Securify This! by Munir Kotadia

A hard look at the latest developments in IT security with a real world perspective.

Have rootkits defeated the security industry?

Posted by Munir Kotadia @ 12:24 5 comments

Rootkits, which modify the kernel of an operating system so that malicious code can hide from security software, appear to have stumped the security industry.


Earlier this week, I managed to grab the general manager of AusCERT, Graham Ingram, for a short video interview.

Among other subjects, I asked him about rootkits, and how the security industry was going to deal with them in the future.

His answers should send chills down the spine of any chief security officer.

In this video, he said: "Zero-day exploits allow the infection to get on the machine in the first place. Then you invoke some sort of kernel-mode rootkit, where the ability to detect or remove it is severely limited.

"It is going to be a very difficult future that we face," said Ingram.

I mentioned Haxdoor, a particularly nasty trojan that uses rootkit technology. It first appeared more than a year ago, and Ingram claims that attacks have got better since then -- or worse, depending on your point of view.

In a previous blog entry, this is what I wrote about Haxdoor:

According to AusCERT, Haxdoor spreads via e-mail and uses rootkit technology to hide from security applications. When it was first released, it was undetectable by most antivirus software, almost certainly because its authors had tested it against the most popular products before releasing it.

So how could you tell if you were affected? The simple answer is, you couldn't.

On its Web site, AusCERT warned that "due to the stealthing (rootkit) and antivirus disabling capabilities of this malware, a clean scan with an antivirus product may not guarantee that you are free from infection".

So even if you had an updated antivirus product, once Haxdoor has installed a rootkit and hidden behind it, AusCERT advised that "re-installation of the operating system from the original installation media is the only way to be confident that all traces of the malware have been removed".
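The detection gap the article describes is the classic cross-view problem: a rootkit that filters what the operating system reports will hide from any scanner that asks the operating system. One partial countermeasure is to obtain the same inventory by two different kernel paths and diff them. The script below is an added example; it is not from the article, from AusCERT or from any Haxdoor analysis, and it is written for Linux purely to illustrate the principle (the Haxdoor cases above were Windows). It lists processes by reading /proc, the view a rootkit that hooks directory listing would filter, and separately probes every PID with kill(pid, 0), which takes a different code path through the kernel; anything the probe finds that the listing omitted, and that is not merely a thread of a visible process, is reported. A kernel rootkit that hooks both paths defeats this too, which is why AusCERT's advice to reinstall from known-good media stands.

```python
"""Cross-view process enumeration on Linux: compare what a directory listing
of /proc reports against what a kill(pid, 0) probe of every PID reports.
Added example; not part of the article or of any vendor tool."""
import os


def pids_via_procfs():
    """High-level view: the process list as reported by listing /proc.
    A rootkit that hooks getdents()/readdir() filters exactly this view."""
    return {int(name) for name in os.listdir("/proc") if name.isdigit()}


def tids_of_visible(visible):
    """Thread IDs belonging to visible processes (from /proc/<pid>/task).
    kill(tid, 0) succeeds for non-leader threads too, so they must be
    excluded or every multi-threaded process would look like a hidden one."""
    tids = set()
    for pid in visible:
        try:
            tids.update(int(t) for t in os.listdir(f"/proc/{pid}/task"))
        except OSError:
            pass  # process exited between the listing and this call
    return tids


def pids_via_kill_probe(max_pid=None):
    """Low-level view: ask the kernel about every PID with kill(pid, 0).
    ESRCH means no such process; EPERM means it exists but belongs to
    another user, which is still evidence that it exists."""
    if max_pid is None:
        try:
            with open("/proc/sys/kernel/pid_max") as fh:
                max_pid = int(fh.read())
        except OSError:
            max_pid = 32768  # conservative default if pid_max is unreadable
    alive = set()
    for pid in range(1, max_pid + 1):
        try:
            os.kill(pid, 0)
            alive.add(pid)
        except PermissionError:     # EPERM: exists, not ours
            alive.add(pid)
        except ProcessLookupError:  # ESRCH: no such process
            pass
    return alive


def cross_view_diff(visible, visible_tids, probed):
    """PIDs the low-level probe found that neither the /proc listing nor the
    thread lists of visible processes account for."""
    return sorted(probed - visible - visible_tids)


def find_hidden_pids(rounds=2, max_pid=None):
    """Repeat the comparison and keep only PIDs hidden in every round, to
    suppress processes that merely exited between the probe and the listing."""
    hidden = None
    for _ in range(rounds):
        probed = pids_via_kill_probe(max_pid)
        visible = pids_via_procfs()
        found = set(cross_view_diff(visible, tids_of_visible(visible), probed))
        hidden = found if hidden is None else hidden & found
    return sorted(hidden or [])


def sanity_check():
    """True when this very process shows up in both views (so the collectors
    work on this host); None when there is no /proc to read (not Linux)."""
    if not os.path.isdir("/proc"):
        return None
    me = os.getpid()
    return me in pids_via_procfs() and me in pids_via_kill_probe(max_pid=me)


if __name__ == "__main__":
    suspects = find_hidden_pids()
    if suspects:
        print("PIDs answering kill(pid, 0) but absent from /proc:", suspects)
    else:
        print("No cross-view discrepancy; this proves nothing about a rootkit "
              "that hooks both paths.")
```

Run it as root so that kill(pid, 0) is not answered with EPERM for everything, and treat a hit as a reason to image the disk and rebuild, not as something to "clean": a process that can hide from readdir() can hide from whatever you run next.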


Talkback 5 comments

  1. And how exactly is this new ? Anonymous -- 06/07/07

    "Rootkit"... ROOT kit...a "kit" that gives you "root". This is a *nix term and has been around for years.

    What they're really saying is they're stumped by WINDOWS "rootkits". Personally I'm amazed that it took so long to port them to windows anyway. Think about it....windows security was (is) so bad for so long that it wasn't worth the effort of writing a Windows rootkit when much simpler code was all that was needed to pwn the Windows box. Now it takes SLIGHTLY more effort in some cases, hence the advent of rootkits for Windows. This suggests that the best Windows security is only now scraping up to the lower levels of *nix security.
    As for the "reinstallation from known good media" bit...duhhhhhhh.....once your box is compromised then you can't trust the system binaries so yeah..complete wipe and re-install of the whole disk is the only way to go...
    Hello Windows - Security World, welcome to 1991 !

    1. re-install will fail too Dr. Karen Yung -- 03/08/07

      Beneath the newly re-formatted hard disk drive are the hardware-mapped bad sectors marked unavailable. Marking a chunk of disk space as 'bad' means only that the operating system and all software tools cannot fix what they cannot access: portions of the spinning platters. A linked list of several gigabytes can exist without anyone knowing it is there.

      Use of unmapped disk space is unavoidable and perhaps impossible to prevent.

  2. Rootkits in Corporate Espionage Anonymous -- 07/07/07

    Here is a blog entry called "Rootkits in Corporate Espionage" from antirootkit.com that shows how corporations with a lot at stake can use rootkits. http://www.antirootkit.com/blog/2006/11/30/rootkits-in-corporate-espionage/
    Because it may be an individual within a corporation that is targeted via a zero-day vulnerability and using a new rootkit, it will be by luck that it would be found.
    Pab.

  3. Do we need to say more... Anonymous -- 09/07/07

    http://en.wikipedia.org/wiki/2005_Sony_BMG_CD_copy_protection_scandal

    http://en.wikipedia.org/wiki/Sony_rootkit

  4. Welcome to 2005 Anonymous -- 13/07/07

    This is not news. The University of Minnesota has been requiring reinstallation for all virus infections on student-owned computers since Microsoft confirmed the intractable nature of rootkit infections in the spring of '05. I'm glad you guys are writing about it, but the fact of the matter is that once a machine is infected, it isn't _worth your time_, much less the risk, to do anything BUT reinstall. We don't rely on desktop scans to identify compromised hosts, but use network monitoring tools that alert us to the computerized equivalent of a guy walking down the street, trying to open every car door.
