Rootkits and Viruses Partner Up
Danger level: High | Likelihood: Medium | Target: Windows users
Rootkits are a malware inventor's dream: They allow worms, bots, and other malevolent software to hide in plain sight. The files don't show up in Windows Explorer, the running processes don't display in the Task Manager, and many current antivirus programs can't find rootkit-hidden malware, which is precisely why malware writers increasingly use them to hide malicious apps.
When news broke last November that some Sony music CDs installed rootkit software to hide copy-protection files, gleeful online crooks were quick to follow with malware that exploited Sony's creation to hide their own programs. Sony's software masked any files or running processes that began with "$sys$", so the opportunistic malware writers changed their file names accordingly.
In March, Spain-based antivirus maker Panda Software reported finding variants of the virulent Bagle worm equipped with rootkit functionality. Worse, like producers of botnet programs, rootkit software makers sell tools or give away free ones, so it's even easier for malware authors to build rootkit functionality directly into long-standing software strains like Bagle, or into brand-new malicious creations.
Even as opportunistic criminals use existing rootkits, chilling new possibilities for the software are emerging. For example, security firm eEye discovered it was possible for crooks to hide files in the boot sector of the hard drive. And in January, John Heasman, security consultant for Next-Generation Security Software, announced that rootkits could hide malicious code within a PC's BIOS by using functions in the BIOS's Advanced Configuration and Power Interface feature.
A project run by Microsoft and University of Michigan researchers really blew the lid off rootkit research, devising a method to virtually "jack up" the operating system and then use software called SubVirt to run it from below. As far as the operating system knew, it was running normally, but the "virtual machine" completely controlled everything the OS saw and could easily hide itself.
Fortunately, the technique can't be implemented easily, and it tends to leave the user clues: a slower-running system and certain tell-tale modified files. For now, this extreme kind of rootkit exists only as a proof-of-concept; it should be a long time before malware authors can launch such attacks.
Simply finding today's less dangerous rootkits is a serious challenge for security software. The art of detection and removal is part engineering, part voodoo, and always difficult.
Detecting a rootkit on a Windows PC is not unlike shining a flashlight at objects in a darkened room, and then trying to identify each object by the shadow it casts on the wall. Specialized software, such as F-Secure's BlackLight and Sysinternals' RootkitRevealer, scans the Windows file system and memory for characteristic irregularities that rootkits leave behind.
But those tools may not work in every case. Recently, the adware program Look2Me effectively broke BlackLight by disabling a key system call. The discovery was accidental, but rootkit makers will undoubtedly pay attention to it in their next round of malware.
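The "flashlight and shadow" approach above is a cross-view comparison: list files and processes through the normal Windows APIs, list them again with a raw scan of the disk and memory, and treat any disagreement as a sign that something is cloaked. The following is an added, constructed simulation of that logic (it is not code from the article, from BlackLight, or from RootkitRevealer); the hooked-API stand-in, the `$sys$` prefix as the cloaking rule, and the snapshot layout are assumptions, and it also shows why a detector whose raw view has been disabled should report "inconclusive" rather than "clean".

```python
"""Simulated cross-view rootkit detection on constructed snapshots (not from the article)."""
from dataclasses import dataclass

HIDE_PREFIX = "$sys$"  # assumption: the cloaking prefix the Sony rootkit used, copied by opportunistic malware

@dataclass
class Finding:
    kind: str    # "files" or "processes"
    name: str
    reason: str

class RawViewUnavailable(Exception):
    """The low-level view could not be read, e.g. a needed system call was disabled (the Look2Me case)."""

def hooked_api_view(raw_entries, prefix=HIDE_PREFIX):
    """Constructed stand-in for a hooked Windows API: entries whose base name starts with the prefix vanish."""
    return [e for e in raw_entries if not e.rsplit("\\", 1)[-1].startswith(prefix)]

def cross_view_scan(api_entries, raw_entries, kind):
    """Compare the high-level API listing with the raw scan; disagreement in either direction is a finding."""
    if raw_entries is None:
        raise RawViewUnavailable(f"raw {kind} view unreadable; treat result as inconclusive, not clean")
    api_set, raw_set = set(api_entries), set(raw_entries)
    hidden = [Finding(kind, n, "in raw view but missing from API view (hidden)") for n in sorted(raw_set - api_set)]
    phantom = [Finding(kind, n, "reported by API but absent from raw view") for n in sorted(api_set - raw_set)]
    return hidden + phantom

def scan_host(snapshot):
    """snapshot: {kind: {"api": [...], "raw": [...] or None}} -> (status, findings)."""
    findings = []
    for kind, views in snapshot.items():
        try:
            findings += cross_view_scan(views["api"], views["raw"], kind)
        except RawViewUnavailable as exc:
            return "inconclusive", [Finding(kind, "*", str(exc))]
    return ("suspicious" if findings else "clean"), findings

# Constructed sample data: the raw disk/memory scan sees everything, including $sys$-prefixed items.
RAW_FILES = [r"C:\Windows\explorer.exe", r"C:\Windows\System32\$sys$dropper.exe", r"C:\Windows\System32\$sys$keylog.dll"]
RAW_PROCS = ["explorer.exe", "svchost.exe", "$sys$keylog.exe"]
SNAPSHOT = {k: {"api": hooked_api_view(v), "raw": v} for k, v in (("files", RAW_FILES), ("processes", RAW_PROCS))}
BROKEN_SNAPSHOT = {"files": {"api": hooked_api_view(RAW_FILES), "raw": None}}  # raw scan call disabled

if __name__ == "__main__":
    for snap in (SNAPSHOT, BROKEN_SNAPSHOT):
        status, findings = scan_host(snap)
        print(status, *[f"  {f.kind}: {f.name}: {f.reason}" for f in findings], sep="\n")
```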
How It Works: Cloaked Malware Sets Up Camp on Your PC
- A Trojan horse with rootkit software invades a PC as a drive-by download.
- The malware makes deep system changes to hide from antivirus apps.
- The camouflaged Trojan horse pulls keyloggers and spyware onto your PC.
- Look for antivirus software that provides rootkit scanning and removal. Kaspersky's and F-Secure's latest applications have it now; others will likely add it soon.
- Use a rootkit detector such as Sysinternals' RootkitRevealer and F-Secure's Blacklight, both free downloads. Other scanners are becoming available; see this month's Privacy Watch for more information.