By Dawn Kawamoto

Story last modified Tue Apr 18 05:59:43 PDT 2006

Rootkit numbers rocketing up, McAfee says

Rootkits, used by hackers to hide malicious software, are on the rise and becoming more complex, according to security company McAfee.

In the first quarter, the number of rootkits seen by McAfee's Avert Labs grew by 700 percent, compared with the same period last year, the company said Monday. Its research into "stealth techniques" also covered cloaking technology bundled with commercial programs, such as Sony BMG's antipiracy tool, and with potentially unwanted software such as adware.

While the use of such techniques to hide activity on computers has been around since 1986, their number and complexity have accelerated over the last three years, according to a McAfee report released Monday. In the first quarter alone, Avert Labs found more than 827 stealth techniques. That contrasts with about 70 found in the same period in 2005 and with approximately 769 for the whole of that year.

"This trend in malware evolution is creating hardier and ever more virulent strains of malware that will continue to threaten businesses and consumers alike," Stuart McClure, McAfee senior vice president of global threats, said in a statement.

An "open-source environment" for development of stealth code among hackers is driving this rapid growth, McAfee said. Collaborative Web sites and blogs contain hundreds of lines of rootkit code for recompiling and enhancing the technology, along with rootkit binary executables, McAfee said.

As a result, attackers have an easier time creating ways to hide their malicious files, processes and registry keys without extensive knowledge of the targeted operating system.

"Collaboration does more than just spread stealth technologies. It also fosters the development of new and more sophisticated stealth techniques," the report's authors wrote. One way they gauged the complexity of the programs was by counting the number of component files in a software package.

During the first quarter, 612 stealth components were submitted to Avert Labs, compared with 60 in the same period last year, the report noted. The first-quarter figure was also nearly equal to that for all of 2005.

McAfee noted an increase in commercial software using stealth techniques to conceal code. Companies that have turned to the use of such technology include record label Sony BMG, which used it to hide copy protection code, and Symantec, which later stepped back from using it in its Norton SystemWorks PC-tuning application. The report did not label such stealth technology as rootkits, a word it said should be used in relation to malicious software.

While Microsoft's Windows is the main target of malicious rootkits because of its high level of use, McAfee also noted that its many undocumented application programming interfaces (APIs) make it an attractive target.

In gauging the future growth of rootkits, McAfee noted that while Microsoft's broad release of Vista looms on the horizon, a lull in Windows-related attacks won't come until there's widespread adoption of the new operating system, as was seen in the release of Windows 95.

"We can predict that, in the coming two or three years, the growth of rootkits for the current Windows architecture will reach an annual rate of at least 650 percent," the report stated.
