The root(kit) of all evil

Rootkits reconsidered

When a security researcher discovered Sony was using hidden software-cloaking and monitoring techniques to protect copyright on its music CDs, the public backlash led to lawsuits against the company and a debate ensued about the use of rootkits in commercial software.

Opponents say rootkits should never be used because they introduce potential vulnerabilities and are deceptive, while others contend they can be legitimately used for deep-stealth technology in both the enterprise and at home.

The Electronic Frontier Foundation (EFF) is not among those envisioning a positive role for rootkits.

“I have yet to see a rootkit that did not raise security concerns, and I am sceptical that there can be legitimate use of technologies that hide files from the user in an effort to thwart user control of their own computer,” says Kurt Opsahl, staff attorney at EFF.

Security expert Bruce Schneier, founder of managed security services firm Counterpane, is equally adamant.

“Can there be benevolent rootkits? That’s similar to the question of benevolent worms. The answer is ‘no’,” he says. “Rootkits use stealth to hide payloads, and that can cause problems. A user loses control with what’s going on in their machines.”

Antivirus vendors CA, Trend Micro and McAfee say they reject use of rootkits as a way to protect security software. “We call it stealth technology rather than rootkit technology and, by and large, it’s a negative thing,” says Stuart McClure, McAfee’s senior vice president of global threats.

But some say stealth technologies can be ethical and shouldn’t be dismissed as absolutely evil.

“Rootkits are inherently deceptive, of course,” says Christine Olson, project manager with the group formed by Harvard University and Oxford University to provide the public with a detailed list of software programs deemed to be unethical, deceptive or dangerous.

“But there are instances where the owner of the machine might want to deceive others using the machine [and would have the right to do so],” she says.

James Butler, CTO at Komoku, a startup funded by DARPA (the Defence Advanced Research Projects Agency) to develop ways to detect rootkits, says the debate that started after security researcher Mark Russinovich discovered the Sony rootkit remains murky.

“The debate centres around whether it’s acceptable for a company to install software that uses stealth in order to protect the company’s software from being detected,” he says.

In Sony’s case, the way the software was written would let an attacker also use the stealth abilities to hide programs. “In the end, rootkits can be good or evil. It’s all in how they’re used,” he says.

Gartner security analyst John Pescatore asserts corporations could benefit from more rootkit-like applications, such as those used to monitor employees. “Yes, there is a role for stealth in the enterprise world,” he says, adding that in the home, parents might want rootkit-like ways to monitor what their kids do on a home PC.

Some IT and network professionals say rootkit-like technologies could play a valuable role in the enterprise.

Enzo Micali, CIO at 1-800-Flowers, where flowers can be ordered online or by phone for delivery, says: “I’d consider stealth technology to monitor employees. The company owns the computers.”

Martin Lapointe, network manager at Canadian retailer Reitmans, concurs that “there is a role for stealth in the enterprise.” But using any rootkit-like technologies would depend, at the very minimum, on ensuring their use conforms with the user-consent and data privacy laws of the countries in which they’re used, he says.

Sam Curry, vice president of threat management at CA, says rootkits in commercial software could be compromised, with devastating results. Plus, antivirus and antispyware software would look too much like the evil code it’s trying to find and eliminate.

David Perry, Trend Micro’s global director of education, says: “We don’t want to look like the opposition”, even though hiding software components from attack has appeal.

Symantec, which declined to comment, endured its own public backlash when Russinovich discovered Symantec’s Norton SystemWorks was using a cloaking technique to hide its NProtect directory for storing temporary copies of files the user has deleted or modified.

Bowing to public criticism, Symantec re-evaluated the practice — which it said it did to keep users from deleting files — and released an update in January allowing the directory to be scanned using manual or scheduled scans, not just an on-access scanner.

Some say there is plenty of software that already uses stealth techniques, including that of most antivirus vendors.

“Most antiviral software and virtualisation software, like VMware, are essentially rootkits,” Gartner’s Pescatore says. “Good rootkit-like software gives the user choice and informs the user, [who then] knowingly installs it.”
