Rootkits galore: part I

If anything good has come from the Sony DRM rootkit debacle, it's an increased awareness of the peril of rootkits. How many people knew what a rootkit was? Or heard of a rootkit? Outside of security circles, not many. If you're still not sure what a rootkit is, here's a definition from Wikipedia:

A rootkit is a set of software tools frequently used by a third party (usually an intruder) after gaining access to a computer system. These tools are intended to conceal running processes, files or system data, which helps an intruder maintain access to a system without the user's knowledge. Rootkits are known to exist for a variety of operating systems such as Linux, Solaris and versions of Microsoft Windows.

In anti-spyware/malware circles, rootkits have been noted to be on the rise in recent months. In May, eWeek discussed the use of rootkits with trojans, in particular the Rbot backdoor-trojan-virus-worm. Take your pick; it's been called all of those by antivirus and security vendors. In June, CoolWebSearch (CWS) infections were being found in conjunction with rootkits. Since then the use of rootkit technology with spyware and adware has been seen with increasing frequency. With remote control trojans like Rbot, the rootkit is used to hide the presence of malware so the attacker can take control of the machine and do evil deeds without detection. With spyware and adware, the rootkit serves to keep the computer infected longer and make the spyware more difficult to remove. If the infected machine is spawning frequent pop-ups and the user is clicking them, the affiliate behind that installation, along with all the members of the financial chain (see Spyware tricks: follow the money trail), is making a few cents with each click. It's easy to see the motivation, especially if the number of infected machines is in the thousands or hundreds of thousands. A rootkit in conjunction with spyware/adware/trojans/keyloggers that are stealing passwords and confidential information could be quite lucrative for the perpetrators.

The recent incident of a botnet generating big cash was not noted to use rootkit technology, but it serves as an example of how money is made through the use of backdoors/trojans controlling machines. In this case a Los Angeles man was arrested for infecting nearly half a million machines with the rxbot trojan and turning them into a network of bots to disseminate adware that caused pop-ups and thereby brought him a generous income. Spyware pushers at Enternet Media were recently busted by the FTC for their deceptive practices used to distribute and install SearchMiracle/Elitebar, known to use rootkit technology to hide.

We also saw the AOL Instant Messenger attack using a rootkit and backdoor, along with adware. Now this is really dirty business. Speculation was that the adware was used as a decoy to help distract the victim from noticing the trojan/rootkit and attribute machine malfunctions to the adware. See The art of stealth, using a 16-wheel juggernaut.

Now Facetime, the same company that made that gruesome discovery, has found an even more disturbing situation: the rootkit-powered botnet. Press release here. If that isn't bad enough, this rootkit-trojan combo has been found to have ties with a world-wide network of bots controlled by a group in the Middle East. Technical details of the infection can be found in the Facetime press release and on Wayne Porter's blog at ReveNews. Remember the file names "lockx.exe" and "ster.exe". The case has been turned over to the FBI for investigation, so not much information is available at present, but I expect this will be a huge story and likely the most widespread malicious use of rootkit technology yet.

This is planned to be a series of posts on rootkits. There is a lot more to talk about, including rootkit technology, real world examples of rootkit infections seen in spyware removal help forums, rootkit detection tools, known rootkits and rootkit authors, and what to do if you are infected with a rootkit.

ZDNet's Matt Loney's article here has a lot of good information about rootkits and why flatlining a rootkit-infected machine may be the only reasonable course of action. However, I vehemently disagree with the statements in this paragraph:

Is a rootkit malware?
Most people think it is, but it is not always. A sys admin might want to use a rootkit to hide something from the user, to monitor the system in some way. I treat rootkits neutrally. I don't want to class them as good or bad. You have to make your decision in each case.

We've already seen the attempts to legitimize adware. Are we going to legitimize the use of rootkits next?

Read about the Department of Homeland Security official's comments on Sony's use of the DRM rootkit.

"I wanted to raise one point of caution as we go forward, because we are also responsible for maintaining the security of the information infrastructure of the United States and making sure peoples' [and] businesses' computers are secure. ... There's been a lot of publicity recently about tactics used in pursuing protection for music and DVD CDs in which questions have been raised about whether the protection measures install hidden files on peoples' computers that even the system administrators can’t find."

In a remark clearly aimed directly at Sony and other labels, Stewart continued: "It's very important to remember that it's your intellectual property -- it's not your computer. And in the pursuit of protection of intellectual property, it's important not to defeat or undermine the security measures that people need to adopt in these days."

There is a very grave and inherent danger in the use of rootkit technology and an even greater danger in considering it "neutral". More to come next time.