Security Insights


by Gene Schultz, PhD, CISM, CISSP


Fourth Prediction for 2008

Rootkits Will Proliferate

This blog entry explains the fourth of my ten predictions regarding events and trends that I have gone on record as saying will occur in 2008. The prediction is:

There will be a proliferation of rootkits, particularly kernel-level rootkits and rootkits that work as spyware, to the point that a surprisingly large percentage of systems that connect to the Internet will be rootkit-infected without the knowledge of either users or system administrators.

A rootkit is a kind of Trojan horse program that, if installed on a compromised host, alters the system’s operating system such that signs of attackers’ activities (including changes made to the system during installation of the program) are not evident. Attackers who have installed this program can remotely access the host whenever they want.

Rootkits often substitute system programs and libraries with versions that seem to be normal, but that in actuality sabotage the integrity of the compromised host. Rootkits are in many ways the ultimate type of malware nowadays because computer criminals increasingly desire financial gain from their activity, but to achieve their goal, they must be as surreptitious as possible.

User-level rootkits replace executables and system libraries that system administrators and users use, with any changes being carefully hidden. Kernel-level rootkits change parts of the kernel of the victim host’s operating system or may actually even replace all of the kernel. Process and other listings are altered to disguise kernel-related processes and other signs of the rootkit. Program execution is often “redirected” such that malicious instructions, not the original ones, are executed in memory.
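Two defender-side checks follow from the two rootkit classes just described: a user-level rootkit that substitutes binaries or libraries is caught by comparing file hashes against a baseline taken on a known-good system, and a kernel-level rootkit that edits process listings is caught by a cross-view check that compares the directory listing of /proc with a direct per-PID probe. The code below is an added example, not code from the original post; it assumes a Linux host for the /proc view, a default PID range of 32768, and uses a temporary directory with constructed file contents as a stand-in for a system binary directory.

```python
from __future__ import annotations

import hashlib
import os
import tempfile
from pathlib import Path


def hash_file(path: Path) -> str:
    """SHA-256 of one file, read in chunks so large binaries stay out of memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(root: Path) -> dict[str, str]:
    """Map each regular file under root (relative path) to its hash.
    Taken on a known-good system, this is the reference the later check trusts."""
    return {
        str(path.relative_to(root)): hash_file(path)
        for path in sorted(root.rglob("*"))
        if path.is_file()
    }


def compare_to_baseline(root: Path, baseline: dict[str, str]) -> dict[str, list[str]]:
    """Report files whose hash changed, files that vanished and files that appeared.
    A substituted ls/ps/netstat shows up under 'modified'; a dropped helper under 'new'."""
    current = build_baseline(root)
    return {
        "modified": sorted(k for k in baseline if k in current and current[k] != baseline[k]),
        "missing": sorted(k for k in baseline if k not in current),
        "new": sorted(k for k in current if k not in baseline),
    }


def hidden_pids(listed: set[int], probed: set[int]) -> set[int]:
    """Cross-view check: PIDs that answer a probe but are absent from the listing.
    Two views that disagree are the tell-tale of a tampered process list."""
    return probed - listed


def list_proc_pids() -> set[int]:
    """View 1: what a directory listing of /proc shows (Linux only).
    This is the view a kernel rootkit most commonly filters."""
    return {int(name) for name in os.listdir("/proc") if name.isdigit()}


def probe_pids(max_pid: int = 32768) -> set[int]:
    """View 2: ask the kernel about every PID directly with signal 0.
    max_pid is an assumption; read /proc/sys/kernel/pid_max on a real host.
    A rootkit that also hooks kill() defeats this view, so treat agreement
    between the views as absence of evidence, not proof of a clean system."""
    alive: set[int] = set()
    for pid in range(1, max_pid + 1):
        try:
            os.kill(pid, 0)
        except ProcessLookupError:
            continue
        except PermissionError:
            pass  # exists, but belongs to another user
        alive.add(pid)
    return alive


def demo_baseline_check() -> dict[str, list[str]]:
    """Constructed scenario: a stand-in for a system bin directory, with one
    binary swapped out and one file dropped in after the baseline was taken."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "ls").write_bytes(b"original ls binary")
        (root / "ps").write_bytes(b"original ps binary")
        baseline = build_baseline(root)
        (root / "ps").write_bytes(b"trojaned ps binary")  # simulated substitution
        (root / "netstat").write_bytes(b"unexpected new file")
        return compare_to_baseline(root, baseline)


if __name__ == "__main__":
    print("baseline comparison:", demo_baseline_check())
    if os.path.isdir("/proc"):
        print("PIDs visible to probe but not to /proc:", hidden_pids(list_proc_pids(), probe_pids()))
```

The baseline must be generated and stored off the host (or on read-only media) before any compromise; a baseline read from the same disk the rootkit controls proves nothing. Likewise, both checks run on top of the kernel they are auditing, which is exactly why the post's conclusion stands: an agreeing pair of views lowers suspicion but does not certify the system.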

I have seen various statistics concerning how prevalent rootkits are.

For example, in 2006 Trend Micro found that the number of reported rootkits increased over the year and that rootkits were the most frequently found type of malware. McAfee Labs has reported similar results. At the same time, however, it is difficult to obtain accurate statistics concerning rootkit prevalence because of the extreme difficulty of identifying rootkits.

AUSCERT, the Australian CERT Team, found that commonly used anti-virus software fails to detect up to 80 percent of Trojan horse programs that reside in systems. I have no trouble believing AUSCERT’s claims; after all, anti-virus software is designed more than anything else to discover viruses and worms by using signatures, but signature-based detection methods are much less likely to work when malware is purposefully covert.

Furthermore, rootkits are much more clandestine than are “normal” Trojan programs. The inescapable conclusion, therefore, is that any statistics concerning the prevalence of rootkits must almost certainly seriously underestimate the actual prevalence of this type of malware.

Spyware has also become more prevalent over the years, and not surprisingly, a growing portion of spyware has rootkit functionality. A good example is Rebery, which is injected into victim PCs at malicious Web sites through exploiting bugs in Web browsers. Rebery becomes active when users visit certain on-line banking or e-commerce Web sites. It captures customer and transaction-related information (including screen shots), which it then transmits to another Web site. Spyware is quickly and easily installed without users noticing, so the increasing convergence between spyware and rootkits will only make rootkits increasingly prevalent.

Finally, even if rootkits are found, eradicating them is generally not easy.

Numerous programs purported to be rootkit removal tools are widely available, but none of them are anywhere close to 100 percent effective.

Most users, let alone a sizable proportion of system administrators, do not know this, however. Running rootkit removal tools leads to the unfortunate assumption afterwards that a system is normal and healthy, an assumption that too often is blatantly false.

The most reliable way to remove a rootkit is in fact to completely rebuild the system in which the rootkit has been installed, something that most users do not even know how to do. The fact that rootkit eradication is so difficult is yet another reason why rootkits are bound to become increasingly prevalent.
