Tuesday, March 10, 2009

How To Protect Information Technology Systems - Rootkits

by: Daynne Darryl

Many defensive technologies have been developed to combat the spread of Internet worms. Unfortunately, there is no single technology that protects against all types of mobile malicious code. Many enterprises rely on only a small set of protective technologies to protect their assets, such as firewalls and virus scanners.

Worms have increasingly become “blended threats”: they use many different methods to attack systems. In effect, they are using an attack-in-depth strategy to carry out their mission. Single-point solutions may be able to block a few of the attack vectors, but will not be able to stop all of them.

The nature of malicious code, or malware (e.g., viruses, worms, bots), shifted recently from disrupting service to actively seeking financial gain. In the past, worms were designed primarily to propagate. The impact on victims and organizations was primarily a disruption of service resulting in loss of productivity and sometimes a loss in revenue. Now, many of the significant worms are designed to steal sensitive information such as credit card numbers, social security numbers, PIN codes, and passwords and send the information to the attacker for nefarious purposes, including identity theft.

Unfortunately, attackers have become very adept at circumventing traditional defenses such as anti-virus software and firewalls. Even encrypted web transactions may not protect sensitive information if the user’s computer has been infected.

Malware also includes other attacker tools such as backdoors, rootkits, and keystroke loggers, as well as tracking cookies used as spyware.

Attacker tools might be delivered to a system as part of a malware infection or other system compromises. These tools allow attackers to have unauthorized access to or use of infected systems and their data, or to launch additional attacks.

Rootkits are collections of files that are installed on a system to alter its standard functionality in a malicious and stealthy way. A rootkit can make many changes to a system to hide the rootkit’s existence, making it very difficult for the user to determine that the rootkit is present and to identify what changes have been made. Rootkits are powerful tools to compromise computer systems without detection.

They do this using a variety of tricks to manipulate the operating system; the effect is that you cannot see the malware on your computer using normal Windows programs. Detecting the presence of rootkits is not easy. The fundamental problem with rootkit detection is that the operating system currently running cannot be trusted. In other words, actions such as requesting a list of all running processes or a list of all files in a directory cannot be trusted to behave as intended by the original designers. There are several programs available to detect rootkits. Rootkit detectors have to work from within the potentially infected system. Rootkit detectors that run on live systems currently only work because rootkits have not yet been developed that hide themselves fully.
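One way live detectors exploit the gap described above is a cross-view check: enumerate the same objects (here, process IDs) through two different paths and report anything the higher-level path omits. The following is an added example, not code from the original post; it assumes a Linux host for the live path and uses constructed sample views for the comparison logic.

```python
"""Cross-view rootkit check: compare what a high-level OS API reports
against what a lower-level enumeration reports (added example)."""
import os
import subprocess
from typing import Iterable, List, Set, Tuple


def hidden_entries(low_level_view: Iterable[str], api_view: Iterable[str]) -> Set[str]:
    """Return entries present in the lower-level view but missing from the
    higher-level view. A non-empty result is a discrepancy worth investigating,
    not proof of a rootkit: short-lived processes can race the two enumerations."""
    return set(low_level_view) - set(api_view)


def stable_hidden(snapshots: List[Tuple[Iterable[str], Iterable[str]]]) -> Set[str]:
    """Only report entries hidden in every (low, high) snapshot pair, which
    filters out processes that started or exited between enumerations."""
    result = None
    for low, high in snapshots:
        diff = hidden_entries(low, high)
        result = diff if result is None else result & diff
    return result or set()


def proc_pids_from_fs() -> Set[str]:
    """Lower-level view on Linux: numeric directory names under /proc."""
    return {name for name in os.listdir("/proc") if name.isdigit()}


def proc_pids_from_ps() -> Set[str]:
    """Higher-level view: process IDs as reported by the ps command."""
    out = subprocess.run(["ps", "-e", "-o", "pid="],
                         capture_output=True, text=True, check=True).stdout
    return {line.strip() for line in out.splitlines() if line.strip()}


if __name__ == "__main__":
    # Live run on the host: take two snapshots to suppress transient differences.
    snaps = [(proc_pids_from_fs(), proc_pids_from_ps()) for _ in range(2)]
    print("PIDs visible in /proc but not to ps:", sorted(stable_hidden(snaps)))
```

Both views here come from the same kernel, so a rootkit that hooks the kernel itself can lie to both paths; that is exactly the limitation the text describes.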