The Trouble with Rootkits
While much spam does come from those sources, a new spamming technique is to use ordinary people as unwitting spammers. One such recent attack, Storm Worm, seeks to turn poorly secured PCs into occasional spam servers.
Many users in Europe downloaded Storm Worm early this year when they clicked on an email attachment claiming to contain information about wind storms that ravaged the continent. In the U.S., users were infected when they opened an email with a subject line reading "U.S. Secretary of State Condoleezza Rice has kicked German Chancellor Angela Merkel." The email contained an attachment purporting to be a video of the event.
What's troubling about this attack isn't the delivery method, which is standard social engineering, but what happens next. Rather than launching a DDoS (distributed denial-of-service) attack or spreading a virus or worm, Storm Worm drops a kernel-mode rootkit onto the recipient's computer.
A rootkit is a set of software tools that gives an intruder administrator access to a PC and typically hides itself from end users. The rootkit can then provide ongoing access to the system, allowing attackers to install spyware, monitor user keystrokes, or use the compromised computer as part of a spam botnet, which is what Storm Worm does.
Storm Worm's botnet sends out so-called "pump-and-dump" stock spam: spam used to inflate the price of a stock the spammers own, which they then dump after the price gets high enough. Fortunately, Storm Worm appeared to be rushed. It was a fairly primitive rootkit, which standard antivirus scanners can detect.
The user community is lucky in this case. A better designed rootkit can persist long after a signature has been developed for it. "The problem is that people believe they are uninfected. They've kept their security up to date and run their scans, but the rootkit has avoided detection and is working in the background," said Neil MacDonald, VP and fellow at the research firm Gartner.
Rootkits more advanced than Storm Worm make themselves invisible to antivirus scanners, often even disabling them. They also hide themselves from Windows Task Manager, which shows a PC's running processes. The end result is that they are extremely difficult to detect after the initial infection, and an infection can last indefinitely, all without the end user suspecting a thing.
Attacks as Investments
Rootkits are on the rise because hackers have different goals today. "The motivations of hackers have switched," MacDonald said. "Taking down a million machines for fame and glory isn't the motive anymore. Now it's profit." The goal of attackers today is to use a compromised system over the long haul.
For today's organized cyber-criminals, an infected machine is an investment, and they seek to leverage that investment over time.
Even if you can't see the process running in your Task Manager, wouldn't you notice a system slowdown? Not necessarily. Most users expect performance degradation over time, and attackers are smart about hiding their activities.
One thing many attackers do is target times when usage is low. "Many PCs stay on all the time, so an attacker will schedule activities for late at night," MacDonald said.
Rootkits exploit a key flaw in many operating systems: the fact that standard users are granted administrator privileges. "If end users don't have administrator privileges, the threat is less significant," MacDonald said.
One of the key security improvements in Microsoft Vista is its User Account Control (UAC). "Activities such as surfing the web, sending email, and using productivity applications do not require special privileges, so UAC automatically limits the power of a user's account, even an account with administrative privileges, when doing those activities," said Stephen Toulouse, security program manager at Microsoft. "Similarly, IE7 in Windows Vista operates by default in protected mode. In this mode, IE7 cannot modify user or system files and settings without user consent, helping shield users from compromised websites."
For workstations running the 64-bit version of Vista, Kernel Patch Protection (KPP) is included. "KPP is designed to prevent attackers from modifying or extending the kernel, through techniques such as rootkits," Toulouse said.
It also prevents changes through undocumented, non-supported methods, further hardening the kernel. Future versions of Microsoft's Longhorn server software will include similar features, and both versions will emphasize driver signing as well.
Rootkits are nothing new, but since malware detection has become standard, given away for free on new PCs or with broadband subscriptions, attackers have placed a greater emphasis on being stealthy.
Part of the trouble with rootkits is that similar techniques are used for legitimate purposes. Antivirus vendors such as Symantec and Kaspersky have used rootkit techniques, and both have been criticized for doing so, although their intentions were legitimate: they intended to hide important security files so users wouldn't accidentally delete them.
Then there is the case of the Sony BMG rootkit that was distributed on music CDs. According to Gartner's MacDonald, there's a big difference between what Sony and the security vendors did.
"Sony used rootkit technology to hide their DRM software from tampering, whereas security vendors hid processes for legitimate reasons," he said. Sony's rootkit also contained a spyware component that tracked user behavior.
Users never opted in to having rigid DRM protection, nor were they aware the Sony rootkit created a gaping hole in their security profile. The US Federal Trade Commission (FTC) sued Sony over its rootkit, and Sony ended up settling, agreeing to pay customers who bought rootkit-infested CDs up to $150.
The settlement may not be the end of the story, though. It didn't take long for hackers to develop worms targeting the vulnerability created by the Sony rootkit, and it shows how even legitimate vendors that end users have no reason not to trust can compromise security.
"Technology is highly integrated. From operating system integrations to smartphones to networked ATMs, devices are interacting with each other on a larger scale than ever before," said Philippe Honigman, COO of SkyRecon Systems, a security company that is currently developing anti-rootkit technologies. "SASSER, for instance, thrived because of interoperability. The threat for major havoc is alive and well because of our complex and integrated networks."
Another troubling thing about rootkits is how difficult they are to remove. In the past, viruses and worms caused great trouble, but most were easily removed once antivirus vendors caught up with them. With rootkits being so tightly tied to low-level OS processes, many security experts argue that removal means starting from scratch: you have to reformat your drive to ensure that a sophisticated rootkit is gone.
Some vendors advocate simply renaming and quarantining files to effectively disable them, but it's debatable whether that approach is viable. Users could accidentally rename the wrong file or miss other files that allow the rootkit to persist.
Obviously, this places a premium on not being infected in the first place.
"In an enterprise setting, avoiding infection means that the enterprise must be in control of what's being installed on company PCs," Honigman said. Users should never be given administrator status, which is easier said than done since most organizations give employees control over their own settings and downloads, exposing them to many threats.
Rootkit detectors have hit the market, though they are in the early stages of development. SkyRecon Systems will launch a rootkit detector specifically designed for Vista later in the year, while detectors are also offered by F-Secure, Sophos, and Microsoft, among others.
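The detectors mentioned here, and the Task Manager hiding described earlier, both rest on one idea: a rootkit that filters the process list the user sees leaves a discrepancy against a lower-level enumeration. The following is an added illustration written for this article, not code from any vendor named in it. It implements that cross-view comparison as a pure function over constructed sample views, and adds a Linux collector (assumed environment; the article's own setting is Windows) that contrasts the /proc listing with a brute-force kill(pid, 0) probe of the PID space, re-checking candidates so processes that merely started or exited between snapshots are not reported.

```python
import os

def hidden_entries(high_level_view, low_level_view):
    """Entries present in the low-level view but absent from the
    user-visible one. A rootkit that filters the API that Task Manager
    (or ps) relies on leaves exactly this kind of discrepancy."""
    return sorted(set(low_level_view) - set(high_level_view))

def pid_alive(pid):
    """Probe a PID with signal 0: nothing is delivered, but the kernel
    reports whether the process exists (EPERM means it exists, just
    not ours)."""
    try:
        os.kill(pid, 0)
    except ProcessLookupError:
        return False
    except PermissionError:
        return True
    return True

def procfs_view():
    """High-level view: process and thread IDs listed under /proc, the
    source most monitoring tools read. Thread IDs are included so a
    live thread is not mistaken for a hidden process."""
    ids = set()
    for name in os.listdir("/proc"):
        if not name.isdigit():
            continue
        ids.add(int(name))
        try:
            ids.update(int(t) for t in os.listdir(f"/proc/{name}/task"))
        except OSError:
            pass  # the process exited while we were scanning
    return ids

def probe_view(max_pid):
    """Low-level view: brute-force the PID space with kill(pid, 0)."""
    return {pid for pid in range(1, max_pid + 1) if pid_alive(pid)}

def scan_linux(max_pid=65536):
    """Diff the two views, then re-check every candidate against a fresh
    snapshot so snapshot timing differences are not reported as hidden."""
    candidates = hidden_entries(procfs_view(), probe_view(max_pid))
    fresh = procfs_view()  # second snapshot, taken after the probe
    return [p for p in candidates if pid_alive(p) and p not in fresh]

if __name__ == "__main__":
    # Constructed sample: the visible list lacks PID 4242, which the
    # low-level probe still sees.
    visible = [1, 200, 345, 1000]
    low_level = [1, 200, 345, 1000, 4242]
    print("hidden in sample:", hidden_entries(visible, low_level))  # [4242]
    if os.path.isdir("/proc"):
        print("hidden on this host:", scan_linux())
```

The max_pid default of 65536 keeps the demo fast; a real scan should read /proc/sys/kernel/pid_max, and a process that is alive, absent from /proc, and still absent on re-check is worth investigating rather than ignoring.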
The rootkit threat again points to the need for layered security.
"Put in good end-point security beyond signature-based security solutions and firewalls, and stay current with patches. A personal firewall is not enough anymore since it cannot control what users do. Network access control is critical, as well, but it's best left to the pros," Honigman said.