Once a rootkit takes hold of a PC, you've got your work cut out to get rid of it. So make sure you keep them out.
While the political world is constantly discussing the merits of various voting schemes, in the computer security world it's very much a case of "first past the post" when it comes to control of a PC. The first code that runs can effectively veto any attempts at control by latecomers. This has been well known to virus writers since the days of the floppy boot-sector virus.
Anyone who has had to clean up a virus- or spyware-infested PC will know what I'm talking about. The first stage is to boot the system from a known clean operating system. In the old days of DOS, this was a pretty straightforward process; booting from a write-protected floppy would do the trick. Indeed, good old Dr Solomon's Antivirus used to include a rescue disk precisely for this purpose with the write-protect tab permanently removed.
This was necessary because some of the smarter virus writers hooked into the DOS routines that accessed files and floppy disks. When the anti-virus software scanned an infected file or disk, the virus code would substitute a clean copy of the relevant data, avoiding detection.
Fast-forward to the present day and the same basic technique is still useful, although it has evolved into more sophisticated toolkits to evade detection, known in the business as "rootkits".
For a clean boot on a modern operating system you need a CD. There is a substantial range of CD-bootable Linux distributions with added security tools that are a must-have accessory for the security professional's toolkit. Some bootable Windows CDs are also available, albeit commercial rather than free. A copy of Symantec's Ghost, for example, gives you a cheap bootable Windows version with antivirus and basic network access. Many other vendors also provide bootable CDs as part of their products.
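The clean boot described above also works as a check, not just a cleanup step: hash the files from the running system, hash the same files again from the rescue boot, and compare the two views. Hooked file-access routines can lie to the live system, but not to the rescue environment. The script below is an added example, not code from the column; it reads `sha256sum`-style manifests and uses constructed sample data rather than real files.

```python
"""Cross-view integrity check: diff file hashes recorded on the running
(possibly hooked) system against hashes recorded after a clean boot."""
import hashlib
from pathlib import Path


def hash_tree(root):
    """Build {relative path: sha256} for every regular file under root.
    Run once from the live system and once from the rescue boot."""
    root = Path(root)
    return {str(p.relative_to(root)): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in sorted(root.rglob("*")) if p.is_file() and not p.is_symlink()}


def parse_manifest(text):
    """Parse 'digest  path' (text mode) or 'digest *path' (binary mode)
    lines as written by `sha256sum` into a {path: digest} dict."""
    manifest = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        digest, _, rest = line.partition(" ")
        path = rest[1:] if rest[:1] in (" ", "*") else rest
        manifest[path] = digest.lower()
    return manifest


def cross_view_diff(live, clean):
    """Return files the live view hides, invents, or reports with a different hash."""
    hidden = sorted(set(clean) - set(live))       # on disk, but invisible to the live OS
    phantom = sorted(set(live) - set(clean))      # listed by the live OS, absent on disk
    changed = sorted(f for f in set(live) & set(clean) if live[f] != clean[f])
    return {"hidden": hidden, "phantom": phantom, "changed": changed}


def _sha(data):
    return hashlib.sha256(data).hexdigest()

# Constructed sample manifests (hypothetical files): the live OS hands the
# scanner a pristine command.com and never lists the dropped driver.
LIVE_MANIFEST = "\n".join([
    f"{_sha(b'original command.com')}  command.com",
    f"{_sha(b'original io.sys')}  io.sys",
])
CLEAN_MANIFEST = "\n".join([
    f"{_sha(b'original command.com<infected>')}  command.com",  # what is really on disk
    f"{_sha(b'original io.sys')}  io.sys",
    f"{_sha(b'rootkit driver')} *drivers/hide.sys",            # hidden from the live OS
])


def sample_report():
    return cross_view_diff(parse_manifest(LIVE_MANIFEST), parse_manifest(CLEAN_MANIFEST))


if __name__ == "__main__":
    for kind, files in sample_report().items():
        print(f"{kind}: {files}")
```

For a real check, generate the two manifests with `sha256sum` (or `hash_tree`) from the live system and from the rescue CD, and feed them to `cross_view_diff`.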
Such hide-and-seek techniques are not limited to viruses and spyware. Rootkits are typically installed immediately after a system has been compromised by an attacker, so they can then poke around in relative peace without worrying about the system administrator spotting what's going on. Fortunately for us, however, most market-leading anti-malware products include some form of rootkit detection.
Recently there has been a flurry of rootkit research highlighting some worrying developments on the horizon. Next Generation Security Software (www.ngssoftware.com/research/papers/) has investigated the potential to subvert the firmware used on expansion cards or motherboard power management to provide rootkits with a foothold before the operating system boots. This could have serious consequences for detecting and preventing rootkits and will need some careful handling by security vendors.
More in the proof-of-concept stage, but still worrying, is the prospect of using malicious virtual machine environments to fool the operating system into believing it's running on real hardware, when in fact it's completely controlled by a rootkit. For a more technical examination of the topic see www.eecs.umich.edu/virtual/papers/king06.pdf.
The good news is that the "first come, first served" rule still applies. You can pre-empt a virtual machine-based rootkit by having a virtual machine-based security system already installed. Firmware-based rootkits, such as those affecting the system's basic input/output system (BIOS) or its additional cards, can also be halted.
The simplest option is a physical gate controlling the firmware update process; updating any firmware is something that should only be done with the user's full knowledge. Alternatively, security systems embedded in the machine itself, such as the much-maligned Trusted Platform Module initiative, could prevent, or at least hamper, the spread of such malware.
One thing certainly hasn't changed since the days of rescue floppies: when it comes to malicious software, prevention is certainly better than cure.
Nick Barron is a security consultant. He can be contacted at firstname.lastname@example.org.