Rootkit threats explained by Andrew Lee of Eset
May 22, 2006

CTO Andrew Lee talks about the newest and possibly the most dangerous threat to affect us while we are on the Internet, called "rootkits", and how we can avoid them. What are they, what makes them so dangerous, and why and how are virus writers and hackers using them?

Complete Transcript of Andrew Lee – ESET Interview
Alan: Just when you thought you were safe from viruses, along comes something called “rootkits”. What are they? And why are they so dangerous? Our guest today is Andrew Lee, Chief Technical Officer with ESET. Welcome back to LET’S TALK COMPUTERS, Andrew.
Andrew: Thanks, Alan. It’s good to be back.
Alan: Andrew, we’re seeing “rootkits” all over the news. What exactly is a rootkit and how is it a threat to us?
Andrew: The definition has slightly changed. A long time ago, rootkits were a group of utilities that were used by people to get access to the most powerful user on the Unix system. On the Unix system, the administrator, the most powerful account, is called root, and hence the name rootkits. What we’re really talking about now, and what most people are seeing reported in the news and the press nowadays, is really the Windows rootkits. And what they tend to mean by that is a system or utility that is used to hide processes or files from the operating system, so that they are easy to discover.
Alan: I have utility programs that can just about find any kind of hidden file, no matter what its attributes are, but you’re telling me that because of the way that it’s hidden, these utilities just won’t find it?
Andrew: There are various ways that these utilities find things in the system, so you look in Windows Explorer. When you go looking for files, it will only tell you what Windows is advertising to the product. If you’ve got a utility that allows you to search for files, you will only be able to see the same things that Windows itself can see. And the same thing applies to the commonest way that people try and look for something, a process or something like that where they think something’s going wrong: they will hit control-alt-delete and get Task Manager, and Task Manager gives you a list of processes that are running on the system. These rootkits basically enable you to hide from those systems, so that Task Manager or Explorer, on whatever system it is, is unable to see the files or the processes that the rootkit is running.
Alan: This sounds dangerous. If someone could hide a file somewhere on my system, that means that anybody who writes a virus program, which is very malicious, can put it onto my system somehow, and if it gets onto my system, I can’t get it off.
Andrew: That’s right. They certainly are being used for that purpose. We’ve actually seen several variants of different viruses coming out including rootkit technology. It’s important to realize that rootkits themselves aren’t actually malicious. There’s no necessity for them to be malicious. It’s just that they can be used to hide things; for instance, Windows Explorer itself. You can go and see the controls there, and you can choose an option which says, “Hide important system files”. Now, this is a good thing if you’re worried about your users deleting important things, because there are people who have a tendency, especially back in the days when disk space was expensive, to find a big file and say, “I really don’t need that” and delete it. It was found that they may cause a problem to their system. But what Windows allows you to do is, by default, turn off access to really important system files. So, it’s essentially hiding it from you as a user. And virus writers can take advantage of that fact and mark their file as a system file. These rootkits are somewhat more sophisticated, but that’s really a simple way of hiding it. These hide from Explorer itself, as well. They allow the virus to remain hidden, or the files or whatever malware it is, whether it’s spyware or a worm or a virus, to remain hidden.
Alan: So, basically, it’s like a filter. It’s a filter, like at a sub-directory level, that says to the operating system that “if anybody goes to try to look for this sub-directory, lie and tell them that it’s not there.”
Andrew: That's one way of doing it. There are actually a few different types of rootkits, in different files in different areas of the system, that will use different tricks. There are two major groups of rootkits. One is persistent (meaning that they persist; every time you reboot, they’re still there). And then there are those that are non-persistent and exist only in memory (they disappear after reboot). The second way is not so useful to a virus writer. You want to hide it every time you turn on. But they’re great for a hacker: you simply want to compromise a machine and perform a hack, or perform an exploit and install a rootkit, which is only in the memory of the machine. So, there are no files actually hitting the disk and they can be very hard to find. But the most common ones, the ones that you see the most, are the persistent ones, the ones which stay on the disk or somehow write themselves to the disk. And of those there are a couple of different types. One is what’s called “user mode” rootkits and another is called “kernel mode” rootkits. The kernel is really the core of your operating system, the thing that takes all the instructions and deals with all of them and provides all the input and output to the operating system, to the processor, etc.
Alan: This seems so sophisticated. We saw SONY using this to protect their copyrighted music, didn’t we?
Andrew: It’s one of the most documented cases of Sony’s music group actually releasing CDs with effectively a rootkit on it. That rootkit wasn’t particularly nasty or invasive; it certainly wasn’t trying to do anything malicious. But the problem was that somebody realized that this was being done and they took advantage of that rootkit to create a Trojan, which used the rootkit to hide itself, and the way in which that rootkit worked was to hide files with a certain file name or a certain beginning to the file name. However, what the Trojan tried to do was to create a Trojan file name which was very similar, and they would be hidden by the system. That was far from being a particularly sophisticated rootkit. There are some, in particular the kernel mode type rootkits, which are very, very well hidden, and actually, because of that, we had to update our software and re-write parts of it, because we hadn’t seen these types of threats.
Alan: There are settings in the Registry that we, as users, cannot get into and we can’t even see them, and there are certain settings in there that we see but aren’t allowed to be changed.
Andrew: In many cases, particularly where they relate to services in the machine, there’s a very good reason that you don’t want to be messing about in the Registry and deleting things and changing things. There are certainly rootkits which take advantage of the fact that you can do this, and they hide not only their files, but all the Registry entries and all the services that they run, and processes that they run, as well. It is extremely hard to see them, and really the only way to see a rootkit is to have a special piece of software or anti-virus program that’s able to see this part of the rootkit.
Alan: This is getting to be so dangerous that they’re looking at maybe making a bill in Congress to outlaw rootkits.
Andrew: There is a lot of fear and uncertainty around the whole area of rootkits. It’s certainly a very serious area. I think, like with any threat, when its potential for abuse has been realized, at first everyone gets very worried and excited about it. But, actually, it’s really not unlike a lot of the other threats that we’ve had. There have been several times in the past where these threats have happened, where changes in the way they are delivered have happened. For instance, if you look back in 1995, when the concept macro virus first appeared. That was a big thing, macro viruses, and they became very prevalent, but what happens is that people upgrade the defenses they use to protect their systems. Yes, it’s a very bad idea to use rootkit technology for things like DRM or for that kind of thing. It’s not the end of the world in security terms. I think what is a shame is that people get so frightened by all the threats that are out there. If we properly protect the system and we do things safely, it’s still possible to exist safely on the Internet.
Alan: Well, that's why we turn to companies like yourself (ESET). We count on you to protect us. And how are you protecting us on this?
Andrew: We had to significantly re-write part of the engine. It wasn’t that we couldn’t detect these, but once they were installed, they were very difficult to detect. We had to develop a method so that when the rootkit was installed on the system, we would be able to see it. Traditionally, what we and other anti-virus companies do is hope that you’re (product is) installed on the system, and once someone tries to install a rootkit, you can defend (against it), because you can see the files at that point. But once the things are actually installed and in memory and running, then it can be very difficult. We actually updated the product there to deal with that.
Alan: I think that’s a very important feature of ESET. Every time that you have a license with ESET, with NOD32, you get the latest engine. With other companies’ anti-virus software, say 2005 or 2004, you’re not going to upgrade the engine, because you don’t have a license for it, and just by sending you new definitions, it will not find these rootkits?
Andrew: It’s definitely something that we’re very passionate about. We give you the best protection that we know how to give you. There doesn’t seem to me to be very much point, if we can protect you from a threat, in not letting you make sure that you get the latest protection that’s available from the time of your license.
Alan: You talk about rootkits. It sounds like this is only going to be effective to a corporation. Home systems can be infected just as easily. Your software is the same software that you sell to a corporation. You also sell it to the home user, to make sure you get everything, right?
Andrew: One of the things that I really believe is that you give the same protection to everybody. Anyone who works in a large enterprise probably has a computer at home, as well. So, it makes sense, from an enterprise point of view, to have the user protected, and it also makes sense for the home user to make sure that they’re protected at home, because they could dial into their work or use their protection to do their work from home. It does need to be protected. You try to make sure that people can be protected right across the board with the same technology.
Alan: And you have to make sure that you have the latest software, the latest engine, the latest definitions, because this is like the never-ending contest between thieves and locksmiths. The locksmiths are constantly making new locks more powerful to keep the thieves out, and the thieves are learning how to get around the new locks.
Andrew: That’s true, and there’s no anti-malware product in the world that doesn’t require updating at some point. I know that we try very, very hard with the heuristics and with that kind of protection that we can give you to make sure that the times when you get caught out are very few. But we do believe in releasing frequent updates. We release them for a reason, and then it’s important that the users get them.
Alan: That brings up a really important factor, because it used to be that you were only looking at viruses. And then you added spyware programs. And then the key-logging programs. And now you’re looking at rootkits. All of this has to be in your engine, and if your engine is not almost written in machine code, it’s going to slow your whole system, doing nothing more than processing to keep you safe from being on the Internet.
Andrew: It’s definitely a feature of what we do, to have integration, to have everything in a one-stop engine, rather than having multiple engines that do this kind of thing bolted together. It is very highly optimized; it’s very fast. What we’re about is not just trying to protect people from one type of threat. We’re actually really trying to be the anti-threat leader, if you like. We want to make sure that you have the latest, the best possible protection from all the digital threats that you’re likely to encounter, in one small, fast, efficient package.
Alan: What are we looking at, as far as the cost for NOD32, for the home user and for the business?
Andrew: For the home user license you’re looking at $39.00, which is very competitive and comparable to other products out there. We also have very low (cost) renewals. And for the enterprise, there’s a huge range of options, and I’m sure any of our sales team would love to talk to people about that.
Alan: And where could we go to get more information about NOD32?
Andrew: The best place to go is to take a look at www.eset.com.
Alan: You also have a new feature at your website. You have LET’S TALK COMPUTERS transcriptions, so if somebody wants to read the complete interview, they can go there.
Andrew: That’s right. It’s all there, written out, and hopefully people can listen to these again and again. Enjoy them from our website, as well.
Alan: And as always, Andrew, it’s been our pleasure to have you as our guest on LET’S TALK COMPUTERS, showing us how to keep safe.
Andrew: Thanks, Alan. It’s been a pleasure.

