Dr. Dobb's is part of the Informa Tech Division of Informa PLC

Rootkits, Polymorphics Turn Threats Tougher In 2006


Toughened threats have been the hallmark of this year's security scene, a prominent security researcher said Friday.

"They just got tougher this year," said Oliver Friedrichs, the director of Symantec's security response team. "They're harder to detect and harder to remove.

"And they're harder for individuals to detect themselves. In the past, users could find a malicious file themselves, an errant key in the registry, or a process running in Windows," Friedrichs said. "Now threats are less likely to show up there and more likely to be hidden on a system."

The main way that threats -- exploits, in the nomenclature of security vendors -- have stepped up their invisibility is through the use of rootkit technologies. Rootkits, while not new -- they've been part of the Unix landscape for decades -- have only recently been put to work by Windows hackers, said Friedrichs. "It's one of the biggest trends of the year."

Rootkit technologies cloak malware to evade detection, and when malicious code is spotted, make it harder to completely eradicate it from the infected system. Hackers have turned to the technology and its tactics for a pair of reasons, said Friedrichs.
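The cloaking described above usually works by filtering what the ordinary enumeration APIs report, which is why detection tools compare that view against a second one gathered by a different path (raw kernel structures, direct disk or registry-hive parsing) and flag whatever only the lower-level path sees. The following Python is an added illustration of that cross-view diff, not code from the article or from Symantec; the snapshots are constructed sample data, the PIDs, the `C:\example\cloaked_sample.sys` path and the `ExampleHidden` Run value are placeholders, and the "high-level" and "low-level" views are assumed to be handed in by a collector that is not shown. It also handles the practical false-positive case of a process that starts or exits while the scan is running.

```python
"""Cross-view rootkit detection: compare an API-level view of the system with a
lower-level view and report objects that only the lower-level path can see.
Added example with constructed data; nothing here enumerates the real host."""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class Snapshot:
    """One enumeration of the system, gathered through a single path."""
    processes: frozenset[int]      # PIDs
    files: frozenset[str]          # absolute paths
    registry_keys: frozenset[str]  # full key/value paths


@dataclass(frozen=True, order=True)
class Finding:
    kind: str        # "process", "file" or "registry_key"
    identifier: str


def cross_view_diff(high: Snapshot, low: Snapshot) -> list[Finding]:
    """Naive diff: anything the low-level path sees that the API-level path does not."""
    views = (
        ("process", high.processes, low.processes),
        ("file", high.files, low.files),
        ("registry_key", high.registry_keys, low.registry_keys),
    )
    return [Finding(kind, str(item))
            for kind, hi, lo in views
            for item in sorted(lo - hi)]


def detect_hidden(high_before: Snapshot, high_after: Snapshot,
                  low: Snapshot) -> list[Finding]:
    """Race-tolerant diff.

    Take the API-level view twice, bracketing the low-level enumeration, and
    flag an object only if it is absent from BOTH high-level snapshots. An
    object that shows up in just one of them was created or destroyed
    mid-scan (a transient), not cloaked, and is left out of the report.
    """
    before = set(cross_view_diff(high_before, low))
    after = set(cross_view_diff(high_after, low))
    return sorted(before & after)


# ---- constructed sample data (placeholders, not real indicators) ----
RUN_KEY = r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
BASE_FILES = frozenset({r"C:\Windows\notepad.exe"})
BASE_KEYS = frozenset({RUN_KEY + r"\Updater"})

# API-level view before the low-level scan.
HIGH_BEFORE = Snapshot(frozenset({4, 512, 1337}), BASE_FILES, BASE_KEYS)
# API-level view after it: PID 2048 started in between (a benign transient).
HIGH_AFTER = Snapshot(frozenset({4, 512, 1337, 2048}), BASE_FILES, BASE_KEYS)
# Low-level view: also sees PID 4242, a driver file and a Run value that the
# API-level path never reports -- the cloaked objects.
LOW_VIEW = Snapshot(
    frozenset({4, 512, 1337, 2048, 4242}),
    BASE_FILES | {r"C:\example\cloaked_sample.sys"},
    BASE_KEYS | {RUN_KEY + r"\ExampleHidden"},
)


if __name__ == "__main__":
    print("naive diff (includes the transient PID 2048):")
    for f in cross_view_diff(HIGH_BEFORE, LOW_VIEW):
        print(f"  {f.kind:13} {f.identifier}")
    print("race-tolerant diff (cloaked objects only):")
    for f in detect_hidden(HIGH_BEFORE, HIGH_AFTER, LOW_VIEW):
        print(f"  {f.kind:13} {f.identifier}")
```

The limitation to keep in mind is the one the article raises later: a cross-view diff only catches a rootkit that subverts one of the two paths. Something that sits below both, such as the virtualization-based design Blue Pill demonstrates, returns the same answer to every view and leaves nothing to diff.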

"Security technology has improved drastically in the last five years, and attackers have needed to raise the bar to stay ahead and remain successful," he said. "But part of it is driven by profit. There's obviously a level of sophistication to attackers who are writing code for profit."

While 2006 didn't see a large jump in the complexity of the most sophisticated threats -- "we're really seeing a fairly consistent increase year to year," said Friedrichs -- that may change in 2007. Symantec expects to see even more advanced rootkits based on virtualization to appear next year.

"We've seen a lot of development in the theory of virtual machine rootkits, but we have yet to see it in the wild. In 2007 we'll see proof of concepts," he said.

By hiding malware within a virtual machine wrapper, hackers theoretically could elude security software detection. This summer, for instance, security researcher Joanna Rutkowska unveiled Blue Pill, technology that uses AMD's and Intel's hardware-based virtualization to create ultra-stealthy malware.

Friedrichs specifically mentioned Rutkowska's work as an example of the kind of serious VM-based threat that users may face next year. "As these [VM-enabled] chips are shipping more and more, the chance that threats will use them increases."

Another disturbing trend during 2006, said Friedrichs, was the reappearance of polymorphic viruses, malware that is able to rewrite its core assembly code as an evasion technique. One example from Symantec's list: W32.Polip.

"Polymorphics are exceptionally hard to detect and remove," said Friedrichs. Because of their mutation tactics, signature-based defenses will often allow a virus to slip through. Even behavior-based detection, often dubbed heuristic scanning, can be stumped. "They make behavior-based scanning more challenging," admitted Friedrichs, but he said the best security software could still deal with threats like Polip.

"The ability to detect polymorphics is one thing that separates a strong security suite from a weak security suite," he said.

In a white paper published this week, Symantec claimed that its software beat software from rivals such as F-Secure, Kaspersky, and McAfee in detecting polymorphic viruses.

"The only thing that can beat these threats [of rootkits and polymorphic viruses] is technology that looks deep enough inside the system," said Friedrichs. "Users can't do it on their own anymore."
