How to beat the rootkit
(19/04/2007)
The nature of the ‘Rootkit’ Beast
If you, or your clients, use a computer to browse the internet, open emails or instant messages, or to download files or programs, you are at risk of infection. And one of the most dangerous and prevalent types of infection today is the rootkit.
A rootkit is a collection of tools that gives an attacker privileged (“root” or administrator-level) access to a computer or network and, above all, keeps that access hidden. The techniques themselves are not inherently bad, but they are what makes a rootkit dangerous: it is often used to conceal utilities such as “backdoors” through which an attacker re-enters a system unnoticed, and it serves as a platform for spyware, Trojans, phishing software and other malware.
Rootkits became a hot topic in autumn 2005 when it was revealed that Sony BMG was secretly distributing rootkit software on music CDs. Sony BMG had included the rootkit as part of its digital rights management initiative in an attempt to prevent CD copying, and the software was installed automatically on Windows PCs when customers played the CDs. The copy-protection driver cloaked any file, process or registry key whose name began with the prefix “$sys$”, which opened a security hole: any malware that adopted the same prefix was hidden from the user and from security software too. Subsequently, lawsuits were filed and Sony BMG recalled the affected CDs.
The most common payloads carried by rootkits are spyware and keystroke loggers, and rootkits are also a launching pad for worms and viruses. Their biggest danger is that they can give a remote user full control over an infected computer. Whereas a virus or spyware program is generally designed to do only a few things, a rootkit offers control of almost any function of the machine, and with it an almost unlimited potential for mischief.
One of the problematic characteristics of rootkits is that some types bind themselves very tightly to the operating system - so tightly, in fact, that from inside the running system they are extremely difficult to detect. Conventional anti-spyware and anti-virus programs struggle in this situation because they rely on the operating system for information (directory listings, the process list, the registry), and a kernel rootkit that has hooked those very calls can filter itself out of every answer.
This has created some hysteria, with reports saying that rootkits are impossible to remove and that the only way to get rid of them is to reformat the disk drive and reinstall all software. While some rootkits can be very insidious, many can be detected by shutting down the computer and restarting from a clean bootable disk: the rootkit’s hooks are not loaded, so a scan of the hard drive sees the files it was hiding.
One approach to beating the rootkit holds that it is faster to back up your files and reformat the computer, but that is an extreme solution. A variety of freeware and open source rootkit detectors is available, but they are not completely effective. Free rootkit detectors are typically updated less often than commercial products and do not scan the machine in real time, only when manually run, so the window of exposure is longer. The commercial vendors best equipped to tackle the rootkit problem are those with extensive experience in spyware detection and removal, because rootkits are so often used as a platform for spyware.
A good rootkit detection and removal program needs to use multiple vectors to identify a problem - looking for erratic behaviour alone is not enough. It should also have an up-to-date list of newly identified rootkits so that newcomers cannot slip in under the radar, which is one reason it is so important for users to keep their signature files current. Also, it is important to remember that not all rootkit-style software is malicious: the same cloaking techniques are used by some legitimate products. The software needs to discriminate between benign and malicious rootkits, as the user does not want a detector that removes every violator it finds.
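The detection vector that does not depend on the operating system telling the truth is the cross-view comparison: take the same inventory twice, once through the normal API and once through a path the rootkit’s hooks do not cover, and diff the two. The script below is an added example written for this page; it is not code from the original article or from Webroot’s products. The file listing and the “$sys$” cloaking filter are constructed sample data standing in for a hooked directory-listing API; the live collectors assume a Linux /proc filesystem and go beyond the file case in the text by applying the same comparison to the process list.

```python
"""Cross-view rootkit detection (added example, not from the original article).

A rootkit usually hides by filtering the answers the OS gives to enumeration
calls (directory listings, the process list, registry keys).  Cross-view
detection collects the same inventory twice, once through the normal API and
once through a path the hook does not control, and diffs the two.  Entries
that appear only in the low-level view are being concealed.
"""
import os
import sys


def cross_view_diff(api_view, raw_view):
    """Compare two inventories of the same objects.

    Returns (hidden, ghosts): items only in the raw view (concealed from the
    API) and items only in the API view (reported but not really there).
    """
    api, raw = set(api_view), set(raw_view)
    return sorted(raw - api), sorted(api - raw)


# Constructed sample: a cloaking filter of the kind the Sony BMG XCP rootkit
# used, which suppressed every name beginning with "$sys$" from listings.
RAW_LISTING = ["aries.sys", "$sys$aries.sys", "$sys$dropper.exe", "notes.txt"]


def cloaked_listing(names):
    """What a hooked directory-listing API would return (assumed behaviour)."""
    return [n for n in names if not n.startswith("$sys$")]


def hidden_files():
    """Names the cloaked API drops from RAW_LISTING."""
    hidden, _ = cross_view_diff(cloaked_listing(RAW_LISTING), RAW_LISTING)
    return hidden


# Live collectors for Linux.  The raw view asks the kernel about every PID with
# kill(pid, 0), as the `unhide` tool does, so a hook on readdir("/proc") cannot
# remove a process from it.
def pids_from_proc():
    """High-level view: what a directory listing of /proc reports."""
    return {int(n) for n in os.listdir("/proc") if n.isdigit()}


def thread_group_of(tid):
    """kill() also accepts thread IDs, so map each hit to its process (Tgid).

    If the kernel says the ID exists but /proc refuses to show it, return the
    ID itself: that discrepancy is exactly what we are hunting.
    """
    try:
        with open(f"/proc/{tid}/status") as f:
            for line in f:
                if line.startswith("Tgid:"):
                    return int(line.split()[1])
    except OSError:
        pass
    return tid


def pids_by_probing(max_pid=None):
    """Low-level view: brute-force every PID up to the kernel's pid_max."""
    if max_pid is None:
        with open("/proc/sys/kernel/pid_max") as f:
            max_pid = int(f.read())
    found = set()
    for pid in range(1, max_pid + 1):
        try:
            os.kill(pid, 0)
        except ProcessLookupError:
            continue
        except PermissionError:
            pass  # the process exists, it is just not ours to signal
        found.add(thread_group_of(pid))
    return found


def hidden_processes():
    """PIDs the kernel acknowledges but the /proc listing does not show.

    The listing is taken before and after the probe so a process that merely
    started or exited during the scan is not reported as hidden; a very
    short-lived process can still slip through, so re-run to confirm a hit.
    """
    before = pids_from_proc()
    probed = pids_by_probing()
    after = pids_from_proc()
    hidden, _ = cross_view_diff(before | after, probed)
    return hidden


if __name__ == "__main__":
    print("cloaked names:", hidden_files())
    if sys.platform.startswith("linux"):
        print("PIDs hidden from /proc:", hidden_processes())
```

Running the script from a clean boot disk, as the article suggests, is the strongest form of the same idea: with no hooks loaded, the “raw” view is simply the disk itself. On a live system the brute-force probe is slow (pid_max can be in the millions) and needs no root privileges, but a rootkit that also hooks kill() or the /proc status files defeats it, which is why detectors combine several such vectors rather than relying on one.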
Article contributed by Daniel Mothersdale, Marketing Director, EMEA, Webroot Software