Tuesday, May 03, 2005

Rootkits: The Ultimate Stealth Attack

Ever hear of a rootkit? It's a surreptitious program that is specifically designed to conceal its presence on your system, most likely toward some malicious end.

How does a rootkit evade detection? The answer is that it makes the operating system lie by intercepting calls to the system and modifying the results they send to programs. For example, when you are running a program—like Microsoft Windows Explorer—that displays the contents of a directory, that program is making calls to the operating system to retrieve the names of files in the directory. What if a program, running at a sufficiently low level, intercepted those calls, waiting and watching for the names of its own files so it could keep them out of the listing? It could even modify the total number of bytes the directory seems to use. And once it had accomplished its goal, it could go about its business, whatever that might be.

That is how rootkits work. For years, they were primarily aimed at UNIX systems. Now they're targeting Windows systems more frequently and, as with other malware, there's every reason to think that this will be where the action is from now on.

Rootkits have the potential to cause a lot of damage. Not only can they conceal their own files, they can also hide malware, such as viruses and spyware, written to work with them. The particularly scary thing about rootkits is that they're virtually invisible to users. Worse, they're invisible to traditional anti-virus programs, and easy-to-use tools for discovering their presence haven't been available.

Before you decide to turn your system off for good, however, remember that for a rootkit to run, it needs to find its way onto your system and then be executed. If you're not already being infected by viruses and Trojan horses all the time, you probably already have the sort of measures in place that would block most attempts to place a rootkit on your system.

On the other hand, it wouldn't do to be too complacent: Rootkits are growing ever more sophisticated and, once a rootkit is installed with sufficient rights on a trusted system, it can become a vector to compromise anything else on the network. Until now, detecting the presence of rootkits has been a labor-intensive task that required extensive low-level system knowledge. Luckily, new tools that ease the task of uncovering rootkits have recently been released.

These tools don't look for specific rootkits in the way that antivirus software looks for specific patterns of data to identify particular viruses. Instead, the tools scan a system for clues to the existence of rootkits.

Microsoft Research recently announced Strider GhostBuster (http://research.microsoft.com/rootkit/), which works by listing all the files on the system while it's running, then listing the contents of the same drives using a different operating system, and comparing the results. Files that show up only in the second copy, known as the "offline" listing, are suspicious.
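The cross-view comparison described above, written out as an added illustration (this is not GhostBuster's code and not from the original post). The two listings are constructed samples; the driver name and file sizes are placeholders chosen to exercise each branch of the check.

```python
"""Cross-view difference check: a file that appears in the offline
(clean-boot) listing of a volume but not in the listing taken from the
running system was hidden from the running system's file-enumeration
calls, which is exactly what a rootkit does to its own files."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Entry:
    path: str   # full path as reported by the listing tool
    size: int   # size in bytes as reported by the same tool


def normalise(path: str) -> str:
    """Windows paths are case-insensitive; compare on a canonical form."""
    return path.replace("/", "\\").rstrip("\\").lower()


def cross_view_diff(online, offline):
    """Return paths hidden from the online view (the real signal), paths
    present only online (files created after the offline snapshot; noise,
    not evidence) and paths whose reported size differs between views."""
    on = {normalise(e.path): e for e in online}
    off = {normalise(e.path): e for e in offline}
    hidden = sorted(p for p in off if p not in on)
    online_only = sorted(p for p in on if p not in off)
    size_mismatch = sorted(p for p in on.keys() & off.keys()
                           if on[p].size != off[p].size)
    return {"hidden": hidden, "online_only": online_only,
            "size_mismatch": size_mismatch}


# Constructed sample listings (not real scan output); EXAMPLE_HIDDEN.sys
# is a placeholder name, not a known rootkit component.
ONLINE = [
    Entry(r"C:\Windows\explorer.exe", 1032192),
    Entry(r"C:\Windows\System32\kernel32.dll", 983552),
    Entry(r"C:\Windows\System32\config\system.log", 262144),
    Entry(r"C:\Temp\new_after_snapshot.tmp", 10),
]
OFFLINE = [
    Entry(r"c:\windows\explorer.exe", 1032192),
    Entry(r"c:\windows\system32\kernel32.dll", 983552),
    Entry(r"c:\windows\system32\config\system.log", 393216),
    Entry(r"c:\windows\system32\drivers\EXAMPLE_HIDDEN.sys", 28672),
]

if __name__ == "__main__":
    for kind, paths in cross_view_diff(ONLINE, OFFLINE).items():
        print(kind, paths)
```

Only the "hidden" list is evidence of concealment; the online-only and size-mismatch lists need a second look before drawing conclusions, since files change between the two snapshots in normal operation.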

Other vendors have also come out with tools to detect rootkits. Sysinternals has one (www.sysinternals.com/ntw2k/freeware/rootkitreveal.shtml) called RootkitRevealer, and F-Secure has a beta tool called BlackLight (www.f-secure.com/blacklight). Both work at a very low system level to attempt to get to a point where they can detect the rootkit before it can intercept the operating-system functions.

Rootkits inspire fear, and some of that fear is justified. These tools, all free at least for now, are a welcome addition to our security arsenals.
