Ever felt like your IT system is not quite behaving as it should be, but all your anti-virus and detection tools come out clean?
There’s a high probability that the root of your IT evils is a rootkit. Rootkit is a cloaking tool that can hide files and directories, registry keys and other system objects and can evade most currently available detection tools, according to Brian Bourne, president of Toronto-based IT security firm CMS Consulting. Bourne was a speaker in a rootkit symposium at the InfoSecurity Canada conference held in Toronto last month.
A rootkit installed in a system remains dormant, but it can help an attacker maintain access to the system. As it gets “weaponized” and allows a hacker to gain full access and control of the network, it becomes a real danger, said Bourne. Using rootkit, a hacker can obtain confidential information for financial gains, or use network resources to send out spam e-mails.
Rootkit has created opportunities for virus writers by taking parts of rootkit technology so viruses become “much more stealthy and much more difficult to detect,” Bourne said.
Rootkit needs administrator access to enable a hacker to perform malicious deeds, so the objective is to install it on the administrator’s desktop, explained Bourne. And installing a rootkit can be done through some form of social engineering tactics or through a vulnerability exploit, he added.
Hackers may not be the only ones that have found use for rootkit technology. A class-action lawsuit was launched last year against record firm Sony-BMG for the undisclosed “content protection software” installed on several of its music CDs.
In an open letter to Sony-BMG, the Electronic Frontier Foundation (EFF) expressed concern over the inclusion of the XCP Protection Software on a number of Sony-BMG’s music CD releases, which EFF said “appears to have been designed to have many of the qualities of a rootkit.”
While denying the allegations, Sony-BMG has proposed settlement with the claimants, according to the company’s Web site. Bourne suggested some “well-known but not well-practiced” defenses against rootkits.
“The best defense against the rootkit is not to let it get [into your system] in the first place,” he said.
He recommended locking down desktops, including disabling autorun functions to prevent users from installing any software on the desktop.
A higher level of protection should be enforced on the administrator’s workstation as it enjoys access to all areas of the network, he added.
While it is generally difficult to detect a rootkit, there are a few commercially available detection tools that can be successful, in one way or another, in detecting rootkits.
Based on tests conducted by CMS, some of the more effective rootkit detectors are F-Secure Blacklight, GMER, Rootkit Revealer and IceSword.
Bourne cautioned, however, that “none of the detection tools are what I’ll call ready for primetime. Some of [the detection tools] were even less stable than the rootkit itself.”