Security experts have been talking about rootkit technology in spyware ever since the Sony rootkit fiasco of late 2005. In the early days of the Internet, intruders who had already broken into the big UNIX computers of the day would put together kits of modified system programs (ls, ps, netstat and the like) to hide their presence and keep their "root" privileges undetected. Note the distinction: a rootkit does not gain root, it conceals the fact that somebody already has it. On personal computers "root" privileges equate to "Administrator" or "SYSTEM" privileges. Unfortunately, these techniques are now being applied to the world of personal computers. Once in place this "stealthware" hides its own files, processes and registry entries from the operating system and from security software, and from there it can allow your computer to be used in Denial of Service attacks or allow spyware/adware people to download and install spyware whether you want it or not.
Our first encounter with this technology occurred in September 2006. A customer reported multiple problems with his computer that had started rather abruptly, a sure sign of malware infection. Initial scans from a "clean boot" detected and removed numerous items; however, the symptoms remained when booting from the hard drive, which is what you would expect if something on the disk was hiding from the scanners whenever it was running. After days of scouring the hard drive, googling, trial and error tweaks and working from DOS (this was a Windows 98 machine), the customer finally received a clean computer, or at least one on which all the symptoms were gone.
Does this incident indicate an escalation in the use of rootkit techniques in spyware/malware? If it does, we should be prepared. The first step is to find out what rootkits are. Wikipedia gives an in-depth definition, and if you scroll down to the "External Links" heading you will find links to the Security Now episodes 9 and 12 transcripts or mp3 downloads. Among the other links listed on the Wikipedia page, AntiRootkit.com looks to be a promising site. Another informative web page on rootkit detection and removal listed and reviewed a few tools for combating rootkits:
- BlackLight by F-Secure, available as a beta until it is offered as a commercial product
- RootkitRevealer from Sysinternals (which was bought by Microsoft, but the tool is still freely available on Microsoft's TechNet pages). It works by comparing what the Windows API reports against a raw read of the disk volume and registry hives and flagging anything that appears only in the raw view, which is exactly what a rootkit that filters the API cannot hide. Highly recommended.
- Malicious Software Removal Tool from Microsoft, actually intended for regular malware, but it does detect more than one of the most prevalent rootkits. We also have information on this tool on our site. The link to this resource was removed due to continuing changes at microsoft.com, but it can be found on the Microsoft download pages. This utility is updated monthly and is part of the "second Tuesday" critical updates package from Microsoft.
- IceSword, a Chinese tool now available in English from a mirror site; recommended for experienced users, but highly regarded nonetheless
- Rootkit Hook Analyzer, another beta intended for commercial release. Note, however, that not all rootkits use hooks, so a clean hook report does not prove that the machine is clean.
Unfortunately, none of these tools work on Windows 95/98/ME. Owners of computers with these operating systems will have to resort to the most cost-effective method of treating a rootkit infection: format the hard drive and reinstall the operating system. That means you need your data backed up, or a drive image burned to CD/DVD on a regular basis, which is also good advice for owners of newer systems. Old and new systems alike should have a layered defense in place and updated regularly, and newer operating systems should have all available security updates installed. Finally, practice safe browsing (see the Security page for details).
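To make the "cross-view" idea behind RootkitRevealer concrete, here is an added illustration written for this article; it is not code from the original page, from Sysinternals or from any of the tools listed above. It simulates a rootkit that filters directory listings the way the 2005 Sony XCP rootkit did (XCP's driver hid every file, process and registry key whose name began with "$sys$"), then detects it by diffing the filtered "high-level" view against an unfiltered "low-level" view. The directory contents are constructed for the demo, and the file names in it are made up.

```python
"""Cross-view rootkit detection, simulated.

A cross-view detector takes two listings of the same thing: a high-level one
from the normal API (which a rootkit can hook and filter) and a low-level one
that bypasses that API (RootkitRevealer reads the raw volume and registry
hives). Anything that shows up only in the low-level view is being hidden.
"""
import os
import tempfile

# Prefix the 2005 Sony XCP rootkit cloaked. Anything named "$sys$..." vanished
# from Explorer, Task Manager and regedit while the driver was loaded.
HIDE_PREFIX = "$sys$"


def raw_view(directory):
    """Low-level view: enumerate the directory without any filtering.

    In a real detector this would be a raw read of the on-disk structures;
    here the plain OS listing stands in for it.
    """
    return sorted(os.listdir(directory))


def hooked_view(directory):
    """High-level view as a rootkit would present it: same data, filtered.

    This is the simulated hook. A real one would sit in the kernel or in the
    API layer and drop entries before the caller ever saw them.
    """
    return sorted(n for n in os.listdir(directory) if not n.startswith(HIDE_PREFIX))


def cross_view_diff(high_level, low_level):
    """Return entries present in the low-level view but missing from the high-level one.

    Those entries are the ones something is actively hiding. Entries that
    appear only in the high-level view are not returned: they are usually
    just files that changed between the two enumerations, not cloaking.
    """
    return sorted(set(low_level) - set(high_level))


def scan_directory(directory, api=hooked_view):
    """Scan one directory with the given API view against the raw view."""
    return cross_view_diff(api(directory), raw_view(directory))


def demo():
    """Build a constructed directory with two cloaked and two normal files, then scan it."""
    with tempfile.TemporaryDirectory() as d:
        # Constructed sample data; the "$sys$" names are invented for the demo.
        for name in ("readme.txt", "$sys$cloaked.sys", "notes.doc", "$sys$hidden.dat"):
            open(os.path.join(d, name), "w").close()
        hidden = scan_directory(d)           # rootkit active: two entries flagged
        clean = scan_directory(d, api=raw_view)  # no hook: nothing flagged
        return hidden, clean


if __name__ == "__main__":
    flagged, clean = demo()
    print("Hidden by the hook:", flagged)    # ['$sys$cloaked.sys', '$sys$hidden.dat']
    print("Flagged with no hook:", clean)    # []
```

Two caveats a practitioner should keep in mind. First, this only catches rootkits that hide by filtering the view the scanner asks for; a rootkit that also intercepts the scanner's raw disk reads, or that hides a process by unlinking it from kernel lists rather than hooking anything, will not show up in the diff, which is why the page above warns that a hook analyzer alone is not enough. Second, the detector itself runs on the possibly compromised system, so a clean result is never proof; scanning from a "clean boot", as in the September 2006 case above, is what actually takes the rootkit out of the picture.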
One question asked repeatedly when speaking of malware is, "Why do they want to do that stuff??!!" According to an AntiRootkit.com article, a group of hackers in Russia received five thousand dollars for the Windows Metafile exploit. That pretty much answers the question: there is money in it.
Update 10/16/2007
In the opening paragraph of this article we mentioned the "Sony rootkit fiasco", which was responsible for the increased concern over rootkit technology being used in malware. That incident kicked off several class action lawsuits and resulted in Sony recalling the products on which its rootkit had been used. We recently heard that this is a continuing story. Sony has not learned any lessons from its 2005 blunder and is still releasing products with rootkit technology included, this time using a different third party as the source of the rootkit. Changing the third party will not stop the bad guys from using the cloaking to hide their own software, as happened in 2005. However good their products may be, I for one am not inclined to risk my data or equipment and no longer purchase anything produced by this company until I know that it is safe and rootkit free. The reason for this stance stems from the encounter with a rootkit on a customer's machine outlined in the second paragraph of this article. Most shops would have done a format and reinstall of the OS and been done in a few hours. The shorter repair time comes at the expense of any and all data the customer may have accumulated on the hard drive. That data loss may mean nothing to Sony or to a typical repair shop, but it means a lot to the customer; it can represent photographs that are irreplaceable, which makes it priceless.
Microsoft, Microsoft Office, Windows, Windows XP and Windows Vista are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries. Other names have been included in the above text that are trademarks of the respective companies.