The threat of rootkits
However, a survey by Internet security vendor Prevx finds that quite a few PCs are infected with rootkits.
Prevx has a free scanner called Prevx CSI that looks for rootkit infections and, after just a few weeks of testing, the results were not pretty. Prevx first started giving out CSI to perform scans for malware and adware in October. Of the 291,000 users who downloaded Prevx CSI, one in six found some kind of infection.
Then, beginning on December 1, Prevx added rootkit detection. Since then, 114,000 computers were scanned and 1,678 had a rootkit, or 1 out of every 70 PCs. On top of that, 93 companies used the business scan feature in Prevx CSI and 13 of those companies, or 14 percent, had at least one or more PC infected by a rootkit.
What makes rootkits so difficult to deal with is they often take control of the operating system, so they can disable an antivirus or security program and are usually used to hide the real malicious code. Rootkits in and of themselves aren’t dangerous, but they act as the guardian or defense for something that is—like a key logger.
“There’s so much malware out there it’s hard for all security companies to detect all the threats. Used to be a new threat every few days, and that was manageable,” Jacques Erasmus, director of malware research for Prevx told InternetNews.com. “Now they are releasing a new piece every hour of the day and it’s very hard for the vendors to cope with this influx of malware.”
The threat is only getting worse because the bad guys are getting better at their work, using polymorphic code, encrypted networks and compromised Web sites.
Peter Firstbrook, senior security analyst for Gartner, agreed.
“I would totally agree that [antivirus] vendors are failing in protection,” he said. “There’s no question there’s a lot of undiscovered rootkits and malware out there. It doesn’t surprise me at all.”
Part of the problem is that every AV vendor uses a different detection method and no one is foolproof, he added. He was skeptical of the one in six findings, thinking it was likely skewed by people who had or suspected an infection and “wanted a second opinion.”
Prevx CSI uses what Erasmus called the “herd” approach to harness its user base as researchers, so every user is involved in submitting suspicious code to be examined. Every AV program has a function to submit suspicious code but that has to be e-mailed in and examined in a lab.
Prevx CSI examines the application on the end user’s computer, so by the time it is submitted, the company already knows what it does, what files it attacks or alters, what IP addresses it communicates with, and so on.
While there was a high frequency of businesses infected with rootkits, Erasmus said they are doing a fair job of keeping their PCs clean. “You rarely see businesses getting badly infected. Maybe someone’s laptop gets hit. But consumers are a different story. It’s like the wild, wild west out there for them,” he said.
Erasmus acknowledged the convenience of selling the solution to the problem his firm identified.
“True, we are trying to push our product, but at the end of the day, out of all the tests we’ve done, we feel that our product competes very well against other products and is very effective at removing the rootkits out there,” he said.
Firstbrook agreed partially. “I certainly agree that the current crop of AV vendors are not doing that great job at rootkit detection, but I’m a little skeptical that [Prevx] can do significantly better than people who have been in the business for a long time,” he said.
The first thing the company could do to gain some wider credibility, he said, is participate in detection benchmarks, such as those performed by AV Comparatives, which performs a widely recognized test of all the major anti-malware programs on the market.