19 Oct 2005
Signalling a trend towards increased 'outsourcing' of some elements of malware creation, security experts are reporting a surge in the level of professionalism and commercialisation in the creation of so-called rootkits.
A rootkit is a tool that helps worm authors to slip past malware detection tools. The rootkit is 'wrapped around' the virus, and hides its payload from detection engines. After the rootkit has penetrated a system's defences, the worm can start doing its work.
Antivirus vendor F-Secure reported last week that it had detected a new rootkit designed to bypass detection by most of the modern rootkit detection engines.
Traditionally a rootkit would be designed to evade only one security product, such as Symantec's or F-Secure's antivirus scanners.
"The professionalism of these rootkits is coming to another level," said Allen Schimel, chief strategy officer at StillSecure, a developer of intrusion detection, vulnerability management and network access control applications.
"These rootkits just cranked it up a notch in their ability to evade multiple antivirus products."
Adding a rootkit to a virus increases its chances of avoiding detection because modern antivirus applications do not just look for specific code, but incorporate behavioural analysis to catch worms.
A rootkit can also help a worm to remain undetected even after antivirus vendors have created signatures to catch the malware.
Rootkits go back to the early days of computer hacking, as applications that open a backdoor into a user's system and allow the hacker to access the computer remotely.
Such a tool was useful because it enabled hackers to use the computer as a launch-pad for new break-ins, or to store sensitive information without leaving a trail back to the hacker.
Rootkits are also being identified by most malware detection applications, so rootkit creators constantly update their wares in an effort to stay ahead of their opponents.
Steps to Counter Infection
Ok, instead of commenting on this article, I would like to leave some information regarding security measures and software available to help deal with this problem. Take a look at: http://research.microsoft.com/rootkit/ where you will find various products available to help deal with possible rootkit compromise on your system. You might want to visit symantec.com and look at what they have as well. Overall, take the following precautions to maximize your protection against malicious code:
1. Install an antivirus product (Symantec, McAfee, F-Secure.....) and obtain updates every day (anti-virus signatures).
2. Always install security patches when they become available from your operating system provider (MS, Linux, etc...).
3. Patch all applications (e.g. MS Office...).
4. Don't run any services and/or protocols on your machine that you don't need (web server, database, ftp, tftp, smtp, ....).
These few steps will significantly tighten your risk for infection by malicious code.
Posted by: Kevin Stone 22 Oct 2005
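Step 4 of the list above (don't run services you don't need) is only actionable if you know what is actually listening. The script below is an added example, not code from the article or from any commenter: it parses the Linux /proc/net/tcp table, decodes the little-endian hex addresses, keeps only sockets in LISTEN state (0A) and reports every listener whose port is not on an allowlist. The sample table, the allowlist ({22}) and the uids are constructed for the demo; on a Linux host the `__main__` block reads the real file.

```python
"""Report listening TCP sockets that are not on an allowlist.

Added example (not from the article or its comments). Parses the Linux
/proc/net/tcp format directly so it works without netstat/ss installed.
Sample data below is constructed for the demo.
"""
from __future__ import annotations

import os
import socket
import struct

# Constructed /proc/net/tcp excerpt: sshd (22), ftp (21), httpd (80) on all
# interfaces, smtp (25) and mysql (3306) on loopback, plus one ESTABLISHED
# connection (state 01) that must be ignored.
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 18451 1 0000000000000000 100 0 0 10 0
   1: 00000000:0015 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 18460 1 0000000000000000 100 0 0 10 0
   2: 00000000:0050 00000000:0000 0A 00000000:00000000 00:00000000 00000000    33        0 19002 1 0000000000000000 100 0 0 10 0
   3: 0100007F:0019 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 19110 1 0000000000000000 100 0 0 10 0
   4: 0100007F:0CEA 00000000:0000 0A 00000000:00000000 00:00000000 00000000   112        0 19344 1 0000000000000000 100 0 0 10 0
   5: 0A00020F:0016 0A000201:C3A4 01 00000000:00000000 02:0004B2D9 00000000     0        0 20501 2 0000000000000000 20 4 30 10 -1
"""

TCP_LISTEN = "0A"          # socket state code for LISTEN in /proc/net/tcp
ALLOWED_PORTS = {22}       # constructed allowlist: only sshd is expected


def decode_ipv4(hex_addr: str) -> str:
    """Turn the 8-hex-digit local_address field into dotted quad.

    The kernel prints the address as a host-order 32-bit integer, so on
    little-endian machines the bytes appear reversed ("0100007F" is 127.0.0.1).
    """
    return socket.inet_ntoa(struct.pack("<I", int(hex_addr, 16)))


def parse_listeners(proc_net_tcp: str) -> list[tuple[str, int, int]]:
    """Return (bind_address, port, uid) for every socket in LISTEN state."""
    listeners = []
    for line in proc_net_tcp.splitlines()[1:]:      # first line is the header
        fields = line.split()
        if len(fields) < 8 or fields[3] != TCP_LISTEN:
            continue
        addr_hex, port_hex = fields[1].split(":")
        listeners.append((decode_ipv4(addr_hex), int(port_hex, 16), int(fields[7])))
    return listeners


def unexpected_listeners(proc_net_tcp: str, allowed_ports: set[int]) -> list[tuple[str, int, int]]:
    """Listeners whose port is not on the allowlist, in table order."""
    return [entry for entry in parse_listeners(proc_net_tcp) if entry[1] not in allowed_ports]


def demo_unexpected_listeners() -> list[tuple[str, int, int]]:
    """Run the check on the constructed sample."""
    return unexpected_listeners(SAMPLE_PROC_NET_TCP, ALLOWED_PORTS)


if __name__ == "__main__":
    for addr, port, uid in demo_unexpected_listeners():
        print(f"demo: unexpected listener {addr}:{port} (uid {uid})")
    if os.path.exists("/proc/net/tcp"):            # live check on a Linux host
        with open("/proc/net/tcp") as fh:
            for addr, port, uid in unexpected_listeners(fh.read(), ALLOWED_PORTS):
                print(f"live: unexpected listener {addr}:{port} (uid {uid})")
```

The same local_address encoding is used by /proc/net/udp (where an unconnected, bound socket shows state 07 rather than 0A, which is where a tftp daemon would appear), and /proc/net/tcp6 uses 32-hex-digit addresses that this parser does not decode; extend the state filter and the decoder before pointing it at those files. A flagged listener is a prompt to find the owning process and decide whether it belongs, not proof of compromise.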
Definition of "rootkit" inaccurate
A rootkit is not used as described in this article - at least not by every definition of the term I've ever seen. A rootkit is a "kit" that a script-kiddie, or sometimes a virus or worm, installs on a system to provide a back-door into the system - typically with elevated privileges (ie: "root" on a Unix system, hence the name). Rootkits have many forms, but the intent is the same: to mask their _own_ presence (not the presence of a virus) and to provide invisible entry into the system for the attacker. A rootkit _is_ the payload; the article describes it as being the opposite. For more info and tools used to scan for them (on Unix systems), see: http://www.rootkit.nl/ http://www.chkrootkit.org/
Posted by: Kevin 21 Oct 2005
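The scanners Kevin points to (chkrootkit, and rkhunter from rootkit.nl) rely in part on cross-view comparison: a rootkit that hides a process by filtering the /proc directory listing that `ps` reads may not also intercept a direct existence probe such as `kill(pid, 0)`, so a PID the probe confirms but the listing omits is worth a closer look. The following is an added example written for this page, not code from the article, from either scanner, or from any commenter. The demo PID sets are constructed; the `__main__` block also runs the check live where /proc exists.

```python
"""Cross-view check for hidden processes.

Added example, not from the article or its comments. Compares two views of
the process table: the /proc directory listing (the view ps uses) and a
brute-force probe of every PID with kill(pid, 0). PIDs that answer the probe
but are absent from the listing are reported as hidden. Demo data below is
constructed.
"""
from __future__ import annotations

import os
from typing import Callable, Iterable


def find_hidden_pids(listed: Iterable[int], probe: Callable[[int], bool],
                     pid_range: range) -> list[int]:
    """Return PIDs that the probe confirms exist but the listing view omits."""
    listed_set = set(listed)
    return sorted(pid for pid in pid_range if pid not in listed_set and probe(pid))


def list_proc_pids() -> list[int]:
    """Listing view: numeric directory names under /proc."""
    return [int(name) for name in os.listdir("/proc") if name.isdigit()]


def probe_pid_kill(pid: int) -> bool:
    """Probe view: signal 0 tests existence without delivering a signal."""
    try:
        os.kill(pid, 0)
    except ProcessLookupError:
        return False
    except PermissionError:
        return True        # exists, owned by someone else
    return True


# Constructed demo: PID 4242 exists (probe sees it) but was filtered out of
# the listing, as a process-hiding rootkit would do.
DEMO_REAL_PIDS = {1, 2, 100, 4242, 5000}
DEMO_LISTED_PIDS = [1, 2, 100, 5000]


def demo_probe(pid: int) -> bool:
    return pid in DEMO_REAL_PIDS


def demo_hidden_pids() -> list[int]:
    """Run the cross-view check on the constructed data."""
    return find_hidden_pids(DEMO_LISTED_PIDS, demo_probe, range(1, 6000))


if __name__ == "__main__":
    print("demo hidden PIDs:", demo_hidden_pids())
    if os.path.isdir("/proc"):     # live check on a Linux host
        # Caveats: processes that start between the listing and the probe, and
        # thread IDs (kill accepts TIDs, /proc lists only thread-group leaders),
        # show up as false positives; confirm by re-running and checking
        # /proc/<pid>/status before drawing conclusions.
        print("live hidden PIDs:", find_hidden_pids(list_proc_pids(), probe_pid_kill, range(1, 32769)))
```

A rootkit operating in the kernel can hook both views, which is why cross-view checks are one layer among several (file integrity, network-side comparison against the host's own view of open ports) rather than a verdict on their own.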
confused
Quote from the article: "A rootkit is a tool that helps worm authors to slip past malware detection tools. The rootkit is 'wrapped around' the virus, and hides its payload from detection engines. After the rootkit has penetrated a system's defences, the worm can start doing its work." Seems a little confusing to me. As far as my understanding goes about rootkits, the worm penetrates the system and then the rootkit is installed on the system.
Posted by: k 21 Oct 2005
Research?
If this is the best F-Secure researchers can do, I do hope the quality of their products is much better than the quality of their research. "F-Secure does not have any information on its geographic origin" --- it most likely originates from the Czech Republic, and some easy Google searches even suggest the name of the author (Jaromir?).
Posted by: Infected Again 21 Oct 2005
That is NOT a rootkit
Rootkits allow a person to hide their presence on a machine after they already have access. It is NOT a "wrapper around a virus."
Posted by: Anonymous Coward 21 Oct 2005