Automation Won't Solve Weaponized Rootkits

By Sonny Discini | Oct 3, 2007 | Print this Page
http://www.enterprisenetworkingplanet.com/netsecur/article.php/3703236/Automation-Wont-Solve-Weaponized-Rootkits.htm

Many people are unsure what a rootkit is. More or less, it resembles any other malware out there only it is much harder to detect and remove. Stealth is the primary characteristic of a rootkit.

With millions of dollars worth of corporate secrets residing on hosts throughout an organization, rootkits are the perfect vehicle to steal this information without detection. As if this isn't treacherous enough, there are examples of rootkits that now run on cellular phones, PDAs and even firmware.

Most IT folks have heard the term "rootkit" but most don't truly understand how to mitigate the threat.

The biggest mistake IT pros are making is using dated technologies and methodologies in an attempt to remediate the issue. Traditional signature and heuristic based solutions are not effective against rootkits. In fact, there have been several studies conducted that show tools specifically designed for rootkit removal couldn't identify 25% of the test set.

The problem here is that rootkits have become weaponized. They feature a list of functionality ranging from polymorphic capabilities all the way to anti-forensics and encryption. Even the advanced tools used in the forensics community suffer from deficiencies that now must be accounted for.

An example of this is disk analysis, a major part of forensic examination systems. The weaponized rootkit will counter this by sitting in memory instead of writing data to the hard drive. Another example is when researchers step through the reverse engineering process using a debugger. This task is complex and tedious under normal conditions but today's weaponized rootkit now throws garbage cans in the path of investigators by crashing the debugger.

As the bad guys continue to refine their rootkits, they are aware of several things that most organizations face. The first is the tremendous amount of data that has to be examined on a daily basis. This data stream provides a wonderful river of white noise in which to mask rootkit activity. They also know that because of space limitations, organizations may lose all traces of an attack in a relatively short amount of time. Even if you are lucky enough to identify a packet stream that was generated by a rootkit, chances are you may not be able to get your hands on the actual executable. This means you may never know the extent of the capabilities and losses you suffered.

And let's say that you are able to identify a rootkit. Most likely, it is going to be deeply embedded into the OS or perhaps even beneath it. Removing a rootkit isn't like the run of the mill malware. Tearing a rootkit out may leave your system with irreparable damage, and that's if you're lucky enough to remove it entirely.

So how do rootkits get onto hosts in the first place?

Unlike viruses and worms that rely on automated mechanisms to spread, individuals with specific intent often plant rootkits. Many times this individual is a trusted employee or someone who has access to your most valuable electronic assets. The rootkit is often custom designed to perform its tasks and remain hidden for long periods of time – years even. This can make determining the extent of damage a very difficult, if not impossible, task.

So what can we do to battle weaponized rootkits?

The answer does not rest with automated tools this time. You need a set of highly skilled people who understand the criminal mind, reverse engineering, and how to spot rootkit activity in the flood of white noise that all organizations have.

You may want to start picking the white hats out of the crowd now.

Article courtesy of Enterprise IT Planet