Rootkits - the next major security risk



Tranquility
2005-Feb-25, 07:41 AM
"Rootkits" are being brandished as the greatest upcoming security risk by Microsoft researchers. They are virtually undetectable by current antivirus, antispyware, anti-"insert whatever you want here" software, and they affect multiple operating systems:

http://www.pcworld.com/news/article/0,aid,119720,tk,dn021705X,00.asp


Microsoft security researchers are warning about a new generation of powerful system monitoring programs, or "rootkits," that are almost impossible to detect using current security products and that could pose a serious risk to corporations and individuals.

mid
2005-Feb-25, 09:41 AM
A cowpat produced by a male, frankly.

Rootkits have been around forever, they aren't the 'next big thing' at all.

What happens is that some very clever (though morally unhinged) people invent new ways to break past network security measures. Then they write programs (these rootkits) that automate the process.

Then the script kiddies get hold of them, and run them without having the slightest clue how they actually work. It's always been this way.

Tranquility
2005-Feb-25, 12:11 PM
A cowpat produced by a male, frankly.

Rootkits have been around forever, they aren't the 'next big thing' at all.

What happens is that some very clever (though morally unhinged) people invent new ways to break past network security measures. Then they write programs (these rootkits) that automate the process.

Then the script kiddies get hold of them, and run them without having the slightest clue how they actually work. It's always been this way.

That's true, but that's how certain viruses become "the next big thing". Script kiddies are the reason for renowned attacks by Blaster, myDoom, SASSER, etc. And the fact that they're adopting it means it becomes more of a "mainstream" attack, which would really make it the next big thing to worry about because there isn't anything to combat it.

mid
2005-Feb-25, 02:31 PM
Well, that's not strictly true. The one thing to combat it is the same thing that you'd use to combat any network security threat - keep yourself patched up, don't run any network-aware apps you don't need, and ensure you've got a half-decent firewall in place.

Rootkits require a remote-root exploit to get onto your box; the only difference between this and a virus is that you need prevention, rather than just relying on your AV software to cure an infection after it's started.

Tranquility
2005-Feb-25, 03:08 PM
Prevention is not such a difficult thing, just keep updating your OS, but things seem to always slip through. Either way, the presence of some sort of removal measures rather than just prevention measures is essential, which is what causes the idea to be worrying.

Chuck
2005-Feb-25, 03:50 PM
The problem with Microsoft Windows is that it's really a floppy disk operating system. Back in the good old days before we had hard drives I'd reboot my TRS-80 with the floppy disk of each program system that I wanted to run. If I downloaded a game from somewhere and ran it, the worst a malicious program could do would be to infect or crash one floppy disk.

With hard drives, all of our files are on the same disk and, for some reason, Microsoft has decided that any program that we run should have unrestricted access to all of them. We're completely at its mercy.

The solution seems simple. The operating system shouldn't allow a program to access anything that's not in its folder or subfolders without specific permission from the user. Operating system programs could access everything and you'd give permission to programs from trusted sources, such as a word processor or picture editor that might need access to the files in other folders in order to be useful. Other software could be given permission on a folder by folder basis as needed, and perhaps be allowed to read files in other folders but not change them, such as library files.

With such a system, it would be safe to download and run other programs. Malicious programs could crash only themselves. If such a program tried to access your operating system, mail system, or anything else you'd be asked if you want to allow it. Since some video game you just downloaded has no business in any folder but its own you'd disallow it.

The send and receive parts of a mail system could be kept in separate folders so a security hole in the receive part could not affect the send side. Such a hole might be exploited to infect the receive software but it couldn't spread by mailing copies of itself to others. If you wanted to forward a piece of mail you'd give one-time permission for the receive software to access your outbox. If a virus tries to do it, it would have to give itself away by asking for permission. Without automatic access to outgoing mail, it would be very hard for a virus to spread. It might trick a few novice email users by lying to them, but a virus won't go very far very fast if it has to get special permission from each person who receives it.
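The per-folder permission scheme sketched in the post above, as an added example that is not code from the thread or from any real operating system: a hypothetical `FolderPolicy` class in which a program may touch only its own folder tree, any other folder needs a read-only or read-write grant, and a grant may be one-time, as in the forward-a-mail case. Paths are POSIX-style and the mail scenario is constructed.

```python
import posixpath
from pathlib import PurePosixPath

class FolderPolicy:
    # Hypothetical model of the proposal above; not a real OS API.
    def __init__(self, home):
        self.home = self._norm(home)  # the program's own folder tree: always allowed
        self.grants = []              # (folder, "r" or "rw", one_time)
        self.prompts = []             # accesses that would have asked the user

    @staticmethod
    def _norm(path):
        # normpath collapses "a/../b" so ".." cannot be used to escape a folder
        return PurePosixPath(posixpath.normpath(path))

    @staticmethod
    def _under(path, folder):
        return path == folder or folder in path.parents

    def grant(self, folder, mode="r", once=False):
        self.grants.append((self._norm(folder), mode, once))

    def check(self, path, mode):  # mode is "r" or "w"; True = allowed without a prompt
        p = self._norm(path)
        if self._under(p, self.home):
            return True
        for g in self.grants:
            folder, m, once = g
            if self._under(p, folder) and mode in m:
                if once:
                    self.grants.remove(g)  # a one-time grant is spent once used
                return True
        self.prompts.append((str(p), mode))  # would prompt the user; deny by default
        return False

def mail_receiver_scenario():
    # Constructed scenario: the receive side of a mail program may read libraries
    # and gets a one-time grant to the outbox for a single forward.
    rx = FolderPolicy("/apps/mail/receive")
    rx.grant("/lib", "r")
    rx.grant("/mail/outbox", "rw", once=True)
    return [
        rx.check("/apps/mail/receive/inbox/msg1", "r"),          # own folder: allowed
        rx.check("/lib/ssl.so", "r"),                             # read-only grant: allowed
        rx.check("/lib/ssl.so", "w"),                             # write to read-only grant: denied
        rx.check("/mail/outbox/fwd1", "w"),                       # one-time grant: allowed once
        rx.check("/mail/outbox/fwd2", "w"),                       # grant spent: denied, would prompt
        rx.check("/apps/mail/receive/../../../system/cfg", "w"),  # ".." escape: denied
    ]
```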

Gullible Jones
2005-Feb-25, 10:50 PM
There are already several rootkit scanners out there for Linux and UNIX. I don't see why there would be any problem making them for Windows.

And yes, rootkits are old news.