Network Computing is part of the Informa Tech Division of Informa PLC


More Dangerous Rootkits May Lurk On Horizon

As the argument rages over whether rootkits can serve a useful purpose, new types of rootkits are emerging that require new methods of detecting and removing them.

Rootkits hide processes, files, and network connections and can be written to perform like a device driver on any operating system. Most people associate rootkits with the questionable practices of some of those who use them. They've carried a negative connotation ever since one was found in the software Sony shipped to protect the intellectual property on its artists' CDs.
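Hiding processes is the rootkit behaviour defenders most often look for, and the classic counter is cross-view detection: enumerate the same objects through two independent paths and treat anything visible in the lower-level path but missing from the higher-level one as a candidate for further inspection. The following is an added example, not code from the article or from HBGary; it assumes a Linux host (the `/proc` filesystem and the `kill(pid, 0)` existence probe are the two views) and uses a constructed pair of PID sets to exercise the comparison step:

```python
"""Cross-view detection of hidden processes (added example, assumes Linux).

Process-hiding rootkits typically tamper with the high-level enumeration
path (the directory listing of /proc, or the APIs built on it). A second,
lower-level view, probing every candidate PID with signal 0, is much
harder to falsify consistently. PIDs present in the low-level view but
absent from the high-level view are candidates for a hidden process.
"""
import os
from typing import Iterable, List, Set


def proc_view() -> Set[int]:
    """High-level view: PIDs exposed as numeric directory names under /proc."""
    if not os.path.isdir("/proc"):
        return set()
    return {int(name) for name in os.listdir("/proc") if name.isdigit()}


def _alive(pid: int) -> bool:
    """Existence probe: signal 0 delivers nothing but reports whether the PID
    exists. EPERM (another user's process) still proves it exists."""
    try:
        os.kill(pid, 0)
    except ProcessLookupError:
        return False
    except PermissionError:
        return True
    return True


def probe_view(max_pid: int) -> Set[int]:
    """Low-level view: every PID in 1..max_pid that answers the probe."""
    return {pid for pid in range(1, max_pid + 1) if _alive(pid)}


def cross_view_diff(high_view: Iterable[int], low_view: Iterable[int]) -> List[int]:
    """Pure comparison step: PIDs the low-level view sees that the
    high-level view omits. Kept separate so it can be tested offline."""
    return sorted(set(low_view) - set(high_view))


def find_hidden_pids(max_pid: int = 65536) -> List[int]:
    """Live check. Each candidate is re-verified: it must still be alive and
    its /proc/<pid> directory must still be absent. This discards two benign
    sources of noise: processes created or exited between the two
    enumerations, and thread IDs, which answer kill() but are listed only
    under /proc/<pid>/task (their direct /proc/<tid> path does resolve)."""
    if not os.path.isdir("/proc"):
        return []  # no high-level view available, nothing to compare against
    candidates = cross_view_diff(proc_view(), probe_view(max_pid))
    return [
        pid for pid in candidates
        if _alive(pid) and not os.path.exists(f"/proc/{pid}")
    ]


def own_pid_visible() -> bool:
    """Sanity check: the current process must appear in both views."""
    me = os.getpid()
    return me in proc_view() and me in probe_view(me)


if __name__ == "__main__":
    # Constructed views: the low-level view sees PID 4242 that the high-level view hides.
    print("constructed:", cross_view_diff({1, 2, 3}, {1, 2, 3, 4242}))
    print("live candidates:", find_hidden_pids())
```

A clean host yields an empty list; a non-empty result is a lead, not a verdict, since the probe ceiling and PID reuse both leave room for error, and a kernel-level rootkit that also hooks the signal path would evade this particular pair of views. That is the "functionality versus invisibility" tension the article goes on to describe: the more enumeration paths a rootkit must falsify consistently, the more code it needs and the more places it can be caught.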

But don't blame the technology. "A rootkit is not inherently malicious, although they are used for malicious purposes. The technology is separate from the intent," Greg Hoglund, CEO of software security service provider HBGary, said last week at the Software Security Summit in Baltimore.

Rootkits are difficult to detect, and new, more dangerous types may be on the horizon. Researchers at the University of Michigan and Microsoft published a paper in March describing virtual-machine based rootkits that can cloak malware that monitors and controls software-based virtual servers running on a hardware-based server. Whereas more conventional rootkits "are faced with a fundamental tradeoff between functionality and invisibility," a virtual-machine based rootkit can "completely hide all its state and activity from intrusion detection systems running in the target operating system and applications," the researchers reported. Virtual-machine based rootkits are more difficult to install than conventional malware and require a reboot before they can run.

One technique that's used to infiltrate systems with rootkits is to disguise them as printer drivers, which are generally not well managed, Hoglund says. In this manner, a rootkit carrying a malicious payload has a path straight into the system's kernel. Another technique is to install a rootkit using a USB-pluggable drive or via a PCM slot.
