Have rootkits defeated the security industry?

Have rootkits defeated the security industry?

Summary: Rootkits, which alter the kernel of an operating system and allow malicious code to hide from security software, seem to have stumped the security industry.


Rootkits, which alter the kernel of an operating system and allow malicious code to hide from security software, seem to have stumped the security industry.

Earlier this week, I managed to grab the general manager of AusCERT, Graham Ingram, for a short video interview.

Among other subjects, I asked him about rootkits, and how the security industry was going to deal with them in the future.

His answers should send chills down the spine of any chief security officer.

In this video, he said: "Zero-day exploits allow the infection to get on the machine in the first place. Then you invoke some sort of kernel-mode rootkit, where the ability to detect or remove it is severely limited.

"It is going to be a very difficult future that we face," said Ingram.

I mention Haxdoor, which is a particularly nasty trojan that uses rootkit technology. It first appeared more than a year ago and Ingram claims that modern attacks have got better -- or worse, depending on your point of view.

In a previous blog entry, this is what I wrote about Haxdoor:

According to AusCERT, Haxdoor spreads via e-mail and uses rootkit technology to hide from security applications. When it was first released, it was undetectable by most antivirus software because it was almost certainly tested against the most popular brands.

So how could you tell if you were affected? The simple answer is, you couldn't.

On its Web site, AusCERT warned that "due to the stealthing (rootkit) and antivirus disabling capabilities of this malware, a clean scan with an antivirus product may not guarantee that you are free from infection".

So even if you had an updated antivirus product, once Haxdoor has installed a rootkit and hidden behind it, AusCERT advised that "re-installation of the operating system from the original installation media is the only way to be confident that all traces of the malware has been removed".


Munir Kotadia

About Munir Kotadia

Munir first became involved with online publishing in 1998 when he joined ZDNet UK and later moved into print publishing as Chief Reporter for IT Week, part of ZDNet UK, a weekly trade newspaper targeted at Enterprise IT managers. He later moved back into online publishing as Senior News Reporter for ZDNet UK.

Munir was recognised as Australia's Best Technology Columnist at the 5th Annual Sun Microsystems IT Journalism Awards 2007. In the previous year he was named Best News Journalist at the Consensus IT Writers Awards.

He no longer uses his Commodore 64.

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.


Log in or register to join the discussion
  • And how exactly is this new ?

    "Rootkit"... ROOT kit...a "kit" that gives you "root". This is a *nix term and has been around for years.

    What they're really saying is they're stumped by WINDOWS "rootkits". Personally I'm amazed that it took so long to port them to windows anyway. Think about it....windows security was (is) so bad for so long that it wasn't worth the effort of writing a Windows rootkit when much simpler code was all that was needed to pwn the Windows box. Now it takes SLIGHTLY more effort in some cases, hence the advent of rootkits for Windows. This suggests that the best Windows security is only now scraping up to the lower levels of *nix security.
    As for the "reinstallation from known good media" bit...duhhhhhhh.....once your box is compromised then you can't trust the system binaries so yeah..complete wipe and re-install of the whole disk is the only way to go...
    Hello Windows - Security World, welcome to 1991 !
  • Rootkits in Corporate Espionage

    Here is a blog entry called "Rootkits in Corporate Espionage" from antirootkit.com that shows how Corporations with a lot at stake can use rootkits. http://www.antirootkit.com/blog/2006/11/30/rootkits-in-corporate-espionage/
    Because it may be an individual within a corporation that is targetted via a zero day vulnerability and using a new rootkit, it will be by luck that it would be found.
  • Do we need to say more...


  • Welcome to 2005

    This is not news. The University of Minnesota has been requiring reinstallation for all virus infections on student-owned computers since Microsoft confirmed the intractible nature of rootkit infections in the spring of '05. I'm glad you guys are writing about it, but the fact of the matter is that once a machine is infected, it isn't _worth your time_, much less the risk, to do anything BUT reinstall. We don't rely on desktop scans to identify compromised hosts, but use network monitoring tools that alert us to the computerized equivalent of a guy walking down the street, trying to open every car door.
  • re-install will fail too

    Beneath the newly re-formatted hard disk drive
    is the hardware mapped bad sectors marked
    unavailable. Marking a chunk of disk space as
    'bad' means only that the operating system and
    all software tools cannot fix what it cannot access
    portions of the spinning platters. A linked list of
    several gigabytes can exist without knowing it is

    Use of unmapped disk space as unavoidable
    and perhaps impossible to prevent