What makes a rootkit?

The Sony copy-protection fiasco has moved the term from hacker lingo to a threat known and feared by ordinary PC owners.

Joris Evers, Staff Writer, CNET News.com
The Sony BMG copy protection debacle has pulled "rootkit" out of the hacker underground and into the wider world of regular computer users.

But while those PC owners may now recognize the term, that doesn't necessarily mean they know what kind of threat it describes. And in the Sony case, not even the experts can agree on whether the record label's antipiracy technology meets the technical definition of a rootkit.

"I would say it is more a stealth technology than a rootkit," said Vincent Weafer, the senior director at Symantec Security Response. "A rootkit is used by people trying to maintain remote access to a system. Sony is an example of a much more limited technology. It was only designed to hide itself."

That argument over semantics is important to security providers, which have to define threats before they defend against them. But in general it matters little, since all the experts agree that the technology ultimately acts as a rootkit would, making it every bit as dangerous as if it were installed by hackers.

Sony's copy-protection software, created by U.K.-based First 4 Internet, is installed on a computer's hard drive when certain Sony BMG Music Entertainment CDs are played on a Windows PC and after the listener accepts a license agreement.

The software relies on the cloaking technique at the center of the controversy, which buries itself deep in the internals of a Microsoft Windows PC. It blocks all but the most technically savvy users from being able to detect its presence. It is also invisible to most security products, which typically don't look that deep into a computer's workings.

"Rootkits can hide on the machine because they operate at a very low level in the operating system," said Joe Telafici, the director of operations at McAfee's Avert labs.

Behind the code
The term "rootkit" originates from the Unix world. It refers to a set of tools that would hide any trace of an intruder yet maintain full, or "root," access on a system running the operating system.

"A rootkit retains access to the system that has been previously compromised, and it hides itself from someone who is authorized to use the computer," said Jon Orbeton, a senior security analyst at security software maker Zone Labs.

Critics say that Sony's software left PCs vulnerable to attack because it provided a hiding place for other applications. Trojan horses that try to commandeer a system and take advantage of the cloak provided by the CD software have already appeared on the Internet. In addition, Sony initially didn't provide an uninstall tool (which exacerbated the situation).

All this adds up to a rootkit, experts such as Dan Kaminsky say. Kaminsky is the security researcher who has estimated that the Sony software is installed on at least 500,000 PCs.

"I had the same reaction that a number of security people had: Is Sony getting remote root on machines?" Kaminsky said. "Are they getting the capability to run code on a machine? That's what fundamentally makes it a rootkit: evasion of user knowledge."

Rootkits are available for sale online and some hackers even offer to create custom rootkits for payment, experts said. Often the software is used to hide a backdoor on a computer that lets hackers enter surreptitiously. Typically, it arrives in a Trojan horse or via malicious Web download. Some adware makers also use rootkits to cover up their software.

Antivirus software can often block known rootkits from being installed on a PC using a signature list. Incoming code is checked against this list of threats and any that matches is rejected. However, this means that new versions pose a challenge for security software companies. Also, rootkits are getting more complex, making them harder to remove, according to some experts.

"Security companies are definitely behind the curve," said Andrew Jaquith, a senior analyst at the Yankee Group, a Boston-based research company. "I think it is inevitable that you are going to see enhanced offerings from the leading players that are targeted specifically at rootkits."

Some protective software providers are catching up. Finland's F-Secure offers a test version of its BlackLight rootkit elimination technology, and Sysinternals, one of the first to reveal the threat behind Sony's copy protection software, has a free "RootkitRevealer."

At the moment, Microsoft offers detection and removal of some rootkits in its Malicious Software Removal Tool. In addition, it plans to add protection to the upcoming Windows Defender, its revamped Windows AntiSpyware tool.

Getting rid of a rootkit is easier to do when it first lands on a PC, as opposed to after it has been installed, Symantec's Weafer said.

"Let's say one of these rootkits comes in e-mail; it is far easier to see it there than once it is on the system," he said. "The current area of research is how to detect and remove once it is in place. That's more challenging, (as is) doing so without negatively impacting the system itself."

Symantec hopes to release rootkit-fighting technology next year, Weafer said.

Telling bad from good
The task of digging out rootkits should not just be the work of security products, but also something to be dealt with in the operating system, McAfee's Telafici said.

Microsoft is taking steps. Windows Vista, the successor to the XP operating system due out next year, will have barriers that make it harder for software like rootkits to run. It is a balancing act, because some of the operating system functionality that a rootkit abuses is needed to make an OS work with third-party products, Telafici said.

"Most modern operating systems are very open architectures. The reason you can buy a PC and mix and match technologies from other companies is because the operating system makes it very easy to install devices and allow it to run software code to see those devices and communicate with it," he said.

While rootkits used for malicious purposes by far outnumber rootkits used with good intent, beneficial versions do exist, Orbeton said.

"The security department at a company I previously worked at used what would be considered a rootkit so we could log in to computers in the event the computer got compromised by an attacker," he said. "We did not want the attacker to know that we had this tool present on the system."

That particular rootkit was created internally. Orbeton does not recommend using a publicly available rootkit for administrative or security purposes, as they may have a secret backdoor.

"A rootkit is just a tool. What it is actually used for is what makes it good or evil," Orbeton said.

But Wes Ames, a computing security architect who helps manage tens of thousands of PCs at airplane maker Boeing, doesn't like meddling with the innards of the operating system.

"I am very much against companies doing any kind of modification of operating system files. Those were not intended to be modified, and they contribute to the general instability of the machine," he said.