Rootkit Creators Turn Professional

pete richards writes "Signalling a trend towards increased 'outsourcing' of some elements of malware creation, worm authors are increasingly turning to commercially available rootkits to help their creations slip past virus detection engines. Those root kits in the mean time are becoming more professional. Antivirus vendor F-Secure reported last week that it had detected a first rootkit designed to bypass detection by most of the modern rootkit detection engines."

Virus writers go by their own rules.

[geo_2677]

Virus writers go by their own rules. The anti virus business has a reactionary approach. Unless the anti virus engines have the updated signatures they can't stop the virus from spreading.
Doesn't this again bring up the question which was discussed a while ago. 'Why should Operating systems have a policy of default accept? Run programs only which you trust.' Not that this will solve the problem in one shot but it will make the problem more manageable. By the way things are going and the speed with which new viruses are created, i guess the day is not far when we will need huge databases to store the signatures for the viruses on each machine.

Misuse of the term

[$RANDOMLUSER]

From TFA:

A rootkit is a tool that helps worm authors to slip past malware detection tools. The rootkit is 'wrapped around' the virus, and hides its payload from detection engines. After the rootkit has penetrated a system's defences, the worm can start doing its work.

Wrong. A "rootkit" is a series of hacks to the underlying operating system, which make a running process harder to detect. In other words, a rootkit will keep your process from turning up in the Windows Task Manager, or a Linux "ps".

Definition from the Jargon File.

Re:Misuse of the term

[ArsenneLupin]

There is more to a root kit than just a replacement ps, but of course that is a critical element.

Not necessarily. There are rootkits which are based on kernel modules (so that the kernel API are not reporting the process either, just in case the sysadmin brings in a statically compiled ps, or manually digs through /proc).

It's the primitive rootkits that only replace some common utilities such as ps, ls, and netstat. Many of these don't even bother to doctor md5sum or rpm, so they can be trivially detected by an rpm -qa --verify.

The good ones on the other hand do a much more thorough job, and can only be detected by booting from a known-good media (i.e. a Knoppix CD)

Re:Easy prey?

[prichardson]

There probably isn't a law against rootkits, and there shouldn't be. There should be a law against using them to break into systems that you are not authorized to enter, and there is a law against that.

A law against rootkits would be very problematic. Is VNC a rootkit? If there's a bug in SSH that is exploitable to gain root access I bet it would suddenly fall under the domain of being labeled a rootkit by any law banning them, should the mainatainers of SSH be prosecuted because of that?

It really comes down to liberty though. If I want to hack my own computer I should be allowed to do so. If I want to write a virus I should be allowed to do so, but I should not be allowed to release it into the wild.

Rootkits can be used for good.

[digitalstruct]

Rootkits are not nessesarily bad. They have good purposes such as in the enterprise world to watch what you are doing/logging what you are doing without you being able to find and terminate that process. You have to remember everything has a level of good and can be turned bad in an instant.

It is like a formatting tool, when used properly it deletes what you want but if someone wrote a program to access the formatting tool and run it on a drive that you wanted things on now it has just been turned into something bad.

There is a legitimate use to everything :)