The poisonous rootkits rocking the security world

There are some seriously stealthy rootkits running on computers today. Tom Brewster investigates the extent of the problem...

Rootkits have been around for years. Born in the UNIX world over two decades ago, the term remained a part of UNIX and Linux experts' argot until the mid-2000s.

Thanks to a Sony BMG gaffe in 2005, rootkits entered the lexicon of almost everyone in the tech world. To stop people copying music excessively once installed on Windows systems, Sony ensured users didn't just download tunes when they shoved CDs into their computers, they got rootkits too.

Advertisement - Article continues below

Sony didn't appear to realise the security implications of what they were doing. By installing the Extended Copy Protection (XCP) and MediaMax CD-3 software on user systems, Sony wasn't just invading people's privacy without them knowing. It admitted the rootkit included "a feature that may make a user's computer susceptible to a virus written specifically to target the software."

Things only worsened when Sony issued its rootkit removal tool, which opened up a flaw for other malware to exploit. After all this was discovered, Sony was sued and had to recall the millions of affected CDs.

Once installed, a rootkit acts like a malware invisibility cloak.

It was one of the most significant moments in IT security history. Sony may have settled the lawsuits but the damage was done. The world now knew what rootkits were and what they were capable of. Worst of all, cyber criminals were inspired to create some seriously pernicious rootkits, some of which are leaving security companies whimpering in their labs.

Advertisement - Article continues below
Advertisement - Article continues below

The end game for cyber criminals themselves is simply to evade detection, covering up malicious software doing nasty things to infected systems.

"Cyber criminals are not unlike pickpockets in the real world: they try to remain as inconspicuous as possible, quietly 'working the crowds' as they target other people's property," said Kaspersky senior technology consultant David Emm. "Rootkits are a key part of the cyber criminal's armoury. Once installed, a rootkit acts like a malware invisibility cloak to hide any tell-tale signs that a malicious program is installed."

The classic kernel kits

The most concerning rootkits around today are those that target the OS kernel. "The most advanced rootkits in the wild are still kernel-based rootkits, malicious software that work from inside the operating system," said Marco Giuliani, threat research analyst at Webroot. "They are able to spread in the wild without being blocked by most security software."

The rootkit of the TDL or TDSS malware is one of the nastiest kernel-focused kits around today. Over the past three years, various versions have upped its capabilities to make it incredibly difficult to identify. It is the dark chameleon of the security world, the evil twin of Where's Wally?.

Advertisement - Article continues below

TDL-4 is the latest incarnation. It appeared in mid-2010, able to in infect both 32-bit and 64-bit operating systems, making widely-used versions of Windows vulnerable. The rootkit infects the boot sector, meaning malicious code is loaded before the operating system. To do this, TDL-4 gets into the Master Boot Record (MBR). This is what makes TDSS so stealthy.

Featured Resources

Preparing for long-term remote working after COVID-19

Learn how to safely and securely enable your remote workforce

Download now

Cloud vs on-premise storage: What’s right for you?

Key considerations driving document storage decisions for businesses

Download now

Staying ahead of the game in the world of data

Create successful marketing campaigns by understanding your customers better

Download now

Transforming productivity

Solutions that facilitate work at full speed

Download now

Most Popular

Google Android

Over two dozen Android apps found stealing user data

7 Jul 2020

How to find RAM speed, size and type

24 Jun 2020

The road to recovery

30 Jun 2020