Hidden and Off the Radar, Rootkit Threat Grows

Carl Weinschenk

Rootkits, code that hides its own presence (and often that of other malware) from the operating system and from security software, are still posing big problems, according to this Dark Reading piece. The story reports on test results released this week by AV-Test.org. The German organization looked at 30 active rootkits and 30 pieces of malware using rootkit techniques. The story has lots of numbers. The bottom line is that AV-Test found that security suites and Web scanners detected little more than half of all rootkits. The leading vendors were Avira AntiVir Premium Security Suite and BitDefender's Internet Security Suite 2008 11.0.13.


Most rootkits are written for Windows and are aimed at key logging and installing backdoors. Sebastian Muniz, a researcher from Core Security Technologies, claims to have written a rootkit for the Internetworking Operating System (IOS) used by Cisco routers.


If so, this is a significant and unwelcome event, since IOS runs on about two-thirds of deployed routers. Unlike earlier malware written for IOS, Muniz claims his rootkit works on several versions of the OS. The rootkit doesn't break into the router on its own, so a separate delivery mechanism is necessary, but once installed it can monitor and control the router, the story says.

Threats from rootkits show no signs of abating. Hopefully, the new rootkit reported on in this PC World story isn't quite as dangerous as it sounds to a non-engineer. It likely is, however. The System Management Mode (SMM) rootkit runs in a region of the PC's memory that the processor locks away from, and keeps invisible to, the OS. It can give attackers a view into the computer's memory, the story says. Built by two researchers from Clear Hat Consulting, the rootkit has keystroke-logging capabilities and can communicate with outside computers, presumably to transmit the information it finds.


Last month, McAfee said that a rootkit is being used to hide keystroke-logging software on machines running Windows. The infection occurs while users watch what purports to be a pro-Tibet video making fun of Chinese gymnasts. Meanwhile, Network World reports that Srizbi has become the biggest botnet, responsible for more than half of all spam. The malware uses a rootkit to hide itself, the piece says, and is suspected of being capable of uninstalling other rootkits.


In March, CXOtoday described Mebroot, a rootkit that writes itself into the Master Boot Record (MBR), the first physical sector of the hard drive, which the BIOS loads and executes when a machine first begins to boot. Because it runs before the operating system, Mebroot leaves no record in the registry and doesn't need to modify any file. It is, according to F-Secure, perhaps the stealthiest malware available.
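Because an MBR rootkit of this kind touches neither files nor the registry, the practical check is to read the first 512-byte sector raw and compare its bootstrap code against a known-good baseline. The following Python is an added example, not code from the original post or from F-Secure: it parses the MBR layout (446 bytes of boot code, a 64-byte partition table of four 16-byte entries, and the 0x55AA signature), hashes the boot code and partition table separately, and reports when the boot code has changed while the partition table is intact, which is the pattern a boot-sector infector like Mebroot leaves. The sample sectors are constructed in the script; the function and field names are this example's own.

```python
import hashlib
import struct
from typing import Dict, List

SECTOR_SIZE = 512
BOOT_CODE_LEN = 446        # bytes 0..445: bootstrap code run by the BIOS
PART_TABLE_OFF = 446       # four 16-byte partition entries follow the code
MBR_SIG_OFF = 510          # last two bytes must be 0x55 0xAA
PART_ENTRY_FMT = "<B3sB3sII"  # status, CHS start, type, CHS end, LBA start, sector count


def build_sample_mbr(boot_code: bytes) -> bytes:
    """Construct a 512-byte MBR for this example (constructed data, not a real disk)."""
    code = boot_code.ljust(BOOT_CODE_LEN, b"\x00")[:BOOT_CODE_LEN]
    # One active (0x80) NTFS-type (0x07) partition starting at LBA 2048, 1 GiB long.
    entry = struct.pack(PART_ENTRY_FMT, 0x80, b"\0\0\0", 0x07, b"\0\0\0", 2048, 2097152)
    table = entry + b"\x00" * (16 * 3)
    return code + table + b"\x55\xAA"


def parse_mbr(sector: bytes) -> Dict:
    """Split a raw sector into boot code, partition entries and signature."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    boot_code = sector[:BOOT_CODE_LEN]
    table = sector[PART_TABLE_OFF:MBR_SIG_OFF]
    partitions = []
    for i in range(4):
        raw = table[i * 16:(i + 1) * 16]
        status, _, ptype, _, lba, count = struct.unpack(PART_ENTRY_FMT, raw)
        if ptype != 0:  # type 0 means an unused slot
            partitions.append({
                "index": i,
                "bootable": status == 0x80,
                "type": ptype,
                "lba_start": lba,
                "sectors": count,
            })
    return {
        "boot_code_sha256": hashlib.sha256(boot_code).hexdigest(),
        "table_sha256": hashlib.sha256(table).hexdigest(),
        "signature_ok": sector[MBR_SIG_OFF:] == b"\x55\xAA",
        "partitions": partitions,
    }


def check_mbr(sector: bytes, baseline: Dict) -> List[str]:
    """Compare a sector against a baseline from parse_mbr(); empty list means clean."""
    info = parse_mbr(sector)
    findings = []
    if not info["signature_ok"]:
        findings.append("missing 0x55AA boot signature")
    if info["boot_code_sha256"] != baseline["boot_code_sha256"]:
        if info["table_sha256"] == baseline["table_sha256"]:
            # Code replaced but partitions untouched: the typical MBR-rootkit footprint.
            findings.append("boot code replaced, partition table intact (possible MBR rootkit)")
        else:
            findings.append("boot code and partition table both differ from baseline")
    if not any(p["bootable"] for p in info["partitions"]):
        findings.append("no active partition")
    return findings


if __name__ == "__main__":
    clean = build_sample_mbr(b"\xeb\x3c\x90CLEAN-BOOTCODE")
    baseline = parse_mbr(clean)
    infected = build_sample_mbr(b"\xeb\x3c\x90PATCHED-BOOTCODE")  # same table, new code
    print("clean:", check_mbr(clean, baseline))
    print("infected:", check_mbr(infected, baseline))
```

On a real machine the sector comes from `open("/dev/sda", "rb").read(512)` on Linux or `\\.\PhysicalDrive0` on Windows, with the baseline hashes recorded when the system was known clean. One caveat matters more than the code: a rootkit that is already running in the kernel can filter disk reads and hand back the original sector, so this check is only trustworthy when run from boot media or against an image taken with the suspect system powered off.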


The dangers are resonating throughout the industry. Last month, for instance, Comodo released software designed to test whether security software is stopping real-world threats, including rootkits. In March, Beta News reported that Microsoft purchased its second company aimed at fighting the threat. The company, Komoku, was founded in 2004 and has worked extensively with the Department of Defense and the Department of Homeland Security, the story says. Its products are hardware- and software-based and geared toward large enterprises. Microsoft's first such purchase was Winternals/Sysinternals, maker of the RootkitRevealer tool, in 2006.
