Monday, February 12, 2007

Review of 6 rootkit detectors. Six what?! 

A "rootkit" is a program that blinds you and other programs on your computer to its existence. It can conceal other files and programs. If you can't see what's on your computer, you're not really in control of it.

A rootkit might be part of the nastiness installed by other unwanted software. A rootkit might conceal malicious software from antivirus or antispyware products.

Infoworld reviewed six programs for detecting infection by a rootkit.

"The best things in life are free" applies to software. The reviewer's top choice is a Russian programmer's free product, "Rootkit Unhooker". It detected all the test cases and wasn't too hard to use.

Is this something you need? I'm torn about how to advise you. A rootkit detector is potentially as troublesome as antivirus software, the results may be harder to understand, and the threat isn't overwhelming yet.

More information

There are no files on your computer

Some religions teach that all the world is an illusion. On your computer, that's a simple everyday fact. Your hard disk is just a set of magnetic patterns. Electronics on the disk makes it look to your operating system like a bank of data with addresses for each piece. Your operating system assembles chunks of the data and makes it look like files to you. Not just to you, but also to the programs you use. Your word processor sees the illusion of files that the operating system creates, and then adds another layer of illusion by making the file look like a paper document.

I've oversimplified. The operating system itself is an onion, with layers of illusion wrapped around each other.

Every time you hear words like "virtual" or "abstraction" it means someone has created an illusion.

If a layer of the onion closer to the middle chooses to hide something, then none of the outer layers can see it.

Rootkits try to get closer to the center of the onion than any program that might detect them. It's an arms race. The most dangerous rootkits are the ones closest to the center of the Onion of Illusion, and are called "kernel rootkits".

As your computer reboots, it builds a new Onion of Illusion. The only way a rootkit detector can work in the long run is if it's on a CD-ROM and you reboot to use it. Once an infected computer is up and running, nobody can guarantee detecting an organized deception like a rootkit.
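One concrete way a reboot-to-CD detector can use this is a cross-view comparison: take an inventory of the disk from the running system, take it again after booting clean media, and diff the two. Anything the offline view lists but the live view does not is a candidate for something a lower layer of the onion was hiding. The script below is an added example, not code from the post or from any of the reviewed products; the inventory format (one path, size and SHA-256 per line) and the sample entries are constructed assumptions.

```python
"""Cross-view check: diff a file inventory taken on the running system
against one taken after booting from clean rescue media.
Inventory format is an assumption: one 'path<TAB>size<TAB>sha256' line per file."""
from __future__ import annotations


def parse_inventory(text: str) -> dict[str, tuple[int, str]]:
    """Parse 'path<TAB>size<TAB>sha256' lines into {path: (size, sha256)}."""
    entries: dict[str, tuple[int, str]] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        path, size, digest = line.split("\t")
        entries[path] = (int(size), digest)
    return entries


def cross_view_diff(live: dict, offline: dict) -> dict[str, list[str]]:
    """Files seen offline but not live may be hidden from the live view;
    files whose size or hash differs between views suggest a tampered
    read path; files seen only live have no backing on disk at all."""
    hidden = sorted(p for p in offline if p not in live)
    altered = sorted(p for p in offline if p in live and live[p] != offline[p])
    phantom = sorted(p for p in live if p not in offline)
    return {"hidden": hidden, "altered": altered, "phantom": phantom}


# Constructed sample inventories (not data from a real system).
LIVE_VIEW = """\
C:\\Windows\\System32\\drivers\\disk.sys\t12345\taaaa
C:\\Windows\\System32\\ntoskrnl.exe\t4000000\tbbbb
"""
OFFLINE_VIEW = """\
C:\\Windows\\System32\\drivers\\disk.sys\t12345\taaaa
C:\\Windows\\System32\\ntoskrnl.exe\t4000000\tcccc
C:\\Windows\\System32\\drivers\\example-hidden.sys\t9876\tdddd
"""


def demo() -> dict[str, list[str]]:
    """Run the comparison on the constructed sample views."""
    return cross_view_diff(parse_inventory(LIVE_VIEW), parse_inventory(OFFLINE_VIEW))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

A real run would generate both inventories with the same tool (one from the live system, one from the rescue boot with the disk mounted read-only) and feed the files to `parse_inventory`.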

Other metaphors: the dishonest interpreter

Each layer on your computer is doing a translation job. Your word processor translates "Save" to the operating system as "write to a file". The operating system translates that to the disk drive as a series of commands like "store these 512 bytes at sector 1b440cde".

Have you ever read one of those stories where someone is in a foreign country and gets a crooked interpreter?

Other metaphors: embezzlement

Each layer of management gives orders and takes reports from the layer underneath. Suppose somebody at the bottom of the heap is falsifying data by creating ghost employees (and cashing their paychecks). The corporate equivalent of a rootkit would be infiltrating the company with people who falsify reports. Then anything could happen and the executives couldn't stop it, because they wouldn't know about it.

Watchguard has some videos with more information about rootkits and how they work. (Disclosure: they bought an article from me once.)
