Rootkits are powerful programs that alter -- or patch -- the kernel of an operating system. This allows them to hide the existence of certain files or applications from the underlying OS. The practice dates back to UNIX systems in the mid-1980s, but it is now commonly used by malware authors to hide viruses and spyware from Windows-based security applications.
In April, antivirus firm McAfee said the number of rootkits found by its emergency response team in the first quarter of this year was up 700 percent compared to the same period last year.
This growing threat has driven security companies to develop rootkit detection techniques and forced Microsoft to develop methods for protecting the kernel of its operating system.
In a phone interview, Austin Wilson, director of product management for Windows Vista Security, told ZDNet Australia on Thursday that the software giant has developed a number of defences against rootkits. But, the most effective will not be included in the most common versions of Windows Vista.
Two techniques -- Kernel Patch Protection and driver signing -- will be available in 64-bit versions of Windows Vista, which are mostly used in servers rather than desktops, so most users will miss out, admitted Wilson.
The most powerful technique is Kernel Patch Protection, which basically blocks any application from altering the Vista kernel.
"Kernel patching is exactly what a load of rootkits do," said Wilson, who explained that rootkits alter the kernel to hide malware. "It changes the kernel so that if you do something like a directory command and look in Explorer, what you get returned back isn't really there."
"Basically, the rootkit will patch the kernel so they can hide and you can't find them when Windows is running. In 64-bit versions [of Windows Vista] we don't allow software to patch the kernel at all," he said.
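As an added illustration of the mechanism Wilson describes (this is not code from the article, from Microsoft, or from any rootkit), the following Python models a kernel service table as a dictionary of handlers, a rootkit-style patch that swaps in a filtering handler so a directory listing omits an entry, and the two defensive checks the discussion implies: an integrity check that compares the table against a recorded baseline, which is the idea behind Kernel Patch Protection, and a cross-view comparison of what the patched API reports against an independent listing, the approach rootkit detection tools take. Every name, function and sample entry here is constructed for the illustration; it says nothing about how the Windows kernel or its patch protection is actually implemented.

```python
"""Conceptual model of kernel patching and of the checks that detect it.
Added example; constructed names and data, not Microsoft's or any real code."""
import hashlib


def list_directory(entries):
    """Unpatched handler: report every entry the 'disk' holds."""
    return list(entries)


def open_file(name):
    """Second handler, present only so the table has more than one entry."""
    return f"handle:{name}"


def make_service_table():
    """Constructed stand-in for a kernel service table: name -> handler.
    A real table holds function pointers; here they are Python callables."""
    return {"list_directory": list_directory, "open_file": open_file}


def snapshot(table):
    """Record a fingerprint of each handler's code, the baseline a
    patch-protection check later compares against."""
    return {
        name: hashlib.sha256(fn.__code__.co_code).hexdigest()
        for name, fn in table.items()
    }


def install_filter_hook(table, hidden):
    """Model of a rootkit-style patch: replace the directory handler with a
    wrapper that drops the entries in `hidden` from every listing."""
    original = table["list_directory"]

    def hooked(entries):
        return [e for e in original(entries) if e not in hidden]

    table["list_directory"] = hooked


def verify(table, baseline):
    """Integrity check in the spirit of Kernel Patch Protection: return the
    names of every handler whose code no longer matches the baseline."""
    current = snapshot(table)
    return sorted(name for name in baseline if current.get(name) != baseline[name])


def cross_view_diff(api_view, independent_view):
    """Cross-view detection: entries the independent view has but the
    (possibly patched) API did not report."""
    return sorted(set(independent_view) - set(api_view))


def demo():
    """Run the scenario on a fresh table and return what each check finds."""
    disk_entries = ["notes.txt", "malware.sys", "report.doc"]  # constructed
    table = make_service_table()
    baseline = snapshot(table)            # taken while the table is clean
    install_filter_hook(table, hidden={"malware.sys"})
    hooked_view = table["list_directory"](disk_entries)
    return {
        "hooked_view": hooked_view,                         # what the user sees
        "modified": verify(table, baseline),                # patch-protection finding
        "hidden": cross_view_diff(hooked_view, disk_entries),  # cross-view finding
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The integrity check catches the patch regardless of what it hides, which is why blocking or detecting kernel modification is stronger than looking for any particular rootkit; the cross-view check catches the hiding even when the patch itself is not visible, but only if the independent view really is independent of the patched code.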
When asked why kernel patch protection will not be available in 32-bit versions of Vista, he said: "In the 32-bit version it is something we would like to do in the longer term ... there are many legitimate applications out there today ... that do some kind of kernel patching."
However, Wilson said Microsoft is encouraging software vendors to move away from this technique.
"We are working with the vendors of those applications today so they can successfully port those to 64-bit and not use the kernel patching techniques.
"Kernel patching is something that is used for good things by legit software vendors but it is also something that is used by rootkit authors as well. We need to disable kernel patching to stop rootkit authors from patching the kernel," said Wilson.
Wilson did stress that the 32-bit version of Vista will include alternative features to reduce the risk of rootkit infestation -- such as User Account Control, where users do not work in administrator mode, and Internet Explorer protected mode, where the browser is not given enough privileges to install malware.
The fact that the strongest rootkit protection is only available on server versions of Vista shows that Microsoft are not really trying to make life easier for the ordinary user. I have a strong sense of déjà vu when it comes to Microsoft and security.