First come, first served

January 17, 2007

Once a rootkit takes hold of a PC, you've got your work cut out to get rid of it. So make sure you keep them out.

While the political world is constantly discussing the merits of various voting schemes, in the computer security world it's very much a case of "first past the post" when it comes to control of a PC. The first code that runs can effectively veto any attempts for control from latecomers. This has been well known to virus writers since the days of the floppy boot-sector virus.

Anyone who has had to clean up a virus- or spyware-infested PC will know what I'm talking about. The first stage is to boot the system from a known clean operating system. In the old days of DOS, this was a pretty straightforward process; booting from a write-protected floppy would do the trick. Indeed, good old Dr Solomon's Antivirus used to include a rescue disk precisely for this purpose with the write-protect tab permanently removed.

This was necessary because some of the smarter virus writers hooked into the DOS routines that accessed files and floppy disks. When the anti-virus software scanned an infected file or disk, the virus code would substitute a clean copy of the relevant data, avoiding detection.

Fast-forward to the present day and the same basic technique is still useful, although it has evolved into more sophisticated toolkits to evade detection, known in the business as "rootkits".

For a clean boot on a modern operating system you need a CD. There is a substantial range of CD-bootable Linux distributions with added security tools that are a must-have accessory for the security professional's toolkit. Some bootable Windows CDs are also available, albeit commercial rather than free. A copy of Symantec's Ghost, for example, gives you a cheap bootable Windows version with antivirus and basic network access. Many other vendors also provide bootable CDs as part of their products.

Such hide-and-seek techniques are not limited to malicious software. Rootkits are typically installed immediately after a system has been compromised by an attacker, so they can then poke around in relative peace without worrying about the system administrator spotting what's going on. However, fortunately for us, most market-leading anti-malware products include some form of rootkit detection.

Recently there has been a flurry of rootkit research highlighting some worrying developments on the horizon. Next Generation Security Software (www.ngssoftware.com/research/papers/) has investigated the potential to subvert the firmware used on expansion cards or motherboard power management to provide rootkits with a foothold before the operating system boots. This could have serious consequences for detecting and preventing rootkits and will need some careful handling by security vendors.

More in the proof-of-concept stage, but still worrying, is the prospect of using malicious virtual machine environments to fool the operating system that it's running on real hardware, when in fact it's completely controlled by a rootkit. For a more technical examination of the topic see www.eecs.umich.edu/virtual/papers/king06.pdf.

The good news is that the "first come, first served" rule still applies. You can pre-empt a virtual machine-based rootkit by having a virtual machine-based security system already installed. Firmware-based rootkits such as those affecting the basic input/output system of the system or its additional cards can also be halted.

The simplest option is a physical gate controlling the firmware update process; updating any firmware is something that should only be done with the user's full knowledge. Alternatively, security systems embedded in the machine itself, such as the much-maligned Trusted Platform Module initiative, could prevent, or at least hamper, the spread of such malware.

One thing certainly hasn't changed since the days of rescue floppies: when it comes to malicious software, prevention is certainly better than cure.

Nick Barron is a security consultant. He can be contacted at [email protected]
