Rootkits emerge as a maturing IT threat
- By William Jackson
- Aug 02, 2006
LAS VEGAS'Rootkits are emerging as an increasingly stealthy method of insinuating malicious code in target IT systems. Interest in them has exploded in the last year'so much so that rootkits now warrant a track of their own at this week's Black Hat Briefings, with no fewer than six presentations on new techniques for deploying them and methods for countering them.
The threat is not the wholesale infection carried out by broadcast viruses, but targeted attacks that fly under the radar and remain hidden once they have penetrated the defenses.
A rootkit is code surreptitiously installed and running on a computer that typically burrows deep enough into the operating system kernel that it is not easily detected.
The basic technology is not necessarily evil, said John Heasman, principal security consultant for NGS Software Ltd. in the United Kingdom. When used in antivirus tools and personal firewalls, this ability to lie quietly in the kernel and watch what is going on in the operating system and applications is valuable. But the term 'rootkit' generally refers to a malicious application of the technology, Heasman said.
Sometimes the distinction is blurred, as when Sony Corp. used the technology
on some of its music CDs to hide digital rights management tools on customers' computers. Most customers were unhappy about this once it became known, and hackers managed to exploit some of the computers by using the Sony code to hide malware.
One of the most significant developments in rootkits is the use of virtualization features being built into computer hardware, enabling them to run multiple operating systems at the same time.
'The rootkit is running at a lower level,' Heasman said, and the lower it burrows, the more stealthy it can be.
Intel's VT-x virtualization extension already is supported by processors shipping in notebook PCs and will be available in desktop and server processors later this year. According to Dino Dai Zovi, principal with Matasano Security LLC, rootkit authors can use VT-x to install the malicious code that is inaccessible to the running operating system, hiding and controlling access to blocks on a disk.
As cyberattacks become more focused on financial gain rather than bragging rights, the ability to accurately target, hide and maintain a compromise is becoming more valuable to hackers. Heasman earlier this year described a proof-of-concept technique for placing a rootkit in a computer's BIOS, where it would be able to survive reboots, reinstallation of operating systems and even replacement of the hard drive.
Putting a rootkit in the BIOS would be difficult, requiring the hacker to burn new code onto the computer motherboard, and the code would have to be tailored to the specific chipset on the board. There are no known instances of a BIOS rootkit in the wild'at least for now, Heasman said.
'A few weeks after I gave the talk I found a link to a guy who had done a proof of concept for it,' he added.
Despite his interest in it, Heasman said he did not see the BIOS rootkit as a major vulnerability.
'You would have to do some work to turn it into a working rootkit that could be installed on a machine,' he said. 'I don't see that as a malware threat.'
But on the other hand, 'If people are using it, then it is unlikely to come to the public's knowledge. Just because there hasn't been public disclosure doesn't mean it hasn't been used.'
Heasman has been playing with the ability to use the Advanced Configuration and Power Interface specification for power management functions in most computers to copy data from the BIOS to the operating system.
'It continues to surprise me what you can do with it,' he said.
Another emerging area for rootkit development will be Microsoft's new Vista operating system
. Joanna Rutkowska, a senior researcher at COSEINC, a Singapore-based security company, demonstrated how to bypass policies allowing only digitally signed code to be loaded into the kernel of Vista Beta 2.
'It will be interesting to see Vista rootkits,' Heasman said.
William Jackson is a Maryland-based freelance writer.