Rise of the Weaponized Rootkit
And you thought stealth was the only trick up a rootkit's sleeve.
Many people are unsure what a rootkit is. More or less, it resembles any other malware out there, only it is much harder to detect and remove. Stealth is the primary characteristic of a rootkit.
With millions of dollars' worth of corporate secrets residing on hosts throughout an organization, rootkits are the perfect vehicle to steal this information without detection. As if this isn't treacherous enough, there are examples of rootkits that now run on cellular phones, PDAs and even firmware.
Most IT folks have heard the term rootkit, but most don't truly understand how to mitigate the threat.
The problem here is that rootkits have become weaponized. They feature a list of functionality ranging from polymorphic capabilities all the way to anti-forensics and encryption. Even the advanced tools used in the forensics community suffer from deficiencies that now must be accounted for.
An example of this is disk analysis, a major part of forensic examination systems. The weaponized rootkit counters this by sitting in memory instead of writing data to the hard drive. Another example is when researchers step through the reverse engineering process using a debugger. This task is complex and tedious under normal conditions, but today's weaponized rootkit throws obstacles in the path of investigators by detecting the debugger and crashing it.
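The memory-only trick described above does leave one trace a defender can look for on Linux: the `/proc/<pid>/exe` link of a process whose binary was unlinked from disk reads `<path> (deleted)`, and a process started from an anonymous memfd reads `/memfd:<name> (deleted)`. The following script is an added example, not code from the original article; it walks `/proc` to flag such processes, and the analysis function is separated from the walk so it can be run against the constructed sample below. The sample process names, pids and paths are invented for illustration.

```python
"""Flag running processes whose executable is not backed by a file on disk.

Added example (not from the original article). Memory-resident code that
avoids or removes its on-disk file still shows up in /proc: the exe link of
such a process ends in " (deleted)" or points at an anonymous memfd.
"""
import os
import re

DELETED_SUFFIX = " (deleted)"
MEMFD_PATTERN = re.compile(r"^/memfd:")


def classify_exe_target(target):
    """Return a reason string if the exe link target looks memory-only, else None."""
    if MEMFD_PATTERN.match(target):
        return "anonymous memfd executable"
    if target.endswith(DELETED_SUFFIX):
        return "executable unlinked from disk"
    return None


def find_memory_only_processes(entries):
    """entries: iterable of (pid, comm, exe_target) tuples.

    Returns a list of findings, one dict per process whose executable
    is not present on disk, in the order the entries were supplied.
    """
    findings = []
    for pid, comm, exe_target in entries:
        reason = classify_exe_target(exe_target)
        if reason:
            findings.append(
                {"pid": pid, "comm": comm, "exe": exe_target, "reason": reason}
            )
    return findings


def read_proc_entries(proc_root="/proc"):
    """Walk /proc on a live Linux host and yield (pid, comm, exe_target).

    Kernel threads, processes that exit mid-walk and processes we lack
    privilege to inspect have no readable exe link and are skipped.
    """
    for name in os.listdir(proc_root):
        if not name.isdigit():
            continue
        pid = int(name)
        try:
            exe_target = os.readlink(os.path.join(proc_root, name, "exe"))
            with open(os.path.join(proc_root, name, "comm")) as fh:
                comm = fh.read().strip()
        except OSError:
            continue
        yield pid, comm, exe_target


# Constructed sample standing in for a /proc walk (pids, names and paths
# are invented for this example).
SAMPLE_ENTRIES = [
    (1, "systemd", "/usr/lib/systemd/systemd"),
    (4242, "sshd", "/usr/sbin/sshd"),
    (5150, "svc", "/memfd:payload (deleted)"),
    (6101, "update", "/tmp/.x/update (deleted)"),
]

if __name__ == "__main__":
    # On a live host replace SAMPLE_ENTRIES with read_proc_entries().
    for finding in find_memory_only_processes(SAMPLE_ENTRIES):
        print(
            f"pid={finding['pid']} comm={finding['comm']} "
            f"exe={finding['exe']} -> {finding['reason']}"
        )
```

A hit is a lead for triage rather than proof of compromise: a process whose package was upgraded while it was running also shows a deleted executable, so compare each finding against recent package activity before escalating. Run it as root so that every process's exe link is readable.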
As the bad guys continue to refine their rootkits, they are aware of several things that most organizations face. The first is the tremendous amount of data that has to be examined on a daily basis. This data stream provides a wonderful river of white noise in which to mask rootkit activity. They also know that because of space limitations, organizations may lose all traces of an attack in a relatively short amount of time. Even if you are lucky enough to identify a packet stream that was generated by a rootkit, chances are you may not be able to get your hands on the actual executable. This means you may never know the extent of the capabilities and losses you suffered.
And let's say that you are able to identify a rootkit. Most likely, it is going to be deeply embedded in the OS, or perhaps even beneath it. Removing a rootkit isn't like removing run-of-the-mill malware. Tearing a rootkit out may leave your system with irreparable damage, and that's if you're lucky enough to remove it entirely.
So how do rootkits get onto hosts in the first place?
Unlike viruses and worms, which rely on automated mechanisms to spread, rootkits are often planted by individuals with specific intent. Many times this individual is a trusted employee or someone who has access to your most valuable electronic assets. The rootkit is often custom designed to perform its tasks and remain hidden for long periods of time, years even. This can make determining the extent of the damage a very difficult, if not impossible, task.
So what can we do to battle weaponized rootkits?
The answer does not rest with automated tools this time. You need a set of highly skilled people who understand the criminal mind, reverse engineering, and how to spot rootkit activity in the flood of white noise that all organizations have.
You may want to start picking the white hats out of the crowd now.
This article was first published on EnterpriseITPlanet.com.