
Mark Russinovich on rootkits in commercial software

What commercial software uses rootkits or rootkit-like technology? I guess it depends on how you define a rootkit.
Written by Suzi Turner, Contributor

What commercial software uses rootkits or rootkit-like technology? I guess it depends on how you define rootkits. Mark Russinovich of Sysinternals (he's the programmer who brought the Sony DRM rootkit into the light of day) discusses commercial software using rootkit technology. In the talkbacks on a previous post, several people disagreed with my use of the terms rootkit and rootkit technology to describe Symantec's recently publicized practice of hiding, or cloaking, the Norton Protected Recycle Bin.

In his most recent blog post, Russinovich gives his definition of "rootkit" and discusses whether or not the use of cloaking is ever justifiable. Russinovich was recently quoted as saying:

When you use rootkit-type techniques, even if your intentions are good, the user no longer has full control of the machine. It's impossible to manage the security and health of that system if the owner is not in control.

In his blog, Russinovich discusses whether or not Symantec's cloaking should be classified as a rootkit and gives his own definition:

Software that hides itself or other objects, such as files, processes, and Registry keys, from view of standard diagnostic, administrative, and security software.

Russinovich notes the dangers associated with cloaking techniques and the technical problems that can result. Full read here.

On a related note, Kaspersky's use of alternate data streams (ADS) in their antivirus program was also mentioned as rootkit technology by Russinovich and quoted in a PCWorld.com article.

At the Viruslist Analyst's Diary, Eugene Kaspersky explains their iStreams technology, used to speed up scanning, and why it's not a rootkit. I have KAV Personal on one computer and the first time I ran Rootkit Revealer, I almost fainted because it found over 120,000 files, all named KAVICH. I immediately looked up KAVICH and found that it was not malware, but I was quite dismayed to think if I did have a rootkit, I'd have to wade through more than 120,000 results to find it. For my new computer, after uninstalling the pre-installed trial of Norton Internet Security (another subject for another blog), I installed Kaspersky Personal Pro, which has the option of not using the iStreams technology. Kaspersky says the next version will not use iStreams.
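The 120,000-hit problem above is really a triage problem: every file carrying the vendor's stream shows up as a separate result. As an added example (not from the article, Sysinternals or Kaspersky), this PowerShell script enumerates NTFS alternate data streams under a directory, summarizes them by stream name, and separates streams whose name is known and documented (the KAVICH name quoted in the post is used as the example) from everything else; the scan root and the output path are assumptions.

```powershell
# Added example: summarize alternate data streams so a documented vendor stream
# can be set aside and only the unexpected ones need a closer look.
param(
    [string]$Path = 'C:\Users',             # assumption: directory tree to inspect
    [string[]]$KnownStreams = @('KAVICH')   # stream names a vendor documents (KAVICH is the name from the post)
)

# Get-Item -Stream * lists every stream on a file; ':$DATA' is the ordinary
# file content and is skipped so that only the alternate streams remain.
$streams = Get-ChildItem -Path $Path -Recurse -File -Force -ErrorAction SilentlyContinue |
    ForEach-Object {
        Get-Item -LiteralPath $_.FullName -Stream * -ErrorAction SilentlyContinue |
            Where-Object { $_.Stream -ne ':$DATA' }
    }

# One row per distinct stream name: how many files carry it, how many bytes,
# and whether it is on the documented list. 120,000 KAVICH hits become one row.
$summary = $streams | Group-Object -Property Stream | ForEach-Object {
    [pscustomobject]@{
        Stream = $_.Name
        Files  = $_.Count
        Bytes  = ($_.Group | Measure-Object -Property Length -Sum).Sum
        Known  = $KnownStreams -contains $_.Name
    }
} | Sort-Object -Property Files -Descending

$summary | Format-Table -AutoSize

# Streams that are NOT documented are the ones worth reviewing; write them out
# with their file, stream name and size for follow-up.
$streams | Where-Object { $KnownStreams -notcontains $_.Stream } |
    Select-Object -Property FileName, Stream, Length |
    Export-Csv -Path (Join-Path $env:TEMP 'unexpected-ads.csv') -NoTypeInformation
```

This only sees what the Windows file system API reports, which is exactly the layer a cloaking driver of the kind Russinovich describes would filter; RootkitRevealer finds hidden objects by comparing that API view against the raw on-disk structures, so a listing like this complements it rather than replacing it.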
