Can This Virus Be 'Rooted' Out?

A new kind of hard-to-detect malware is increasing our vulnerability to hackers and creating headaches for makers of antiviral software.

Just as real viruses mutate to evade antiviral medication, the writers of computer viruses and other forms of malware change their code to elude our antivirus software. If a biological virus were to start mutating more rapidly, it would compromise the ability of medical researchers to develop antiviral drugs. Unfortunately, that’s what is now occurring with computer viruses.

Why is this happening? The short answer is that malware is becoming more modular. An ill-intentioned author can choose from an array of attack strategies. When a new vulnerability is found, a piece of code that exploits the vulnerability can be attached to old, malicious code. Creating still more havoc for PC users is the short time it now takes between the announcement of a software vulnerability and the appearance of malware that exploits it. This underscores the importance of keeping your computer’s antivirus software up to date. Monthly updates are no longer good enough. (See “How to Keep Your Campus Safe from Infection,” August 2005, for a review of 13 antivirus products.)

A Cloak of Invisibility

The latest trend in malware is rootkits. A rootkit is a small piece of software code that runs deep within a computer’s operating system and can be used to conceal other programs. The term rootkit comes from the Unix world and refers to software tools that give an intruder full, or root, access to a computer’s operating system. That access can be used to hide other software code from all but the most technically adept users.

For example, the dir command in Windows allows you to see the available files in the current and/or parent directories. With a rootkit, that command can be intercepted and false information returned. This makes a great tool for creating the software version of Harry Potter’s invisibility cloak—and creates a real problem for antivirus software writers. The good news is that rootkits are difficult to write; the bad news is that they can be easily downloaded from the internet. Expect to see more of them being used to attack your computer.
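As an added illustration, not part of the original article, the Python below simulates that kind of interception and the cross-view check defenders use against it: one listing taken through the (hooked) API, one through an independent path, and a report of every entry on which the two disagree. All file names, sizes and the hiding prefix are constructed sample data.

```python
"""Simulated cross-view detection of a directory-hiding rootkit.

A rootkit that intercepts the directory-listing call works by
filtering the results before they reach the caller.  Cross-view
detection takes one listing through the normal API and a second
through an independent path (for example, the raw file system read
from clean boot media) and reports every entry the views disagree on.
All data here is constructed; no real hook is installed.
"""

# Constructed hiding rule: the simulated rootkit drops names with this prefix.
HIDDEN_PREFIX = "$hide$"

# Constructed raw view: what the file system really contains (name -> size).
RAW_VIEW = {
    "notepad.exe": 69632,
    "$hide$loader.exe": 4096,
    "$hide$keylog.dll": 12288,
    "readme.txt": 512,
}


def hooked_listing(raw):
    """Simulates the hooked API: a filtered copy of the real listing."""
    return {name: size for name, size in raw.items()
            if not name.startswith(HIDDEN_PREFIX)}


def cross_view_diff(api_view, raw_view):
    """Compare the two views and return discrepancies by kind.

    'hidden'   : in the raw view, missing from the API view (the rootkit signature)
    'phantom'  : in the API view, missing from the raw view (e.g. a file created
                 between the two snapshots; usually benign, but worth a look)
    'mismatch' : present in both with different sizes (possible tampering)
    """
    hidden = sorted(set(raw_view) - set(api_view))
    phantom = sorted(set(api_view) - set(raw_view))
    mismatch = sorted(n for n in set(api_view) & set(raw_view)
                      if api_view[n] != raw_view[n])
    return {"hidden": hidden, "phantom": phantom, "mismatch": mismatch}


def demo():
    """Run the simulation: hooked API view against the raw view."""
    api_view = hooked_listing(RAW_VIEW)
    api_view["tmp_download.part"] = 100  # constructed: created after the raw snapshot
    return cross_view_diff(api_view, RAW_VIEW)


if __name__ == "__main__":
    for kind, names in demo().items():
        print(f"{kind:8s} {names}")
```

On a clean machine the two views agree and the report is empty; a non-empty "hidden" list is the signature that something is filtering what ordinary tools such as dir can see.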

The use of rootkits to hide software code isn’t confined to hackers; companies use this technology as well. Last year Sony BMG installed rootkit code on their CDs that would install itself whenever the CD was played on a computer running Windows. Sony’s intent was to conceal their copy protection code and prevent people from copying music onto their PCs. Unfortunately, in addition to consuming system resources running in the background, the Sony rootkit could also be used by virus writers to conceal their code. The first virus that made use of the Sony rootkit was observed in December 2005.


A Bug's Life: Although the term bug was used to describe industrial defects in Thomas Edison’s time, computer scientist Grace Hopper popularized the use of the word to describe computer problems. Shortly after World War II, when her colleagues at Harvard University (MA) found a moth in one of the relays of the school’s Mark II computer, she commented that they were "debugging" the machine. You can actually see remains of the moth taped in the project’s logbook at the Smithsonian National Museum of American History in Washington, DC.

Only after a massive public outcry did Sony halt production of CDs containing the XCP and MediaMax 3.0 and 5.0 rootkits. In reaction to the rootkits, class action lawsuits have sprung up in New York and California, and the Texas attorney general has classified the rootkits as illegal spyware. The Sony BMG website now recommends: “If you have played a CD on your computer that contains either XCP or MediaMax 5.0 content protection software, you should update or uninstall the software to reduce your risk of security vulnerabilities.” Microsoft, Symantec, and Computer Associates provide antivirus tools to detect and remove the Sony rootkits.

The settlement of one class action suit in New York will bring relief to anyone who bought, received, or used Sony BMG CDs with either XCP or MediaMax software. For example, if you have an XCP CD, you can exchange it for a replacement CD, an MP3 download of the same album, and your choice of either a cash payment of $7.50 plus one free album download, or three free album downloads. See Sony BMG’s website for information about the settlement, as well as an explanation on how to file a claim—along with a list of CDs affected by the settlement. Claims must be filed by Dec. 31, 2006.

Waiting for a Solution

Unfortunately, in their continuing game of cat-and-mouse, the hackers and their rootkits are outrunning the antivirus code vendors. But a solution will come; it’s just a question of when. Until then, the only prescription is a regular dose of the same old same old: Make sure your virus protection software is current. And stay tuned.

Doug Gale is president of Information Technology Associates, an IT consultancy specializing in higher education.

This article originally appeared in the 08/01/2006 issue of THE Journal.