Layered IT security prevents rootkits

Rootkits do not signal impending doom for corporate IT, but companies need to keep up their defences as the malware tools begin to spread, experts say.

The best way to deal with rootkits is to prevent infection in the first place — which is easier said than done. Besides maintaining traditional layers of security — firewalls, anti-virus software and patching — experts recommend locking down desktops to control software installation and operating system manipulation.

“Rootkits are not an end-of-the-world situation,” says Rob Murawski, a member of the technical staff in the U.S. Computer Emergency Response Team (CERT) Coordination Center. “But it is an arms race between those that create rootkits and those that create detectors.”

And that race is reaching a fever pitch. The number of rootkit attacks reported to McAfee labs in the first quarter of 2006 was up 700 per cent compared with the same period in 2005, McAfee says.

A rootkit is malware that slips into a system and hides, and gives no indication that the system has been compromised. It can be used for any number of misdeeds, such as installing backdoors that can be used for remote access by hackers, or allowing a machine to be used as a staging point for attacks on other systems, according to CERT. Rootkits also can discover that security tools are looking for them and dodge detection.

While traditional malware tries to wreak as much havoc as possible, rootkits are being used to aim at focused targets, such as banks.

“What we’ve seen with rootkits is the transition from the notoriety-type virus writer to the for-profit virus writer,” says David Frazer, director of technologies for F-Secure, which develops an anti-rootkit tool called Blackight. “The more professional-type malware writers have R&D. They have external funding.”

Those efforts are producing custom rootkits with unique signatures that can’t be discovered by automatic detection tools, such as Hacker Defender, that use documented profiles of well-known rootkits. Last year, the University of Connecticut found a rootkit that had been in its network for two years. The university said no data was compromised because the rootkit failed to install properly.

“The stakes are raised in this cat-and-mouse game,” says Mark Russinovich, chief software architect for Windows management vendor Winternals Software. There is now a lot of funding behind the creation of malicious code, he says, “making it lucrative to come up with innovative ways of delivering malware and keeping it on people’s machines.”

Russinovich is the developer of RootKitRevealer, one of the top rootkit detection tools, but he admits the tool is not a cure-all and that if users suspect they have a rootkit “they should run every rootkit detector they can get their hands on.”

While many rootkit detection tools are emerging, the stealth of rootkits makes discovery and eradication daunting, experts say.

In April 2000, CERT published a list of options for getting rid of rootkits, including backing up data, wiping hard drives clean and starting over with a fresh installation of an operating system.

Microsoft officials raised eyebrows a week ago at the annual InfoSec security conference by endorsing “wipe and restart” as a solution to the problem. Users who have tried to remove rootkits say starting over fresh is the most cost-effective remedy.

Winternals’ Russinovich, however, says there is no reason to panic.

“What we have to do is deploy the tools that are available and implement best practices in the security space to keep those machines clean.”

QuickLink: 068029

Would you recommend this article?

Share

Thanks for taking the time to let us know what you think of this article!
We'd love to hear your opinion about this or any other story you read in our publication.


Jim Love, Chief Content Officer, IT World Canada

Featured Download

Featured Articles

Cybersecurity in 2024: Priorities and challenges for Canadian organizations 

By Derek Manky As predictions for 2024 point to the continued expansion...

Survey shows generative AI is a top priority for Canadian corporate leaders.

Leaders are devoting significant budget to generative AI for 2024 Canadian corporate...

Related Tech News

Tech Jobs

Our experienced team of journalists and bloggers bring you engaging in-depth interviews, videos and content targeted to IT professionals and line-of-business executives.

Tech Companies Hiring Right Now