Beware the Rootkit, No Matter the Seemingly Small Chance of Infection


Rootkits are back in the news, after Trend Micro reported this week that it had found a potentially dangerous, if not definitely malicious, rootkit buried in Enterprise Information Security software. The unnamed Chinese vendor that created the rootkit also apparently offered it as an OEM solution, reports heise online. And of course, last month, headlines were full of stories about the so-called Obama virus, which took advantage of intense interest in political goings-on to take users to a Web site built to place a rootkit into victims' machines after they opened an infected e-mail.


Once installed on a system without the user's knowledge, a rootkit goes to work giving someone else administrator access to that system or installing further malware, and from there it can potentially steal personal user information.


Some researchers don't think that rootkits are even a problem. Symantec recently stated that they make up less than 1 percent of the attacks that the company is currently seeing and are mostly a problem on UNIX operating systems. However, a researcher from Phion, an Australian security company, found a flaw in the Vista operating system that makes it vulnerable to a rootkit attack. A request to a certain API causes a buffer overflow and could allow a malicious code injection attack.


There are at least five kinds of rootkit that can infect your system: firmware, hypervisor, kernel, library and application-level kits. Some of the more common rootkits that target Windows include AFX, Vanquish, HackDefender, SubSeven and NetBus. Linux is prone to rootkit attack as well; Adore, Phalanx, Knark and Rootkit 5 are just a few of the rootkits that target that operating system.


Many applications are available for detecting and removing rootkits from Windows operating systems, including RootkitRevealer, RUBotted and GMER. For Linux, there are many open source solutions, including Chkrootkit, Rootkit Hunter and rkdet. I prefer RootkitRevealer when working with Windows because it requires a manual lookup of the suspected file. This will help to eliminate the chance of removing an API or device driver.
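The detectors named above work by comparing two views of the same system, one taken through the normal operating-system interfaces and one taken a level lower, and reporting anything that appears in only one of them. The Linux script below is an added illustration of that cross-view idea; it is not code from this article or from any of the tools mentioned. It lists the process table two ways, through the /proc directory listing that ps and top rely on and through a signal-0 probe of every possible PID, and then classifies each discrepancy so that ordinary threads and processes that exited mid-scan are not reported as hidden. It assumes a Linux host with /proc mounted; the sample PID sets and status text used to exercise it are constructed.

```python
"""Cross-view hidden-process check for Linux (added example, not from the page).

A rootkit that hides a process by filtering readdir() on /proc leaves the
process alive, so it still answers kill(pid, 0) but is missing from the
listing. Comparing the two views surfaces it; the classification step keeps
threads and exited processes from being mistaken for hidden ones.
"""
import os


def view_from_proc():
    """PIDs as listed by /proc (the view a rootkit typically tampers with)."""
    return {int(name) for name in os.listdir("/proc") if name.isdigit()}


def pid_alive(pid):
    """True if the kernel knows this PID. Signal 0 delivers nothing but still
    reports whether the target exists; EPERM means it exists but is not ours."""
    try:
        os.kill(pid, 0)
    except PermissionError:
        return True
    except OSError:  # ESRCH and anything else: treat as not alive
        return False
    return True


def view_from_probe(max_pid=None):
    """PIDs that answer the signal-0 probe, independent of readdir().
    Walks every PID up to pid_max, so it takes a few seconds on large systems."""
    if max_pid is None:
        try:
            with open("/proc/sys/kernel/pid_max") as fh:
                max_pid = int(fh.read())
        except (OSError, ValueError):
            max_pid = 32768  # assumption: historical default if unreadable
    return {pid for pid in range(1, max_pid + 1) if pid_alive(pid)}


def hidden_candidates(proc_view, probe_view):
    """PIDs alive according to the probe but absent from the /proc listing."""
    return sorted(probe_view - proc_view)


def read_status(pid):
    """Contents of /proc/<pid>/status, or None if it cannot be opened.
    A directory filtered from the listing is often still openable by name,
    which is itself useful evidence when examining a candidate."""
    try:
        with open(f"/proc/{pid}/status") as fh:
            return fh.read()
    except OSError:
        return None


def classify(pid, status_text, still_alive):
    """Explain why a candidate was missing from the /proc listing.

    'exited'  - gone by the time we re-checked (ordinary race, not suspicious)
    'thread'  - a non-leader thread; kill() accepts thread IDs but /proc lists
                only thread-group leaders, so these are expected
    'hidden'  - alive, and either its /proc entry is unreadable or it is a
                real process (Tgid == Pid) that readdir() did not show
    """
    if not still_alive:
        return "exited"
    if status_text is None:
        return "hidden"
    for line in status_text.splitlines():
        if line.startswith("Tgid:"):
            tgid = int(line.split()[1])
            return "thread" if tgid != pid else "hidden"
    return "hidden"


def scan():
    """Run the cross-view check on the live host and return the PIDs that are
    alive, absent from two /proc listings taken before and after the probe,
    and not merely threads. Anything returned still needs a manual look."""
    before = view_from_proc()
    probe_view = view_from_probe()
    after = view_from_proc()  # second listing removes processes spawned mid-scan
    findings = []
    for pid in hidden_candidates(before, probe_view):
        if pid in after:
            continue
        if classify(pid, read_status(pid), pid_alive(pid)) == "hidden":
            findings.append(pid)
    return findings


if __name__ == "__main__":
    for pid in scan():
        print(f"PID {pid}: not in /proc listing but alive - inspect before acting")
```

Run as root so that /proc/<pid>/status is readable for every candidate; otherwise an unreadable status file is indistinguishable from a hidden one. As with RootkitRevealer, the output is a list of discrepancies for a person to verify, not a removal decision, which is exactly the property that keeps a legitimate driver or service from being deleted on the strength of one anomaly.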


So is there cause for worry, or not? Well, yes. IT organizations, especially those that support financial clients, need to be careful of rootkits because personal data can be stolen and accounts put at risk. That has the potential to throw your support desk into crisis through increased call volume and your clients into a panic over possible personal data theft.