Rootkits Growing in Number and Sophistication


Microsoft's acquisition of Komoku both gives it new tools against rootkits and another entry point into the government market.


Komoku, according to this eWeek story on the acquisition, deals with the pernicious form of malware that burrows deep into target systems and, unlike traditional viruses, does a good job of hiding itself from detection. Komoku offers hardware- and software-based products called CoPilot and Gammna, respectively.


The story says that Microsoft aims to embed Komoku in its Forefront enterprise and Windows Live OneCare consumer products. The small company -- it has only nine employees -- was started with a Defense Advanced Research Projects Agency (DARPA) grant and has a strong position with many government agencies.


Rootkits are particularly frightening in that they do their dirty work without the victim's knowledge, so any advances crackers make in the field deserve close attention (a good description of what rootkits are and how they work is available from PandaSecurity here).


And, indeed, there seems to be news. The Register reports that a new Pandex Trojan disables previously installed Trojans and replaces them with its own rootkit, which Trend Micro calls Pushu-AC. The story, which certainly proves that the axiom about the lack of honor among thieves still is relevant, provides a history of battles between malware writers. The piece links to a more general series on the topic by Trend Micro.


Malware writers and distributors are notorious for quickly abandoning exploits once they stop working in favor of more fruitful approaches. By this logic, the thieves clearly see rootkits as a growth industry, so to speak. That means that IT managers and security forces are well advised to pay attention. According to CXO Today, PandaLabs says that it detected 272 percent more rootkits in 2007 than 2006.


Though it can reasonably be assumed that rootkits are increasing, that precise percentage perhaps should be taken with a grain of salt. The main theme of the story is that PandaLabs is getting better at detecting rootkits through its new collective intelligence model. Assuming that other security vendors also are improving their approaches -- Heise Security said last week that SpyBot Search&Destroy has added rootkit detection to its anti-spyware product -- the reality may be that some of the statistical increase is due to the fact that the industry simply is getting better at detecting them.


That's no reason to relax, however. Indeed, rootkit producers are becoming more aggressive. This post describes MBR (master boot record) rootkits. The idea is simple: the MBR holds the code that helps a PC find its operating system once it is switched on. By infecting at that point, the rootkit is invisible because it is up and running even before the operating system is. The post says that more than 5,000 infections have been noted in less than a month. The exploit can be successful on all versions of Windows. The piece -- which appears to excerpt another post or article but carries no attribution -- lists the names under which the major antivirus vendors refer to the exploit.
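Because an MBR rootkit lives in the boot code that runs before the operating system, one defensive check is to compare sector 0 against a known-good baseline. The following is an added example (not code from the post or from any vendor mentioned above) that parses the standard 512-byte MBR layout, hashes the 446-byte boot-code region and flags deviations from a baseline; the sample sectors are constructed in the script, not read from a real disk.

```python
import hashlib
import struct

MBR_SIZE = 512
BOOT_CODE_LEN = 446            # bytes 0..445 hold the boot loader code
PART_TABLE_OFF = 446           # four 16-byte partition entries follow
PART_ENTRY_LEN = 16
BOOT_SIG = b"\x55\xaa"         # bytes 510..511 must carry this signature

def parse_mbr(sector: bytes) -> dict:
    """Split a raw sector 0 into boot-code hash, partition table and signature flag."""
    if len(sector) != MBR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    parts = []
    for i in range(4):
        off = PART_TABLE_OFF + i * PART_ENTRY_LEN
        # status, 3 CHS bytes (skipped), type, 3 CHS bytes (skipped), LBA start, sector count
        flag, ptype, lba, count = struct.unpack_from("<B3xB3xII", sector, off)
        if ptype:  # type 0x00 marks an unused slot
            parts.append({"bootable": flag == 0x80, "type": ptype,
                          "lba_start": lba, "sectors": count})
    return {
        "boot_code_sha256": hashlib.sha256(sector[:BOOT_CODE_LEN]).hexdigest(),
        "partitions": parts,
        "signature_ok": sector[510:512] == BOOT_SIG,
    }

def check_mbr(sector: bytes, baseline_sha256: str) -> list:
    """Return a list of findings; an empty list means the sector matches the baseline."""
    info = parse_mbr(sector)
    findings = []
    if not info["signature_ok"]:
        findings.append("boot signature 0x55AA missing")
    if info["boot_code_sha256"] != baseline_sha256:
        findings.append("boot code differs from baseline")
    if sum(p["bootable"] for p in info["partitions"]) > 1:
        findings.append("more than one partition flagged bootable")
    return findings

def build_sample_mbr(boot_code: bytes) -> bytes:
    """Constructed sample sector for demonstration; not taken from any real machine."""
    code = boot_code.ljust(BOOT_CODE_LEN, b"\x90")          # pad boot code with NOPs
    entry = struct.pack("<B3xB3xII", 0x80, 0x07, 2048, 204800)  # one bootable NTFS-type entry
    table = entry + b"\x00" * (3 * PART_ENTRY_LEN)          # three unused slots
    return code + table + BOOT_SIG

GOOD_MBR = build_sample_mbr(b"\xfa\x33\xc0\x8e\xd0")
BASELINE = hashlib.sha256(GOOD_MBR[:BOOT_CODE_LEN]).hexdigest()
# Tampered copy: one byte of boot code changed, partition table left intact.
TAMPERED_MBR = GOOD_MBR[:3] + b"\xe9" + GOOD_MBR[4:]
```

The baseline hash should be captured from trusted media, since a rootkit already resident on a running system can filter what a sector read returns. Booting from clean external media and hashing sector 0 offline avoids that blind spot.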