The poisonous rootkits rocking the security world

Despite the increasing levels of quality in rootkits, their end objective has remained the same. "The goal is always to become as hidden as possible and to achieve this goal the rootkit should stay, in theory, outside the operating system so that the security software won't be able to detect it and remove it," said Marco Giuliani, threat research analyst.

What's massively concerning for IT is that much modern security software is about as useful as body armour made of silly putty in the face of many rootkits. Whether they are "uber rootkits" or the more widespread kits that target the Windows kernel and the hard drive's Master Boot Record, today's antivirus is practically pointless in many cases.

"The fact is, most security software is still unable to effectively counteract kernel mode rootkits. A lot of them can't either detect proof of concept rootkits that are more than two years old,"

"Despite what people may think, detecting such kinds of infections is not as trivial as it would seem." Giuliani added.

Going deeper underground

With traditional protections failing, many IT departments are understandably worried. But just a matter of weeks ago a new kind of security model was brought to market that will help in the ongoing fight against rootkits.

Modern security software is about as useful as body armour made of silly putty in the face of many rootkits.

To ensure rootkits aren't hiding malicious activity on systems, security companies have had to follow cyber criminals and go under the OS. Introducing McAfee and Intel's first security-on-a-chip product Deep Defender based on the DeepSAFE concept announced in the summer. Almost everyone agrees this is the model required to take on the super-rootkits of today.

"Up until now, all our malware arsenal has been held at the operating system. The [DeepSAFE] idea is right We would love to get our technology in there," said vice president of technical strategy at M86 Security, Bradley Anstis.

"The reason why I think chips are the way forward is not only because they're what we load all our operating systems on, but also because anti-malware technology actually running embedded in the hardware is so much more scalable than sitting on top of drivers or operating systems."

Competitors will be clambering over one another to ensure they get a slice of the sec-on-a-chip pie and there's little doubt they will get their fill soon. Intel and McAfee won't be able to hold onto their golden egg for too long.

Firstly, with the majority of computers in the world today based on Intel chips, the pair would face inevitable anti-trust probes if they chose not to open the model up. Then there would be the security implications: if there is only one kind of protection to bypass, hackers won't have such a hard time figuring out how to install rootkits on machines.

"It would be a massive shame if we slowed down the development of this new kind of approach to security just because of competition," Anstis added.

As much as the sub-OS model will help though, the end of rootkits is nowhere in sight. Indeed, our very own Davey Winder recently picked up on a key piece of information included in the marketing puffery for Deep Defender, namely that it's "capable of detecting nearly all kernel-mode malware." Or as Mr Winder himself put it: "It's a bit like trying to flog an underwater camera that is 99 per cent waterproof."

As in every other segment of the security industry, and in life itself, there is no such thing as 100 per cent protection.

Tom Brewster

Tom Brewster is currently an associate editor at Forbes and an award-winning journalist who covers cyber security, surveillance, and privacy. Starting his career at ITPro as a staff writer and working up to a senior staff writer role, Tom has been covering the tech industry for more than ten years and is considered one of the leading journalists in his specialism.

He is a proud alum of the University of Sheffield where he secured an undergraduate degree in English Literature before undertaking a certification from General Assembly in web development.