[ISN] RSA: Microsoft on 'rootkits': Be afraid, be very afraid

InfoSec News isn at c4i.org
Fri Feb 18 04:29:42 EST 2005


By Paul Roberts
FEBRUARY 17, 2005 

Microsoft Corp. security researchers are warning about a new 
generation of powerful system-monitoring programs, or "rootkits," that 
are almost impossible to detect using current security products and 
could pose a serious risk to corporations and individuals. 

The researchers discussed the growing threat posed by kernel rootkits 
at a session at the RSA Security Conference in San Francisco this 
week. The malicious snooping programs are becoming more common and 
could soon be used to create a new generation of mass-distributed 
spyware and worms. 

With names like "Hacker Defender," "FU" and "Vanquish," the programs 
are the latest generation of remote system-monitoring software that 
has been around for years, according to Mike Danseglio and Kurt 
Dillard, both of Microsoft's Security Solutions Group. 

The programs are used by malicious hackers to control, attack or 
ferret information from systems on which the software has been 
installed, typically without the owner's knowledge, either by a virus 
or after a successful hack of the computer's defenses, they said. Once 
installed, many rootkits run quietly in the background but can easily 
be spotted by examining the processes running in memory on the 
infected system, monitoring outbound communications from the machine, 
or checking for newly installed programs. 

However, kernel rootkits that modify the kernel component of an 
operating system are becoming more common. Rootkit authors are also 
making huge strides in their ability to hide their creations, said 

In particular, some newer rootkits are able to intercept the queries, or 
"system calls," that are passed to the kernel and filter out of the 
results anything relating to the rootkit software. The result is that typical signs 
that a program is running, such as an executable file name, a named 
process that uses some of the computer's memory, or configuration 
settings in the operating system's registry, are invisible to 
administrators and to detection tools, said Danseglio. 

The increasingly sophisticated rootkits and the speed with which 
techniques are migrating from rootkits to spyware and viruses may be 
the result of influence from organized online criminal groups that 
value stealthy, invasive software, said Dillard. 

One rootkit, called Hacker Defender, released about a year ago, even 
uses encryption to protect outbound communications and can piggyback 
on commonly used ports such as TCP Port 135 to communicate with the 
outside world without interrupting other applications that use that 
port, he said. 

The kernel rootkits are invisible to many detection tools, including 
antivirus, host and network intrusion-detection sensors and 
antispyware products, the researchers said. In fact, some of the most 
powerful tools for detecting the rootkits are designed by rootkit 
authors, not security companies, they said. 

There are few strategies for detecting kernel rootkits on an infected 
system, especially because each rootkit behaves differently and uses 
different strategies to hide itself. 

It is sometimes possible to spot kernel rootkits by examining infected 
systems from another machine on a network, said Dillard. Another 
strategy to spot kernel rootkits is to use Windows PE, a stripped-down 
version of the Windows XP operating system that can be run from a 
CD-ROM, to boot a computer and then compare the profile of the clean 
operating system to the infected system, according to Dillard and 

Microsoft researchers have developed a tool called Strider GhostBuster 
that can detect rootkits by comparing clean and suspect versions of 
Windows and looking for differences that may indicate that a kernel 
rootkit is running, according to a paper published by Microsoft 

The only reliable way to remove kernel rootkits is to completely erase 
an infected hard drive and reinstall the operating system from 
scratch, Danseglio said. 

Although rootkits are not unique to Windows, the popular operating 
system is a rich target and makes it easy for malicious hackers to 
disguise the presence of such programs, according to Jonathan Levin of 
Symantec Corp.'s @stake division, who attended the presentation at the 
RSA conference. 

The operating system's powerful application programming interfaces 
make it easy to mask behaviors on the system. Microsoft's Internet 
Explorer Web browser is also a frequent avenue for malicious hackers, 
viruses and worms that could drop a rootkit on a vulnerable Windows 
system, Levin said. 

Better tools could be built to detect the current crop of kernel 
rootkits. However, rootkit authors are adept at spotting new detection 
techniques and modifying their programs to slip around them, Danseglio 
said. "These people are smart. They're very smart," he said. 
