More Dangerous Rootkits May Lurk On Horizon

Rootkits hide processes, files, and network connections and can be written to perform like a device driver on any operating system. Most people associate rootkits with the questionable practices of some of those who use them. They've carried a negative connotation ever since one was found in the software Sony shipped to protect the intellectual property on its artists' CDs.

But don't blame the technology. "A rootkit is not inherently malicious, although they are used for malicious purposes. The technology is separate from the intent," Greg Hoglund, CEO of software security service provider HBGary, said last week at the Software Security Summit in Baltimore.

Rootkits are difficult to detect, and new, more dangerous types may be on the horizon. The University of Michigan and Microsoft researchers in March published a paper that describes virtual-machine based rootkits that can cloak malware that monitors and controls software-based virtual servers running on a hardware-based server. Whereas more conventional rootkits "are faced with a fundamental tradeoff between functionality and invisibility," a virtual-machine based rootkit can "completely hide all its state and activity from intrusion detection systems running in the target operating system and applications," the researchers reported. Virtual-machine based rootkits are more difficult to install than conventional malware and require a reboot before they can run.

One technique that's used to infiltrate systems with rootkits is to disguise them as printer drivers, which are generally not well managed, Hoglund says. In this manner, a rootkit carrying a malicious payload has a path straight into the system's kernel. Another technique is to install a rootkit using a USB-pluggable drive or via a PCM slot.

Or it can be done the Sony way, which is to include rootkits on CDs that people buy and play on their computers. Late last year, Sony was fingered for including First 4 Internet digital-rights management software on its artists' CDs after Mark Russinovich, chief software architect and co-founder of Windows repair and recovery software maker Winternals Software, discovered a rootkit on his PC. First 4 Internet's software installed the rootkit to ensure that Sony's intellectual property—its artists' songs—couldn't be illegally copied. While most people agreed with Sony's right to protect its works, some criticized its use of rootkits. "Not only had Sony put software on my system that uses techniques commonly used by malware to mask its presence, the software is poorly written and provides no means for uninstall," Russinovich wrote in his Oct. 31 Sysinternals blog entry.

A federal judge in May approved the settlement of a class-action lawsuit filed by consumers against Sony. Under the settlement, anyone who purchased, received, or used CDs containing the DRM software after Aug. 1, 2003, can file a claim and receive new unprotected replacement CDs, free music downloads from a selection of 200 titles, or cash payments of $7.50.

The uproar over Sony's use of rootkit technology to embed DRM software was so strong that, months later, when security researchers discovered that the Norton Protected Recycle Bin, or NProtect, directory found in Symantec's Norton SystemWorks software was invisible to Windows, they accused Symantec of using rootkit technology. Symantec vehemently denied it was using a rootkit and then altered SystemWorks to make NProtect visible to Windows. "The Sony thing had just happened, so people had a bad image of stealth," Hoglund says. "Symantec wasn't creating any danger to the system, but it was a [public relations] nightmare."

A better example of what system admins have to fear from rootkits was revealed in May, when security researchers found that the online gaming site Checkraised.com was distributing a program known as RBCalc.exe that covertly stored gamblers' information for possible theft. The executable file was being used to create a backdoor to offer illegal remote access to an infected user's computer, and it used a rootkit to conceal its presence, security research firm F-Secure reported. With this in place, the tool's author could access login information from a user's computer for various online poker Web sites and seriously hurt that user's financial situation.

While there are products that can be used to detect rootkits, including F-Secure's BlackLight and Sysinternals' RootkitRevealer, software-based responses to rootkits are less effective the closer the rootkit is installed to the system's operating system kernel. A better offense against rootkits is a strong defense. Hoglund suggests closing off paths into the computer's operating system, adding, with a bit of humor, "When you see people who've glued closed their ports; those are people who understand rootkits."