The Threat - Rootkits
What is a rootkit?
The term rootkit is very old and dates back to the days when UNIX ruled
the world. Rootkits for the UNIX operating system were typically used to elevate
the privileges of a user to the root level (i.e., administrator). This explains the
name of this category of tools.
Rootkits for Windows work in a different way and are typically used to hide
malicious software from, for example, an antivirus scanner. Rootkits are typically
not malicious by themselves but are used for malicious purposes by viruses,
worms, backdoors and spyware. A virus combined with a rootkit produces what was
known as a full stealth virus in the MS-DOS environment.
How dangerous is a rootkit?
The rootkit itself does not typically cause deliberate damage. Its purpose is
to hide software. But rootkits are used to hide malicious code. A virus, worm,
backdoor or spyware program could remain active and undetected in a system for a
long time if it uses a rootkit.
The malware may remain undetected even if the computer is protected with
state-of-the-art antivirus software. And the antivirus can't remove something that it
can't see. The threat from modern malware combined with rootkits is very similar
to the full stealth viruses that caused a lot of headaches during the MS-DOS era. All
this makes rootkits a significant threat.
How common is the problem?
There are currently several spyware programs and viruses that use rootkits to
hide. There are also a couple of publicly reported intrusions where rootkits
have been used (for example the theft of the Half-Life 2 source code).
Rootkits are already quite common in spyware programs but not as common in
viruses. There is clear evidence that rootkits are a technique that works in
practice. But the actual threat is still small compared to the potential of this
technique.
What malware uses rootkit techniques?
First of all, "real" rootkits such as Hacker Defender and
FU, of course. Then some spyware/adware programs such as EliteToolbar, ProAgent,
and Probot SE. Some Trojans such as Berbew/Padodor
and Feutel/Hupigon, and also some worms e.g. Myfip.h
and the Maslan-family.
Shouldn't antivirus detect rootkits before they go into hiding?
Yes, and in some cases it will. However, rootkits are usually distributed in
source code form, which means a hacker can modify the rootkit until antivirus
products no longer detect it. In fact, many rootkit and Trojan authors sell an
"undetection service" to their "customers". This means that for a certain amount
of money they guarantee that the rootkit binary they sell is not, at that point,
detected by any antivirus vendor's product. There are also some other features in modern
antivirus products that may detect rootkits. For example, F-Secure Internet
Security 2005 has a feature we call "Manipulation Control". It is a behavioral
blocking mechanism that prevents malicious processes from manipulating other
processes. This will prevent the activation of some rootkits, but not all.
What's the forecast for rootkits?
Rootkits are already quite common in the spyware field and they are becoming
more commonly used among virus authors as well. Virus writers of today are
becoming more professional and have a business purpose for their activities.
They certainly have the skills and the motivation to implement the added complexity
that rootkits introduce into a virus or worm.
Rootkits can make hidden backdoors or spam-relays in infected computers
useful for a much longer time. There is reason to believe that the use of
rootkits will increase in the future.