In 2011, McAfee saw over 75 million individual pieces of malware. Fortunately, most organizations were not compromised by the majority of those viruses, Trojans, and spyware. These typical threats were caught by a combination of antivirus (AV), Host Intrusion Prevention Systems (HIPS), and Desktop Firewalls (DFW). While we should not take these threats lightly, these established methods fight against most of these types of threats.
What should really concern us is the growing presence of rootkits, and the zero-day exploits used to deploy them. Traditional security solutions work at the application layer, using hooks into the underlying OS. Rootkits are playing unfair, going below the operating system for their nefarious deeds.
A rootkit is a specific type of malware that gains privileged access to a system while actively hiding its presence from users and security tools. Rootkits typically provide a remote user access to all resources on the system on which the rootkit is installed. They often join the compromised system to other “rooted” systems as part of a larger botnet.
Three factors are driving the rise of rootkits:
• Ease of creation. It used to be that it took a significant level of technical knowledge to create a rootkit that would give the desired access and remain undetected. There was a certain art to tapping in to the arcane knowledge of injecting malware into the operating system. Now, however, there are a number of rootkit crafting tools that let someone with zero coding skill create a custom rootkit tailored to their specific needs.
• Target-rich environment. When is the last time you used a computer (or printer, TV, or phone) that wasn’t connected to the Internet? Added connectivity adds onramps for rootkits. While organizations work to provide a solid perimeter, it’s eroded by users taking their work laptops outside the corporate firewall or logging into systems from home.