'Rootkits' - just when you thought viruses were a pain!
A New Threat
Well, it could only be a matter of time before hackers and virus writers got round the latest security technologies to start messing with people's PCs again. Just when we thought we were safe with our anti-spyware programs, virus scanners and firewalls, a new threat looms on the horizon, and what's worse is that the companies we rely on to keep us secure aren't really prepared for it. So, what is this new threat? It's something called "Rootkits".
"A root kit is a set of tools used by an intruder after cracking a computer system. These tools can help the attacker maintain his or her access to the system and use it for malicious purposes. Root kits exist for a variety of operating systems such as Linux, Solaris, and versions of Microsoft Windows." (Wikipedia)
Basically, a hacker finds a way into someone's PC in the normal way, through vulnerabilities in the operating system (i.e. Windows, Linux, etc.) or by taking advantage of lax security. Once inside, they install a set of applications, some of which are disguised as programs that the operating system needs to run. This in itself is quite common: many Windows-based viruses disguise themselves as important system processes, which fools Windows itself, meaning you can't shut them down because Windows thinks they're Microsoft products. However, rootkits also include scripts (files containing computer code) which cover their tracks by removing any reference to their being there.
A couple of tools exist to help you monitor if and when your operating system files have changed. In the past, when a file was overwritten by a virus or other such program, the file's creation date would match the date at which the file was downloaded to that PC. Now, files installed by rootkits use the same creation date as the original files, making them almost undetectable. I say almost of course, and that brings me onto the tools you can use. One of these is Tripwire, which - among other things - examines your files for integrity and lets you know whether they pass or not. The problem with this is that it's for big-bucks business and so will be very expensive. Another of these tools is an open-source project called AIDE. Because it's open source it's free, but also it may be difficult to get comprehensive support, so be wary.
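The kind of integrity check that tools such as Tripwire and AIDE perform can be sketched as follows. This is an added example, not code from either tool or from the article's author; the function names and sample files are constructed for illustration, and the file's modification time stands in for the date the article mentions.

```python
import hashlib
import os
import tempfile
from pathlib import Path

def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(65536), b""):  # chunked read
            h.update(block)
    return h.hexdigest()

def build_baseline(root):
    """Map relative path -> (sha256, mtime_ns) for each regular file under root."""
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if os.path.isfile(full) and not os.path.islink(full):
                rel = os.path.relpath(full, root)
                baseline[rel] = (sha256_file(full), os.stat(full).st_mtime_ns)
    return baseline

def compare(old, new):
    """Report added, removed and modified files; flag changes whose date did not move."""
    report = {"added": sorted(set(new) - set(old)),
              "removed": sorted(set(old) - set(new)),
              "modified": [], "date_unchanged": []}
    for path in sorted(set(old) & set(new)):
        if old[path][0] != new[path][0]:
            report["modified"].append(path)
            if old[path][1] == new[path][1]:
                report["date_unchanged"].append(path)  # a date check alone misses this
    return report

def demo():
    with tempfile.TemporaryDirectory() as root:  # constructed sample files only
        target = Path(root, "login")
        target.write_bytes(b"original contents (constructed sample)")
        Path(root, "ls").write_bytes(b"untouched file (constructed sample)")
        before = build_baseline(root)
        st = target.stat()
        target.write_bytes(b"replaced contents (constructed sample)")
        os.utime(target, ns=(st.st_atime_ns, st.st_mtime_ns))  # date as before
        Path(root, "extra").write_bytes(b"file that was not there before")
        return compare(before, build_baseline(root))

if __name__ == "__main__":
    print(demo())
```

In practice the baseline and the checking tool should be kept on read-only or offline media, because a rootkit that controls the machine can alter both.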
Rootkits exist in order to allow the hacker to return to the compromised machine at any time, without worrying about security or being detected. The programs they install can be controlled using a system called Telnet (the name may vary from system to system), which is a protocol for sending text commands from one machine to another. The command is sent as a standard string of text (it may be encrypted or compressed, but it's still just text), and interpreted and actioned by the receiving machine.
So What's the Fuss?
Once the hacker has gained access to your machine, you are almost completely vulnerable. Your files can be downloaded, viewed, edited and even deleted, your personal information can be ransacked and your operating system corrupted.
The problem as I stated at the beginning of this article is that software developers have been largely blind to this new technology for some time, and are now only starting to make movements towards finding a solution. The problem with Windows is that it is almost fundamentally insecure, and some people are using this to fuel the argument that Microsoft should start releasing the source code for Windows, so that developers outside of the software giant can fix the problem for themselves.
What Can I Do?
I've not written this with a view to giving you comprehensive, step-by-step solutions to the problem. Instead I'm hoping this will raise your eyebrows and help you to be a little more wary about the security you have in place. If you'd like to discuss your security setup, why not raise it on the Uplink, our e-mail community, at uplink@msomedia.com.
There is some good news if you use Microsoft's fledgling AntiSpyware package: they're already researching ways to incorporate rootkit detection into their software. If you've got anti-virus software in place, visit their website to find out what they're doing about rootkits. Below are some possible points of interest for you:
Article kindly provided by Mark Steadman - MSO Media - Web Solutions that Work
Posted October 4, 2005