October 01, 2005
Rootkits or stealth-malware
A "rootkit" or "stealth malware" is a piece of malicious software that hides itself from the OS and all conventional forms of detection. Once you are infected, you will never know about that infection using standard methods. But there are three ways to conquer a rootkit: diligence, in-box detection, and out-of-box (out-of-bound) scanning.

The best defense against any kind of malware is to never give the bad guys a chance to get on your machine at all. Be diligent; use "safe hex". Unfortunately, we are human. We'll be vulnerable to new threats nobody knows about yet, and we'll occasionally make a mistake that will make us vulnerable to old threats.

Scanning inside your machine is easy, but it only goes so far. It looks inside your machine for tell-tale signs of a rootkit. But this invites the same cat-and-mouse game we have with viruses. Rootkits aren't sophisticated enough (yet) to counter current anti-rootkit actions. But I'm sure it won't be long before, every time we find a way to catch them, they'll find another way to fool us.

Out-of-bound scanners check for a hidden infection from outside of Windows. This allows looking without using the operating system that allows rootkits to cloak themselves. It sounds like I'm trashing Windows, but I'm not. Rootkits came from the Unix world. The new twist is that they are now being used against Windows.

The Saturday before the computer club meeting I got a SPYWAREINFO newsletter about rootkits. They claim that AntiVirus and AntiSpyware programs will soon be obsolete. They called on all AV vendors to come up with ways to do both residential and out-of-bounds scanning. Since I knew that Symantec would be at the 1:00 meeting, I planned to be there and ask some pointed questions. What I learned was that Symantec is already on top of the situation. The speaker said that an add-on for rootkits would probably come out around Christmas. They were already talking about possible ways to do the out-of-bounds scanning.
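The in-box detection described above (looking for tell-tale signs from inside the OS) is usually done by cross-view comparison: ask the OS for a list through its normal API, build the same list by an independent route, and treat anything that appears in only one view as a sign of cloaking. The following is an added example, not code from the original post or from any vendor it mentions; the live check assumes a Linux host with procfs and the sample process lists are constructed.

```python
import os

def cross_view_diff(high_level, low_level):
    """Compare two enumerations of the same objects (processes, files,
    registry keys). Entries present in the low-level view but missing from
    the high-level (API) view are the classic sign of a cloaking rootkit;
    entries only in the high-level view are reported too, as 'phantom'."""
    high, low = set(high_level), set(low_level)
    return {"hidden": sorted(low - high), "phantom": sorted(high - low)}

# Constructed sample: what a hooked process-list API returns versus a raw
# walk of the kernel's process table. PID 1337 is cloaked from the API view.
API_VIEW = ["4:System", "512:services.exe", "1000:explorer.exe"]
RAW_VIEW = API_VIEW + ["1337:cloaked.exe"]

def linux_readdir_view():
    """High-level view: the PIDs that a directory listing of /proc reports."""
    return [d for d in os.listdir("/proc") if d.isdigit()]

def linux_probe_view(max_pid=None):
    """Low-level view: probe /proc/<pid>/status for every possible PID,
    bypassing readdir(), which is what a simple /proc listing hook cloaks.
    Threads are reachable as /proc/<tid> but are never listed, so only
    entries whose Tgid equals the pid are kept, avoiding false 'hidden' hits."""
    if max_pid is None:
        try:
            with open("/proc/sys/kernel/pid_max") as f:
                max_pid = int(f.read())
        except OSError:
            max_pid = 32768  # traditional default when pid_max is unreadable
    found = []
    for pid in range(1, max_pid + 1):
        try:
            with open(f"/proc/{pid}/status") as f:
                for line in f:
                    if line.startswith("Tgid:"):
                        if int(line.split()[1]) == pid:
                            found.append(str(pid))
                        break
        except OSError:
            continue  # no such process (or it exited while we looked)
    return found

def linux_hidden_processes():
    """Run the cross-view check on a live Linux host; None without procfs."""
    if not os.path.isdir("/proc"):
        return None
    return cross_view_diff(linux_readdir_view(), linux_probe_view())

if __name__ == "__main__":
    print(cross_view_diff(API_VIEW, RAW_VIEW))
    print(linux_hidden_processes())
```

Processes that start or exit between the two enumerations show up as one-off discrepancies, so a hit should be confirmed by re-running before it is treated as cloaking.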
SECSIG meets in the Science building 203 at 11:15 am.
By attending the SECSIG you can ask questions and open discussions about troubling situations you are having now.
The RSS feed address is http://ocsecsig.blogspot.com/atom.xml
Dave Keays, SIG leader