They’re evil; they’re nasty; we hate them; and we’re still pissed at Sony for bringing them into the limelight. Rootkits. Ugly bits of malware code that dig deep into your OS, often into the kernel itself, there to hide and do their nefarious business beneath the radar of your average AV program. The trick is that a rootkit doesn’t so much hide from the OS as make the OS lie for it: hook the calls that list files, processes or registry keys, and every tool that asks through those calls, your AV included, gets a doctored answer.
Sony’s ill-thought-out rootkit served to ‘protect’ their music CDs from being ripped by customers. That’s actually tame compared to what rootkits do nowadays. A rootkit is usually there to hide something else, some really destructive payload like a keylogger, from you and from your security software.
I talked to David Moll, CEO of Webroot, about a year ago about the changing trends in malware. He mentioned keyloggers being installed as rootkits specifically. Worse, he explained that keyloggers are now getting smart. Used to be they’d just snapshot everything you entered for X number of hours, then zap the info off to the bad guy as an ASCII file. No longer.
Today’s keyloggers are smart enough to know when you’re entering stuff they want to steal. Moll said these things are often coded to activate only when you’re hitting a certain kind of Web site, or even just a specific list of Web sites, like your bank’s, for example. Only then do they start logging keystrokes.
It’s a nastier world out there every day. Fortunately, Grisoft, the guys behind AVG, are trying to help. These guys put out a free anti-virus program, which has long been one of my favorites when I’m reviewing a loaner PC. Now they’ve got a freebie rootkit detector, too.
It’s for Windows, detects rootkits and removes them, too. You can download it here with a 30-day free commercial license included. After that, it’s free for home/non-business users only. AVG put the thing through a six-month open beta test, so it should be fairly solid, but I’d still go easy before trying that removal tool in the wild. Whether or not the remover is free isn’t the issue; it’s that rootkits aren’t necessarily coded to any single set of rules, and we’ve already experienced trouble when trying to simply yank some of them. A rootkit that has its hooks in kernel structures can take the system down with it when those hooks are pulled, so image the disk before you try, and if the box held anything sensitive, treat a wipe and reinstall as the only removal you can actually trust. Best to watch the Web for word on the effects of removing a specific rootkit before taking that risk.
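For readers who want to see what the detection half of a tool like this actually does, here is the classic cross-view check in a small added example. This is not Grisoft’s or AVG’s code; it is written for this post. The idea: ask the system the same question through the normal API and through a lower-level path, then diff the answers, because a hook that filters the API cannot filter what the raw path returns. Sony’s rootkit hid anything whose name began with `$sys$`; the simulated hook below uses a made-up prefix, `$hid$`, in the same spirit, and the directory contents are constructed. The live process check at the end is Linux-only and uses /proc plus a pid probe as stand-ins for the two views a Windows tool would get from the kernel.

```python
"""Cross-view rootkit detection: diff a high-level (API) view of the system
against a lower-level view. Anything the low-level path sees that the API
does not is being hidden. Added example for this post, not AVG/Grisoft code;
the hooked enumeration and sample directory contents are constructed."""
import os
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    kind: str     # "hidden_file" or "hidden_process"
    name: str
    detail: str


def cross_view_diff(api_view, raw_view):
    """Entries present in the raw view but absent from the API view, sorted."""
    return sorted(set(raw_view) - set(api_view))


# --- Constructed stand-in for a rootkit hooking directory enumeration ---
HIDE_PREFIX = "$hid$"   # made-up marker prefix the simulated hook filters on


def hooked_listdir(raw_entries):
    """What any process sees once the enumeration API is hooked: every
    entry carrying the marker prefix simply disappears from the listing."""
    return [e for e in raw_entries if not e.startswith(HIDE_PREFIX)]


def scan_directory(raw_entries):
    """Compare the hooked (API-level) listing with the raw on-disk listing."""
    return [
        Finding("hidden_file", name, "present on disk, missing from API listing")
        for name in cross_view_diff(hooked_listdir(raw_entries), raw_entries)
    ]


# --- Live process cross-view on Linux (only runs where /proc exists) ---
def _tgid(pid):
    """Thread-group id from /proc/<pid>/status, or None if it vanished."""
    try:
        with open(f"/proc/{pid}/status") as f:
            for line in f:
                if line.startswith("Tgid:"):
                    return int(line.split()[1])
    except OSError:
        return None
    return None


def _pid_alive(pid):
    """Probe a pid without listing it. EPERM still means 'exists'."""
    try:
        os.kill(pid, 0)
    except ProcessLookupError:
        return False
    except PermissionError:
        return True
    return True


def scan_processes(max_pid=65536):
    """High-level view: readdir on /proc. Low-level view: probe every pid.
    Two edge cases are handled: kill(2) also accepts thread ids, which
    readdir never lists, so candidates are checked against their Tgid; and a
    pid that appears between the two passes is re-checked, not reported.
    Raise max_pid to /proc/sys/kernel/pid_max for a full sweep."""
    listed = {int(d) for d in os.listdir("/proc") if d.isdigit()}
    probed = {pid for pid in range(1, max_pid + 1) if _pid_alive(pid)}
    findings = []
    for pid in cross_view_diff(listed, probed):
        tgid = _tgid(pid)
        if tgid is None or tgid != pid:
            continue   # exited already, or a thread of a listed process
        if str(pid) in os.listdir("/proc"):
            continue   # showed up after the first pass; not hidden
        findings.append(Finding("hidden_process", str(pid), "not listed in /proc"))
    return findings


if __name__ == "__main__":
    # Constructed directory: two legitimate files, two the hook would hide.
    sample = ["config.sys", "$hid$driver.sys", "notes.txt", "$hid$keylog.dat"]
    for f in scan_directory(sample):
        print(f"{f.kind}: {f.name} ({f.detail})")
    if os.path.isdir("/proc"):
        hidden = scan_processes()
        print("hidden processes:", [f.name for f in hidden] or "none")
```

The directory half is where the signal comes from: the raw listing never goes through the hooked call, so the two hidden names fall out of the diff. The process half shows why real tools are careful about what they flag; without the Tgid check every thread on the box would look like a hidden process, which is exactly the kind of false positive that makes people distrust a scanner.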
I’d tell you to check Grisoft’s ongoing security blog to find out how it works on specific rootkits…but they don’t do one. An oversight if you ask me. Fortunately, there are independent security info sources you can hit to find out about the effects of a removal tool before actually trying one. Garza over at InfoWorld’s Zero-Day usually knows what he’s talking about, as do the guys at ZoneLabs (though they probably won’t help with AVG), but somebody over at Dark Reading definitely will.