The Trouble with Rootkits

By Jeff Vance


Have you ever wondered where all of those spam emails come from? Most people think they are sent from server farms in former Soviet-bloc countries, from Nigeria, or from tech-sleazes here at home who work hard to avoid detection and find loopholes in the CAN-SPAM Act.

While much spam does come from those sources, a new spamming technique is to use ordinary people as unwitting spammers. One such recent attack, Storm Worm, seeks to turn poorly secured PCs into occasional spam servers.

Many users in Europe downloaded Storm Worm early this year when they clicked on an email attachment claiming to contain information about wind storms that ravaged the continent. In the U.S., users were infected when they opened an email with a subject line reading “U.S. Secretary of State Condoleezza Rice has kicked German Chancellor Angela Merkel.” The email contained an attachment purporting to be a video of the event.

What’s troubling about this attack isn’t the delivery method, which is standard social engineering, but what happens next. Rather than launching a DDOS (distributed-denial-of-service) attack or spreading a virus or worm, Storm Worm drops a kernel-mode rootkit onto the recipient’s computer.

A rootkit is a set of software tools that gives an intruder administrator access to a PC while hiding itself from the end user. The rootkit can then provide ongoing access to the system, allowing attackers to install spyware, monitor user keystrokes, or use the compromised computer as part of a spam botnet, which is what Storm Worm does.

Storm Worm’s botnet sends out so-called pump’n’dump stock spam—spam used to inflate the price of a stock the spammers own, which they then dump once it gets high enough. Fortunately, Storm Worm appeared to be rushed. It was a fairly primitive rootkit, which standard antivirus scanners can detect.

The user community is lucky in this case. A better designed rootkit can persist long after a signature has been developed for it. “The problem is that people believe they are uninfected. They’ve kept their security up to date and run their scans, but the rootkit has avoided detection and is working in the background,” said Neil MacDonald, VP and fellow at the research firm Gartner.

Rootkits more advanced than Storm Worm make themselves invisible to antivirus scanners, often even disabling them. They also hide themselves from Windows Task Manager, which shows a PC’s running processes. The end result is that they are extremely difficult to detect after the initial infection, and an infection can last indefinitely, all without the end user suspecting a thing.
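The classic defender's answer to a process that hides from Task Manager is a cross-view check: take the process list two independent ways and look for entries present in one view but absent from the other. The PowerShell script below is an added example written for this article, not code from the article or from any vendor it mentions. It assumes Windows PowerShell with permission to compile a small P/Invoke stub via Add-Type; the function names are my own.

```powershell
# Added example (not from the article): user-mode cross-view check for hidden processes.
# View 1 is the normal process enumeration (the same data Task Manager shows).
# View 2 opens every possible PID directly. A process unlinked from the kernel's
# process list still owns a PID in the handle table, so OpenProcess succeeds for it
# even though it never appears in view 1.
Add-Type -Namespace Probe -Name Native -MemberDefinition @'
[DllImport("kernel32.dll", SetLastError = true)]
public static extern IntPtr OpenProcess(uint dwDesiredAccess, bool bInheritHandle, uint dwProcessId);
[DllImport("kernel32.dll", SetLastError = true)]
public static extern bool CloseHandle(IntPtr hObject);
'@

$PROCESS_QUERY_LIMITED_INFORMATION = 0x1000   # least access that still proves the PID exists
$ERROR_ACCESS_DENIED = 5                       # PID exists but is protected: still counts as present

function Test-PidExists([int]$ProcessId) {
    # Returns $true when the PID is backed by a live process, whether or not we may touch it.
    $h = [Probe.Native]::OpenProcess($PROCESS_QUERY_LIMITED_INFORMATION, $false, $ProcessId)
    if ($h -ne [IntPtr]::Zero) {
        [void][Probe.Native]::CloseHandle($h)
        return $true
    }
    return ([Runtime.InteropServices.Marshal]::GetLastWin32Error() -eq $ERROR_ACCESS_DENIED)
}

function Get-ListedProcessIds {
    # View 1: the documented enumeration API, keyed by PID.
    $ids = @{}
    foreach ($p in Get-Process) { $ids[[int]$p.Id] = $p.ProcessName }
    return $ids
}

function Get-ProbedProcessIds([int]$MaxPid = 65532) {
    # View 2: brute-force OpenProcess. Windows PIDs are multiples of 4, so step by 4.
    # Thread IDs share the same ID space but fail OpenProcess with a different error,
    # so they are not counted.
    $found = New-Object System.Collections.Generic.List[int]
    for ($candidate = 4; $candidate -le $MaxPid; $candidate += 4) {
        if (Test-PidExists $candidate) { $found.Add($candidate) }
    }
    return $found
}

function Find-HiddenProcessIds {
    # Probe first, list second: a process that starts between the two snapshots then
    # appears only in the listing and is not flagged. A process that exits between the
    # snapshots is filtered out by re-probing the survivors.
    $probed = Get-ProbedProcessIds
    $listed = Get-ListedProcessIds
    $probed |
        Where-Object { -not $listed.ContainsKey($_) } |
        Where-Object { Test-PidExists $_ }
}

$hidden = @(Find-HiddenProcessIds)
if ($hidden.Count -eq 0) {
    "No PID opens that is absent from the process list."
} else {
    "PIDs reachable by OpenProcess but missing from Get-Process: $($hidden -join ', ')"
}
```

A hit is a lead, not a verdict: run the script a second time before acting, because short-lived processes can still slip between snapshots. The check is also only as honest as the APIs it calls; a kernel-mode rootkit that hooks the process-opening path as well as the enumeration path defeats it, which is why the dedicated detectors the article mentions compare live results against kernel structures read by other means rather than trusting any single API.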

Attacks as Investments

Rootkits are on the rise because hackers have different goals today. “The motivations of hackers have switched,” MacDonald said. “Taking down a million machines for fame and glory isn’t the motive anymore. Now it’s profit. The goal of attackers today is to use a compromised system over the long haul.”

For today’s organized cyber-criminals, an infected machine is an investment, and they seek to leverage that investment over time.

Even if you can’t see the process running in your Task Manager, wouldn’t you notice a system slowdown? Not necessarily. Most users expect performance degradation over time, and attackers are smart about hiding their activities.

“One thing many attackers do is target times when usage is low. Many PCs stay on all the time, so an attacker will schedule activities for late at night,” MacDonald said.

Rootkits exploit a key flaw in many operating systems: The fact that standard users are granted administrator privileges. “If end users don’t have administrator privileges, the threat is less significant,” MacDonald said.

Buena Vista?

One of the key security improvements in Microsoft Vista is its User Account Control (UAC). “Activities such as surfing the web, sending email, and using productivity applications do not require special privileges, so UAC automatically limits the power of a user’s account, even an account with administrative privileges, when doing those activities,” said Stephen Toulouse, security program manager at Microsoft. Similarly, IE7 in Windows Vista operates by default in protected mode. In this mode, IE7 cannot modify user or system files and settings without user consent, helping shield users from compromised websites.

For workstations running the 64-bit version of Vista, Kernel Patch Protection (KPP) is included. “KPP is designed to prevent attackers from modifying or extending the kernel, through techniques such as rootkits,” Toulouse said.

It also prevents changes through undocumented, non-supported methods, further hardening the kernel. Future versions of Microsoft's Longhorn server software will include similar features, and both Vista and Longhorn will emphasize driver signing as well.
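The three mitigations the article has just walked through (standard users without administrator rights, UAC left enabled and prompting, and only signed drivers in the kernel) are all things an administrator can audit from a script. The PowerShell below is an added example written for this article, not code from Microsoft or from the article; it assumes Windows PowerShell 3.0 or later on a workstation where the reader may query WMI and the Windows registry, and the function names are my own.

```powershell
# Added example (not from the article): read-only audit of the workstation hardening the
# article describes. Run it from an elevated prompt so every driver image can be read.

function Test-RunningAsAdmin {
    # Is this session running with the Administrators role enabled? Under UAC a standard
    # user, or an admin with a filtered token, answers $false here.
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    return $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Get-UacStatus {
    # UAC policy values. EnableLUA=0 turns UAC off entirely; ConsentPromptBehaviorAdmin=0
    # elevates administrators silently, which defeats the split token the article praises.
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $p = Get-ItemProperty -Path $key
    $value = { param($name) if ($null -eq $p.$name) { 'not set (OS default)' } else { [int]$p.$name } }
    [pscustomobject]@{
        EnableLUA                  = & $value 'EnableLUA'
        ConsentPromptBehaviorAdmin = & $value 'ConsentPromptBehaviorAdmin'
        PromptOnSecureDesktop      = & $value 'PromptOnSecureDesktop'
        Weak = (($p.EnableLUA -eq 0) -or ($p.ConsentPromptBehaviorAdmin -eq 0))
    }
}

function Get-UnsignedLoadedDrivers {
    # Win32_SystemDriver lists the kernel drivers the Service Control Manager knows about;
    # State 'Running' means the driver is currently loaded. Get-AuthenticodeSignature then
    # verifies the signature of each image on disk.
    Get-CimInstance -ClassName Win32_SystemDriver -Filter "State='Running'" |
        Where-Object { $_.PathName } |
        ForEach-Object {
            # PathName is sometimes recorded as \??\C:\... or \SystemRoot\...; normalise it.
            $path = $_.PathName -replace '^\\\?\?\\', '' -replace '^\\SystemRoot', $env:SystemRoot
            if (Test-Path -LiteralPath $path) {
                $sig = Get-AuthenticodeSignature -LiteralPath $path
                if ($sig.Status -ne 'Valid') {
                    [pscustomobject]@{ Name = $_.Name; Path = $path; Status = $sig.Status }
                }
            } else {
                [pscustomobject]@{ Name = $_.Name; Path = $path; Status = 'FileNotFound' }
            }
        }
}

"Running with administrator rights: $(Test-RunningAsAdmin)"
"UAC policy:"
Get-UacStatus | Format-List
"Loaded drivers without a valid Authenticode signature:"
$unsigned = @(Get-UnsignedLoadedDrivers)
if ($unsigned.Count -eq 0) { "  none" } else { $unsigned | Format-Table -AutoSize }
```

Two caveats on reading the driver output: on older Windows releases Get-AuthenticodeSignature does not consult catalog files, so catalog-signed Microsoft drivers can report NotSigned there and need a second check with a catalog-aware tool; and a driver whose image is missing from disk (FileNotFound) deserves a closer look, since a legitimate driver normally leaves its file where the service entry says it is.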

Legitimate Rootkits

Rootkits are nothing new, but since malware detection has become standard, given away for free on new PCs or with broadband subscriptions, attackers have placed a greater emphasis on being stealthy.

Part of the trouble with rootkits is that similar techniques are used for legitimate purposes. Antivirus vendors such as Symantec and Kaspersky have used rootkit techniques, and both have been criticized for doing so, although their intentions were legitimate: they intended to hide important security files so users wouldn’t accidentally delete them.

Then there is the case of the Sony BMG rootkit that was distributed on music CDs. According to Gartner’s MacDonald, there’s a big difference between what Sony and the security vendors did.

“Sony used rootkit technology to hide their DRM software from tampering, whereas security vendors hid processes for legitimate reasons,” he said. Sony’s rootkit also contained a spyware component that tracked user behavior.

Users never opted in to having rigid DRM protection, nor were they aware the Sony rootkit created a gaping hole in their security profile. The US Federal Trade Commission (FTC) sued Sony over its rootkit, and Sony ended up settling, agreeing to pay customers who bought rootkit-infested CDs up to $150.

The settlement may not be the end of the story, though. It didn’t take long for hackers to develop worms targeting the vulnerability created by the Sony rootkit, and it shows how even legitimate vendors, which end users have no reason to distrust, can compromise security.

“Technology is highly integrated. From operating system integrations to smartphones to networked ATMs, devices are interacting with each other on a larger scale than ever before,” said Philippe Honigman, COO of SkyRecon Systems, a security company that is currently developing anti-rootkit technologies. “SASSER, for instance, thrived because of interoperability. The threat for major havoc is alive and well because of our complex and integrated networks.”

Another troubling thing about rootkits is how difficult they are to remove. In the past, viruses and worms caused great trouble, but most were easily removed once antivirus vendors caught up with them. With rootkits being so tightly tied to low-level OS processes, many security experts argue that removal means starting from scratch: you have to reformat your drive to ensure that a sophisticated rootkit is gone.

Some vendors advocate simply renaming and quarantining files to effectively disable them, but it’s debatable as to whether that approach is viable. Users could accidentally rename the wrong file or miss other files that allow the rootkit to persist.

Obviously, this places a premium on not being infected in the first place.

“In an enterprise setting, avoiding infection means that the enterprise must be in control of what’s being installed on company PCs,” Honigman said. “Users should never be given administrator status, which is easier said than done since most organizations give employees control over their own settings and downloads, exposing them to many threats.”

Vendors' Options

Rootkit detectors have hit the market, though they are in the early stages of development. SkyRecon Systems will launch a rootkit detector specifically designed for Vista later in the year, while detectors are also offered by F-Secure, Sophos, and Microsoft, among others.

The rootkit threat again points to the need for layered security.

“Put in good end-point security beyond signature-based security solutions and firewalls, and stay current with patches. A personal firewall is not enough anymore since it cannot control what users do. Network access control is critical, as well, but it’s best left to the pros,” Honigman said.