NOTA BENE

Notes, comment and buzz from Eugene Kaspersky – Official Blog

November 16, 2011

Rooting out Rootkits.

As you might guess from the title, today we’ll be talking about rootkits. At heart this is an interesting topic, but often that ‘heart’ is out of sight: in the press rootkits are rarely covered at all, and if they are the articles are filled with nothing but horror stories that have nothing in common with reality. There are of course many technical articles, but these don’t help the wider audience – the general public.

But the problem exists.

The majority of anti-virus software is making great strides towards protection from rootkits. But this isn’t necessarily a good thing, since not all of it does it properly. The ability to fight them first depends on, and is indicative of, the technological progressiveness and overall level of anti-malware expertise of the developer. And not all ‘developers’ are technologically progressive – so their so-called anti-rookit technologies aren’t up to scratch, leaving overall protection against rootkits around the world  lower than it could and should be. And let’s not forget that many botnets use rootkit technologies, and the ability to draw out this contagion is the best protection there is from cybercriminals.

So let’s go through all the salient points about rootkits in order.

We’ll start with the basics. What’s a rootkit?

First off, it’s not an extra-nasty form of malware, though it’s described as such in many a pop-article. A rootkit is simply technology designed to conceal the presence of software on a system – sadly normally malware. This camouflage is used to hide things like malware seizing system functions, changing access rights, locking files, manipulation of kernel objects and much more.

Interestingly, rootkits are not all bad/malicious. The degree of “badness” or “goodness” of a rootkit depends entirely on its author’s intentions. A bit like a kitchen knife – everything depends on how it’s used. It can be a useful home utensil for chopping vegetables, or it can be a lethal weapon. Some positive uses of rootkits are for example (at least for various media-producing industries) copyright protection systems (though it’s best not to keep such rootkits secret from users – as early on Sony BMG found out the hard way), and also emulators of different devices.

Despite the ‘good’ applications, it’s turned out that the general public has come to view this technology as a bad thing. A lot of malware (in fact, the most sophisticated and dangerous) indeed uses rootkits to hide itself from both the user and security software. For example, Stuxnet, TDSS, Sinowal and Rustock. The list goes on, and it’s very long.

For the history, classification and other technical details of rootkits, have a look at the Wikipedia page on them. I’d also recommend this overview article on the evolution of the technology. And let me take off from there.

Rootkits represent really dangerous technology. Several of them have even learned how to get around such elaborate systems of protection like Patch Guard and digitally signed drivers. I’ve no doubt that, to cyberscum, specialists in this field are worth their weight in gold. But it’s quite clear that there are very few true rootkit ‘specialists’ or rootkit ‘authorities’ out there. For example, McAfee’s superbly PR’ed  Shady RAT incident (behind which it was assumed stood a nation state) was deemed (not by me!) a crowning achievement in malware technology – but in fact it wasn’t even a rootkit!

Of course, to fight rootkits is not all together that simple. From the standpoint of integration in the operating system and the ability to control internal processes, rootkits are on an equal footing with anti-virus software! As a consequence, deleting rootkits, in particular disinfecting an infected computer, is no trivial task.

The confrontation takes place on three fronts – (i) detection of rootkit modules (prevention of infection); (ii) anti-virus self-defense (so that rootkits don’t take the anti-virus out of the memory); and (iii) full-frontal attack (exploitation of the rootkit’s imperfections to neutralize and delete it).

Kaspersky Lab general scan settings

The most unpleasant thing about rootkits is that now many anti-viruses in the fight against them confine themselves exclusively to detection. They simply add a checksum signature to the database, and in doing so permit detecting a rootkit only in an inactive state. At best they release a stand-alone utility for healing rootkits (as with the latest version of Norton). But what if the computer was already infected before the signature arrived? That’s right – up the creek without a paddle.

To detect with signatures, or, worse, to nick the detection from a neighbor via a multi-scanner, is no difficult feat requiring big brains. But to analyze sophisticated code, improve heuristics, develop generic detection on the whole rootkit family, intercept the malicious script, shut down the vulnerabilities in third-party software, and develop effective treatment – for this one needs both mega brains and mega expertise. For the cyberbaddies can be quite crafty – they can tweak a rootkit ever so slightly so it becomes undetectable by AV of inferior quality, while it opens up an entry point into your computer and allows the active infection to remain.

Recently the Anti-Malware.ru test center published the results of a very interesting test that illustrated the ability of different products to treat active rootkit infections. First, my congrats to our AMR (Anti-Malware Research) team. Keep up the great work! I’m very proud of the result, as well as with the progress compared with last year. Second, it’s easy to work out from the results who really carries out investigations, and who prefers to stick with checksum signatures to indulge different irrelevant tests. Third, the test and its results are a good excuse to say a few words about our anti-rootkit technology.

We have two of our own developed tools against rootkits.

The first is QScan – a universal pill against rootkits. The second is MARK – tailored for specific rootkits and their methods of camouflage. If QScan doesn’t cope with something, MARK comes running to its assistance, which conducts deep analysis in the memory and then returns the ‘patient’ back to QScan. Both technologies have loads of neat tricks up their sleeves. For example, QScan is able to get round a rootkit’s trick of disguising its files. QScan analyses the system registry files and assembles files sector-by-sector. I won’t go into any more detail – it gets way too complex. And then of course there would be all the know-how I’d be giving away (!), which is waiting in line patiently in the patent offices of different countries. The main thing though is the result: our products ahead of everyone on protection against rootkits!

We came up with MARK in 2008. QScan appeared a year later. Since then we’ve been constantly bettering them. Both technologies are part of our anti-malware engine and are present in our commercial (both consumer and corporate) products and free stand-alone utilities (for example the Virus Removal Tool).

Kaspersky virus removal tool

I think that as time passes the more sophisticated rootkits will get and the wider their application will be. Already we see old rootkits easily available for purchase on the black market for a few hundred dollars, which can be bolted easily onto malware. In the meantime the technology is evolving in parallel with the operating system. Rootkits have started to support 64-bit Windows (but no worries – we can catch them there too!), even despite the fact that in x64 versions they’ve improved the protection against various system intercepts and modifications. Plus the cyber-miscreants are already using bootkits (also being widely used by legit software), and BIOS-kits are already on the agenda.

IMHO, not to properly develop and progress in this field of malware – as do the majority of anti-virus companies – is wrong, short-sighted, and disrespectful to users. They get a false feeling of security: a Trojan can live ok and get along just fine on a computer ostensibly protected by a so-called effective anti-virus solution, and steal everything. Who needs that?

So just be careful with what you install on your computer.

comments 1 Leave a note

Muhammad Ahmad

My name is Ahmad and I am from Pakistan, I have tried kaspersky Internet security but uninstalled it because it slow down my system performance that is because I am using only 512 RAM. Now I am using ESET smart security latest version and it is working vey fast. But I am totally not relying on it because its malware detection is not so good as kaspersky is. That’s why I always use kaspersky virus removal tool to detect and remove viruses from my PC on weekly basis. I really like kaspersky virus removal tool due its high detection and best disinfection technology. It detects those silent malware that my ESET does not. I always use kaspersky to remove viruses from my friends PCs. My friends trust on me and I trust on Kaspersky!!

0
Reply to conversation
Trackbacks 3

Windows 8: We’re Ready Already | Nota Bene

Morris Worm Turns 25 | InsecureNet.info – The Insecure Web

I 25 anni del Worm Morris – Kaspersky Daily | Usiamo la Parola per Salvare il Mondo | Blog Ufficiale in italiano del Kaspersky Lab

Leave a note
April 28, 2015

Cool your boots, Japan.

Tired after a seemingly endless journey, the long-distance traveler normally resorts to some kind of body of water first in his/her attempt at winding down, chilling out a bit, and returning from zombie state to kinda normal state. Usually a shower, sometimes a bath – sometimes even a banya and its attendant cold pool! But […]

April 24, 2015

Singapore through the eyes of a first-timer.

Hi all! D.Z. – this is one of most distinguished and respected KLers, with us since last century (taking a brief creative break in the mid-2000s). D.Z. has also been my fellow traveler a d.z.illion times to… oh, practically everywhere on this planet – but surprisingly not to Singapore. He always takes with him a trusty […]

April 21, 2015

INTERNET-INTERPOL-2015.

I first used the term ‘Internet-INTERPOL’ somewhere around the start of the 2000s. The first time I got round to writing it down was in 2003. This year – 2015 – some 12 years later, finally, what I’ve been talking about, pushing for, advocating, promoting all these years is here: An INTERPOL division dedicated exclusively […]

April 17, 2015

On a plane to Singapore: the kino – very poor.

Hi all! Continuing a fave theme of mine here. No, not volcanoes; no, not cliffs; and no, not banya. Instead: planes, aeroplanes and airplanes… Recently we flew on an Internetted Singapore Airlines Boeing 777 to Changi. And the experience was… mixed.

April 1, 2015

Internet on a jet.

Back on the road again… Rather – up in the air. So I continue one of my fave, recurring themes – flying and planes and all that. 2015 kicked off with some serious avia action for me: I’m already on my 30th flight, having been up in the skies 130+ hours. Not that I’m complaining – […]

March 31, 2015

A hotel on the banks of the Colorado. Woh!

There are a great many beautiful and unusual towns and cities in the world, there are volcanoes, there are valleys and canyons, and islands and lakes. There are also of course rivers: loads of them – all different. There are the grandiose, like the super-wide Amazon with its adjacent jungles, anacondas, piranhas, crocodiles and other […]

More