Kevin Le Blanc (Global) - Rooting Out Rootkits

In this blog post, security expert Kevin Le Blanc discusses the dangers of rootkit attacks and explains some measures you can take to protect your business.

You practice defense in depth. You have deployed a breadth of security solutions across your endpoints and network. You update and patch as regularly as possible. But deep below all your tools is a rootkit saying “everything is ok” while secretly monitoring what your systems are doing and silently extracting data. How can this happen?

The volume of rootkit-based stealthy attacks continues to grow exponentially. To put this growth into perspective, over the past three years the volume of rootkits has grown to the point where McAfee Labs is detecting on average over 1200 new rootkits each and every day - that is over 50 new rootkit variants being discovered every hour. The growth of these sorts of attacks is in direct relation to their effectiveness.

The evidence is clear: traditional security methods are insufficient for dealing with the complexity of today’s threats. What is required is a new way of thinking about security to protect against the ever-evolving threat landscape.

So what are rootkits and how do they operate? A rootkit is a type of malware that attempts to gain privileged access to a system while actively hiding its presence from users and security tools. Rootkits such as Koobface or TDSS typically provide a remote user with access to all resources on the system on which the rootkit is installed. They often join the compromised system to other “rooted” systems as part of a larger botnet.

So what makes rootkits so difficult to stop? Rootkits typically operate in kernel mode, many layers below the operating system and application level. Kernel-level rootkits attack systems well before operating system and security software defenses, which reside in the application layer, even become effective. They therefore largely go undetected until it is too late: the rootkit has successfully attacked the system and has likely already launched or released its payload, infecting the machine. Rootkits are also hard to defeat because they are typically well disguised against detection, and many sophisticated rootkits can change or alter themselves and can even re-infect a system after it has been detected and an attempt has been made to clean it.

To protect against stealth threats that target the computing stack much lower down, i.e. below the operating system, security protection also needs to go below the operating system. To do this, the industry must look at combining the power of software security and hardware to have a continual view and persistent security throughout the computing stack.

One of the ways technology leaders are addressing kernel-level rootkits is by combining the native hardware functionality of CPUs that have built-in virtualization technology with innovative security countermeasure software specifically designed to operate in concert with the CPU hardware layer. This technique has become known as hardware-assisted security.

You can think of hardware-assisted security as a new security layer providing a much “deeper” security footprint than previously possible, extending protection well below the application and operating system level. By doing so, it becomes possible to monitor system behavior, including memory and CPU state changes within the BIOS layer and the operating system kernel, as they are being attempted; this gives the ability to see and prevent events and actions in real time. With this low-level vantage point, the evasive techniques used by rootkits can be detected and their actions prevented before they have a chance to embed themselves in the OS, kernel, or memory, thereby inhibiting the effectiveness of kernel-level rootkit attacks.
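The “lower vantage point” argument above can be illustrated in software with a classic defender technique, cross-view differential detection: collect the same fact (which processes exist) through two independent paths and diff the results, because a rootkit that hooks the one path user tools rely on leaves the other path untouched. The following Python is an added example written for this post; it is not code from the author or from McAfee, and it is not the hardware-assisted mechanism the post describes. The live collectors assume Linux (`/proc` and `os.kill` with signal 0); the PIDs in the demo are constructed.

```python
"""Cross-view differential detection of hidden processes (added example).

A process-hiding rootkit usually filters the one enumeration path that
user-mode tools use (for Linux, the /proc directory listing).  Collecting
the same information through a second path that does not enumerate at all,
and diffing the two views, exposes what the hooked path conceals.
"""
import os
from typing import Iterable, Tuple, List, Dict


def cross_view_diff(hookable_view: Iterable[int], probe_view: Iterable[int]) -> Dict[str, List[int]]:
    """Compare two independently collected PID sets.

    'hidden'    : present in the probe view but absent from the hookable one
                  (candidate hidden processes)
    'transient' : present only in the hookable view (normal process churn,
                  reported so the caller can judge how noisy the sample was)
    """
    hookable, probe = set(hookable_view), set(probe_view)
    return {"hidden": sorted(probe - hookable), "transient": sorted(hookable - probe)}


def stable_hidden(samples: Iterable[Tuple[Iterable[int], Iterable[int]]]) -> List[int]:
    """Suppress race noise: processes that start or exit between the two
    collections show up as one-off differences.  A PID counts as hidden only
    if it is hidden in every (hookable_view, probe_view) pair handed in."""
    result = None
    for hookable, probe in samples:
        hidden = set(cross_view_diff(hookable, probe)["hidden"])
        result = hidden if result is None else result & hidden
    return sorted(result or [])


# ---- live collectors (Linux only; the detector above is platform-neutral) ----

def proc_listing_view() -> List[int]:
    """View 1: PIDs from the /proc directory listing.  A kernel rootkit that
    hooks directory enumeration can drop entries from exactly this listing."""
    return [int(name) for name in os.listdir("/proc") if name.isdigit()]


def pid_probe_view(max_pid: int) -> List[int]:
    """View 2: ask the kernel 'does PID n exist?' for every n via signal 0.
    No enumeration call is involved, so a filtered listing does not affect it.
    This walks the whole PID space, so it is slow when pid_max is large."""
    found = []
    for pid in range(1, max_pid + 1):
        try:
            os.kill(pid, 0)
        except ProcessLookupError:
            continue
        except PermissionError:
            pass  # the process exists; we are just not allowed to signal it
        found.append(pid)
    return found


def scan_live(rounds: int = 3) -> List[int]:
    """Collect both views several times and report only persistently hidden PIDs."""
    with open("/proc/sys/kernel/pid_max") as fh:
        max_pid = int(fh.read())
    samples = [(proc_listing_view(), pid_probe_view(max_pid)) for _ in range(rounds)]
    return stable_hidden(samples)


if __name__ == "__main__":
    # Constructed demo values: the hooked listing has PID 4242 filtered out;
    # PID 9001 exited between the two collections and is mere churn.
    hooked = [1, 2, 500, 9001]
    probe = [1, 2, 500, 4242]
    print(cross_view_diff(hooked, probe))
    print(stable_hidden([(hooked, probe), ([1, 2, 500], [1, 2, 500, 4242, 7])]))
```

The limitation is the point the post is making: a rootkit that hooks both paths, or sits below the kernel code that answers them, defeats any comparison done from inside the OS, which is why a vantage point beneath the operating system is needed for the comparison to stay trustworthy.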

By Kevin Le Blanc, Senior Director of Product Marketing, McAfee