Rootkits are on the rise! We define a rootkit as a component that uses stealth to maintain an undetectable presence on a computer. Above and beyond that, the actions performed by a rootkit are done without end-user consent or knowledge.
Open source offers ready-to-use rootkit applications that are widely available to anybody using the Internet. Even an inexperienced rookie would be able to use a rootkit without having to understand how it works. These hi-tech criminals are money hungry and want to hide their actions and presence on any system they get on. Rootkits are perfect to help them commit fraud and identity theft by granting the attackers unauthorized access to privileged and proprietary information, and launching and hiding other malicious applications on the system. Above all, it leaves the hi-tech criminal with a back door to be able to continue to harm the victimized machine. As well, a large proportion of spyware and adware programs that use rootkits are leveraging these stealth techniques.
We commissioned Thompson Cyber Security Labs to do an assessment of anti-rootkit capabilities across antivirus/antispyware vendors in September, 2006. The results? Symantec dominated this test in both detection and removal of rootkits. (Please have a look at the graph below.)
So, what makes the difference in terms of handling these nasty rootkits? It is attributed to the integration of VxMS (Veritas Mapping Service—a Veritas technology) into our Symantec products. This user-mode component allows us to bypass the Windows File System APIs and directly access the raw NTFS volume. This is important because the Windows File System is designed to have exclusive access to the volume. As such, any direct modification can be unsafe while the system is running. To avoid harming system integrity, Symantec’s native application renames the driver and then reboots the system, allowing removal and clean up of the rootkit from the system. This method protects against kernel-mode rootkits and is at the lowest level within the operating system.
The 20 rootkit samples used in the study were randomly chosen and obtained from live Web sites by Thompson Cyber Security Labs. Thompson specifically chose threats that are representative of the current real-world situation, which led to a mix of commercial spyware, adware, and rootkits:
• Haxdoor-gp
• CommonName
• QoolAid
• DollarRevenue trojan
• Feebs
• Pcacme standard
• HaxSpy.ab
• Look2Me
• Sony XCP
• Goldun
• Adlogix
• PcQuick/Hoosmi
• SearchNet
• Spybot
• Haxdoor-ie
• OrderGun.A
• Graybird/Hupigen
• Teros-B
• Frogexer
• Rustok.B
For more specifics on the testing methodology, please follow this link: http://www.symantec.com/enterprise/security_response/toughsecurity/index.jsp and navigate to the Appendix section.