Why rootkits mean you must nuke your machine
Summary: At Microsoft's IT Forum 2005 event in Barcelona this week, Windows programme manager Mike Danseglio explained the only reliable method of dealing with rootkits
Rootkits hit the news earlier this month when Mark Russinovich of Sysinternals noticed odd behaviour following installation of some digital rights management (DRM) software that shipped with a Sony music CD. What he found sparked a furore that saw Sony threatened with everything from boycotts to class action lawsuits, and system administrators totally reassigning their approach to users playing what had previously been widely seen as harmless music CDs on work computers.
Rootkits may have been around for many years on Unix systems, but the Sony DRM debacle has propelled them into the consciousness of many IT managers responsible for Windows computers.
At Microsoft's IT Forum 2005 event in Barcelona this week, Windows programme manager Mike Danseglio delved into the technical aspects of rootkits. ZDNet UK was there to report what he had to say, to find out what University of Michigan students get up to with rootkits, why the only way to recover an affected machine with any level of assurance is to nuke it, and what the future holds.
What is a rootkit?
A rootkit is not an attack vector on its own. It is not a virus, and it
is not a worm. It is a cloak or a disguise — something to hide
something else. For instance an attacker might want to use a rootkit to
put a virus on your system but doesn't want you to be able see that
virus.
Is a rootkit malware?
Most people think it is, but it is not always. A sys admin might want
to use a rootkit to hide something from the user, to monitor the system
in some way. I treat rootkits neutrally — I don't want to class them as
good or bad. You have to make your decision in each case.
The rootkit is not a virus, a worm, or a Trojan horse. It is just the code that hides something. Can it hide worms and spyware etc? Absolutely it can. The issue in the Sony DRM case is whether Sony properly disclosed that it is installing a rootkit on your system. And what Sony uses is a rootkit: it hides other things.
Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.
Talkback
"root" comes from root under Unix. The term doesn't even describe sony's code. A root kit installs over system programs and generally collects data for a hacker. Sony's program is simply a stealth program that uses traditional methods of hiding processes on Windows. Thats not a root kit. If it replaced the login program, or replaces the explorer program, it would be a rootkit. Key to a rootkit is the fact that it replaces a legitimate program with its own rendition which collects some data.
Yes, Sony's "rootkit" hides itself. But any program in windows can hide itself...it doesn't have to be root to do so, and it doesn't have to replace any program on the system to do so. It simply hooks the kernel dll calls and layers itself on top. This technique has been around since windows 3.0. But its not a rootkit.
otherwise it's quite good!