Issue of January 2006 

The Rootkit and Botnet menace

The latest threats on the security radar map are rootkits and botnets. What is worrying is that few security solutions can detect these bits of malware. Kumar Dawada examines the security vulnerabilities that could end up plaguing India Inc. in 2006.

“I think computer viruses should count as life. It says something about human nature that the only form of life we have created so far is purely destructive. We’ve created life in our own image.”

Stephen Hawking, Physicist

Just when you thought things couldn’t get worse, they did. The latest bits of malware floating around the Net, and on that copy-protected CD one of your managers just played on his PC, are rootkits and botnets. These threats have managed to stay ahead of security software for now. Botnets not only use the latest trends in encryption and polymorphism, they conceal themselves in rootkit code so that they reside permanently and undetected on compromised systems. This is like Jack the Ripper becoming the Invisible Man. The recent brouhaha about Sony Music’s copy-protected CDs carrying a rootkit that affected one in six DNS servers, across a statistical sampling of one third of the 9 million DNS servers that security researcher Dan Kaminsky estimates are in existence, could be just the tip of the iceberg as the security battle intensifies.

Botnet—Stealth Code

The sudden spate of improvements in bot design and state-of-the-art stealth technology is a result of the phenomenal growth of botnets as an underground industry. The bot masters collaborate, share code and help each other develop mutated bots that are rich in capabilities and commands. Modular bot designs allow these black hat hackers to come out with bots in record time, using new methods to exploit emerging vulnerabilities in operating systems and applications.

Botnets and rootkits have been around for a while but their combination into a unified, malicious attack tool has caused shockwaves worldwide. The saddest bit is that even those enterprises that have conscientiously invested in deploying the best security solutions available and implemented comprehensive security policies are soft targets for the botnet industry. The slow response of leading security vendors in developing solutions despite the onslaught has only raised the concerns of IT-enabled services and enterprises.

Rootkit And Botnet Primer
A bot is software that allows a computer system to be remotely controlled without the knowledge of the computer’s owner. A botnet is a group or network of such computers controlled by a bot master or bot herder. These botnets do what the bot master tells them to do. This can include anything from transmitting important files from the compromised systems (also called zombies) to installing new malicious software on them or using them as a front for launching a DDoS (distributed denial of service) attack.

A rootkit is a set of software tools, originally recompiled Unix tools, used by an intruder after gaining access to a computer system. It conceals processes, files or system data. This helps the intruder maintain access, that is, keep ‘root’ on the system, without being detected by the user or owner of the compromised system. Rootkits can be used effectively on many operating systems including Windows, Linux and Solaris.

Rootkits are of two types—kernel and application level rootkits. Kernel rootkits replace system calls with modified versions that hide information about the intruder. Application level rootkits replace regular application code with their own, or modify the behaviour of existing applications using hooks, patches, injected code or other methods.

The major problem with rootkit detection is that even the operating system running the compromised system cannot be trusted. Even a simple request such as asking for a list of all running processes or a list of all files in a directory is unreliable because there is no guarantee that all processes or files will be displayed.
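The two points of the primer, a hooked system call hiding a process and the resulting unreliability of the process list, are exactly what “cross-view” rootkit detectors turn against the intruder: gather the same information by two independent routes and report where they disagree. The following Python is an added example written for this page, not BlackLight or any other product’s code; it assumes Linux with /proc mounted, and its decision logic (classify) is kept pure so it can be checked on constructed inputs.

```python
import os
# Added example for this page (not a vendor's tool); assumes Linux with /proc.

def listed_pids():
    """High-level view: a /proc listing.  A rootkit hooking the directory-read
    path (the hidden-process trick described above) can drop entries here."""
    return {int(n) for n in os.listdir("/proc") if n.isdigit()}

def pid_exists(pid):
    """Low-level view: kill(pid, 0) sends nothing but reports whether the
    kernel knows the PID; EPERM still means the process exists."""
    try:
        os.kill(pid, 0)
    except ProcessLookupError:
        return False
    except PermissionError:
        pass
    return True

def thread_group_id(pid):
    """Tgid from /proc/<pid>/status, or None if the entry is unreadable."""
    try:
        with open(f"/proc/{pid}/status") as fh:
            for line in fh:
                if line.startswith("Tgid:"):
                    return int(line.split()[1])
    except OSError:
        pass
    return None

def classify(pid, listed, exists, tgid):
    """Pure decision, testable on constructed inputs.  Threads answer kill()
    but appear only under their group leader, so Tgid != pid is a thread."""
    if not exists or pid in listed:
        return "visible"
    if tgid is not None and tgid != pid:
        return "thread"
    return "hidden"  # alive by probe, absent from the listing

def hidden_pids(top=32768, rounds=3):
    """Cross-view diff over PIDs 1..top (use /proc/sys/kernel/pid_max),
    re-checked so processes that exited or started between snapshots are not reported."""
    candidates = {p for p in range(1, top + 1) if pid_exists(p)}
    for _ in range(rounds):
        listed = listed_pids()
        candidates = {p for p in candidates
                      if classify(p, listed, pid_exists(p), thread_group_id(p)) == "hidden"}
        if not candidates:
            break
    return sorted(candidates)
```

A rootkit that also hooks kill() or the reading of /proc/<pid>/status defeats this particular pair of views, which is why practical detectors compare several independent views rather than one.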

How Vulnerable Are We?

Today, India is an internationally favoured destination for outsourcing, whether business processes or high-end knowledge processes. It has a dynamic software industry. Many verticals such as BFSI, healthcare, pharma, telecom and government rely totally on their IT infrastructure for their business processes, business transactions, business decisions and mission-critical data. This in turn is dependent on security deployments and policy. Downtime due to malicious attacks can mean anything from a loss of business worth millions of dollars to loss of confidence in the eyes of investors or outsourcing clients. The logical question arising now is how much damage can a malicious botnet and rootkit attack cause and how vulnerable is the Indian enterprise to such threats?

Milind Tasgaonkar, Principal Consultant, Cisco Systems warns that today malicious attacks affect millions of systems within minutes or seconds. IT-enabled service sectors have security gaps which can be exploited by intruders. BFSI is especially vulnerable as it has mission-critical data stores in small cities and remote branch offices. Malicious attacks on these systems can spread to the lowest level and have far-reaching consequences.

Traditionally security was based on the fortress model. Firewalls and other technologies have focused on keeping everyone except authorised employees out of the network. Today’s business environment demands that any time, anywhere access be granted to employees, vendors, contractors and even guests.

Immunising The Internet
Tel Aviv University student Eran Shir and his colleagues have published an article in the online edition of Nature Physics journal: “Distributive immunization of networks against viruses using the ‘honey-pot’ architecture”. It is still a theoretical model based on simulations and analysis. They do not intend to patent the idea and have provided it as open source.

According to them, the antivirus concept is outdated. It aims to protect individual computers by removing viruses, worms, spyware and other malicious software from them. However, this means first identifying the malicious software every time and then coming up with a solution. This takes too long and meanwhile, the malicious software has already done maximum damage. Today malicious software always has a head start and the antivirus or antispyware is unable to keep up. What is needed is immunity software which immunises not only individual computers but also the entire network.

What is required is a response to malicious attacks in real time. This is possible only if the immunity software spreads across the Internet faster than the virus or malware, which effectively means beating the virus and malware at their own proliferation game. The technology already exists; it only has to be fine-tuned. Shir and his colleagues propose a system in which a few strategically placed honeypot computers run automated software that identifies the new virus or malware. Its signature or behaviour pattern is then sent out across the Internet. The sentinel program on all other computers in the network can now identify the virus or malware and prevent its entry when it tries to attack the network. Simulations have shown that the larger the network, the more efficient this method becomes. For instance, if a network has 50,000 nodes and only 0.4 percent of those act as honeypots, then just 5 percent of the network will be infected before the immune system can halt the virus and other malware attacks. However, if there is a massive network of, say, 200 million nodes and 0.4 percent of these are honeypots, then only 0.001 percent of the nodes will be infected before the immune system is triggered.

The Botnet Mayhem


Captain Felix Mohan, CEO, SecureSynergy is of the opinion that the latest batch of sophisticated botnets has given their owners absolute power over compromised machines, putting them in a position to launch distributed denial of service attacks, distribute malware, send spam, host porn, use compromised systems to store illegal files or information, or use them for any other illegal activity that the botnet owner desires. “Botnet owners have evolved themselves as infrastructure providers. For a price, they hire out their botnets with their armies of compromised machines to whoever wants to engage in malicious or criminal activity. Botnets have made large-scale criminal activities affordable and easy, even for novices”, says Mohan.

Saran Gopalakrishnan, Senior Product Manager, Websense agrees that the risk to Indian enterprise is enormous: it includes loss of intellectual capital, loss of confidence and credibility among customers, investors and partners, spam attacks, phishing, and the storage of illegal or stolen files on compromised systems. Botnet owners wreak havoc through keylogging, packet sniffing, and searching the hard disk for data and transmitting it, all without the knowledge, consent or assistance of the system’s owner.

A Deafening Silence

Solutions to combat the botnet and rootkit menace have not been forthcoming. Only F-Secure has come up with a toolkit called BlackLight to detect and remove rootkits, while Microsoft is said to be developing prototype anti-rootkit software called Strider Ghostbuster. In such a scenario, how can SMBs and large enterprises combat the botnet and rootkit menace?

Tasgaonkar feels that one solution to combat new viruses and malware is to develop a self-evolving network that can defend itself from current and future threats. “Network routers and switches already see and control the flow of all data and IP-based communication. If the core networking components are combined properly with specialised security technologies and services including endpoint monitoring software then proactive security can be obtained through network intelligence”, he says.

Update Your Rootkit Quotient
F-Secure claims that it is the first vendor to provide a rootkit scanner, called BlackLight, as part of its security suite. According to the company, it has already been available for the last nine months. Its Web site also lists the types of rootkits currently prevalent.

FU Rootkit
Open-source and simple; it can be incorporated into worms and bots by a simple cut and paste. However, it only hides processes, not files or registry keys.

Hacker Defender
More serious, because it is used by hackers to compromise corporate servers.

Sony BMG DRM
Has the dubious distinction of being the most common rootkit. BlackLight has not been able to detect this rootkit. Sony has already released a stand-alone uninstaller to remove its DRM software from infected systems.

Apropos spyware
Does not use rootkits for hiding, only to prevent its uninstallation and removal.

Solutions On The Horizon

Rajendra Dhavale, Consulting Director, Computer Associates feels that botnet attacks can be minimised and prevented through a PPT (People, Process and Technology) approach. It is necessary to educate support and technical staff about the types of risks prevalent on the Internet. They will retain that knowledge longer and can pass it on to the end users who encounter those risks. “Having proper security process and policies shows staff and customers how serious the company is about security. All security policies must be reviewed periodically, discussed and updated to address new threats,” says Dhavale.


Viral Raval, VP-IT, Kale Consultants echoes similar sentiments. He too feels that the key to preventing rootkit and botnet proliferation is people’s involvement and ownership. “Only when the users know that doing something will actually cause harm and hamper their own productivity, there can be effective prevention and fewer instances of proliferation. Organisations should also avoid the trap of overexposure on the Internet. Also the organisations should do regular checks on IRC and install the latest AV patches,” says Raval.
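Raval’s “regular checks on IRC” and Tasgaonkar’s point that routers and firewalls already see every flow can be combined into a simple herd detector: bots of that era joined an IRC channel to take orders, so several internal hosts connecting to the same external IRC server is a footprint worth checking. The code below is an added example written for this page, not from the article or any vendor; the log format, addresses and port list are constructed for the illustration.

```python
import re
from collections import defaultdict

# Added example for this page, not from the article or any vendor.  Port-based
# spotting of IRC command channels; log format and addresses are constructed.
IRC_PORTS = {6667, 6668, 6669, 6697, 7000}
LOG_RE = re.compile(r"src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)")

# Constructed firewall log: three internal hosts join the same external IRC
# server (a herd), one host browses the web, one host uses a different IRC server.
SAMPLE_LOG = """\
2006-01-12T10:03:11 src=10.0.0.12 dst=203.0.113.5 dport=6667 proto=tcp action=allow
2006-01-12T10:03:15 src=10.0.0.31 dst=203.0.113.5 dport=6667 proto=tcp action=allow
2006-01-12T10:03:19 src=10.0.0.47 dst=203.0.113.5 dport=6667 proto=tcp action=allow
2006-01-12T10:04:02 src=10.0.0.12 dst=198.51.100.9 dport=80 proto=tcp action=allow
2006-01-12T10:05:40 src=10.0.0.8 dst=198.51.100.20 dport=6697 proto=tcp action=allow
2006-01-12T10:06:11 src=10.0.0.12 dst=203.0.113.5 dport=6667 proto=tcp action=allow
"""

def parse(log):
    """Yield (src, dst, dport) for every line the pattern matches."""
    for line in log.splitlines():
        m = LOG_RE.search(line)
        if m:
            yield m["src"], m["dst"], int(m["dport"])

def irc_talkers(log):
    """Every internal host that touched an IRC port: the list to review by
    hand or against an allow-list of known legitimate IRC users."""
    return sorted({src for src, _, dport in parse(log) if dport in IRC_PORTS})

def irc_herds(log, min_hosts=3):
    """External IRC servers contacted by at least min_hosts distinct internal
    hosts, with those hosts: many machines joining one channel is the
    footprint of a herd reporting to its bot master."""
    hosts = defaultdict(set)
    for src, dst, dport in parse(log):
        if dport in IRC_PORTS:
            hosts[dst].add(src)
    return {dst: sorted(s) for dst, s in hosts.items() if len(s) >= min_hosts}
```

Bots that run their channel on a non-standard port or inside encrypted traffic, as the article notes newer bots do, slip past a pure port heuristic; pairing it with connection-frequency and destination-reputation checks is the usual next step.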

Sanjay Sharma, Corporate Head – Technology, IDBI Bank feels that having a proper security deployment and policy in place is enough to take care of the rootkit and botnet menace. “Botnets take control of the system only if proper security arrangements have not been made by an enterprise. Proper security deployment includes a DMZ (de-militarised zone), internal and external firewalls and other things to prevent unauthorised access. This prevents botnets and rootkits from entering the network. There is no need for a special rootkit or botnet removal tool or solution,” says Sharma. He feels that personal computer systems are more susceptible to black hat hacking and unauthorised control. This is because, unlike large enterprises, they do not have elaborate security deployments in place.

Mohan thinks that protection against rootkits and botnets requires SMBs and large enterprises to employ stringent end-point security. They need to keep endpoint anti-virus and security patches up-to-date.

Today’s security solutions can easily be circumvented by rootkit and botnet developers. Major vendors are taking their own sweet time to develop solutions. Therefore, unless netizens come up with an innovative way to beat rootkits and botnets at their own game, we may end up living in an era devoid of any privacy. As in the society envisioned by George Orwell in his novel 1984, each person may end up saying “Big Brother is watching you.”

Indian Express - Business Publications Division

Copyright 2001: Indian Express Newspapers (Mumbai) Limited (Mumbai, India). All rights reserved throughout the world. This entire site is compiled in Mumbai by the Business Publications Division (BPD) of the Indian Express Newspapers (Mumbai) Limited. Site managed by BPD.