By Ellen Messmer
Rootkits are becoming more prevalent and difficult to detect, and
security vendor McAfee says the blame falls squarely on the open
In its "Rootkits" report being published today, McAfee says the number
of rootkits it has collected as malware samples has jumped ninefold
this quarter compared with the same quarter a year ago. Almost all the
rootkits McAfee has identified are intended to hide other code (such
as spyware or bots) or conceal processes running in Windows systems.
"The predominant reason for the growth in use of stealthy code is
because of sites like Rootkit.com," says Stuart McClure, senior vice
president of global threats at McAfee
Rootkit.com's 41,533 members do post rootkit source code anonymously,
then discuss and share the open source code. But it's na=EFve to say the
Web site exists for malicious purposes, contends Greg Hoglund, CEO of
security firm HBGary and operator of Rootkit.
"It's there to educate people," says Hoglund, who's also the co-author
with James Butler of the book Rootkits: Subverting the Windows Kernel.
"The site is devoted to the discussion of rootkits. It's a great
resource for anti-virus companies and others. Without it, they'd be
far behind in their understanding of rootkits."
No one with a profoundly malicious intent would post his rootkit on
the site, because it would be publicly analyzed for detection
purposes, Hoglund says. He concedes, however, that out of the tens of
thousands of Rootkit participants, there are bound to be those whose
intent is to exploit rather than learn.
Anti-virus vendor Trend Micro says the Rootkit Web site cuts both
"We need those open source people," says David Perry, global director
of education at Trend Micro. "They uncover things. It's a laboratory
of computer science. They demand the intellectual right to discuss
That said, Perry notes there are a lot of hacker wannabes who would be
drawn to using the Rootkit site "as one-stop shopping for them to pick
up the tools."
Designing a rootkit is a complex programming process. Hoglund says
there are probably no more than 20 or 30 main types today, along with
a wide number of variants.
Detecting rootkits has become a software research frontier, but
eradicating them and what they hide is proving even more difficult.
"I don't think it's fair to say Root kit.com is abetting the spread of
rootkits. They were present before Rootkit.com," says co-author
Butler, CTO at Komoku. Komoku is getting ready to release a
rootkit-detector code-named Gamma.
Butler says Rootkit.com has made it easier to use such software.
"Technology being deployed today is now more sophisticated than it was
two years ago. It's very advanced," he says.
"Eradication is extremely difficult to do in 100% of the cases, while
restoring a system and keeping it stable," Butler says. Some rootkits
that can get into the [basic input/output system] might make it
advisable "to throw the computer away" if you want to be sure you got
rid of the rootkit, he says.
A Microsoft official offered similar advice two weeks ago at the
InfoSec Conference in Orlando.
Rootkits with names including HackerDefender, AFXRootkit, PWS-Progent
and FURootkit are cited by McAfee as among the most prevalent today.
The trend is toward embedding stealth technologies with varying forms
of spyware and malware, such as Backdoor-CEB, AdClicker-BA, W32/Feebs,
Backdoor-CTV, Qoolaid, PWS-LDPinch, Opanki.worm, and W32/Sdbot.worm.
This makes it harder to detect and eradicate spyware, adware and other
unwanted code, McAfee's McClure says.
The growing fear in the security world is that it won't be long before
someone creates a worm that can scan networks for vulnerabilities and
then effectively deliver a malicious payload - such as something that
can wipe out files, change data or spy on organizations - that can be
kept hidden by a well-made rootkit.
"It's quite possible, once you've got a piece of code on someone's
computer," Perry says.
All contents copyright 1995-2005 Network World, Inc.
InfoSec News v2.0 - Coming Soon!