Ian JP Kenefick said:
You don't need to know *HOW* they function. You just need to know what
a rootkit is. Soon enough they will be integrated in AV anyway.
For detection perhaps. Many rootkits cannot be removed while the
operating system is running. You need to boot using some other
operating system, like Windows or Linux on a bootable CD, so you can
repair the infected OS. Not knowing how the tool proposes to remove the
rootkit means users will end up with dead or partially disabled
computers. You already see that with users of anti-spyware tools that
blindly let those tools make changes without knowing what the changes
will be and whether they should even be allowed. Several times I've
seen a user use Ad-Aware or Spybot to remove spyware that uses an LSP
(layered service provider) in the TCP layer, and the removal of the
spyware ends up removing the LSP which doesn't then chain correctly and
renders the user incapable of any further network connects. Blindly
removing a rootkit without some knowledge of the environment within which
it exists and what it affects will lead to even more corruption of the system by
the uneducated applying these risky tools. Anti-virus software is more
mature in how it eradicates viruses but users sometimes still end up
with dead applications, dead connects, or a dead system after blindly
letting the AV program eradicate a virus. With rootkits, you are
performing major surgery on your OS to remove the rootkit. I doubt such
removal will prove any more robust and reliable than installing service
packs for Windows, and we all know that installing service packs can
result in problems. You know there will be lazy users that will blindly
use the rootkit remover without first saving logical file backups (for
data recovery) and saving disk images (for disaster recovery).
We are just now seeing utilities to remove rootkits, yet the first
exhibited rootkit for Windows was shown, I think, back around 1997. How
long has it been that ADS (alternate data streams) have been available
for files? Ever since NTFS arrived (http://www.ntfs.com/ntfs-multiple.htm).
Yet it is only recently that
some anti-virus products will scan the ADS of files looking for viruses.
They depend on the on-access scanner seeing the ADS getting loaded into
memory and detecting the virus there. That means the virus hides on
your system until something reads the ADS to load it into memory. Okay,
so the virus can't do anything while just sitting in the ADS until it
gets loaded into memory whereupon it gets detected, but many users would
prefer to safely remove the unlit bomb rather than risk trying to defuse
it while the fuse is burning. Some users actually disable the on-access
scanner because it sucks up too many CPU cycles, especially on heavily
loaded hosts, like file servers. Most users don't know about alternate
data streams because Microsoft doesn't include any features in Explorer
or any utilities in Windows to interrogate for their existence and
content. You have to get a utility from the Windows 2000 Resource Kit
or use a 3rd party product, like LADS or CrucialADS, to identify that a
file has an ADS.
Ad-Aware's SE version was the first anti-spyware product I saw that
finally included scanning of the ADS. I haven't found documentation
that says Microsoft/Giant AntiSpyware scans the ADS of files. TDS-3
will scan the ADS of files looking for trojans. Kaspersky AV uses the
ADS but only to record a hash value of the file along with status so it
can later skip scanning that file if it was found clean on a prior scan
(but KAV's uninstall is dirty in that it leaves behind all the ADSes
assigned to files), but I don't know if it actually scans the ADS of
files looking for viruses. The last version of Norton AntiVirus that I
used was 2003 and it did not scan the ADS of files. I'm still trying to
find which anti-virus products will scan more than just the primary data
stream (i.e., to scan the multiple streams assigned to a file). I
contacted McAfee through their online chat but obviously got hold of an
India rep who wasn't really interested in handling pre-sales tech
questions, didn't know what I was talking about, and then claimed McAfee
does scan the ADS of files but I suspect the rep just gave up to make me
go away. A McAfee user noted that the command-line version of VirusScan
has the /STREAMS switch, but that means scanning the ADS of files is
*not* the default mode of operation. When I asked TrendMicro if
PC-Cillin scans the ADS of files, their reply was to ask which operating
system I use (but NTFS is, after all, *NT* File System which is
available on *all* versions of NT-based Windows), plus they wanted the
version number of PC-Cillin although I said in my message that it was a
pre-sales inquiry. Guess the tech rep didn't have their coffee yet to
be awake enough to understand the question. Avast's response was "avast
considers NTFS streams as a special type of packed files. That is, it
can detect viruses in NTFS if archive scanning (unpacking) is enabled.
In the free (Home) Edition, you can choose to use all unpackers or none
(single check box)." Eset's response regarding NOD32 was, "NOD32 does
not scan alternate data streams. It is a feature we are planning to add
in the future, however, there is no word on when it will be available."
So it is still a mixed bag as to whether or not an anti-virus product
will scan the alternate data streams of files.
Most users are recommended to use a firewall when they connect to the
Internet. Most are recommended to use one that includes outbound
firewall rules against applications that ask for a connection, so the
user needs to know a bit more than someone using an inbound-only
firewall. If the firewall provides the option to block fireholing
(where an unauthorized program uses an authorized program to get an
Internet connection, like the tooleaky test which uses IE), the user
will have to understand more of how his system works to know how to
answer the prompts. If the firewall supports DLL authentication (to
ensure the DLLs for the application are used by it when making an
Internet connection and haven't been replaced by malware copies), the
user needs to know how their applications function and possibly
interrogate the DLLs to believe it should be authenticated for use with
the application when making the connection. Removing a virus can be
risky to the security, stability, and reliability of your system.
Removing spyware is more risky. Removing rootkits is very risky. As
the risk increases, it behooves the user to understand more fully what
actions will get committed to eradicate the malware. Dumb users kill
computers.
As the level of security increases, the user needs more education. The
same holds true for eradicating rootkits which is the utmost complexity
in extricating malware. Some rootkits are easy to eradicate. Some are
very, very tough. I'm not saying that you need to be an OS programmer
to understand how to eradicate a rootkit, but you'll need a lot more
expertise than the lazy newbie that can't even figure out that removing
the blocking of attachments in Outlook Express is a configurable option.
At some point, you'll have to decide if it is worth spending the time to
eradicate the rootkit and then spend more time to repair your system
rather than just do a fresh install or restore to a prior snapshot
stored in a disk image which can be quite a bit shorter in time and a
lot easier in effort.
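The post above notes that Windows ships nothing in Explorer to show whether a file carries an alternate data stream, so users rely on LADS, CrucialADS or a Resource Kit tool. Newer Windows PowerShell (3.0 and later) does expose streams through the `-Stream` parameter. The script below is an added example, not code from the original post or from any of the products it discusses: it creates a constructed sample file with a hidden stream in a temp directory, enumerates every named stream under that directory, shows the first line of each stream for triage, and then removes the non-benign ones while leaving the primary data stream untouched. The directory name `ads-demo`, the file name `readme.txt`, the stream name `hidden` and the inert sample text are all assumptions made for this demo.

```powershell
# Added example: find and strip NTFS alternate data streams with PowerShell.
# Requires Windows PowerShell 3.0 or later (Get-Item / Get-Content / Remove-Item -Stream).
# Directory, file and stream names below are assumptions chosen for the demo.

$root = Join-Path $env:TEMP 'ads-demo'
New-Item -ItemType Directory -Path $root -Force | Out-Null

# Constructed sample: a harmless-looking text file whose size in Explorer only
# reflects the primary stream, plus an alternate stream named 'hidden'.
# The stream content is inert text standing in for a stashed executable.
$sample = Join-Path $root 'readme.txt'
Set-Content -Path $sample -Value 'Nothing to see in the primary stream.'
Set-Content -Path $sample -Stream 'hidden' -Value 'MZ (pretend PE header) hidden payload text'

function Get-AlternateStreams {
    param([Parameter(Mandatory)][string]$Path)

    Get-ChildItem -Path $Path -File -Recurse | ForEach-Object {
        $file = $_
        # ':$DATA' is the unnamed primary stream; anything else is an ADS.
        Get-Item -Path $file.FullName -Stream * -ErrorAction SilentlyContinue |
            Where-Object { $_.Stream -ne ':$DATA' } |
            ForEach-Object {
                [pscustomobject]@{
                    File   = $file.FullName
                    Stream = $_.Stream
                    Bytes  = $_.Length
                    # First line of the stream for triage: 'MZ' at offset 0
                    # means a PE image is sitting in the stream.
                    Head   = Get-Content -Path $file.FullName -Stream $_.Stream `
                                         -TotalCount 1 -ErrorAction SilentlyContinue
                }
            }
    }
}

$found = Get-AlternateStreams -Path $root
$found | Format-Table -AutoSize

# Removal: deleting only the named stream keeps the file's primary data intact,
# which is the careful counterpart to letting a tool blindly delete the file.
# 'Zone.Identifier' is the benign "downloaded from the Internet" mark and is kept.
foreach ($s in $found) {
    if ($s.Stream -ne 'Zone.Identifier') {
        Remove-Item -Path $s.File -Stream $s.Stream
    }
}

# Verify: the primary stream survives, the named stream is gone.
Get-Content -Path $sample
Get-Item -Path $sample -Stream * | Select-Object Stream, Length
```

Run it from an elevated or ordinary PowerShell prompt on an NTFS volume; on FAT/exFAT the `-Stream` calls fail because those file systems have no streams. Pointing `Get-AlternateStreams` at a download folder or a user profile is the quick way to answer the question the post raises, namely whether anything on the machine is hiding in a stream an on-access scanner has never been asked to read.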