Kernel Rootkits could be the next bad thing
By Nick Farrell: Friday 18 February 2005, 08:25
A HITHERTO OBSCURE security expert and software colossus, based in Redmond and called Microsoft has warned of a new generation of spyware that is almost impossible to detect.
According to Computerworld, Volish experts told the RSA security conference that system monitoring programs, or "kernel rootkits", are undergoing a transformation at the moment.
Mike Danseglio and Kurt Dillard, both of Microsoft's Security Solutions Group said that the malicious snooping programs are becoming more common and could soon be used to create a new generation of mass-distributed spyware and worms.
Rootkits run quietly in the background and can be spotted by looking for memory processes that are running on the infected system.
However, kernel rootkits, which modify the kernel, the core request-processing component of an operating system, are becoming more common, Vole says.
Newer rootkits can intercept system calls passed to the kernel and filter out the queries that would reveal them. This makes them invisible to administrators and to detection tools, says Danseglio.
Microsoft researchers have developed a tool, named "Strider Ghostbuster" that can detect rootkits by comparing clean and suspect versions of Windows and looking for differences.
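The comparison the Microsoft tool relies on, modelled here as an added example that is not part of the article or of Strider Ghostbuster itself: a simulated hooked system call drops its own entries from the live listing, and a diff against a listing taken from a trusted vantage point (clean boot or offline disk scan) exposes them. The process and file names are constructed sample data.

```python
"""Cross-view diff detection in the spirit of the Strider Ghostbuster approach.
Example code added to this article; it is not Microsoft's tool.

A kernel rootkit that filters system-call results can lie to anything that
asks the running system for a listing. It cannot change what is actually
present, so a listing taken from a trusted vantage point (a clean boot, an
offline scan of the disk) contains entries the live listing lacks.
Reporting the difference exposes the hidden items.
"""
from dataclasses import dataclass, field

# Constructed "ground truth": what is really on the system, as a clean-boot
# or offline scan would see it. Names are made up for this example.
TRUE_PROCESSES = {"System", "svchost.exe", "explorer.exe", "winlogon.exe", "_h1dden.exe"}
TRUE_FILES = {r"C:\Windows\system32\ntoskrnl.exe", r"C:\Windows\system32\_h1dden.sys"}


def filtering_hook(results: set[str], hide_prefix: str) -> set[str]:
    """Model of a hooked system call: returns the real result set with every
    entry whose file name starts with hide_prefix removed. This is the
    'filter out queries' behaviour the article describes, in toy form."""
    return {r for r in results if not r.rsplit("\\", 1)[-1].startswith(hide_prefix)}


@dataclass
class CrossViewReport:
    hidden: set[str] = field(default_factory=set)  # in trusted view, missing from live view
    ghosts: set[str] = field(default_factory=set)  # in live view, absent from trusted view


def cross_view_diff(inside_view: set[str], outside_view: set[str]) -> CrossViewReport:
    """Compare a listing obtained through the live (possibly lied-to) API with
    one obtained from a trusted vantage point. Hidden entries are the rootkit's
    footprint; ghosts mean the outside view is stale or inconsistent and should
    be re-taken rather than trusted blindly."""
    return CrossViewReport(hidden=outside_view - inside_view,
                           ghosts=inside_view - outside_view)


def scan(hide_prefix: str = "_h1dden") -> dict[str, CrossViewReport]:
    """Run the diff over both constructed categories; returns reports by name."""
    return {
        "processes": cross_view_diff(filtering_hook(TRUE_PROCESSES, hide_prefix), TRUE_PROCESSES),
        "files": cross_view_diff(filtering_hook(TRUE_FILES, hide_prefix), TRUE_FILES),
    }


if __name__ == "__main__":
    for category, report in scan().items():
        for item in sorted(report.hidden):
            print(f"[{category}] hidden from live view: {item}")
```

Only the trusted view has to be honest for the diff to work, which is why the technique needs a clean boot or offline scan rather than a second query through the same possibly hooked kernel.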
However, the paper admits that the only way to be sure that you have killed a kernel rootkit is to completely erase the infected hard drive and reinstall the operating system from scratch.