Friday | 10 July, 2009
CSO
Rootkits: The next big enterprise threat?
When packaged with malware, rootkits can keep a deep compromise hidden from the tools that are supposed to find it
Steve Hultquist (InfoWorld) 30/04/2007 13:07:21

Coping with an evolving threat

Despite advances in prevention and removal, Steve Manzuik, senior manager of security engineering and research at Juniper, sees no end in sight to the rootkit threat. In fact, Manzuik believes that rootkit.com, Joanna Rutkowska's work on the Windows kernel, and Microsoft's kernel protections for 64-bit Windows Vista (kernel patch protection and mandatory driver signing) are "making it more difficult for both attackers and vendors."

Manzuik sees that current approaches to rootkit discovery and removal are beginning to fail despite improvements in Windows security. Factor in the lag time before Vista protections are widely deployed, and you have a perfect breeding ground for rootkit innovation. For example, Manzuik points out that some rootkits can now bypass the security sandbox: they detect that they are running inside the sandbox and lie low, so the sandbox sees nothing suspicious and passes them through as legitimate applications.

MANDIANT's Butler, however, believes that Vista protections will have an impact. Not only will the protections make it more difficult for rootkit authors to break in, Butler says, but it will also require "another separate effort to conceal themselves and maintain their presence."

Manzuik and Butler do, however, agree on the importance of strict user access policies. Both view rootkits as further evidence against giving users admin-level access to systems -- especially at smaller organizations, where the practice is often promoted as a cost-cutting necessity.

"The culture in smaller companies is that they will only call the IT guys if they can't figure it out themselves, which leads to most users having admin rights on machines," Manzuik says. Any organization employing this policy -- regardless of its size -- will be compromised, Manzuik says.

Because of this, Manzuik believes policy should figure foremost as a means for protecting systems against rootkits: "Without buying special technology, [most organizations] can deal with the majority of the threats with proper security policy and management."

That said, recent attention paid to rootkits has resulted in a raft of free, host-based discovery and removal tools, including IceSword, RootkitRevealer, F-Secure's Blacklight, and Sophos Anti-Rootkit. Over time, these functions will be integrated into enterprise-grade anti-virus and host-based security solutions. In the meantime, however, most organizations remain unprepared -- all the more troubling, given that opportunism is pushing rootkit know-how deeper underground, out of the IT community spotlight.
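The detectors named above (RootkitRevealer and Blacklight in particular) rely on cross-view differencing: enumerate the same objects through the ordinary API and again through a lower-level path the rootkit is less likely to have hooked, and flag whatever appears only in the low-level view. The following is an added example of that principle, written for this page and not taken from the article or from any of those products; it assumes a Linux host with /proc, and the function names (proc_view, probe_view, hidden_pids, confirm, scan) are my own. The high-level view is the PID list from readdir() on /proc, which is what ps uses and what a rootkit that filters getdents() hides from; the low-level view is a per-PID existence probe with kill(pid, 0), which never touches directory enumeration.

```python
"""Cross-view hidden-process check (illustrative, not any vendor's code).

High-level view : PIDs returned by readdir() on /proc (what `ps` sees).
Low-level view  : PIDs that answer to kill(pid, 0), a per-PID probe that
                  bypasses directory enumeration entirely.
Anything alive at the low level but absent from the high-level listing is a
candidate for a process hidden by a getdents()/readdir() filter.
Assumed environment: Linux with /proc mounted.
"""
import os
from typing import Iterable, Set


def pid_alive(pid: int) -> bool:
    """kill(pid, 0) delivers no signal; it only reports whether pid exists.
    EPERM (PermissionError) means it exists but belongs to another user."""
    try:
        os.kill(pid, 0)
    except ProcessLookupError:
        return False
    except PermissionError:
        return True
    return True


def proc_view() -> Set[int]:
    """High-level view: every numeric directory entry under /proc."""
    return {int(name) for name in os.listdir("/proc") if name.isdigit()}


def probe_view(max_pid: int) -> Set[int]:
    """Low-level view: probe every PID up to pid_max with signal 0."""
    return {pid for pid in range(1, max_pid + 1) if pid_alive(pid)}


def hidden_pids(high_view: Iterable[int], low_view: Iterable[int]) -> Set[int]:
    """The cross-view diff: present at the low level, missing at the high level."""
    return set(low_view) - set(high_view)


def tgid_from_status(status_text: str) -> int:
    """Parse the Tgid: line of /proc/<pid>/status (constructed input in the test)."""
    for line in status_text.splitlines():
        if line.startswith("Tgid:"):
            return int(line.split(":", 1)[1].strip())
    raise ValueError("no Tgid line in status text")


def confirm(candidates: Iterable[int]) -> Set[int]:
    """Drop the two legitimate sources of cross-view mismatch before alerting.

    1. Race: a process that exited between the two snapshots (kill() now fails).
    2. Threads: kill(tid, 0) succeeds for a non-leader thread ID, but readdir()
       on /proc never lists thread IDs. /proc/<tid>/status is still reachable
       by path and its Tgid differs from the tid, so that is how we tell them apart.
    A real process (Tgid == pid) that is reachable by path but absent from the
    listing is the classic getdents() filter; one that is not reachable at all
    while kill() still succeeds is hidden more thoroughly. Both are reported.
    """
    still_hidden = set()
    for pid in candidates:
        if not pid_alive(pid):
            continue  # exited in the meantime, not hidden
        try:
            with open(f"/proc/{pid}/status") as f:
                tgid = tgid_from_status(f.read())
        except FileNotFoundError:
            still_hidden.add(pid)  # alive, yet no /proc entry even by path
            continue
        if tgid == pid:
            still_hidden.add(pid)  # thread-group leader missing from readdir()
    return still_hidden


def scan() -> Set[int]:
    """Run the live cross-view check on this machine and return confirmed hidden PIDs."""
    with open("/proc/sys/kernel/pid_max") as f:
        max_pid = int(f.read())
    return confirm(hidden_pids(proc_view(), probe_view(max_pid)))


if __name__ == "__main__":
    found = sorted(scan())
    print("hidden processes:", found if found else "none")
```

Run it as root to get EPERM-free probing; the scan walks every PID up to pid_max, so it takes a few seconds on hosts with a large pid_max. The same structure carries over to the Windows tools: the high-level view is the Win32 API, the low-level view is raw NTFS or registry-hive parsing, and the confirm step exists because any cross-view technique has a race window in which a benign, short-lived object shows up in only one snapshot.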

In the past, innovations in the art of hiding rootkits were shared in newsgroups and posted to community Web sites. The financial upside of having rootkit knowledge, however, is changing that, MANDIANT's Butler says. Those who uncover new approaches may take their discovery to a security company as their calling card to obtain a job. More disturbing, however, is the amount of money malware authors are willing to pay for new techniques. And with both sides of the divide doling out cash for the latest innovations, rootkit development is clearly becoming a lucrative pursuit -- one that leaves most organizations in the lurch, unaware of what's coming.
