Countering the “Rootkit” threat
Stealth malware is back and this time it's serious.
By John E Dunn | Published: 17:00, 07 March 2005
Writing a program that can hide itself on a computer so as to completely evade detection has long been considered the ultimate challenge for the malicious coder. Plenty of them have tried and gone some of the way to succeeding, but none has come particularly close to pulling it off.
One of the best-known attempts was the invention of the “stealth” virus which came along around the time MS-DOS virus numbers started to spike in the early 1990s, but these were quickly battened down by the anti-virus researchers. In fact, many of the stealth viruses didn’t replicate properly, but a warning of intent had nonetheless been posted in bright neon letters.
More recently has come spyware, which is actually a family of techniques for carrying out nosy and sometimes malevolent activity without a computer user being aware of what is going on. Despite its name, most spyware is not actually that good at hiding itself. It depends on users getting infected and not bothering to examine their PCs very closely. Any software that doesn’t bring itself to a user’s attention is stealthy in a way, but it is reassuring that the vast majority of it can be easily detected if you take the time to look with simple tools.
Nonetheless, a much more dangerous type of spyware-inspired program has also emerged that appears to have stolen a march on the current crop of Windows security programs. Called “Rootkits” (or RKs), and with conceptual origins in the Linux and Unix worlds, they are programs that install themselves on PCs (specifically Windows PCs) and attempt varying degrees of stealth, depending on what they have been programmed to do. The Rootkit itself causes no damage, but it will attempt to hide the presence of other malware, such as key-logging Trojans, viruses, or Worms.
Most turn out to be pretty easy to detect, but one type, designed to subvert an operating system kernel, has caused greater alarm among researchers. These are sophisticated enough to intercept system calls and so undermine the integrity of an OS. They count as unusually stealthy as even a list of OS processes does not reveal their existence, and they can also hide files. For the first time, malware writers appear to have got some way ahead of the security industry.
Microsoft has been aware of the issue for some time, releasing a technical report last July that set out the development of a tool, Strider Ghostbuster, that it had used in a research context to defeat a number of the better Rootkits, including Hacker Defender 1.0, Aphex - AFX Windows Rootkit 2003, Vanquish, and Msvsres.dll. The technique used involved booting from a stripped-down CD-based version of XP and running a file comparison between the known version and the installed one. The problem with this technique is that it is designed to detect file-hiding Rootkits, and so is only a partial solution to the problem.
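The comparison the report describes is a cross-view diff: the same disk is listed once from inside the running (possibly compromised) Windows and once from the clean CD boot, and any file the clean view sees but the live view does not has been hidden. The script below is an added illustration of that idea and is not code from Microsoft's report or from Strider Ghostbuster; the two listings, the file paths and the hash values in it are constructed sample data, and the `path|size|hash` listing format is an assumption chosen for the example. It also reports files whose hashes differ between the two views, which a listing-only comparison would miss.

```python
"""Cross-view file comparison (added example, not Microsoft's code).

Two listings of the same disk are compared: one gathered by the running
OS, one gathered after booting a clean environment that mounts the disk.
A file-hiding rootkit filters the first listing but cannot touch the
second, so the difference between the views exposes what it hides.

Listing format (an assumption for this example): one file per line,
  path|size_in_bytes|content_hash
Lines starting with '#' are comments.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class FileEntry:
    path: str
    size: int
    digest: str  # hex digest of the file's content


@dataclass
class CrossViewReport:
    hidden: list     # seen by the clean boot, not reported by the live OS
    modified: list   # seen by both, but the content hash differs
    phantom: list    # reported by the live OS only (unusual; inspect it)


def parse_listing(text: str) -> dict:
    """Parse listing lines into {lower-cased path: FileEntry}.

    Paths are lower-cased because Windows file systems are
    case-insensitive, so 'NTDLL.DLL' and 'ntdll.dll' are the same file.
    """
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        path, size, digest = line.split("|")
        entries[path.lower()] = FileEntry(path, int(size), digest.lower())
    return entries


def cross_view_diff(live: dict, clean: dict) -> CrossViewReport:
    """Compare the live (inside-OS) view against the clean (offline) view."""
    hidden = sorted(p for p in clean if p not in live)
    phantom = sorted(p for p in live if p not in clean)
    modified = sorted(
        p for p in clean if p in live and clean[p].digest != live[p].digest
    )
    return CrossViewReport(hidden, modified, phantom)


# --- constructed sample listings; not captured from any real machine ---
LIVE_LISTING = r"""
# taken from inside the running OS; a file-hiding rootkit filtered it
c:\windows\system32\ntdll.dll|733184|1111aaaa
c:\windows\system32\example_lib.dll|98304|2222bbbb
c:\windows\system32\drivers\tcpip.sys|360448|3333cccc
"""

CLEAN_LISTING = r"""
# taken after booting from the clean CD and mounting the same disk
c:\windows\system32\ntdll.dll|733184|1111aaaa
c:\windows\system32\example_lib.dll|98304|9999ffff
c:\windows\system32\drivers\tcpip.sys|360448|3333cccc
c:\windows\system32\drivers\example_hidden.sys|20480|4444dddd
"""


def report_from_samples() -> CrossViewReport:
    """Run the diff over the constructed listings above."""
    return cross_view_diff(parse_listing(LIVE_LISTING), parse_listing(CLEAN_LISTING))


if __name__ == "__main__":
    report = report_from_samples()
    for label, paths in (("hidden", report.hidden),
                         ("modified", report.modified),
                         ("phantom", report.phantom)):
        print(f"{label}: {paths if paths else 'none'}")
```

The same diff works for any enumeration a rootkit might filter (process lists, registry keys, open ports), as long as one side of the comparison comes from a vantage point the rootkit cannot hook. It inherits the limitation the article notes for the report's technique: a rootkit that hides nothing on disk, and only intercepts system calls in memory, leaves both file listings identical.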
The company is believed to be working on a more comprehensive Rootkit-detection tool, but at least one rival, Finland-based F-Secure, has beaten them to it. Set for announcement at this week’s CeBIT computer show, the new program, BlackLight, is claimed to be able to stop all Rootkits, no matter how sophisticated and stealthy their design. Security consultant Patrik Ranald is naturally cagey when it comes to explaining how the software achieves this, but is clear about what has driven the increasing sophistication of the phenomenon. “Ordinary anti-virus programs aren’t able to stop such Rootkits,” he says. “There are financial gains from this. There are now companies who are able to put resources into.”
According to Ranald, Rootkits are the result of organised criminal involvement, and because they are the next wave of malware, every anti-virus company will be forced to counter them in the near future. Currently almost none do. Longer term, Ranald says that BlackLight will be integrated into the company’s mainstream anti-virus protection software as another standard feature, so its life as a standalone product is likely to be short. From March 10th onwards, a trial beta download will be made available here.
What’s extraordinary is that more anti-virus companies haven’t thought through the marketing potential of doing what F-Secure has managed to do, but that is bound to change. This could turn out to be the year the discredited idea of stealth attacks is once again taken seriously.