 2006, said McAfee in the first of a trilogy of reports on rootkits, its Avert Labs spotted more rootkit components in worms, Trojan horses, and spyware than in all of 2005. During the past three years, the use of rootkits in malicious code has soared by more than 600 percent.

"There have been dramatic increases in the last year or two," said Stuart McClure, a McAfee vice president and the chief of Avert Labs. "This hasn't been a linear ramp-up."

Although rootkits began innocently enough -- the term originally referred to a collection of Unix utilities that gave administrator-level access (known as root access) -- they began to go dark as long ago as 1986. Most users first became aware of them much more recently; in late 2005, news broke that Sony BMG Music was using a rootkit to hide anti-piracy protection on audio CDs played on PCs.

"This is creating hardier and ever more virulent strains of malware that will continue to threaten businesses and consumers alike,” McClure said.

The trouble, he said, is not that rootkits make it much tougher to detect malware, but that they make it very difficult to completely cleanse a system of all evidence of an attack.

"When it comes to clean and detection, detection is fairly straightforward, even when the malicious code uses rootkit components," said McClure. "We can usually catch an exploit before it infects a PC.

"But it's the cleaning that's the really really tough part."

If, for instance, a rootkit-using Trojan or worm or spyware program manages to slip by defenses, or worse, infects an unprotected computer, sniffing out all the nasty pieces is an iffy proposition, even for the most advanced anti-virus software.

"We can usually detect a Trojan, but we often can't thoroughly clean it," admitted McClure, because the rootkit components have so well hidden code or cloaked processes and services that usual cleanings find and shut down. "Sometimes, when rootkit malicious code is cleaned, the PC becomes unstable."

As if that wasn't bad enough, McClure predicted that rootkits would be used even more often by malicious code writers in the future. "The absolute numbers are low," he said, "since only about 2 percent of all malware now includes rootkit components." But with the first quarter of 2006 showing a major swelling in numbers of exploits and threats equipped with rootkits, he's expecting that percentage to climb by 650 percent annually over the next two or three years.

By the end of 2006, then, users should figure that about 13 percent of all malware, or 1 in 7 threats, will be using rootkits to obfuscate their actions. If McClure's estimates prove right, by the end of 2008, an overwhelming majority -- 84 percent -- of all malicious code will be disguised by rootkits.

The reason for his gloomy outlook that malicious code writers are taking to rootkits like ducks to water is that they're sharing or selling the cloaking devices on relatively public sites.

"It's much much easier now to get their hands on rootkits," said McClure. "It's nothing like traditional virus sharing, but very out in the open, very open source. The maturation of this technology and the increase in sharing has made adding rootkits to malicious code a near cut-and-paste technique."

And they're sharing and selling/buying rootkit technologies because it's good hacker economics.

"Every day a hacker's Trojan isn't cleaned off a system," said McClure, "is another day he can make more money" from selling the system as a spam zombie or mining it for identity data.

"It's simple. If you can add just one more day to the [malware's] lifespan, you make more money."

McAfee's report can be downloaded in PDF format from the Santa Clara, Calif. company's Web site.