Windows XP

Malware: the Cat and Mouse Game

I originally posted this at http://www.318.com/TechJournal

Spyware is software that covertly gathers information about a user, typically over the user’s Internet connection and without their knowledge, usually for advertising purposes. Adware is any application that displays advertising banners or pop-ups; it is often (though not always) classed as spyware and is typically installed without the user’s knowledge. Malware is the general term that encompasses both, along with viruses and trojan horses. What makes an infected computer slow is rarely any one of these programs; it is the processing power they consume and the number of them that can pile up on a single machine.

Malware typically arrives as a hidden component of something the user wanted: bundled with shareware, wrapped around downloaded music, planted in scripts on web pages, or carried by viruses downloaded from the Internet. Over the past two years, tools such as Ad-Aware and Spybot Search & Destroy have become effective at removing spyware, and Windows XP Service Pack 2 closed off common entry points with a firewall that is on by default and a pop-up blocker in Internet Explorer. However, spyware and adware authors made a lot of money from their pseudo-legal activities in the meantime and have used their newfound spare time to become better programmers.

Many spyware and adware products have begun to incorporate rootkit techniques. A rootkit is the set of tools an intruder installs after breaking into a computer system to keep their access and use the machine for their own purposes. Rootkits disguise themselves to prevent detection, typically by intercepting the operating system calls that would reveal their files, processes and registry entries and filtering their own entries out of the results. Rootkits exist for a variety of operating systems, including Linux, Solaris and versions of Microsoft Windows, and attackers typically use them to build collections of compromised (slave) systems and to cover their tracks.

By borrowing techniques most commonly attributed to attackers, spyware and adware are becoming more and more harmful to systems. The utilities that once resolved malware infections no longer work as well as they did, because of these new techniques. Many of them go well beyond simply hiding files: by hooking the API or kernel functions that enumerate files, registry keys and processes, the malware teaches the operating system to answer as if the malware does not exist, so any scanner that relies on those answers has almost no way to find it.

RootkitRevealer is a free tool from Sysinternals (sysinternals.com) that searches for rootkits. It does not rely on a signature list; it compares what the Windows API reports for the file system and registry against its own parsing of the raw volume and hive files, and reports every discrepancy, which is how it catches hiding in general rather than particular rootkits (some discrepancies are benign, such as files that changed during the scan, so the output still needs a human to triage it). Its limitation is that a rootkit can only be caught at a layer the tool cross-checks: a technique released since the last revision of RootkitRevealer that hides somewhere it does not look, or that tampers with its low-level view, goes unnoticed. Microsoft Research is pursuing the same idea in its Strider GhostBuster project, which compares a scan taken from inside the running system against one taken after booting from a clean medium. Both tools therefore look not only for known rootkits but for any attempt to hide something from the operating system.
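As an added example, not code from the original post nor from Sysinternals or Microsoft, the following portable C models both sides of that contest: the process-hiding hook described in the previous paragraphs, and the cross-view check that RootkitRevealer and Strider GhostBuster rely on. The record layout imitates the NextEntryOffset-chained list that NtQuerySystemInformation returns on Windows, but the struct, the sample process names (including the fictitious rkdaemon.exe), the caller-name parameter and the RootkitRevealer.exe check are constructed for the demonstration; the code has no Windows dependency and builds with any C99 compiler.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for the records NtQuerySystemInformation returns for
 * SystemProcessInformation: chained by NextEntryOffset, 0 marks the last. */
typedef struct {
    uint32_t NextEntryOffset;
    uint32_t UniqueProcessId;
    char     ImageName[24];
} ProcEntry;

#define MAX_PROCS 16

/* Constructed sample list (not real data) into buf: ProcEntry-aligned, MAX_PROCS records. */
int build_sample(uint8_t *buf)
{
    const char *names[] = { "System", "smss.exe", "winlogon.exe",
                            "explorer.exe", "rkdaemon.exe", "notepad.exe" };
    int n = (int)(sizeof names / sizeof names[0]);
    for (int i = 0; i < n; i++) {
        ProcEntry *e = (ProcEntry *)(buf + i * sizeof(ProcEntry));
        e->NextEntryOffset = (i + 1 < n) ? (uint32_t)sizeof(ProcEntry) : 0;
        e->UniqueProcessId = (uint32_t)(4 + 100 * i);
        snprintf(e->ImageName, sizeof e->ImageName, "%s", names[i]);
    }
    return n;
}

/* What a hook on NtQuerySystemInformation does after the real call returns:
 * unlink each record named `name` by folding its NextEntryOffset into the
 * previous record's. The bytes stay; only the chain skips them. The head
 * record (Idle on Windows) is never hidden. `caller`, the asking process's
 * image name (stand-in for what a real hook derives from the current process),
 * lets a scanner-aware rootkit, the evasion the post describes, leave the list
 * intact for a known scanner. Returns the number of records unlinked. */
int hide_process(uint8_t *buf, const char *name, const char *caller)
{
    ProcEntry *prev = (ProcEntry *)buf;
    int hidden = 0;
    if (strcmp(caller, "RootkitRevealer.exe") == 0) return 0;  /* assumed scanner name */
    while (prev->NextEntryOffset != 0) {
        ProcEntry *cur = (ProcEntry *)((uint8_t *)prev + prev->NextEntryOffset);
        if (strcmp(cur->ImageName, name) != 0) { prev = cur; continue; }
        prev->NextEntryOffset = cur->NextEntryOffset
                              ? prev->NextEntryOffset + cur->NextEntryOffset : 0;
        hidden++;                    /* stay on prev; re-examine its new next */
    }
    return hidden;
}

/* "API view": walk the chain as Task Manager or tasklist would. */
int walk_api_view(const uint8_t *buf, const char **out, int max)
{
    const ProcEntry *e = (const ProcEntry *)buf;
    int n = 0;
    for (;; e = (const ProcEntry *)((const uint8_t *)e + e->NextEntryOffset)) {
        if (n < max) out[n++] = e->ImageName;
        if (e->NextEntryOffset == 0) return n;
    }
}

/* "Raw view": step through the buffer record by record, ignoring the chain; stands in
 * for the lower-level enumeration (kernel PID table, raw disk or hive parsing). */
int walk_raw_view(const uint8_t *buf, int total, const char **out, int max)
{
    int n = total < max ? total : max;
    for (int i = 0; i < n; i++)
        out[i] = ((const ProcEntry *)(buf + i * sizeof(ProcEntry)))->ImageName;
    return n;
}

/* Cross-view diff: names in the raw view but not in the API view are what a
 * hidden process looks like to a RootkitRevealer-style scan. Returns count. */
int find_hidden(const uint8_t *buf, int total, const char **out, int max)
{
    const char *api[MAX_PROCS], *raw[MAX_PROCS];
    int na = walk_api_view(buf, api, MAX_PROCS);
    int nr = walk_raw_view(buf, total, raw, MAX_PROCS);
    int found = 0;
    for (int i = 0; i < nr; i++) {
        int seen = 0;
        for (int j = 0; j < na && !seen; j++) seen = strcmp(raw[i], api[j]) == 0;
        if (!seen && found < max) out[found++] = raw[i];
    }
    return found;
}

int main(void)
{
    ProcEntry storage[MAX_PROCS];               /* aligned backing store */
    uint8_t *buf = (uint8_t *)storage;
    const char *hidden[MAX_PROCS];
    int total = build_sample(buf);
    hide_process(buf, "rkdaemon.exe", "taskmgr.exe");   /* hidden from Task Manager */
    int n = find_hidden(buf, total, hidden, MAX_PROCS);
    for (int i = 0; i < n; i++) printf("raw view only: %s\n", hidden[i]);
    return 0;
}
```

Run as is, it prints the one name that a chain walk misses but a linear scan of the same buffer still finds. Pass "RootkitRevealer.exe" as the caller instead of "taskmgr.exe" and nothing is unlinked, so find_hidden returns 0: that is the scanner-aware evasion the next paragraph describes, and it is why a cross-view diff is only as good as the scanner's ability to stay unrecognised, and why the low-level view has to come from somewhere the rootkit cannot hook.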

This was effective when the projects were announced and first released. Now a new generation of malware is coming along that is clever enough to hide itself from standard searches and then stop hiding for the duration of a RootkitRevealer or Strider GhostBuster scan, for example by watching for the scanner’s process or window name, so that the two views the scanner compares agree and no discrepancy is reported. The finesse with which malware authors are building their rootkits often leaves one wondering who is ahead in the game.

For more information on the many rootkit removal services that may be available to your business, please contact Three18, Inc. at 310-581-9500 or via email at sales@318.com