[ISN] RSA: Microsoft on 'rootkits': Be afraid, be very afraid
isn at c4i.org
Fri Feb 18 04:29:42 EST 2005
By Paul Roberts
FEBRUARY 17, 2005
IDG NEWS SERVICE
Microsoft Corp. security researchers are warning about a new
generation of powerful system-monitoring programs, or "rootkits," that
are almost impossible to detect using current security products and
could pose a serious risk to corporations and individuals.
The researchers discussed the growing threat posed by kernel rootkits
at a session at the RSA Security Conference in San Francisco this
week. The malicious snooping programs are becoming more common and
could soon be used to create a new generation of mass-distributed
spyware and worms.
With names like "Hacker Defender," "FU" and "Vanquish," the programs
are the latest generation of remote system-monitoring software that
has been around for years, according to Mike Danseglio and Kurt
Dillard, both of Microsoft's Security Solutions Group.
The programs are used by malicious hackers to control, attack or
ferret information from systems on which the software has been
installed, typically without the owner's knowledge, either by a virus
or after a successful hack of the computer's defenses, they said. Once
installed, many rootkits run quietly in the background but can easily
be spotted by looking for memory processes that are running on the
infected system, monitoring outbound communications from the machine,
or checking for newly installed programs.
However, kernel rootkits that modify the kernel component of an
operating system are becoming more common. Rootkit authors are also
making huge strides in their ability to hide their creations, said
In particular, some newer rootkits are able to intercept queries or
"system calls" that are passed to the kernel and filter out queries
generated by the rootkit software. The result is that typical signs
that a program is running, such as an executable file name, a named
process that uses some of the computer's memory, or configuration
settings in the operating system's registry, are invisible to
administrators and to detection tools, said Danseglio.
The increasingly sophisticated rootkits and the speed with which
techniques are migrating from rootkits to spyware and viruses may be
the result of influence from organized online criminal groups that
value stealthy, invasive software, said Dillard.
One rootkit, called Hacker Defender, released about a year ago, even
uses encryption to protect outbound communications and can piggyback
on commonly used ports such as TCP Port 135 to communicate with the
outside world without interrupting other applications that use that
port, he said.
The kernel rootkits are invisible to many detection tools, including
antivirus, host and network intrusion-detection sensors and
antispyware products, the researchers said. In fact, some of the most
powerful tools for detecting the rootkits are designed by rootkit
authors, not security companies, they said.
There are few strategies for detecting kernel rootkits on an infected
system, especially because each rootkit behaves differently and uses
different strategies to hide itself.
It is sometimes possible to spot kernel rootkits by examining infected
systems from another machine on a network, said Dillard. Another
strategy to spot kernel rootkits is to use Windows PE, a stripped-down
version of the Windows XP operating system that can be run from a
CD-ROM, to boot a computer and then compare the profile of the clean
operating system to the infected system, according to Dillard and
Microsoft researchers have developed a tool called Strider GhostBuster
that can detect rootkits by comparing clean and suspect versions of
Windows and looking for differences that may indicate that a kernel
rootkit is running, according to a paper published by Microsoft
The only reliable way to remove kernel rootkits is to completely erase
an infected hard drive and reinstall the operating system from
scratch, Danseglio said.
Although rootkits are not unique to Windows, the popular operating
system is a rich target and makes it easy for malicious hackers to
disguise the presence of such programs, according to Jonathan Levin of
Symantec Corp.'s @stake division, who attended the presentation at the
The operating system's powerful application programming interfaces
make it easy to mask behaviors on the system. Microsoft's Internet
Explorer Web browser is also a frequent avenue for malicious hackers,
viruses and worms that could drop a rootkit on a vulnerable Windows
system, Levin said.
Better tools could be built to detect the current crop of kernel
rootkits. However, rootkit authors are adept at spotting new detection
techniques and modifying their programs to slip around them, Danseglio
said. "These people are smart. They're very smart," he said.