Reader Frank Markus submitted a disturbing contribution this week regarding the dangers of a tainted Windows OS being used to hide software of ill intent:
- “There may be a very good reason that I have been unable to locate the malware that is troubling my computer: it may not be detectable.
“There is a new type of malware called a “kernel rootkit.” A rather brief article in the current Inquirer gives a summary of this new threat.”
A longer article in Computerworld on the same subject bore the ominous title “Microsoft on rootkits: Be afraid, be very afraid.” The article makes it all too clear why:
- “Once installed, many rootkits run quietly in the background, but can easily be spotted by looking for memory processes that are running on the infected system, monitoring outbound communications from the machine, or checking for newly installed programs.
“However, kernel rootkits that modify the kernel component of an operating system are becoming more common. Rootkit authors are also making huge strides in their ability to hide their creations, said Danseglio.
“In particular, some newer rootkits are able to intercept queries or ‘system calls’ that are passed to the kernel and filter out queries generated by the rootkit software. The result is that typical signs that a program is running, such as an executable file name, a named process that uses some of the computer’s memory, or configuration settings in the operating system’s registry, are invisible to administrators and to detection tools…”
Microsoft has been keen on this issue for some time and has published several documents relating to the matter. They’ve also developed an internal proof-of-concept tool called Strider GhostBuster to identify affected files.