Stealthware!
Maybe instead of bending the term "rootkit" to fit a new mold the security industry would better benefit by adopting widespread use of the term "stealthware."
January 17, 2006
Maybe instead of bending the term "rootkit" to fit a new mold the security industry would better benefit by adopting widespread use of the term "stealthware."
Just to be clear, let's recap a tiny bit of history regarding rootkits. Originally, rootkits began in the world of Linux and Unix systems. A paper published by GIAC states that the oldest rootkit dates back to October 1994 and affected Sun operating systems. Most of us probably suspect that there were rootkits before that date (and arguably there were user-mode rootkits dating back at least to the 1980's), but nevertheless the data clearly shows the origin of rootkits and gives us some idea of their age.
The intent of that particular rootkit was to gain unauthorized access via systems' root account (which is basically the equivalent to the Windows Administrator and Systems accounts) and to maintain that access by hiding the tools used to grant such access. Thus the term "rootkit."
Quite naturally, a long-standing and accepted definition has been in place for very long time (in terms of computer technology anyway). SANS defines a rootkit as "A collection of tools (programs) that a hacker uses to mask intrusion and obtain administrator-level access to a computer or computer network." Well I don't know about you but that seems really clear to me.
As I pondered in my recent editorial , why is that now people think that the term "rootkit" should be redefined? The result of painting companies black (by inappropriately using the term "rootkit" to refer to something that doesn't truly fit the long-standing definition) could be that eventually any software that hides something in any way whatsoever will be considered a "rootkit," which just isn't true. Hiding something is not the same as granting unauthorized access.
By trying to redefine what a "rootkit" is, people are in a sense inadvertantly trying to gain access to your mental dictionary and take control of it -- oh, the irony!
Eric Howes, director of malware research at Sunbelt Software, was quoted in an article at eWeek as having said, "Definitions can be helpful, but [Symantec's hidden directory technique] feels like there's an agenda to legitimize the use of what is a dangerous piece of technology. My great worry is that we will define rootkits in such a narrow way that the whole definition will come down to malicious intent. Companies will hide behind the disclosure loophole."
Well heck, rootkits are malicious! That's just the way it is!
On the other hand, Symantec hiding a directory is not malicious, and hiding a directory is not a rootkit. Symantec's technique was designed to protect people from themselves. However there were two sticking points, as astutely pointed about by Mark Russinovich: One is that intruders could use the cloaked directory to hide something on people's systems, and the other is that companies are hiding things from computer users when they really should not be doing that.
Both points are valid concerns and do point out security risks. But even so, that does not warrant bending terminology out of shape.
The solution seems incredibly simple to me: If you want to point your finger at software that hides something in the operating system then it would be incredibly easy to call it "stealthware." Because that's what it truly amounts to -- stealth activity. "Stealthware" is clear. It's concise. It's highly accurate. There's nothing blurry or stretchy about that term.
About the Author
You May Also Like