NOW READ THIS
("Security Advisory")



Submitted by: Bill Hickey
NCVA List Master

NRT-0110 Traditional Security Software Ineffective Against Sophisticated Rootkits:


Some security experts are saying that Trojan, spam, and malware protection software cannot adequately prevent system compromises by increasingly sophisticated rootkits. Rootkits are used to conceal the presence of Trojans, hacker backdoors, and botnets by cloaking their files and processes, which they do by modifying the output of common operating system routines. A hacker typically installs one after first obtaining user-level access by exploiting a known vulnerability; the rootkit then grants admin access to the system. Rootkits can be classified in four ways:

  1. kernel-mode, which intercept kernel interface calls and alter OS kernel data to conceal rootkits from process lists;
  2. persistent, which use the system registry to execute on boot;
  3. user-mode, which can use keyloggers and infect or masquerade as OS commands;
  4. memory-based, which rely on manual user execution to operate.

The most dangerous rootkits arrive through unpatched vulnerabilities in common applications. "Rootkits are being dynamically inserted on the fly, which means they can sit invisibly in a web page's source code using a Windows cloaking function, and download onto your machine without raising any attention because they disable download warnings and spyware applications from flagging them," said a security analyst, who argues that even trusted platform module (TPM) chips are useless against advanced rootkits.

Infection by on-the-fly rootkits depends on whether a browser's security module allows manipulation of the operating system, and once on a system, they permanently compromise all its files because of rootkit backups. "You can clean up after a rootkit by re-imaging, but you can't ever trust it because it compromises parts of the system that everything is tied to."

"There will never be a universal rootkit detector; however, the most powerful alternatives will be online-offline comparison scanners that integrate with anti-virus programs," said one analyst. "At the moment, traditional security applications are as useful as a wooden frying pan."
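One way to build the online-offline comparison scanner the analyst describes, as an added example that is not part of the original advisory or the Computerworld article: take a file manifest from trusted offline media, take another through the running system's own file API, and report what the live view hides or has altered. The paths and hashes in the sample views are constructed placeholders.

```python
import hashlib
import os
from dataclasses import dataclass, field


@dataclass
class CrossViewReport:
    hidden: set = field(default_factory=set)      # in offline view, absent from live view
    modified: set = field(default_factory=set)    # same path, different content hash
    unexpected: set = field(default_factory=set)  # in live view, absent from offline view


def build_manifest(root):
    """Walk a directory tree and record the SHA-256 of each regular file.
    Run once from trusted offline media (the 'offline' view) and again on the
    running system through the normal file API (the 'online' view)."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                manifest[os.path.relpath(path, root)] = hashlib.sha256(fh.read()).hexdigest()
    return manifest


def cross_view_diff(offline_view, online_view):
    """Compare the two manifests. A file the offline view sees but the live
    API does not is the signature of cloaking; a hash mismatch on a system
    binary points at a modified or masqueraded OS command."""
    report = CrossViewReport()
    for path, digest in offline_view.items():
        if path not in online_view:
            report.hidden.add(path)
        elif online_view[path] != digest:
            report.modified.add(path)
    report.unexpected = set(online_view) - set(offline_view)
    return report


# Constructed sample views (paths and hashes are placeholders, not real digests).
OFFLINE_VIEW = {
    "system32/ntoskrnl.exe": "h-kernel-clean",
    "system32/tasklist.exe": "h-tasklist-clean",
    "system32/drivers/cloak.sys": "h-cloak",  # visible only when scanned offline
}
ONLINE_VIEW = {
    "system32/ntoskrnl.exe": "h-kernel-clean",
    "system32/tasklist.exe": "h-tasklist-patched",  # process-listing tool altered
}

if __name__ == "__main__":
    r = cross_view_diff(OFFLINE_VIEW, ONLINE_VIEW)
    print("hidden:", sorted(r.hidden), "modified:", sorted(r.modified), "unexpected:", sorted(r.unexpected))
```

A clean system yields an empty report; in practice the offline manifest must come from media the running kernel never touched, or the comparison inherits the same cloaked view.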

(www.computerworld.com 30MAR07)



Last Modified: Sunday, 08-Apr-2007 13:47:19 EDT