Rootkits taking hold
December 12, 2007
Malware infections -- in particular insidious rootkit attacks -- continue to proliferate at a rapid pace, according to new figures released by security vendor Prevx.
Based on the latest results from over 725,000 endpoint systems tested with the company's Prevx CSI automated malware scanner, some 14 percent of the business-owned PCs involved had been infected with one type of rootkit or another, the company said.
Rootkits -- loosely defined as sets of tools that give administrator-level access to a computer or network and that typically hide themselves as close to the machine's OS kernel as possible to evade detection -- are regarded by many security experts as one of the stealthiest methods of infecting computers today, and thus as among the most dangerous.
[ For an in-depth look at rootkits in the enterprise, see "Rootkits: The next big enterprise threat?" ]
Overall, Prevx reported that the percentage of machines that it found to be loaded with some form of malware rose from 15 percent to 22 percent since late October, largely driven by the flood of new rootkit infections.
As reported by Prevx: "Rootkits are a major concern because while a user believes his or her computer is 'clean' from infection, he or she is exposing more and more information to criminals who can use this type of malware to gather personal information across the Web."
While rootkits are nothing new and have been in regular circulation for years, Prevx officials maintain that the "rise of rootkits" has begun as attackers have shifted their focus to the threats that attempt to evade detection at the hands of traditional anti-malware applications.
Even though most businesses are using commercial anti-virus tools, rootkits are still finding a way in the door, said officials with the scanning specialists.
"Many PCs may be infected even though users and businesses have up-to-date anti-virus and anti-spyware products," Mel Morris, Prevx's CEO, said in a research note.
"Users often don't realize something is amiss until they run a full anti-virus scan of their PCs with updated signatures. Even then, rootkits will often go undetected," he said. "Part of the problem is that anti-virus scans simply take too long and users just can't be bothered to wait."
Unsurprisingly, Prevx's technology promises to allow for less cumbersome malware scans.
Among the 1,678 rootkit-infected PCs scanned by Prevx since Oct. 22, the most prevalent rootkit files included NDT2.SYS (found on 121 machines), SROSA.SYS (90), UNPR.SYS (82), FMTR.SYS (82), and INDT2.SYS (78).
The company said that in the first 9 days of December, 93 individual companies used its malware scanning technology, with 68 of those organizations having one or more infected PCs, and 13 companies, or 14 percent, having one or more rootkit infections.
A free version of the company's CSI scanning application can be accessed here.
Posted by Matt Hines on December 12, 2007 01:16 PM
COMMENTS
What you don't say is that Prevx scans all your files then phones home with a report. This looks even more invasive than Microsoft. You can't run the scan when you don't have a pervasive internet connection and permit all traffic!
If you read the agreement, they don't want you using the program unless you want to give all this to them.
The privacy statement leaves something to be desired.
Oh foolish user, when will you ever learn????
Posted by: gostak at December 13, 2007 09:20 AM

Hey, that's worth pointing out, thanks for the heads up!
Posted by: Matt Hines at December 13, 2007 10:51 AM

Prevx doesn't phone home with a report. Files are all scanned online. It can't work without an internet connection because the database is 'in the cloud'. There are some other AVs which are starting to do this as well (Panda, NOD32) because it allows the AV vendor to hold all of the definitions online, which allows for instant updates and global monitoring. It is not an infringement of privacy at all; no private data is sent up and only data about executables is sent at all.
Posted by: Jonathon at December 22, 2007 12:05 PM

@Jonathon Thanks!
@gostak "foolish user" all A/V programs need updating from a database. Your scare-mongering harms the very people that need protection most.
@Matt -- ideally you would edit your "thanks" or post another comment to limit the harm from gostak's untruthful scare-mongering.
Posted by: Dave L at January 9, 2008 12:45 PM

Well, it's good to know that the Prevx info gathering appears to be opt-in and anonymous, but, as the market moves toward positive security models, these types of privacy and security issues must be considered.
Thanks to all for the comments and clarifications.
Posted by: Matt Hines at January 10, 2008 06:36 AM

I apologize if my comments are considered "scare-mongering". I just don't feel comfortable. After reading that data about executables is sent up, I am left with the question: what data about the executables is sent up? Does or does not Prevx get a list of all the executables on my machine?
There seems to be some confusion about what private data is. I consider what executables I have on my machine to be my business and no one else's. I do want to know if someone has slipped a mickey into my programs. But what programs I have written, compiled and run are private!!
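The comments above argue about what an "in the cloud" scanner actually transmits. The following is an added example, not Prevx's code or anything from the article, that models the hash-lookup design Jonathon describes: the endpoint hashes its executable files and sends only the hash and size to a lookup service, which answers with a verdict from a definition database. The file tree, the file contents, the reputation database and the driver-name labels (borrowed from the article's list) are all constructed here for an offline run; `build_client_report`, `cloud_lookup` and `scan` are hypothetical names.

```python
import hashlib
import os
import tempfile

EXECUTABLE_EXTENSIONS = {".exe", ".dll", ".sys"}

# Constructed stand-in contents; the lookup service only ever sees their hashes.
SAMPLE_BAD = b"constructed stand-in for a malicious driver, not real malware"
SAMPLE_GOOD = b"constructed stand-in for a benign vendor driver"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed reputation database keyed by SHA-256. The family label reuses a
# driver name quoted in the article; the hash is of the constructed bytes above.
CLOUD_DB = {
    sha256_hex(SAMPLE_BAD): "malicious (NDT2.SYS family, constructed label)",
    sha256_hex(SAMPLE_GOOD): "clean",
}


def build_client_report(root: str) -> list:
    """Endpoint side: describe each executable by hash and size only.

    Paths and file contents stay on the machine. This is the minimum a
    hash-lookup scanner must send, which is the answer to "what data
    about the executables is sent up" in this model."""
    report = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if os.path.splitext(name)[1].lower() not in EXECUTABLE_EXTENSIONS:
                continue  # non-executables are never hashed or reported
            path = os.path.join(dirpath, name)
            digest = hashlib.sha256()
            with open(path, "rb") as handle:
                for chunk in iter(lambda: handle.read(1 << 16), b""):
                    digest.update(chunk)
            report.append({"sha256": digest.hexdigest(), "size": os.path.getsize(path)})
    return report


def cloud_lookup(report: list, db=CLOUD_DB) -> dict:
    """Service side: one verdict per submitted hash; anything not in the
    definition database comes back as 'unknown' rather than 'clean'."""
    return {entry["sha256"]: db.get(entry["sha256"], "unknown") for entry in report}


def scan(root: str) -> dict:
    """Run the client and service halves and return what crossed the wire."""
    report = build_client_report(root)
    return {
        "sent_fields": sorted(report[0].keys()) if report else [],
        "verdicts": cloud_lookup(report),
    }


def make_sample_tree() -> str:
    """Constructed endpoint file tree used only for this demonstration."""
    root = tempfile.mkdtemp(prefix="scan_demo_")
    drivers = os.path.join(root, "drivers")
    os.makedirs(drivers)
    with open(os.path.join(drivers, "NDT2.SYS"), "wb") as f:
        f.write(SAMPLE_BAD)
    with open(os.path.join(drivers, "vendor.sys"), "wb") as f:
        f.write(SAMPLE_GOOD)
    with open(os.path.join(root, "mytool.exe"), "wb") as f:
        f.write(b"constructed locally written program")
    with open(os.path.join(root, "notes.txt"), "wb") as f:
        f.write(b"not an executable; never hashed")
    return root


if __name__ == "__main__":
    result = scan(make_sample_tree())
    print("fields sent to the lookup service:", result["sent_fields"])
    for digest, verdict in result["verdicts"].items():
        print(digest[:16], verdict)
```

The run shows both sides of the thread's dispute: no file name, path or content leaves the endpoint, so Jonathon is right that the service receives only data about executables. But the locally built `mytool.exe` still produces a hash the service has never seen, so the service does learn that some executable it cannot identify exists on that machine, which is the residue of gostak's concern. Whether that is acceptable is a policy question the vendor's privacy statement has to answer, and it is why unknown hashes should be reported as "unknown" rather than silently treated as clean.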