Rootkits: Invisible Assault on Windows
These clever attacks are not new, but they pose a growing threat to Windows PCs.
Scott Spanbauer
From the June 2005 issue of PC World magazine
According to Microsoft, a type of malware common to
Unix-based computers is now becoming more common and more sophisticated in the Windows world. The Trojan-horse-like programs--called rootkits--are extremely hard to detect and can grant a hacker complete control over your PC. Microsoft first warned of them at a security conference in February. Then utility vendor Sysinternals released a rootkit detector called RootkitRevealer, and antivirus vendor F-Secure launched a beta of Blacklight, a rootkit detector and remover that it plans to build into upcoming versions of its security products.
Like Trojan horse programs, rootkits install themselves by exploiting flaws in your PC's network security or by piggybacking onto e-mail messages or downloaded programs. They often open back doors for their remote puppet masters, who may be looking for credit card numbers, a broadband-connected spamming platform, or the simple thrill of the hack. But unlike standard Trojan horses, rootkits infiltrate the operating system at a deeper level, using security privileges to better hide themselves.
Detection Work
Like detecting viruses and worms, trapping rootkits is a cat-and-mouse game. Shortly after F-Secure released Blacklight, the author of a rootkit called Hacker Defender posted a video demonstrating a new version of his rootkit defeating Blacklight and several other defensive tools, including RootkitRevealer.
Since rootkits can work with spyware, viruses, and other malware in blended threats, security vendors are sharpening the tools they'll need for detecting them. According to Russ Cooper, who founded and moderates the NTBugtraq newsletter, looking for the kinds of techniques that rootkits use is a good idea. But Cooper doesn't think that rootkit infections are on the rise. "Rootkits are no more prevalent now than they've ever been," he believes. And as for rootkit removal tools, Cooper remarks that "only a person with very little knowledge would try to remove a rootkit," adding that the one certain cure is to wipe the hard disk and reinstall the OS. Mikko Hypponen, F-Secure's director of antivirus research, mostly concurs with Cooper, but points out that Blacklight can address situations where no known good backup is available.
Rootkit detectors and antivirus programs will continue to look for ways to outhack the hackers. But for now, standard security tools such as a good firewall and up-to-date antivirus protection are the best defense against rootkits.
Linear Mode
