Microsoft's GhostBuster - New experimental tool to detect Windows Root Kits

Posted Sun, Feb 20 2005 9:06 by Harry Waldron

  What is a Windows Root Kit?

http://www.securityfocus.com/news/2879
http://msmvps.com/harrywaldron/archive/2005/02/19/36425.aspx

A Windows "root kit" is an assembly of programs that subverts the Windows operating system at the lowest levels and, once in place, cannot be detected by conventional means. Also known as "kernel mode Trojans," root kits are far more sophisticated than the usual batch of Windows backdoor programs that irk network administrators today. The difference is the depth at which they control the compromised system.

  Why is Root Kit Detection Important?

Unix- and Linux-based root kits have been present for years, and some tools are available to detect these threats. However, Windows-based root kits are a new paradigm and are expected to grow in the future.

Because root kits work at the kernel level of the operating system, they cannot be easily detected by antivirus or firewall software. For example, they can secretly open a port on the server in a way that the firewall software believes is closed. The system administrator or home user may think "all is well," but the system could be collecting and transmitting information to malicious individuals.

Detections tend to be accidental rather than proactive. For example, the only sign that a server or PC is infected with a root kit may be that it is "blue screening". The industry needs sophisticated detection tools for this high-risk security exposure.

  Microsoft's GhostBuster Root Kit Detection Tool

http://netsecurity.about.com/b/a/146844.htm
http://www.schneier.com/blog/archives/2005/02/ghostbuster.html

GhostBuster is a new, innovative CD-based checking tool that Microsoft is experimenting with. It works by booting the system a couple of times from the CD and comparing what the running OS reports with the expected baseline of what Windows should look like. This detailed checking process can help find startup processes or substituted executable code that might point to a hidden root kit.
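To make the comparison concrete, here is an added illustration of that cross-view check (example code written for this post, not Microsoft's GhostBuster code). It assumes three views keyed by path: a known-good baseline of hashes, the "outside" view read from disk after booting from the clean CD, and the "inside" view reported by the running OS; all paths and hashes are constructed sample data.

```python
import hashlib

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

# Constructed sample views (hypothetical paths, hashes of made-up bytes).
# Keys are startup entries / executables, values are hashes of the on-disk bytes.
BASELINE = {  # expected hashes for a known-good install
    r"C:\Windows\System32\ntoskrnl.exe": sha256_hex(b"clean kernel image"),
    r"C:\Windows\System32\svchost.exe": sha256_hex(b"clean svchost"),
}
OUTSIDE_VIEW = {  # read straight from disk after booting from the clean CD
    r"C:\Windows\System32\ntoskrnl.exe": sha256_hex(b"clean kernel image"),
    r"C:\Windows\System32\svchost.exe": sha256_hex(b"patched svchost"),
    r"C:\Windows\System32\drivers\hidden.sys": sha256_hex(b"cloaked driver"),
}
INSIDE_VIEW = {  # what the running (possibly subverted) OS reports
    r"C:\Windows\System32\ntoskrnl.exe": sha256_hex(b"clean kernel image"),
    r"C:\Windows\System32\svchost.exe": sha256_hex(b"patched svchost"),
}

def cross_view_diff(inside, outside, baseline):
    """Return sorted path lists for each class of finding.

    hidden      - on disk (outside) but not reported by the running OS: the
                  classic symptom of something cloaking itself from the kernel
    substituted - baseline file whose on-disk bytes no longer match
    missing     - baseline file that has vanished from disk
    unknown     - on-disk entry the baseline knows nothing about
    """
    hidden = sorted(p for p in outside if p not in inside)
    substituted = sorted(p for p, h in baseline.items()
                         if p in outside and outside[p] != h)
    missing = sorted(p for p in baseline if p not in outside)
    unknown = sorted(p for p in outside if p not in baseline)
    return {"hidden": hidden, "substituted": substituted,
            "missing": missing, "unknown": unknown}

if __name__ == "__main__":
    findings = cross_view_diff(INSIDE_VIEW, OUTSIDE_VIEW, BASELINE)
    for kind, paths in findings.items():
        for path in paths:
            print(f"{kind:12} {path}")
```

A real scan would hash the actual on-disk files and registry startup entries in each boot; the point of the diff is that the inside view can lie, while the outside view and the baseline cannot be tampered with by code that is not running.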

Security professionals definitely need a tool with which they can test a suspicious server or workstation. The ability to actually clean the system is less important, as a server or PC should be rebuilt from the ground up if it is infected with a root kit. Due to the difficulty of detecting rootkits and their expected growth in the Windows environment, I'm hopeful Microsoft will continue their work in this area.

Microsoft should continue development of a root kit detection tool. It would be a useful addition to their excellent array of security analysis tools. A root kit detection tool could help network administrators quickly research suspicious activities. It would also be a great security auditing tool to check servers, perhaps quarterly during scheduled downtime, to ensure all is well.

I hope that the threat of Windows rootkits won't further materialize. Still, conceptually, a comparative tool to quickly validate startup processes and check for inappropriately substituted DLLs or APIs for the latest versions of Windows would be a beneficial tool for corporate administrators.