F-Secure Shines Black Light on Root Kits
F-Secure says its new software will help eliminate a breed of malware long familiar to Unix admins that's growing increasingly common on Windows systems.
F-Secure is preparing to launch the first public demonstration of a new security technology the company says will help eliminate a particularly difficult breed of malicious software.
Yesterday F-Secure formally announced its BlackLight Rootkit Elimination Technology and says it will demonstrate it tomorrow at the CeBIT show in Hannover, Germany. A public beta of the software will be made available tomorrow as well.
According to F-Secure, its new BlackLight product can scan a system in usein the background without producing false positives that might confuse a less experienced user. The company said the software also discern files that have been modified without malicious intent during a scan, further cutting down on false positives.
Root kits, which used to be more commonly associated with Unix systems, typically provide malicious users with unrestricted and covert access to the workings of a given computer. In Unix systems, the "root" user is the most privileged user, similar to the Windows "Administrator" account. Root kits generally take the form of system software that has been designed to function like the standard system utility it is replacing, but hide evidence of other malicious software such as keystroke loggers, surreptitious network monitors, or suspicious account activity.
The Unix "ps" command, for instance, which shows all the running processes on a given system, can be reprogrammed in such a way as to avoid revealing processes that would tip the suspicious admin off to the existence of malware on the machine. Similarly, a reprogrammed "ls" command can be used to list files in a directory as expected, but ignore files associated with the root kit. The "last" command, which can reveal when a user last logged on and for how long, can be suborned to hide unauthorized use of the root account.
Root kits also periodically remove potentially revealing information in system logs.
Root kits built around modified system utilities can be detected by software such as Tripwire, which compares checksums of program files to ensure that a given utility is the same file as would be found on a secure, newly installed system.
Root kits also take the form of software that modifies the behavior of the operating system's kernel, providing a tougher target for detection.
In the past few years, root kits have stopped being so exclusively associated with Unix systems and have begun to appear on Windows systems, though published reports considered them "rare" as late as 2003.
According to F-Secure, root kits that evade detection by most Windows security software are growing in prominence, and the company sites Win-Spy, PC Spy and Invisible Keylogger spyware programs as well as the Maslan and Padodor viruses.
Other companies are already in the game, including Symantec, which began offering anti-root kit detection late last year.