February 21, 2005 (HOSTSEARCH.COM) Normally, when I hear Microsoft talk about security I give it about as much credence as a car salesman's pitch or George Bush talking about democracy. This time around, however, in exposing rootkits at the RSA Security Conference in San Francisco, I think Redmond has brought to light a truly scary threat to Windows and Linux users.
Rootkits work like this: a hacker breaks into a computer and modifies the kernel, the core of the operating system's code base. The rootkit then erases the record of those changes from the logs. The hacker leaves a backdoor into the system and can re-enter it noiselessly. Some rootkits can even intercept the queries, or "system calls", that programs pass to the kernel and filter out any results that would reveal the rootkit's own software. Thus the most common signs that a program is running, such as its executable file names, its running processes, and even its configuration settings in the operating system's registry, are invisible. Outbound communications can piggyback on commonly used TCP ports to communicate with the outside world without interrupting other applications that communicate on the same port.
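The filtering described above is also the rootkit's weak point from a defender's perspective: a kernel hook that edits the answer to one system call rarely edits the answer to every other interface that exposes the same fact. The script below is an added example, not code from the article or from Microsoft's research. It implements the classic "cross-view" check on Linux: the set of process IDs that /proc is willing to list is compared against the set of PIDs that answer a signal-0 probe via kill(), and anything that exists according to the probe but is missing from the listing is flagged. It assumes a Linux host with /proc mounted; the function and variable names are the example's own.

```python
"""Cross-view detection of hidden processes on Linux.

Added example for the rootkit discussion above; not part of the original
article.  A rootkit that filters the directory listing of /proc can hide
from `ps`, but hiding consistently from kill(pid, 0) as well requires
hooking a second, unrelated code path.  Comparing the two views gives a
defender a cheap heuristic.  Caveats: a rootkit that hooks kill() too will
defeat this check, and processes that exit between the two scans show up
as false positives, so `scan()` repeats the comparison and keeps only PIDs
that were hidden in every pass.
"""
import os


def list_visible_pids():
    """View 1: PIDs exposed by a directory listing of /proc (what `ps` uses)."""
    return {int(name) for name in os.listdir("/proc") if name.isdigit()}


def probe_pids(max_pid):
    """View 2: PIDs that exist according to kill(pid, 0).

    Signal 0 performs the existence and permission checks without delivering
    a signal.  ProcessLookupError (ESRCH) means no such process; PermissionError
    (EPERM) means the process exists but belongs to another user, which still
    counts as existing.
    """
    # Guard: on Windows os.kill() does not implement signal 0 and would
    # terminate the target, so this probe is POSIX-only by design.
    if os.name != "posix":
        raise RuntimeError("probe_pids() is only meaningful on POSIX systems")
    alive = set()
    for pid in range(1, max_pid + 1):
        try:
            os.kill(pid, 0)
            alive.add(pid)
        except ProcessLookupError:
            continue
        except PermissionError:
            alive.add(pid)
    return alive


def cross_view_diff(visible, probed):
    """Return PIDs that answer the probe but are absent from the /proc listing."""
    return sorted(probed - visible)


def read_pid_max():
    """Upper bound for the probe; pid_max is 32768 or 4194304 on most systems."""
    with open("/proc/sys/kernel/pid_max") as fh:
        return int(fh.read())


def scan(confirm_passes=2):
    """Run the comparison several times and report only consistently hidden PIDs."""
    hidden = None
    max_pid = read_pid_max()
    for _ in range(confirm_passes):
        probed = probe_pids(max_pid)
        visible = list_visible_pids()
        current = set(cross_view_diff(visible, probed))
        hidden = current if hidden is None else hidden & current
    return sorted(hidden)


if __name__ == "__main__":
    candidates = scan()
    if not candidates:
        print("no hidden process candidates found")
    for pid in candidates:
        print(f"hidden process candidate: pid {pid}")
```

Run it as root so the probe is not limited by permissions, and treat any hit as a lead to investigate (for example by comparing against a second host or boot medium), not as proof of compromise on its own.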
Then the hacker has free rein on the machine. He can listen in on all traffic on the local network, grabbing passwords and usernames destined for other machines (although this can be detected).
Rootkits are very hard to detect and can only be removed by completely reinstalling the machine.
First there was spam, and now it's 75% of all email. Then came the trojans, viruses, and worms, and now we have spyware and adware. Security companies have not been able to stop any of it despite daily releases of new applications and solutions. Perhaps methods for guaranteeing internet security are akin to stopping crime in the real world. In other words, outside of Singapore you'd better beware walking through strange neighborhoods.