How to Root Out Rootkits

If you want to know about the latest malicious rootkit, ask security researcher Dino Dai Zovi. He'll tell you all about his proof-of-concept rootkit called Vitriol that uses virtual machine instructions in Intel processors to hide a rootkit at the virtualization layer.

He presented this information at Black Hat 2006, the same conference at which Joanna Rutkowska demonstrated her Blue Pill virtual rootkit that exploited AMD processors.

The good news is that neither rootkit has shown up in the wild, and Dai Zovi says such a hack is not imminent. The bad news: Dai Zovi says these hacks haven't been unleashed on unsuspecting enterprise networks because existing rootkits are working so well that there's no need for hackers to develop these more devious attacks.

"If I'm an attacker and my user and kernel rootkits work 80% of the time, then why go create a virtual rootkit, which is infinitely harder to deploy?" asks Mike Dalton, CTO at Revelogic.

That's not to say hackers are resting on their laurels either. User- and kernel-level rootkits continue to get more insidious, burrowing deeper into enterprise networks, hiding themselves in the processor, and exploiting multi-processor systems for gaming-based hacks.

And, although it's hard to say how prevalent rootkits are because they're so darn hard to find, one need only look at the rate of rootkits being used in families of profit-driven malware -- most commonly to hide remote-controllers, keyloggers, spambots and gameware.
