The threat of rootkits (define) seems to have faded from public consciousness in recent months, with key loggers and Trojans getting most of the attention.
However, a survey by Internet security vendor Prevx finds that quite a few PCs are infected with rootkits.
Prevx has a free scanner called Prevx CSI that looks for rootkit infections and, after just a few weeks of testing, the results were not pretty. Prevx first started giving out CSI to perform scans for malware and adware in October. Of the 291,000 users who downloaded Prevx CSI, one in six found some kind of infection.
What makes rootkits so difficult to deal with is they often take control of the operating system, so they can disable an antivirus or security program and are usually used to hide the real malicious code. Rootkits in and of themselves aren't dangerous, but they act as the guardian or defense for something that islike a key logger.
"There's so much malware out there it's hard for all security companies to detect all the threats. Used to be a new threat every few days, and that was manageable," Jacques Erasmus, director of malware research for Prevx told InternetNews.com. "Now they are releasing a new piece every hour of the day and it's very hard for the vendors to cope with this influx of malware."
The threat is only getting worse because the bad guys are getting better at their work, using polymorphic code, encrypted networks and compromised Web sites.
Peter Firstbrook, senior security analyst for Gartner, agreed.
"I would totally agree that [antivirus] vendors are failing in protection," he said. "There's no question there's a lot of undiscovered rootkits and malware out there. It doesn't surprise me at all."
Part of the problem is that every AV vendor uses a different detection method and no one is foolproof, he added. He was skeptical of the one in six findings, thinking it was likely skewed by people who had or suspected an infection and "wanted a second opinion."
Prevx CSI uses what Erasmus called the "herd" approach to harness its user base as researchers, so every user is involved in submitting suspicious code to be examined. Every AV program has a function to submit suspicious code but that has to be e-mailed in and examined in a lab.
Prevx CSI examines the application on the end user's computer, so by the time it is submitted, the company already knows what it does, what files it attacks or alters, what IP addresses it communicates with, and so on.
While there was a high frequency of businesses infected with rootkits, Erasmus said they are doing a fair job of keeping their PCs clean. "You rarely see businesses getting badly infected. Maybe someone's laptop gets hit. But consumers are a different story. It's like the wild, wild west out there for them," he said.