The Trouble with Rootkits

Have you ever wondered where all of those spam emails come from? Most people think they are sent from server farms in former Soviet-bloc countries, from Nigeria, or from tech-sleazes here at home who work hard to avoid detection and find loopholes in the CAN-SPAM Act.

While much spam does come from those sources, a new spamming technique is to use ordinary people as unwitting spammers. One such recent attack, Storm Worm, seeks to turn poorly secured PCs into occasional spam servers.

Many users in Europe downloaded Storm Worm early this year when they clicked on an email attachment claiming to contain information about wind storms that ravaged the continent. In the U.S., users were infected when they opened an email with a subject line reading “U.S. Secretary of State Condoleezza Rice has kicked German Chancellor Angela Merkel.” The email contained an attachment purporting to be a video of the event.

What’s troubling about this attack isn’t the delivery method, which is standard social engineering, but what happens next. Rather than launching a DDoS (distributed denial-of-service) attack or spreading a virus or worm, Storm Worm drops a kernel-mode rootkit onto the recipient’s computer.

A rootkit is a set of software tools that an intruder who has already gained administrator access to a PC installs in order to hide that access from the end user. The rootkit then provides ongoing access to the system, allowing attackers to install spyware, monitor user keystrokes, or use the compromised computer as part of a spam botnet, which is what Storm Worm does.

Storm Worm’s botnet sends out so-called pump’n’dump stock spam: spam that touts a stock the spammers already own, inflating its price so they can dump their shares once it climbs high enough. Fortunately, Storm Worm appeared to be rushed. It was a fairly primitive rootkit, which standard antivirus scanners can detect.

The user community is lucky in this case. A better-designed rootkit can persist long after a signature has been developed for it. “The problem is that people believe they are uninfected. They’ve kept their security up to date and run their scans, but the rootkit has avoided detection and is working in the background,” said Neil MacDonald, VP and fellow at the research firm Gartner.

Rootkits more advanced than Storm Worm make themselves invisible to antivirus scanners, often even disabling them. They also hide themselves from Windows Task Manager, which shows a PC’s running processes. The end result is that they are extremely difficult to detect after the initial infection, and an infection can last indefinitely, all without the end user suspecting a thing.
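Hiding from Task Manager usually means tampering with the process list that Task Manager and similar tools ask the kernel for. One practical check for that is a cross-view comparison: enumerate processes through two different paths and look for PIDs that one path returns and the other does not. The script below is an added example, not code from the article or from any of the people quoted in it. It assumes PowerShell 3.0 or later on Windows and that PIDs do not exceed the hypothetical $MaxPid bound; the Win32.Kernel32 wrapper type is defined here for the example.

```powershell
# Added example (not from the article): cross-view hidden-process check.
#
# View A: the process list, what Task Manager, Get-Process and most user-mode
#         tools read, and therefore what a rootkit hooks or edits.
# View B: a brute-force PID scan with OpenProcess, which resolves a PID
#         through the kernel's PID table rather than the process list.
# A PID that can be opened but never appears in the list is a candidate
# hidden process.

if (-not ('Win32.Kernel32' -as [type])) {
    Add-Type -Namespace Win32 -Name Kernel32 -MemberDefinition @'
[DllImport("kernel32.dll", SetLastError = true)]
public static extern IntPtr OpenProcess(uint dwDesiredAccess, bool bInheritHandle, uint dwProcessId);
[DllImport("kernel32.dll", SetLastError = true)]
public static extern bool CloseHandle(IntPtr hObject);
'@
}

function Get-ListedPids {
    # View A. Get-Process wraps System.Diagnostics.Process.GetProcesses().
    Get-Process | ForEach-Object { $_.Id }
}

function Get-OpenablePids {
    param([int]$MaxPid = 65536)   # assumption: adjust upward on busy hosts
    $PROCESS_QUERY_LIMITED_INFORMATION = 0x1000
    $ERROR_ACCESS_DENIED = 5
    # Windows hands out PIDs in multiples of 4; PID 0 (Idle) cannot be opened.
    for ($p = 4; $p -le $MaxPid; $p += 4) {
        $h = [Win32.Kernel32]::OpenProcess($PROCESS_QUERY_LIMITED_INFORMATION, $false, $p)
        if ($h -ne [IntPtr]::Zero) {
            [void][Win32.Kernel32]::CloseHandle($h)
            $p
        } elseif ([Runtime.InteropServices.Marshal]::GetLastWin32Error() -eq $ERROR_ACCESS_DENIED) {
            # The process exists but is protected (System, csrss, ...): still live.
            $p
        }
        # Any other error (ERROR_INVALID_PARAMETER) means no such process.
    }
}

function Find-HiddenPids {
    param([int]$MaxPid = 65536)
    # Snapshot the list before and after the slow scan so that a process that
    # starts or exits while the scan runs is not reported as hidden.
    $before = @(Get-ListedPids)
    $scan   = @(Get-OpenablePids -MaxPid $MaxPid)
    $after  = @(Get-ListedPids)
    $scan | Where-Object { ($before -notcontains $_) -and ($after -notcontains $_) }
}

$hidden = @(Find-HiddenPids)
if ($hidden.Count -eq 0) {
    'No PID is openable but missing from the process list.'
} else {
    "Candidate hidden PIDs: $($hidden -join ', ')"
}
```

Two caveats a practitioner should keep in mind. A flagged PID can also belong to a process that has already exited but whose kernel object is kept alive by an open handle, so confirm a hit with a second run or a handle listing before treating it as a rootkit. And both views end up in the kernel: a kernel-mode rootkit that filters both the process list and PID lookups will pass this check, so a clean result from user mode is evidence, not proof.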

Attacks as Investments

Rootkits are on the rise because hackers have different goals today. “The motivations of hackers have switched,” MacDonald said. “Taking down a million machines for fame and glory isn’t the motive anymore. Now it’s profit. The goal of attackers today is to use a compromised system over the long haul.”

For today’s organized cyber-criminals, an infected machine is an investment, and they seek to leverage that investment over time.

Even if you can’t see the process running in your Task Manager, wouldn’t you notice a system slowdown? Not necessarily. Most users expect performance degradation over time, and attackers are smart about hiding their activities.

“One thing many attackers do is target times when usage is low. Many PCs stay on all the time, so an attacker will schedule activities for late at night,” MacDonald said.

Rootkits take advantage of a weakness common to many operating-system installations: standard users are granted administrator privileges. A kernel-mode rootkit has to load a driver, and on Windows that requires administrative rights, so an attachment opened by a user without them cannot install the rootkit directly. “If end users don’t have administrator privileges, the threat is less significant,” MacDonald said.

Buena Vista?

One of the key security improvements in Windows Vista is its User Account Control (UAC). “Activities such as surfing the web, sending email, and using productivity applications do not require special privileges, so UAC automatically limits the power of a user’s account, even an account with administrative privileges, when doing those activities,” said Stephen Toulouse, security program manager at Microsoft.
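The limiting that Toulouse describes, and the administrator-privilege problem MacDonald raises in the previous section, can be seen directly in the access token of a logged-on session. The script below is an added example, not Microsoft's code or code from the article. It assumes PowerShell 3.0 or later on a UAC-capable Windows version; run it once from an ordinary PowerShell window and once from a window started with “Run as administrator” to see the two tokens side by side.

```powershell
# Added example (not from the article): what UAC has done to this session's token.

function Get-UacSessionInfo {
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)

    # True only when the token carries an enabled Administrators group.
    # In an unelevated session of an admin account this is $false: that is
    # UAC "limiting the power of the account" for everyday work.
    $tokenElevated = $principal.IsInRole(
        [Security.Principal.WindowsBuiltInRole]::Administrator)

    # whoami lists every group in the token with its attribute flags, which
    # .NET's Groups property filters out. Under UAC the Administrators SID
    # (S-1-5-32-544) is still present but marked "Group used for deny only",
    # and the integrity label is Medium (S-1-16-8192) instead of High
    # (S-1-16-12288).
    $groups     = whoami /groups /FO CSV | ConvertFrom-Csv
    $adminEntry = $groups | Where-Object { $_.SID -eq 'S-1-5-32-544' }
    $label      = $groups | Where-Object { $_.SID -like 'S-1-16-*' }

    # The UAC master switch. EnableLUA = 0 means every logon of an admin
    # account receives a full token, so anything the user opens, including a
    # mail attachment, can load a driver.
    $policy = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

    [pscustomobject]@{
        User            = $identity.Name
        UacEnabled      = ($policy.EnableLUA -eq 1)
        IntegrityLevel  = $label.'Group Name'
        InAdminsGroup   = [bool]$adminEntry
        AdminGroupFlags = $adminEntry.Attributes
        TokenElevated   = $tokenElevated
    }
}

Get-UacSessionInfo | Format-List
```

For an administrator account with UAC on, the unelevated run shows InAdminsGroup true, AdminGroupFlags containing “Group used for deny only”, a Medium integrity level and TokenElevated false; the elevated run shows the same group enabled, High integrity and TokenElevated true. A standard user shows InAdminsGroup false in both, which is the configuration MacDonald recommends. If UacEnabled reports false, the split never happens and the everyday session already holds the rights a kernel-mode rootkit needs.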