An article by John Markoff in Sunday’s New York Times about the growing popularity of botnet attacks is worth a closer look. (You may need to register to view the article.)
Botnets, for those of you still not aware of them, are collections of computers that have been compromised by bad guys. They are built by inserting a malicious piece of software, called a rootkit, on someone’s PC without their knowledge. This software allows someone else to control the whole collection of computers, often for ill-gotten gain. I laud the Times for actually printing a sidebar that tells its readers what they can do to try to prevent their PC from being compromised.
Markoff touches on rootkits briefly in his piece, and they are the subject of a paper I wrote for the Trusted Computing Group that you can find here.
Rootkits were first developed in the 1990s for Unix computers, then became infamous for Windows PCs in 2005 when Sony Music used them in numerous music CDs to prevent users from making digital copies. Now they are quite common and basic prototypes are found on several Web sites that can be used by even inexperienced programmers to develop the most virulent rootkits.
What makes rootkits so insidious is that they are hard to detect and harder still to remove without doing a wholesale operating system re-installation or re-imaging of a computer’s hard drive. They are designed to hide from the operating system’s normal view, since they modify the operating system itself. They can disguise themselves as ordinary operating system utilities, replacing the file and process viewing commands with their own code, or modify the most basic parts of the operating system to conceal their presence. Most of them are designed to survive reboots of the PC, and can live undetected on a system for months.
Some of the nastier rootkits include key logging programs that record the usernames and passwords typed into a particular machine and send this information to a central repository, where it can be used to compromise or steal sensitive data.
A new breed of infections employs virtualization techniques similar to those used by EMC’s VMware and Microsoft Virtual Server 2005. By silently creating a virtual environment in which the normal operating system runs, the rootkit gains access to all data processed by that operating system while evading detection. Under these circumstances, a rootkit can run a clean copy of the OS and still get access to all the confidential data.
There is a series of rootkit detection and removal tools, such as Microsoft’s own Malicious Software Removal Tool, Sophos Anti-Rootkit, PrevX, Tripwire, UnHackMe and F-Secure’s Blacklight. However, using any of these tools requires you to be vigilant and spend a lot of time pro-actively doing regular hard disk scans, along with spending time interpreting the results of these scans and deleting the offending compromised files. In some cases, you will have to compare the current state of your system with results from booting a known clean copy of your OS from a special CD, which is cumbersome at best.
And even PCs running their own firewall software are at risk, since infections can be transmitted by browsing dangerous Web pages, by sending files via Instant Messenger applications, or even by inserting a music CD into the system, as Sony has so aptly demonstrated. It is a tough world out there, sadly.
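The baseline comparison described above, as an added example that is not code from the post or from any of the tools it names (directory layout and file contents are constructed): it hashes every file under a directory and reports what was added, removed or modified relative to a baseline. In practice the baseline is recorded while booted from the clean CD, because a rootkit running on the live system can hide or alter the very files being hashed.

```python
"""Added example (not code from the post or from any tool it names): hash the
files under a directory and diff them against a baseline recorded from a
known-clean boot, the cross-check the post describes. Paths are constructed."""
import hashlib
import tempfile
from pathlib import Path

def hash_file(path, chunk=65536):
    """SHA-256 of a file, read in chunks so large binaries are not loaded whole."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def snapshot(root):
    """Map every regular file under root (relative path) to its SHA-256."""
    root = Path(root)
    return {str(p.relative_to(root)): hash_file(p)
            for p in sorted(root.rglob("*")) if p.is_file() and not p.is_symlink()}

def compare(baseline, current):
    """Classify differences between the clean baseline and the live snapshot."""
    base, cur = set(baseline), set(current)
    return {
        "added": sorted(cur - base),        # files the clean system never had
        "removed": sorted(base - cur),      # files that have vanished
        "modified": sorted(k for k in base & cur if baseline[k] != current[k]),
    }

def demo():
    """Constructed scenario: baseline a fake bin/ directory, then tamper with it.
    The baseline stands in for a snapshot taken while booted from the clean CD."""
    with tempfile.TemporaryDirectory() as d:
        fake_bin = Path(d) / "bin"
        fake_bin.mkdir()
        for name in ("ls", "ps", "netstat"):
            (fake_bin / name).write_bytes(b"genuine " + name.encode())
        baseline = snapshot(fake_bin)
        (fake_bin / "ps").write_bytes(b"replaced ps that hides processes")
        (fake_bin / "hidden.ko").write_bytes(b"dropped kernel module")
        (fake_bin / "netstat").unlink()
        return compare(baseline, snapshot(fake_bin))

if __name__ == "__main__":
    for kind, files in demo().items():
        print(f"{kind}: {files}")
```

A replaced utility shows up as "modified" even though it still looks like a normal program to the running OS, which is the whole point of hashing against a trusted baseline rather than trusting the live file listing.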
Corporate IT staffs have one solution at present to stop rootkits from taking over their PCs. It is a combination of a special hardware chip, present inside many new computers, called the Trusted Platform Module (TPM), along with software from Wave Systems of Lee, Mass. called Embassy Endpoint Enforcer. The TPM isn’t found in older computers, and the Wave Systems software is the only one shipping that really takes advantage of it at the moment, although other software is in the works. I realize that this doesn’t help home PC users fight rootkits either.
Microsoft’s new Windows Vista operating system includes a feature called BitLocker that provides hard drive encryption. The key for the encryption can be stored on the TPM, making it easy and secure to use. This doesn’t do anything for rootkits, but at least it shows that software developers are getting on board with the TPM.
In the meantime, follow at least some of the suggestions in the Times.
From Robert Gordon at CA:
Brian Grayek, our vice president of Threat Content Development here at CA, thinks the war on botnets is far from over. He also says the industry needs to explore legal and technological ways to shut down bot herders and return “botanized” machines to their rightful owners.
What do you think is the best rootkit removal tool (even commercial)?
A good starting place is this tutorial here.
And then you have the botnets going after the anti-rootkit scanners – see this blog entry http://www.antirootkit.com/blog/2007/01/07/gmer-people-power/; it’s about one of the most popular scanners’ website being taken down.
Here is a review of six rootkit detectors from IWeek.