HelpWithWindows | Windows Forum | RoseCitySoftware


• March 31, 2005 •

"Rootkits" Emerge as New Threat on Windows

Security researchers are warning Microsoft users that so-called "rootkits" - powerful system-monitoring programs - are posing an increased security risk to computer users.

On UNIX (type) systems rootkits have been around for years, but the latest versions of the most popular ones - with names such as "Hacker Defender", "Vanquish" and "FU" - are now more than capable of "infecting" Windows computers. On Windows the name "rootkit" isn't really appropriate if we look at the definition of it from the UNIX world. A rootkit on the UNIX platform generally describes a collection of tools to obtain or maintain root access using stealth techniques. If we look at how specific tools from a rootkit are used in UNIX, we have tools to "obtain root", usually done by elevation of privilege. Next come the tools to get & maintain permanent access to the machine, and last but not least, tools to hide the presence of these tools.

"Translated" to the Windows platform, gaining root access would be accomplished by an 'exploit tool', exploiting known vulnerabilities on (un-patched) systems. Maintaining access would be accomplished by installing a backdoor on the Windows system. The tools that do the "hiding" on UNIX systems typically do this by replacing system binaries such as 'ps', 'netstat' and/or others. But replacing binaries on Windows is much harder, and on NT-based systems (Windows 2000 / Windows XP) nearly impossible to achieve because of Windows File Protection (WFP). So on Windows, the 'rootkit' is a separate tool, which does the 'hiding'. It can hide nearly anything you want: files, folders, user accounts, processes, registry entries, network connections.

To get a 'rootkit' on a Windows machine requires the system to be compromised first. This could be done by most modern malware/spyware/adware, and that is what seems to be happening more & more. Once installed on a target machine, these programs are then used to control, or find (sensitive) information on, the systems they are installed on. Many of the new rootkits will run quietly in the background on infected systems.

Some of these can be easily detected, but the more advanced rootkits (kernel rootkits for example) have the ability to hide themselves from the operating system. These rootkits are invisible to most of the current detection tools such as anti-virus, network intrusion-detection and antispyware products. Microsoft researchers have developed a new tool called Strider GhostBuster, which can detect rootkits by comparing clean & suspected views of the same Windows system: anything that shows up in the clean view but not in the suspected one has been hidden. According to the researchers, Strider GhostBuster will be released either as a research prototype or as part of Microsoft products. I think it would make a good addition to Microsoft's Windows AntiSpyware product! Today, several tools to detect the presence of rootkits are available:

  • RootkitRevealer from Sysinternals [http://www.sysinternals.com/ntw2k/freeware/rootkitreveal.shtml ]
  • BlackLight (Beta) from F-Secure [http://www.f-secure.com/blacklight/try.shtml]

It looks as if we will see an explosion of 'rootkit infections' throughout 2005. This seems to be the new business that industry crime rings are turning to, as the proceeds of (email) spam become less profitable. On the MSR Strider Project [http://research.microsoft.com/rootkit/] Web site, Microsoft researchers also list some simple steps you can take to detect some of today's "ghostware".
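The comparison approach behind Strider GhostBuster and RootkitRevealer, as an added example that is not code from either tool: a file listing taken from inside the running (possibly infected) system is compared against one taken from a clean boot, and anything the running system fails to show is flagged. Both listings and the volatile-file list below are constructed for illustration.

```python
"""Cross-view diff: compare an 'inside-the-box' file listing (taken through
the API of the running system) with an 'outside-the-box' listing (taken after
booting clean media) and report what only one of the two views shows."""
from dataclasses import dataclass, field

# Constructed sample listings in the style of `dir /s /b`. In the online view
# a hiding rootkit has filtered its own files out of the API results.
ONLINE_VIEW = """\
C:\\WINDOWS\\system32\\ntoskrnl.exe
C:\\WINDOWS\\system32\\drivers\\ntfs.sys
C:\\pagefile.sys
C:\\Documents and Settings\\user\\report.doc
"""
OFFLINE_VIEW = """\
c:\\windows\\system32\\ntoskrnl.exe
c:\\windows\\system32\\drivers\\ntfs.sys
c:\\windows\\system32\\drivers\\hidden_example.sys
c:\\windows\\system32\\hidden_example.ini
c:\\Documents and Settings\\user\\report.doc
"""

# Files that legitimately exist only while Windows is running (assumed list).
VOLATILE = {"c:\\pagefile.sys", "c:\\hiberfil.sys"}

@dataclass
class CrossViewResult:
    hidden: list = field(default_factory=list)  # on disk, not shown by the API
    ghost: list = field(default_factory=list)   # shown by the API, not on disk

def normalize(path: str) -> str:
    """Windows paths are case-insensitive, so compare a canonical lowercase form."""
    return path.strip().replace("/", "\\").lower()

def parse_listing(text: str) -> set:
    return {normalize(line) for line in text.splitlines() if line.strip()}

def cross_view_diff(online: str, offline: str, volatile=VOLATILE) -> CrossViewResult:
    """Entries only in the offline view are candidates for rootkit hiding;
    entries only in the online view are either volatile files (ignored) or
    results the running system reported that do not exist on disk."""
    seen_by_api = parse_listing(online)
    on_disk = parse_listing(offline)
    result = CrossViewResult()
    result.hidden = sorted(on_disk - seen_by_api)
    result.ghost = sorted(p for p in seen_by_api - on_disk if p not in volatile)
    return result

if __name__ == "__main__":
    for p in cross_view_diff(ONLINE_VIEW, OFFLINE_VIEW).hidden:
        print("HIDDEN from the running system:", p)
```

The same diff applies to process lists and registry exports; a clean-boot listing of a real system will also differ in log and temp files, so the volatile list has to be tuned per machine before a discrepancy is treated as evidence.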
