Rootkits and adware
Rootkits and adware can wreck a good computer, but first let me give you an idea of what a rootkit is.
Rootkit - definition from Wikipedia.org:
“A rootkit is a set of software tools frequently used by a third party (usually an intruder) after gaining access to a computer system. These tools are intended to conceal running processes, files or system data, which helps an intruder maintain access to a system without the user’s knowledge. Rootkits are known to exist for a variety of operating systems such as Linux, Solaris and versions of Microsoft Windows. A computer with a rootkit on it is called a rooted computer.
The word “rootkit” came to public awareness in the 2005 Sony CD copy protection controversy, in which Sony BMG music CDs placed a rootkit on Microsoft Windows PCs.”
A Google search for “rootkit” returns over 7,000,000 results, indicating more than a little attention on this subject.
Unfortunately, as you may have noticed in the search above, Sony, a “legitimate” company, was installing rootkits on its customers’ computers, presumably on the assumption that you are guilty of music piracy because you bought their product. One notable article on the subject that I suggest to those not in the know is titled “DRM this, Sony!” and was written by Molly Wood, section editor, CNET.com.
Rootkits are not new:
Microsoft has long known about the problem of hiding files (a common rootkit activity); in July 2004 it published a paper titled “Strider GhostBuster: Why It’s A Bad Idea For Stealth Software To Hide Files”:
“File hiding is an advanced stealth technique that is becoming popular among system monitoring software such as RootKits, Trojans, and keyloggers.”
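The GhostBuster title makes a practical point: hiding a file creates a discrepancy between what a program sees through the normal directory-listing API and what is actually on the disk, and that discrepancy is itself something a scanner can look for. The following is an added illustration of that cross-view comparison, written for this page; it is not code from the page, from Microsoft or from the Strider project. The “hooked” listing stands in for a user-mode rootkit that drops directory entries whose names start with a configurable prefix (the prefix `hxdef` and the sample file names are assumptions chosen for the example), and the “raw” listing stands in for reading the volume directly.

```python
import os
import tempfile
from pathlib import Path

# Prefix the simulated rootkit hides. hxdef-style rootkits hid names matching a configured
# pattern; "hxdef" here is an assumption chosen for the example, not a documented default.
HIDDEN_PREFIX = "hxdef"


def raw_listdir(path):
    """Low-level view: what you would get by reading the volume directly. Lists everything."""
    return sorted(entry.name for entry in os.scandir(path))


def hooked_listdir(path, hidden_prefix=HIDDEN_PREFIX):
    """High-level view through a hooked directory-enumeration API: entries whose names
    start with the rootkit's prefix are silently dropped before the caller sees them."""
    return [name for name in raw_listdir(path) if not name.lower().startswith(hidden_prefix)]


def cross_view_diff(root, api_view=hooked_listdir, low_view=raw_listdir):
    """Walk the tree with the low-level view and report every entry the API view omits.
    The walk itself uses the low-level view, so hidden directories are descended into too."""
    root = Path(root)
    hidden = []
    stack = [root]
    while stack:
        directory = stack.pop()
        visible = set(api_view(directory))
        for name in low_view(directory):
            full = directory / name
            if name not in visible:
                hidden.append(full.relative_to(root).as_posix())
            if full.is_dir():
                stack.append(full)
    return sorted(hidden)


def build_sample_tree(root):
    """Constructed sample tree: ordinary files plus the files a rootkit would want hidden."""
    root = Path(root)
    sys32 = root / "Windows" / "system32"
    sys32.mkdir(parents=True)
    for name in ("kernel32.dll", "hxdef100.exe", "hxdef100.ini"):
        (sys32 / name).write_bytes(b"")
    drop = root / "Program Files" / "hxdefdrop"
    drop.mkdir(parents=True)
    (drop / "payload.dll").write_bytes(b"")
    (root / "Program Files" / "notepad.exe").write_bytes(b"")
    return root


def demo(hidden_prefix=HIDDEN_PREFIX):
    """Build the sample tree and return the entries the hooked view conceals."""
    with tempfile.TemporaryDirectory() as tmp:
        root = build_sample_tree(tmp)
        return cross_view_diff(root, api_view=lambda d: hooked_listdir(d, hidden_prefix))


if __name__ == "__main__":
    for entry in demo():
        print("hidden from the API view:", entry)
```

The hidden directory is reported by name, and the walk continues into it using the low-level view, so anything the rootkit tucked inside is still enumerated. The obvious limitation is also the point of the Vista discussion further down: a kernel-mode rootkit can tamper with the low-level view as well, which is why that class of rootkit is the one new kernel protections target.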
If Microsoft wrote about it in 2004, chances are this kind of activity had already existed in the Windows arena for more than a few years. Jason Garms, architect and group program manager in Microsoft’s Anti-Malware Technology Team, stated in an interview with eWEEK that:
The Ispro rootkit, for example, was prevalent on 50 percent of all Windows XP machines without a service pack. About 20 percent of all scans of machines running XP SP1 and SP2 also found the rootkit.
The numbers are roughly the same for the FU rootkit while the Win32/HackDef stealth rootkit is lower down on the list, Garms said.
eWeek.com, in an article titled “Anti-spyware Battles Rootkits with Rootkit Tactics” by Paul F. Roberts on December 14, 2005, describes how anti-spyware vendors now have to resort to rootkit tactics of their own in order to fight current spyware.
“The latest threats, like Cool Web Search, use rootkits. They’re polymorphic and self healing. They install at eight different points in the file system,” Carlson said. “The complexity of coming up with a removal routine could take a week or two,” (Rick Carlson, a vice president for sales and marketing at Aluria.)
Eric Howes, a spyware analyst at the University of Illinois, says he agrees. He says he began seeing rootkit features in spyware like Cool Web Search around 12 months ago.
And Windows Vista is apparently being awaited by more than just users.
(The emailbattles.com description of one of them:)
One man hidden in central Europe rivets the attention of security professionals worldwide. He calls himself holy_father. And he created Hacker Defender (hxdef), the notorious rootkit used by adware, spyware, virus, digital rights management, and security professionals to bugger Microsoft Windows.
When asked about Vista and its purported higher security, he responded:
“I think that all these protections will affect kernel mode rootkits only :) which means it would be possible to rewrite hxdef - or write something similar in user mode - that would really work even on OS with such kernel protection :) This is great, isn’t it ?:))”
Rootkits and adware/spyware:
A Google search for “rootkit adware” returns over 330,000 results, which indicates quite a bit of attention on rootkits within the adware world itself. What this means to _you_ is that adware (and spyware) companies are using rootkit techniques to hide their software from you, from your anti-spyware and from your anti-virus software, making it more likely that their garbage stays installed on your computer and keeps sending data from it to their servers without your knowledge.
For instance, the Propo rootkit recently appeared in the wild; the description from ZoneLabs follows (with virus information supplied by Computer Associates):
“Win32.Propo is a family of multi-component trojans that download and execute arbitrary files, modify registry settings, and monitor an affected user’s web usage. They have been associated with adware.
The name of the registry keys Propo uses for the device driver and its own settings are randomly generated, and as such differ each time Propo is installed.”
The important items above are:
a) “execute arbitrary files”
b) “the registry keys Propo uses for the device driver and its own settings are randomly generated”
These two items (arbitrary and random) make removal very hard for someone who does not know where to look or what he/she is looking at: there is no fixed file name or registry key to search for, and the downloaded components can differ from one infection to the next. Where to look is documented all over the web. However, knowing what you are looking at requires experience.
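Because the driver’s key name is random, an analyst is not looking for a known name but for entries that look wrong: a service with a name no human would pick, no Description value, or an ImagePath pointing somewhere a driver has no business living. The following is an added example written for this page, not code from the page or from any vendor quoted on it. It runs those checks over a constructed sample of `HKLM\SYSTEM\CurrentControlSet\Services` entries (every name and path in `SAMPLE_SERVICES` is made up), and includes a reader for the live key on a Windows host via the standard `winreg` module for anyone who wants to point it at a real machine.

```python
import re
from collections import namedtuple

try:
    import winreg  # Windows only; the offline demo below does not need it
except ImportError:
    winreg = None

Service = namedtuple("Service", "name image_path description")

# Constructed sample of HKLM\SYSTEM\CurrentControlSet\Services entries. Names and paths
# are made up for this example; only the tuple shape mirrors the real hive.
SAMPLE_SERVICES = [
    Service("Tcpip", r"system32\DRIVERS\tcpip.sys", "TCP/IP Protocol Driver"),
    Service("Ntfs", r"system32\drivers\ntfs.sys", "NTFS file system driver"),
    Service("Spooler", r"%SystemRoot%\system32\spoolsv.exe", "Print Spooler"),
    Service("qzkrvtx", r"\??\C:\WINDOWS\system32\drivers\qzkrvtx.sys", ""),
    Service("d4m9x2pw", r"\??\C:\Documents and Settings\user\Local Settings\Temp\d4m9x2pw.sys", ""),
]

VOWELS = set("aeiouy")
TRUSTED_DIRS = ("system32", "syswow64")


def name_looks_generated(name):
    """True for names with (almost) no vowels or with digits mixed into the letters,
    which is what a randomly generated key name tends to look like. Heuristic only."""
    letters = [c for c in name.lower() if c.isalpha()]
    if not letters:
        return True
    vowel_ratio = sum(c in VOWELS for c in letters) / len(letters)
    mixed = bool(re.search(r"[a-z][0-9]|[0-9][a-z]", name.lower()))
    return vowel_ratio < 0.2 or mixed


def path_outside_system(image_path):
    """True when the driver/executable is loaded from somewhere other than the system directory."""
    p = image_path.lower().replace("\\??\\", "").replace("%systemroot%", r"c:\windows")
    return not any(d in p for d in TRUSTED_DIRS)


def score_service(svc):
    """Collect the warning signs for one Services entry."""
    reasons = []
    if name_looks_generated(svc.name):
        reasons.append("name looks randomly generated")
    if not svc.description.strip():
        reasons.append("no Description value")
    if path_outside_system(svc.image_path):
        reasons.append("ImagePath outside the system directory")
    return reasons


def suspicious_services(services, threshold=2):
    """Return (name, reasons) for entries with at least `threshold` warning signs, worst first.
    A single sign is common for legitimate drivers (short names like Ntfs), so one is not enough."""
    scored = [(s.name, score_service(s)) for s in services]
    flagged = [(n, r) for n, r in scored if len(r) >= threshold]
    return sorted(flagged, key=lambda item: (-len(item[1]), item[0]))


def load_live_services():
    """On a Windows host, read the real Services key into the same tuple shape.
    Caveat: a rootkit that hooks the registry API hides its own key from this view too."""
    if winreg is None:
        raise RuntimeError("winreg is only available on Windows")

    def value(key, name):
        try:
            return str(winreg.QueryValueEx(key, name)[0])
        except OSError:
            return ""

    services = []
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, r"SYSTEM\CurrentControlSet\Services") as root:
        index = 0
        while True:
            try:
                name = winreg.EnumKey(root, index)
            except OSError:
                break
            index += 1
            with winreg.OpenKey(root, name) as key:
                services.append(Service(name, value(key, "ImagePath"), value(key, "Description")))
    return services


if __name__ == "__main__":
    for name, reasons in suspicious_services(SAMPLE_SERVICES):
        print(f"{name}: {', '.join(reasons)}")
```

None of these checks is a signature; each is a reason to look closer, and the threshold exists because perfectly legitimate drivers trip one of them. Note also the caveat on `load_live_services`: a rootkit that hooks registry enumeration will hide its own key from the live API view, so on a machine you suspect, the useful comparison is the live listing against an offline copy of the SYSTEM hive taken from the disk, the same cross-view idea that applies to hidden files.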
“I don’t care if anybody sees my data! I have nothing to hide!”:
Imagine that you own, or work in, a medical office. You know that HIPAA requires you to protect patient data from unauthorized access and disclosure, so no unauthorized third party may have access to computers holding that data. And you have a rootkit installed on your computer… At that point, you are unknowingly violating HIPAA - a violation of federal law.
Or let’s say you are a financial consultant in the same situation - do you know where your client’s data is going today?
Alright, how about if you are an attorney or work in a law firm - do you know that your opposition doesn’t have a rootkit installed on your computer? If adware and spyware companies can do it…
And finally, let us assume that you are a typical home user. As you log onto your bank’s website to check your account - who is watching you type your username and password?
Need help?
If you need help removing rootkits or other adware/spyware from the computers on your network, consider giving my company, Los Angeles Computerhelp, a call - we’ll get your computers straightened out and then help make it harder for them to get infected again.
Last edited by Dan on 16 December, 2005
