Undetectable spyware?

Summary: Security researchers at Microsoft warned against the possible use of rootkits by spyware manufacturers, in a Computerworld article. This tactic would make spyware nearly impossible to detect and remove.

Security researchers at Microsoft warned, in a Computerworld article, that spyware manufacturers could start using rootkits. That tactic would make spyware nearly impossible to detect and remove. Rootkits, long a tool of hackers, have to be installed on a computer, which in practice means the intruder already has administrator-level control; once in place, a rootkit hides its files, processes and registry entries from the operating system and from the security tools that rely on it, so the intruder keeps that control unseen. The only way to be really sure you've removed a rootkit is to wipe the hard drive and reinstall from known-good media. But there have been no reported instances of spyware manufacturers using rootkits. The Microsoft researchers are, as academically inclined researchers often do, hypothesizing about what could happen. Considering the nastiness of some spyware installations I've seen, and how much more user-friendly rootkits have become, I wouldn't be surprised if this theory becomes reality.

Talkback

15 comments
  • The fact that...

    A RootKit can even function in Windows has to be considered a fundamental flaw in the design of the OS.
    BitTwiddler
    • Windows rootkits

      The problem isn't exclusive to Windows. But for the BSD and Linux users, I'm aware of tools to help find and eliminate rootkits.

      In Windows, I'm surprised MS would make this claim, since other anti-spyware and anti-virus vendors are listing many rootkits in their definition files. There may be some more advanced ones that are harder to identify/find; but this release sounds more like a cop-out by Microsoft, wanting to have an excuse for not building some functionality into their tools. Then they can try to make themselves look like heroes later when they "invent" (aka: reverse engineer or buy out) technology to locate and eliminate rootkits in Windows.
      ac2_z
      • LOL

        You're probably right :)

        It's called the "Scotty" method. Underpromise, overdeliver, and look like a hero :)
        BitTwiddler
    • Hmm...

      Since I had a friend have this happen to his Linux box, this statement must apply to Linux as well, eh?
      boomslang_z
      • 2 Questions.

        What the hell was your friend doing running as root.

        Where did he find spyware for Linux.

        Don't tell me he wasn't running as root, or an equivalently powered account, because that would be needed.
        nucrash
        • No it wouldn't

          [i]Don't tell me he wasn't running as root, or an equivalently powered account, because that would be needed.[/i]

          I don't run as root but I'm able to do things that only root can. When Linux pops up a dialog box saying "This action requires root privileges, please enter your password" (or something to that effect), I do it. Well, okay, I would think about it before I do what a computer program asks me to do but how many naive users would just blindly provide the root password every time they are asked? Simply because Linux defaults you to a non-root account doesn't mean that a naive user won't open the front door every time he/she is asked. At that point, *poof*, there goes your secure, unbreakable OS.
          NonZealot
          • Just goes to show...

            ...that there is no such thing as a user-proof OS. Or a user-proof anything else, for that matter...
            Real World
    • RE: The fact that...

      Wouldn't the Look2Me / VX2 variant be considered one of these rootkits? It's really a scary / nasty spyware bug that even runs in safe-mode. Which makes it even harder to remove

      ""A RootKit can even function in Windows has to be considered a fundamental flaw in the design of the OS.""
      ajapierce
  • The difference

    The difference between the virus writers and spyware makers who make rootkits is that the virus people remain anonymous. The adware/spyware people are identifiable. Of course the spyware FVCKS will still get no penalty or fine for the computers and internet they are destroying. It will just grow and grow. Why is the company making WinTools, TV Media spyware and CoolWebSearch still alive?? They REALLY should be closed down. Better Business Bureau? Consumer Privacy Rights Group? Anyone. Government? Anyone?.. Bueller? Spyware is getting some great rights in this world.
    MIS Master
    • Indeed

      [i]Why is the company making wintools TV Media spyware and coolwebsearch still alive[/i]

      I agree.

      My department manager came to me with problems on his home PC. I gave him HijackThis! and told him to run it and save a log file and bring it back to me.

      There were FOUR PAGES of registry modifications by the WinTools scumware.

      If ever someone was in need of a Chairman Mao, WinTools's creator is it.
      Hallowed are the Ori
  • Try this little app on for size

    [url=http://www.sysinternals.com/ntw2k/freeware/rootkitreveal.shtml]RootKitRevealer[/url] - It uses a clever way to expose Kernel level rootkits in Windows.
    toadlife
    • Thanks!

      Good find. I'll pass that around the office.
      Real World
    • Excellent web site!!!!

      Thanks, TL.
      tldwg04011
    • Removal

      Thanks for the tip. I downloaded and ran RootkitRevealer and it looks like I have a problem. The program reported the following:

      C:\$AttrDef 3/16/2004 3:59 AM 2.50 KB Hidden from Windows API.
      C:\$BadClus 3/16/2004 3:59 AM 0 bytes Hidden from Windows API.
      C:\$BadClus:$Bad 3/16/2004 3:59 AM 32.01 GB Hidden from Windows API.
      C:\$Bitmap 3/16/2004 3:59 AM 6.93 MB Hidden from Windows API.
      C:\$Boot 3/16/2004 3:59 AM 8.00 KB Hidden from Windows API.
      C:\$Extend 3/16/2004 3:59 AM 0 bytes Hidden from Windows API.
      C:\$Extend\$ObjId 3/16/2004 3:59 AM 0 bytes Hidden from Windows API.
      C:\$Extend\$Quota 3/16/2004 3:59 AM 0 bytes Hidden from Windows API.
      C:\$Extend\$Reparse 3/16/2004 3:59 AM 0 bytes Hidden from Windows API.
      C:\$LogFile 3/16/2004 3:59 AM 64.00 MB Hidden from Windows API.
      C:\$MFT 3/16/2004 3:59 AM 69.53 MB Hidden from Windows API.
      C:\$MFTMirr 3/16/2004 3:59 AM 4.00 KB Hidden from Windows API.
      C:\$Secure 3/16/2004 3:59 AM 0 bytes Hidden from Windows API.
      C:\$UpCase 3/16/2004 3:59 AM 128.00 KB Hidden from Windows API.
      C:\$Volume 3/16/2004 3:59 AM 0 bytes Hidden from Windows API.

      3/16 is right about the time I got this computer a year ago. So now what?? From what I've gathered the only way to remove such malware is to reformat my hard drive (which is actually a RAID 0 setup so hopefully that's not too tough, I've never tried it before). Apart from using a firewall (which apparently doesn't do a lot of good if someone knows what they're doing), using the Firefox browser, suppressing attachments and graphics in e-mails, and being careful about trojaned executables, what can you do to protect yourself?

      And while we're at it why doesn't everyone know about this? Scary 21st century possibilities if we're going to become more and more reliant on these things.
      Vincero
    • Follow-up

      Forgot to ask: does anyone know of any way to ascertain the recipient (i.e., computer, ISP) of the information harvested by rootkit spyware? Some way to gather evidence as to the culprit(s) would sure be nice (and probably wishful thinking).
      Vincero
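The "Removal" comment above pastes a RootkitRevealer report and asks what to do with it. Every entry in that paste is an NTFS metafile from the volume root ($MFT, $Bitmap, $LogFile and so on); the Win32 file API never lists those, so a scanner that compares the API view with the raw on-disk view reports all of them as hidden on every NTFS volume. The triage script below is an added example, not code from the original page, from Sysinternals or from any commenter. It parses report lines in the column layout visible in the paste (an assumption), sets aside the metafile noise, and leaves anything else as a finding to investigate. The sample report is constructed from the fifteen quoted lines plus two invented entries (a driver file and a service key with placeholder names) of the kind a rootkit hooking the file and registry APIs would produce.

```python
"""Triage RootkitRevealer-style output: separate the NTFS metafiles that are
always reported as hidden from entries that actually warrant investigation.
Added example; the column layout is assumed from the lines quoted in the
thread, and the sample report is constructed."""
import re
from typing import Dict, List, Optional

# NTFS metafiles present in the root of every NTFS volume. The Win32 file API
# never lists them, so a cross-view scanner that diffs the API view against the
# raw on-disk view reports every one of them as "Hidden from Windows API".
# Seeing these, and only these, is the normal result on a clean volume.
NTFS_METAFILES = frozenset({
    "$AttrDef", "$BadClus", "$Bitmap", "$Boot", "$Extend", "$LogFile",
    "$MFT", "$MFTMirr", "$Secure", "$UpCase", "$Volume",
})

# Assumed layout: <path> <m/d/yyyy> <h:mm AM|PM> <size unit> <description>
# The path is matched lazily so that paths containing spaces still parse.
LINE_RE = re.compile(
    r"^(?P<path>.+?)\s+(?P<date>\d{1,2}/\d{1,2}/\d{4})\s+"
    r"(?P<time>\d{1,2}:\d{2} [AP]M)\s+"
    r"(?P<size>\d+(?:\.\d+)? (?:bytes|KB|MB|GB))\s+"
    r"(?P<desc>.+?)\.?$"
)


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Return the parsed columns of one report line, or None if it is not a finding."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def is_ntfs_metafile(path: str) -> bool:
    """True if the path is a volume-root NTFS metafile, one of its $-named
    children, or a named stream of one (e.g. "C:\\$BadClus:$Bad")."""
    parts = path.split("\\")
    if len(parts) < 2 or not re.fullmatch(r"[A-Za-z]:", parts[0]):
        return False                        # registry keys and relative paths never qualify
    first = parts[1].split(":", 1)[0]       # strip a stream name such as ":$Bad"
    return first in NTFS_METAFILES and all(p.startswith("$") for p in parts[2:])


def triage(report: str) -> Dict[str, List[str]]:
    """Split report lines into expected metafile noise, suspect entries and unparsed lines."""
    result: Dict[str, List[str]] = {"expected": [], "suspect": [], "unparsed": []}
    for raw in report.splitlines():
        if not raw.strip():
            continue
        entry = parse_line(raw)
        if entry is None:
            result["unparsed"].append(raw.strip())
        elif entry["desc"] == "Hidden from Windows API" and is_ntfs_metafile(entry["path"]):
            result["expected"].append(entry["path"])
        else:
            result["suspect"].append(f'{entry["path"]} ({entry["desc"]})')
    return result


# Constructed sample: the fifteen lines quoted in the thread, followed by two
# invented entries (placeholder names) that a file/registry-hooking rootkit
# would typically produce and that should not be dismissed.
SAMPLE_REPORT = r"""
C:\$AttrDef 3/16/2004 3:59 AM 2.50 KB Hidden from Windows API.
C:\$BadClus 3/16/2004 3:59 AM 0 bytes Hidden from Windows API.
C:\$BadClus:$Bad 3/16/2004 3:59 AM 32.01 GB Hidden from Windows API.
C:\$Bitmap 3/16/2004 3:59 AM 6.93 MB Hidden from Windows API.
C:\$Boot 3/16/2004 3:59 AM 8.00 KB Hidden from Windows API.
C:\$Extend 3/16/2004 3:59 AM 0 bytes Hidden from Windows API.
C:\$Extend\$ObjId 3/16/2004 3:59 AM 0 bytes Hidden from Windows API.
C:\$Extend\$Quota 3/16/2004 3:59 AM 0 bytes Hidden from Windows API.
C:\$Extend\$Reparse 3/16/2004 3:59 AM 0 bytes Hidden from Windows API.
C:\$LogFile 3/16/2004 3:59 AM 64.00 MB Hidden from Windows API.
C:\$MFT 3/16/2004 3:59 AM 69.53 MB Hidden from Windows API.
C:\$MFTMirr 3/16/2004 3:59 AM 4.00 KB Hidden from Windows API.
C:\$Secure 3/16/2004 3:59 AM 0 bytes Hidden from Windows API.
C:\$UpCase 3/16/2004 3:59 AM 128.00 KB Hidden from Windows API.
C:\$Volume 3/16/2004 3:59 AM 0 bytes Hidden from Windows API.
C:\WINDOWS\system32\drivers\example-hidden.sys 3/16/2005 1:12 AM 12.50 KB Hidden from Windows API.
HKLM\SYSTEM\CurrentControlSet\Services\example-hidden 3/16/2005 1:12 AM 0 bytes Hidden from Windows API.
"""

if __name__ == "__main__":
    summary = triage(SAMPLE_REPORT)
    print(f"expected NTFS metafile entries: {len(summary['expected'])}")
    for item in summary["suspect"]:
        print("INVESTIGATE:", item)
```

Run against the paste from the thread alone, the script reports fifteen expected entries and nothing to investigate; the two constructed lines show what a real finding looks like: a path outside the metafile set, or a registry key, that the Windows API view is missing. A discrepancy of that kind still needs confirmation from a trusted view (an offline scan of the disk from boot media) before wiping, since the report only proves that two views disagree, not which driver made them disagree.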