Thursday, 2 October 2008

Can rootkits ever be useful?

A security company has developed a tool that aims to protect users from fraud, even if their computers are infected with viruses or other threats. According to Technology Review, Verdasys has developed SiteTrust, which it hopes to license to financial institutions. These in turn would provide software to their customers, who would use it alongside existing security products such as anti-virus and firewalls.

There are two interesting points in Verdasys' approach, as far as I can tell from reading Technology Review's report. The first is the idea that we should assume that everyone's systems are infected with malware. This is a depressing thought, but probably a very sensible one. The second, and possibly the most controversial, is that SiteTrust is "essentially a rootkit."

Verdasys chief technology officer Bill Ledingham reportedly acknowledges the controversy surrounding commercial rootkits, but claims that Verdasys' experience in designing them ensures they won't interfere with a computer's normal use. He also admits that criminals may try to dig even deeper into the system, to undermine SiteTrust, but hopes to stay one step ahead of the hackers.

Remember this: he claims that the rootkit won't interfere with a computer's normal use; and hopes to stay one step ahead of the hackers.

THE PROBLEM WITH ROOTKITS

Rootkits are usually malicious, being designed to allow a program to exert maximum control over a system at a very low level in a secretive way. Online criminals sometimes use rootkits to take control of victims' computer systems, but sometimes a legitimate company chooses to use rootkit-like techniques to protect data in one way or another. This rarely ends well.

Sony has tried this a number of times but, in each known case, experts have noted (or even demonstrated) that an attacker could abuse a system with 'legitimate' rootkit technology installed. This is the main problem with commercial rootkits. They can provide an opportunity for an attacker. When users don't know that the software has been installed, as was the case with Sony's CD copy protection system, there are additional issues of personal privacy.

There may be a further issue of the rootkit interfering with the computer's normal use, but we can take for granted that a commercial rootkit would not cause obvious problems to the system. Legitimate companies should have better quality assurance than online criminals, after all. So the main issue in this case is whether or not the rootkit could be used as an attack vector. And we won't know that until someone starts to play with the product in a lab.

Every technology company that deals with security hopes to stay ahead of the hackers, but few would claim (behind closed doors) that they are managing to do this. This is why malware exists and why no responsible company would ever claim to offer 100 per cent protection.

While it is possible that a company like Verdasys could produce a successful product that provides no opportunity for an attacker and that always stays one step ahead of the hackers, it is worth remembering that this aim might fail. And what a juicy target SiteTrust would be, if it did. After all, it is a product designed to secure important financial transactions.