Stealthy, remote system access programs called “rootkits” could fuel the next big wave of malicious code, and are already beginning to influence the design of new Internet worms and viruses, according to security experts. Now security software companies are sitting up and taking notice, releasing software that can spot and remove rootkits from infected systems.
In recent weeks a handful of companies, including antivirus company F-Secure Corp., Sana Security Inc. and the free-software site Sysinternals, released products they claim can ferret out kernel rootkit programs that manipulate Microsoft Corp.’s Windows operating system and evade security software. But the buzz about rootkits may be overblown, according to one leading malicious code expert, who says that the powerful programs, while dangerous, will never become as widespread as current viruses, worms or spyware.
Rootkits are malicious programs that are designed to be invisible, often replacing core operating system functionality with a version of the same functionality that provides remote attackers with a back door into compromised systems, said Al Huger, senior director of engineering at Symantec Corp. Kernel rootkits have been around since 1994, when the first “proof of concept” program was developed that evaded detection by loading and hiding in the Solaris kernel, or core processing center, he said.
While they’re not new, rootkits have been the focus of increased energy and attention in underground malicious code-writing communities, and have begun to influence more common threats, such as e-mail viruses and worms, said Mikko Hypp