Security firms develop anti-rootkit tools

Trend eyes network for rootkit protection
Written by Munir Kotadia, Contributor

Antivirus firms Trend Micro and Sophos have developed new tools to discover rootkit infections but both are attacking the problem from a slightly different angle.

Rootkits are powerful programs that alter the kernel of an operating system, which allows them to hide certain files or applications from the underlying OS. In April, antivirus firm McAfee said the number of rootkits found by its emergency response team in the first quarter of 2006 had increased by 700 percent compared to the same period in 2005.

Australia's Computer Emergency Response Team (AusCERT) claims that once a rootkit has been installed on a PC "re-installation of the operating system from the original installation media is the only way to be confident that all traces of the malware have been removed".

In an interview with ZDNet Australia in Sydney on Tuesday, Trend Micro's CTO David Rand admitted that traditional antivirus applications are useless against PCs that have been compromised by a "properly designed rootkit".

Rand said the best method of defence against such a threat is to avoid infection in the first place: "If you have got a rootkit on your machine then all bets are off ... a properly designed rootkit cannot be detected and cannot be removed by any host level software."

"Ultimately we need to change how we are doing the analysis. We are trying to elevate it to look at the behaviour of machines," he said. "We are going to look at the network level for the behaviour -- you can't do that from the host. One of the reasons you can't do that is because of the rootkit."

"What we are trying to do is prevent the introduction of that code in the first place," said Rand, who suggested that the most effective method of discovering unknown threats -- including rootkits -- is by scanning PCs for suspicious behaviour from the network level.

Rival security vendor Sophos on Wednesday unveiled a free tool that can scan computers for suspicious processes.

Rob Forsyth, managing director of Sophos APAC, told ZDNet Australia that the anti-rootkit tool is able to spot rootkit activity rather than the actual rootkit.

"[Sophos Anti-Rootkit] doesn't per se reveal the rootkit but it says 'I have discovered a process that was attempting to hide itself, therefore that is bad'. It approaches the problem in a different way.

"If a rootkit exists it will spot the processes that are hidden rather than having to reveal the rootkit itself. Then it can backtrack and discover the actual rootkit itself," said Forsyth.
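The approach Forsyth describes, spotting processes that are hidden from the operating system's own listing rather than looking for the rootkit itself, is usually implemented as a cross-view comparison: enumerate processes through the normal interface, enumerate them again through a lower-level path, and flag anything that only the lower-level view can see. The following is an added illustration in Python for Linux, not code from Sophos or Trend Micro; the function and variable names are the author's own.

```python
"""Cross-view hidden-process check (added example, not a vendor tool).

High-level view : PIDs and thread IDs listed under /proc, which a rootkit
                  that filters directory listings would tamper with.
Low-level view  : every PID probed with kill(pid, 0), a call that only
                  tests for existence and is harder to filter consistently.
Anything alive in the low-level view but absent from /proc is suspicious.
"""
import os


def procfs_view():
    """Return every PID and thread ID visible through /proc.

    Thread IDs are included deliberately: kill(tid, 0) succeeds for a
    thread, so omitting /proc/<pid>/task would produce false positives."""
    seen = set()
    for name in os.listdir("/proc"):
        if not name.isdigit():
            continue
        seen.add(int(name))
        try:
            seen.update(int(t) for t in os.listdir(f"/proc/{name}/task"))
        except FileNotFoundError:
            pass  # process exited between the two listdir calls
    return seen


def probe_view(max_pid=None):
    """Return every PID that exists according to kill(pid, 0).

    PermissionError also proves existence: the kernel found the process
    and only refused to let us signal it."""
    if max_pid is None:
        with open("/proc/sys/kernel/pid_max") as f:
            max_pid = int(f.read())
    alive = set()
    for pid in range(1, max_pid + 1):
        try:
            os.kill(pid, 0)
            alive.add(pid)
        except ProcessLookupError:
            continue
        except PermissionError:
            alive.add(pid)
    return alive


def hidden_pids(listed, probed, recheck=lambda pid: True):
    """PIDs in the low-level view that the high-level view does not show.

    `recheck` is called on each candidate so a caller can re-probe it and
    drop processes that simply exited between the two enumerations."""
    return {pid for pid in probed - listed if recheck(pid)}
```

Running `hidden_pids(procfs_view(), probe_view())` on a live Linux host should normally return an empty set; a non-empty result is the "process attempting to hide itself" signal the article describes and warrants offline inspection of the machine rather than trusting host-level tools.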

Although both Sophos and Trend Micro seem to be trying to detect rootkits in a similar fashion -- by identifying suspicious behaviour -- Trend is looking at the problem from a network level.

Trend Micro claims the best way to protect desktops against rootkits is from the network layer -- not from the desktop, where traditional antivirus applications usually reside.

Trend Micro's Rand hinted that a new product being developed by the company, which will be unveiled in the coming months, will rely on network-based scans rather than client-based protection.

"The ability to look at the behaviour of network elements I think is going to be critical in the future to secure the infrastructure ... it is a departure in thinking from protecting a given computer to protecting an environment.

"I think you will see some very interesting products from us in the next few months," he said.

Protecting embedded OSs and non-Windows systems
Another advantage of network-based scanning, according to Rand, is that it is able to protect non-PC clients running operating systems such as Unix, Linux, OS X as well as embedded operating systems.

"We also see attacks against things like print servers ... service equipment like oscilloscopes and logic analysers -- which run various versions of Windows. In many cases these pieces of hardware are un-upgradeable. You cannot upgrade them or change the code.

"Anything we do on a network level will be applicable to many different platforms," he added.
