Now, the geek in me comes out...in the early '60s, Arthur C. Clarke wrote in his essay, "Profiles of the Future" that "Any sufficiently advanced technology is indistinguishable from magic." Apply this to rootkits in use on Windows systems, and the concept holds true over 40 years later.
"Not detected by anti-spyware and anti-virus software" != rootkit (not always, anyway)
My point is simply this...too often, an incident isn't fully investigated and what is first suspected to be a rootkit turns out to be something else entirely. I believe that this is due largely to the Windows GUI (which I still believe is meant only to protect the user or admin from himself...). What I mean by that comment is that the majority of the security training for Windows involves interaction through the GUI...click here, check this box, click "OK". However, the GUI tools provided with a native Windows installation are simply insufficient to perform incident response. Therefore, what we end up seeing is that administrators and first responders become limited by their interaction with the GUI, and have no concept of what's going on "under the hood". For example, most folks have very little idea how much the Windows system interacts with the Registry, and where evidence of activity can be found...but I'll leave that for another blog entry.
So that's where education comes in. But the question becomes...how do you educate the folks who need it? Write books? Offer courses? I'm not sure if this works...and I say this because one doesn't see a lot of discussion on such topics.
Why is this education important? Well, while MS's Strider Ghostbuster approach is a good one, there are a great number of machines that may (please note the heavy emphasis on the previous word) be compromised in some way, but can't be taken down for examination. Production machines in ecommerce infrastructures, file servers, or the CxO's workstation...such systems can't necessarily be taken offline. Usually, one needs justification to do so, and one needs facts in order to develop a justification. The education part comes in by teaching administrators and first responders where to look, what to look for, what to watch out for, and how to interpret the data they collect.
Is the concept of rootkits and rootkit detection important? Yes, most definitely so. I did a quick search this morning and found the following bits of malware with rootkit capabilities:
- BKDR_BERBEW.Y (8 Feb 05)
- SPYW_PEEP.A (15 Feb 05)
- Trojan.Blubber (15 Jan 05)
- Trojan.Comxt.B (2 Feb 05) ADS + Rootkit
- Win32.Malsan.A (7 Dec 04 - .C, 9 Dec 04)
With regards to rootkit detection, Joanna Rutkowska released flister earlier this year. Joanna's done some pretty interesting work in the past, and I'm definitely going to be adding flister to my rootkit testing infrastructure.
One final thought...I have to get a publicist or something. Sheesh! SysInternals releases RootkitRevealer and is almost immediately /.'d. Others have done work that doesn't seem to be making it into the public (or even the community) view. For example, in my book, I described and provided an initial implementation of a tool for performing rootkit detection on live Windows systems, using a behaviour-based approach. I've actually found the code listed online, too (i.e., rkd.pl). Why do I bring this up? Well, how else do you pierce FUD like this?