Have rootkits defeated the security industry?

Rootkits, which alter the kernel of an operating system and allow malicious code to hide from security software, seem to have stumped the security industry.

Earlier this week, I managed to grab the general manager of AusCERT, Graham Ingram, for a short video interview.

Among other subjects, I asked him about rootkits, and how the security industry was going to deal with them in the future.

His answers should send chills down the spine of any chief security officer.

In this video, he said: "Zero-day exploits allow the infection to get on the machine in the first place. Then you invoke some sort of kernel-mode rootkit, where the ability to detect or remove it is severely limited.

"It is going to be a very difficult future that we face," said Ingram.

I mention Haxdoor, which is a particularly nasty trojan that uses rootkit technology. It first appeared more than a year ago and Ingram claims that modern attacks have got better -- or worse, depending on your point of view.

In a previous blog entry, this is what I wrote about Haxdoor:

According to AusCERT, Haxdoor spreads via e-mail and uses rootkit technology to hide from security applications. When it was first released, it was undetectable by most antivirus software because it was almost certainly tested against the most popular brands.

So how could you tell if you were affected? The simple answer is, you couldn't.

On its Web site, AusCERT warned that "due to the stealthing (rootkit) and antivirus disabling capabilities of this malware, a clean scan with an antivirus product may not guarantee that you are free from infection".

So even if you had an updated antivirus product, once Haxdoor has installed a rootkit and hidden behind it, AusCERT advised that "re-installation of the operating system from the original installation media is the only way to be confident that all traces of the malware has been removed".