Security vendors looking to define 'rootkit'

After being criticized for including rootkit-like cloaking software in its Norton SystemWorks product, security vendor Symantec Corp. is calling for an industrywide effort to define what the term "rootkit" actually means.

Such an initiative would be similar to efforts such as those of the Anti-Spyware Coalition, an industry group that is attempting to define and help developers identify spyware, said Vincent Weafer, senior director for development, Symantec Security Response

Although Weafer did not know what forum might ultimately be used for this discussion, the IT-ISAC, (Information Technology Information Sharing and Analysis Center) is one possible venue, he said. "We've already approached the IT-ISAC, a forum of security vendors and researchers, and asked them as to whether they can help us form an open discussion," he said. "It looks like they're willing to do that."

Rootkits are typically thought of as a collection of tools used by hackers to hide the presence of their malicious files and software on a system, but there is some debate as to whether all software that employs these cloaking techniques should be called rootkits.

The meaning of "rootkit" has become an important issue for Symantec, a vendor of security software, which does not want to be lumped into the same category as Sony BMG Music Entertainment, the company that infamously shipped rootkit code with its XCP (extended copy protection) digital rights management software.

Security experts agree that Sony's software was much more dangerous than Symantec's, but even Sony's software used the cloaking techniques to strengthen its digital rights management controls -- not to maliciously seize control of a user's system, the goal more commonly associated with rootkits.

The man credited with bringing Sony's rootkit software to light argued for a strictly technical definition of the term. "The question is, 'Where is intent connected to the definition, or should it not be?'" said Winternals Software LP Chief Software Architect Mark Russinovich. "Should the definition be technologically oriented, or should it have a social component to it?"

According to Russinovich, "motivation should be disconnected from the definition." This opinion is at odds with the view of Symantec's Weafer, who believes that the question whether the software developer had a malicious intent should count.

A McAfee Inc. executive agreed that, following the Symantec news this week, the time has come for a definition. "Between the Sony issue and this one, there's clearly a lot of confusion in the public," said Joe Telafici, director of operations for McAfee's AVERT Labs. "People have latched on to this term as a very dangerous term ... depending on how [rootkits] are implemented, they can be more or less dangerous."

The Anti-Spyware Coalition has had some success with its efforts. It published a draft spyware definition in October, and on Thursday it produced a final draft of its Risk Model Description, (http://www.antispywarecoalition.org/documents/RiskModelDescription.htm) which describes the criteria antispyware developers should use to identify spyware.

But while efforts like the one Symantec is proposing may help professionals in the field, they will do nothing to alter popular usage, said Alan Paller, director of research with the SANS Institute, a training organization for computer security professionals.

"I don't think you can stop the public and the marketing people from using words any way they choose," he said. "So even if there were a standard definition of a rootkit, it wouldn't change the use of the term."