Wednesday, March 16, 2005

Lions and tigers and rootkits...oh, my!

As each day passes, I run across more and more fallout from MS's mention of rootkits at the RSA conference.

I've found mention of this at Adam's Mindspace, Bruce Schneier mentioned it, and others have mentioned it, as well.

A quote from Adam's blog:
The message was basically that, as there is currently no defacto way of detecting these rootkits, you either need to go to extreme measures to detect their presence on a potentially infected system or start from scratch.

I've got to say that I completely disagree. The fact remains that one doesn't need a rootkit to hide activity on a system. Simply changing the file name works just fine...it seems to fool a great number of people. Hiding the network activity has been demonstrated time and again...one way is to use IE as a COM server and have it do your bidding.

My point is that many user-mode rootkits are actually easily detected...just pick up a copy of my book and take a look at what I wrote about AFX Rootkit 2003.

Now, will these methods of detection always work? Probably not. But they work for now. The real danger isn't that rootkits are undetectable...it's that people think MS is saying that they are. Once the media grabs hold of this, now more people suddenly know about rootkits on Windows systems, but they don't know the real deal...all they know is the media hype.

What's missing in this whole media maelstrom is real, in-depth analysis. Most of the blog entries I've seen are simply links..."look, this guy said this about that!"...without much more than opinion from the blogger, if anything at all. Robert Hensing's blog is the noteable exception.

No comments: