For many years now antivirus have been monitoring hard drive activity as the main line of defense against malicious code. Each file which is stored on the drive is scanned by the antivirus and, should any threat be detected, it is eliminated. Therefore, if the rootkit is known, even quite a technically-simple antivirus will be able to at least detect and, on many occasions, eliminate it.
However, as we mentioned above, rootkits can be unique in design, exclusively developed for a specific machine. This obviously means that the antivirus will have no previous knowledge of the rootkit, and will therefore not have it recorded in its list of ID signatures for malicious code.
There are even cases of rootkits which do not use the hard drive, as was the case with the SQLSlammer worm. In such a case traditional protection solutions would fail spectacularly, as happened with the aforementioned worm.
It is therefore necessary to have a system which not only monitors file activity on the drive, but goes one step further. Instead of analyzing files byte by byte, it is important to monitor what happens when the file is executed.
A rootkit needs to carry out tasks which could be considered “typical”, such as acquiring root privileges, modifying basic calls to the operating system, falsifying data reporting within the system…. All these tasks, when considered individually, present little danger. However, when they combine at any given moment, and are implemented by the same program, they give clear signs that something strange is happening in the computer.
If, as mentioned before, antivirus solutions totally fail when it comes to detecting a rootkit, new technologies which detect threats by their behavior are most effective when detecting and blocking rootkits. These technologies do not operate on the basis of previously-learned conditions relating to fixed identification patterns of threat. Their success is based on intelligent, automatic investigation of the status of a process being executed on a computer.
When a series of actions is taken on a system and all (or at least some) of them present a risk to information integrity or the system’s correct functioning, a series of factors which assess the danger of this task are evaluated. For example, the fact that a process may request administration privileges in a system is nothing out of the ordinary. This does bring a certain risk, of course, but there is no need to warn of the situation. When carrying out an installation, administrator privileges may be required in order to carry out the necessary modifications and execute the file correctly.
Likewise, it is possible that a certain process must remain hidden, as there is no possibility for interaction, or that a certain process may open a specific port for communication, or that it may register keystrokes. However, when all these characteristics come together, the process can be viewed as a threat. When this happens, an in-depth analysis is required in order to be able to safely authorize the program’s execution.
Despite rumors to the contrary, rootkits can be eliminated, although not so easily as if they were a “Friday the 13th” virus. As we mentioned, rootkits protect themselves by remaining hidden, thus ensuring that no other process (such as an antivirus, for example), can detect them. However, in order for this process to hide, it must be operating and activated on the system’s memory.
The best way to avoid such a process from acting is to ensure that the operating system on which the rootkit is present never boots up with a disk different to the one with the rootkit, such as a CD, for example. In this way, if the rootkit is known, it can be eliminated.
However, if the rootkit is unknown, (in other words, if it has been specifically developed for a particular system), any antivirus will fail to detect it. In this case, the IT problem is perhaps of least importance: there is a person who is intentionally trying to harm your company and has taken the trouble to enter your system in an attempt to endanger it.
In this case, in addition to police investigation, it is necessary to rely on a security provider with the sufficient means to carry out forensic investigation on a disk and detect, and therefore eliminate, the rootkit. Check with your anti malware systems provider. No reply because it’s Friday evening? Maybe it’s about time you chose another option!