Wednesday, November 02, 2005

Rootkits

Rootkits: Subverting the Windows Kernel is supposed to be the hottest book around these days. But what are rootkits?

Rootkits fall into the malware category: software that tries to take control of a system while hiding its presence, concealing registry entries, files, etc. The term is loosely applied to the cloaking techniques used against security software such as anti-virus and anti-spyware tools. Rootkits are categorized by the OS mode they leverage: user mode or kernel mode.

As the name suggests, malware is bad, and we know it in some of its various forms:
- Viruses try to spread by attaching themselves to files or programs and don't focus on hiding anything.
- Worms are better known for spreading across systems, scanning networks, etc. Unlike viruses, worms can spread on their own.
- Spyware generally behaves more like spying on user information, etc. The term has also been loosely used for the unconsented installation of adware.
- Trojan horses are destructive programs that pose as good citizens promising attractive software. A virus or worm can be packaged this way.

Given the growth rate of spyware alone, big corporations are concerned about the threat posed by rootkits, especially since most rootkits cannot be eradicated without reformatting the system. Windows has a bigger threat surface than other operating systems, for obvious reasons.

Application (user-mode) rootkits are easier to write than kernel-mode rootkits, since the latter require in-depth knowledge of how device drivers are written, kernel-mode APIs, etc. Also, a bug in a kernel rootkit causes a BSOD, which is bad news for a rootkit author, since detection is the last thing a hacker wants.
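Because a rootkit hides files and registry entries by filtering what the normal API reports (whether the hook sits in user mode or in the kernel), the classic detection approach is a cross-view comparison: enumerate the same namespace through the high-level API and through a lower-level path, then diff the two. The script below is an added example, not code from the original post or from any product it mentions; the API and raw views it diffs are constructed sample data, and the file and value names in them are placeholders, not real indicators.

```python
# Added example (not from the original post): cross-view detection of hidden objects.
# A rootkit that cloaks files or registry entries intercepts the high-level API
# (what Explorer or regedit sees). A detector takes a second, lower-level view of
# the same data and diffs the two: anything the low-level view has but the API
# view lacks is a hiding candidate. All views below are constructed sample data.

from dataclasses import dataclass
from typing import Iterable, List


@dataclass(frozen=True)
class Discrepancy:
    kind: str      # "file" or "registry"
    name: str      # object that differs between the views (lower-cased)
    seen_by: str   # "low-only" (hidden from the API) or "high-only" (phantom)


def cross_view_diff(kind: str, high_view: Iterable[str], low_view: Iterable[str],
                    ignore: Iterable[str] = ()) -> List[Discrepancy]:
    """Diff two enumerations of the same namespace.

    Names are compared case-insensitively because Windows file and registry
    names are case-insensitive. `ignore` holds names known to churn between the
    two snapshots (log files, temp files) so they do not raise false alarms.
    """
    def norm(names: Iterable[str]) -> set:
        return {n.lower() for n in names}

    high, low, skip = norm(high_view), norm(low_view), norm(ignore)
    hidden = [Discrepancy(kind, n, "low-only") for n in sorted((low - high) - skip)]
    phantom = [Discrepancy(kind, n, "high-only") for n in sorted((high - low) - skip)]
    return hidden + phantom


# Constructed sample views of one directory: what FindFirstFile-style API calls
# return versus what parsing the volume's raw on-disk structures would return.
# "hidden_driver.sys" is a placeholder name, not a real indicator.
API_FILES = ["kernel32.dll", "ntoskrnl.exe", "drivers", "setuplog.txt"]
RAW_FILES = ["kernel32.dll", "ntoskrnl.exe", "drivers", "hidden_driver.sys"]

# Constructed sample views of a Run key: the registry API versus reading the
# hive file directly. "hidden_loader" is likewise a placeholder.
API_RUN_VALUES = ["ctfmon.exe", "SoundMan"]
HIVE_RUN_VALUES = ["ctfmon.exe", "SoundMan", "hidden_loader"]


def scan(ignore_files: Iterable[str] = ("setuplog.txt",)) -> dict:
    """Run both diffs and summarise what a rootkit scanner would flag."""
    findings = (cross_view_diff("file", API_FILES, RAW_FILES, ignore_files)
                + cross_view_diff("registry", API_RUN_VALUES, HIVE_RUN_VALUES))
    hidden = [d for d in findings if d.seen_by == "low-only"]
    return {"findings": findings, "hidden": hidden, "suspicious": bool(hidden)}


if __name__ == "__main__":
    report = scan()
    for d in report["findings"]:
        print(f"{d.kind:9} {d.seen_by:10} {d.name}")
    print("rootkit-style hiding suspected" if report["suspicious"] else "views agree")
```

Only "low-only" entries point at cloaking; a "high-only" entry usually means a file was deleted between the two snapshots, which is why real scanners rescan disagreements before reporting and why the `ignore` list exists. On a live system the low-level view would come from reading the NTFS structures or the hive file directly rather than from the constructed lists used here.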

F-Secure has released a beta version of an early rootkit eliminator. There is a very interesting read here on how Sony is apparently distributing a rootkit along with some of its music CDs. Scary!
