The number of malicious programs is on the rise, according to McAfee’s Avert Labs, with exponential increases in rootkits and Windows-based stealth components.
In the first quarter of 2006, the number of rootkits increased by 700 percent over the year-ago period, according to McAfee. Meanwhile, the number of Windows-based stealth components dominate the landscape, with an increase of 2,300 percent from 2001 to 2005.
“Clearly we are seeing that stealth technologies, and rootkits specifically, are increasing at an alarming rate,” said Stuart McClure, senior vice president, global threats at McAfee. “This trend in malware evolution is creating hardier and ever more virulent strains of malware that will continue to threaten businesses and consumers alike.”
Stealth Technology Skyrockets
Why have incident rates of stealth technology increased by more than 600 percent in the last three years alone? The open source environment, along with online collaboration sites and blogs, are partially to blame for the increased proliferation and complexity of rootkits, McAfee said.
The sudden rise in online collaborative research efforts using Web sites that contain hundreds of lines of rootkit code, available for recompiling, adapting, and improving, along with rootkit binary executables are key factors.
“Last year there were a couple of Web sites that became popularized in understanding and developing rootkit technologies. We also saw that the term rootkit became generalized in the media,” Ken Dunham, senior engineer at threat intelligence firm iDefense , a VeriSign company, told TechNewsWorld. “The debate over the Sony rootkit sparked interest in it as well. Whenever you have a lot of interest and you have tools and capabilities and well-developed community forums to develop things, you are gong to see a lot of it.”
With the availability of rootkit code and stealth creation kits, malware authors can more easily hide processes, files, and registry keys, without detailed knowledge of the target operating system. The power and versatility of stealth technologies have driven their spread into nearly every known form of malware. Their popularity has grown beyond malware into mainstream commercial software, with some security software vendors and consumer electronics firms recently being “outed” for using stealth technologies in their products, McAfee said.
At the end of last year, iDefense discovered a worm called Feebs. The worm spread a new variant every two or three days. Upon deeper investigation, iDefense learned that the Feebs worm included rootkit functionality. The worm evades detection, and that is a key characteristic of the latest Internet threats, Dunham said: “We knew without a doubt that 2006 would be the year of the rootkit because it’s all about stealth for survival when people are coding for cash.”
Stemming the Tide
Analysts expect to see continued increases in malicious code that uses rootkit technology because the code is readily available, it’s not difficult to implement, and there are plenty of users that support the development of rootkits. That means even a novice can perpetrate this stealth attack.
“It’s all about hiding it so you can maintain extended control over a computer because then you can profile it and steal more. In today’s world, with identity theft running rampant, they need more than just your credit card. They need to get your date of birth and your social to get maximum profit on your computer. So it’s about remaining stealthy,” Dunham said.
There are solutions to detect rootkits, like F-Secure‘s Blacklight and Sysinternals’ RootkitRevealer, two that Dunham has tested and reports work well.