An active, open source development community and new tools are fueling stealth “rootkit” programs.
The number of stealth techniques found in malicious software surged 600 percent in the past three years, according to data published last week by McAfee. And the pace of change is accelerating, driven by developer interest and online forums, say experts.
Rootkit.com has more than 42,000 members and active forums that are pushing the evolution of rootkits, according to Jamie Butler, CTO of security firm Komoku, who helped create rootkit.com.
A recent IRC “bot” program by a contributor named “Tibbar” that runs at the Windows kernel level is a good example. The program uses a software library, contributed in December by a user named “Valerino,” that is an open source equivalent of commercial drivers such as KSOCKS from Open Systems Research, which sell for hundreds of dollars, Butler said.
The commercial drivers are licensed by software vendors with products, such as firewalls, that work at the kernel level. The Valerino library extends the same capabilities to any developer with the know-how to apply it, Butler said.
Over time, more applications that can tap into the Windows kernel will make it tougher for security vendors to thwart malicious programs, Butler said.
“The lower you go, the harder it is for someone to subvert what you’re doing,” Butler said.