The rise of the rootkit threat
Posted on 18 Apr 2006 at 18:03
Security company McAfee has highlighted the pitched battle between the security community and virus writing networks in its charting of the rise of rootkit threats.
Rootkits have boasted a high profile ever since Sony's ill-fated attempt at copy-protection stumbled when it was found to contain insecure rootkit technology that compromised the system upon which it was installed.
While it may have been the first time most of the public had heard the term - which refers to code working at a low level, interacting directly with the operating system and invisible to the user and other applications, including much security software - the infamy of the incident also took the fancy of virus writers the world over: rootkits are now big business on the virus underground.
McAfee's report claims that software for the creation of rootkits is exchanging hands for as much as $2,000 and that absolute numbers have risen alarmingly: some 400 per cent between 2004 and 2005. And the company predicts continued growth of 650 per cent every year for the next two to three years.
It says that rootkits themselves are also becoming increasingly sophisticated, and are used to hide more and more malicious components. Take the first quarters of 2005 and 2006: for the 2005 period, McAfee had 60-odd stealth components sent to it for analysis; roll on to the 2006 period and that figure rises to 612.
The reasons that rootkits are gaining so much attention are manifold. First, McAfee says that virus writers are attracted by the technical challenge of using rootkits - which were originally for manipulating Unix and Linux environments - on Windows, and says there is a range of unmapped APIs for writers to use in the system.
Second, there's money to be made, not only from selling rootkit 'kits' but also from the way they are used: for direct attacks on a system, and to hide components of adware and other potentially unwanted software, rendering them almost impossible for most users to uninstall, even if they are aware of them.
Third, says McAfee, the effect of collaboration between rootkit writers means that this form of attack is constantly moving forward. So much so, that the company cites 'collaboration' as 'largely to blame for the increased proliferation and complexity of rootkit components'.
Indeed Finnish security company F-Secure was pretty much the first company with a widely available commercial anti-rootkit product, but that was as recently as March of last year.
Clearly, then, it will fall to the security community to be equally clubbable in order to keep up with this quickly evolving threat.
More information about McAfee is available on its website.
Author: Matt Whipp
Printed from www.pcpro.co.uk

