Complete Transcript of Interview - Andrew Lee - ESET
Let’s Talk Computers Radio Talk Show
Host Alan Ashendorf
November 18th 2006
Alan: Today, on LTC, we are going to be talking about “rootkits” and how they really impact your computer system. Our guest today is Andrew Lee, Chief Research Officer, with ESET. And welcome back to LTC, Andrew.
Andrew: Hi, Alan. It’s great to be back.
Alan: First of all, what, exactly is a rootkit?
Andrew: In terms of what people mostly refer to as rootkits, the name is actually something of a misnomer. In the early days, what a rootkit essentially was, was a group of utilities which were used to gain and keep elevated access on a system. They developed it on the UNIX systems (the Linux-type systems), where the most powerful account on the system is called root, for the super user (the most powerful user).
Alan: It’s like in a Windows System, where the Admin or the Administrator would be the most powerful user for the Windows Box.
Andrew: The Administrator views his own system. And because that user is called root, and you had a collection of these files which enabled you to “get root”, if you like, sometimes you will hear that expression, “You’ve got root”.
Well, rooting the system meant that you had full administrative access to the system and the rootkit allowed you to get in there, get that access and sometimes be able to hide the fact that you were in there.
What we are really talking about in terms of Windows rootkits is substantively different. You do not necessarily need to try and get fully elevated privileges. What people are really talking about, in terms of the rootkits that we have now, is “stealth technology”, which allows things to be hidden from the operating system.
To give you a very simple example of what I mean: if you open up Windows Explorer on your computer and you go to the Tools menu and look at the Folder Options, in there you will have a tab that says View, and in there, there is an option called “Hidden Files and Folders”. And you can turn off the viewing of certain types of folders. You can hide extensions or you can hide protected operating system files. That is a kind of stealth technology. It basically means that when you go to look in Windows Explorer, certain files are not displayed. So, that is an easy way to understand what I’m talking about. And obviously, there is nothing malicious in Windows being able to hide system files. That is a very good idea, because you do not want people in there just deleting important files for whatever reason, or being able to have access to certain types of folders.
Alan: But, that is just an attribute of the file. You can set it as a “Read Only” attribute or a “System Hidden” attribute. And it is just really toggling a bit that says, “don’t show it to the average user”, but it is still in the system. But, what you are talking about goes a lot deeper, in the sense that now Windows can’t even find it.
Andrew: That’s right. Now, the worrying thing about the rootkits, as we talk about them in terms of being used for malicious purposes, is that they can go into the system, become installed in there, load themselves at every start-up and effectively hide completely from the operating system. So, there is no way that even if you list the directory in DOS, or if you run a scan with a normal anti-virus system, or anything like that, it can see those processes. If you go into the Task Manager, you cannot see the process listed. If you look in Explorer, you don’t see any files listed.
This is really where the malicious exploitation has come. Because people have realized, “Well, I can hide a Trojan underneath a rootkit, I can hide a virus underneath a rootkit; I can hide all the files that I am collecting with a key logger under a rootkit.”
Alan: When you are saying that it hides from the operating system, but if you know the name of the file, and let’s say it’s an executable, and you type it directly with the full path, it is going to launch it, right?
Andrew: What usually happens is that there is a process called by the rootkit, which will hide certain things. So, let’s take a typical example: the Hacker Defender rootkit, which is very, very widespread. It’s a very popular rootkit, used by malware creators.
What that does is it gives you some kind of configuration file, which allows you to put in certain parameters. Let’s say that I wanted to hide everything that begins with the letters h-s-d-e-f. It is going to hide the Hacker Defender file. What happens is that you launch that in the system. It creates a process which is completely hidden from the operating system. So, whatever you do, if you try and access the files in there using the operating system – so even if you try to execute something from in there – it simply would not be able to find it, because as far as the system is concerned, that does not exist. So, you can try and open up a folder, and even if you know that it is there, the system will just simply say, “I can’t find the file that is specified”.
Alan: So, this takes a really intelligent anti-virus, anti-threat system in order to kind of 1) weed these out or 2) prevent their launching.
Andrew: It does. There are two issues here. 1) is obviously you want to make sure that your anti-virus program detects it before it is installed. Because, once a rootkit is installed, there are all kinds of things that an attacker can do. It is obviously a really bad idea to have something that will be able to install itself. So, you would hope that your anti-virus system would catch that.
But, another problem that can come is that maybe there wasn’t detection at the time, and so the thing becomes installed, but when you put your anti-virus onto the system, a normal anti-virus program cannot see the files because they are hidden. To all intents and purposes, they do not exist. So, what you actually really need is something which can kind of x-ray through that, or that can provide you some kind of true vision of what the system really looks like, rather than the fake version that the rootkit is presenting to you. So, it is really important that when you are trying to detect rootkits that are installed, you can actually see what the system looks like, rather than the sort of “faked up” version that the rootkit will present to you.
Alan: This is why you want to have something that is real-time prevention, like heuristics, where it looks to see what the action is going to be doing, not necessarily just finding the file by its name.
Andrew: Definitely heuristics are a part of that, because you can detect sort of modified rootkits and things that have changed. But one of the things that we have actually done, as well, is that we have recognized that just being able to prevent the installation of rootkits isn’t enough.
There are going to be circumstances where people need to be able to remove rootkits, as well. With the new Version 2.7 of NOD32 that has come out, we have included an anti-rootkit technology – effectively, anti-stealth technology – which is able to have a true sight and a true vision into the system. So, regardless of the fact that the rootkit is presenting this fake view (so the operating system cannot see it), what we have done is to create a driver in NOD32 which can see through all of that and cut through it, and then detect the files as normal, clean up, and draw the system back to the way that it was before.
Alan: Some people say that once you get hit with a rootkit, the only thing that you can basically do is reformat your hard drive and start all over again, because it is hidden so deeply that nothing can find it. But, you are really finding it, aren’t you?
Andrew: We are finding it. And it is an important thing. There are certain types of malware which, for instance, hold you to ransom and say, “we’ve started up your files and they are going to disappear, unless you give us money.” And that is one of the applications that rootkits can be used for – they simply hide a lot of important things, and say, “Well, you are not going to get that back, unless you pay us money.” But, it is not always a good idea to say to people, reinstall your operating system. It’s not always the most helpful, when people need to get their data back. Now, arguably, you don’t know what has happened on that system while the rootkit has been installed, because you’ve got this thing that’s there. It’s hidden all sorts of processes. It’s hidden all the things that have been going on. And you might want to take the step of rebuilding a system and getting a clean install. So, that is still good advice, but it doesn’t change the fact that while you are actually affected by a rootkit, there are very good reasons for wanting not to just reformat the hard drive and start again. You want to get your data back. You want to make sure that you can recover everything. So, having this technology (NOD32) allows that protection to know that – okay, the system has got a rootkit on it. We know that is bad, but we can take care of that. We can clean it off, allow you back into your system – allow you the control back of your system. You are then no longer under someone else’s control. Then you can take the remediation steps that are necessary to make sure that your data is okay, you have backups, and then maybe you might want to re-build the system.
Alan: Well, Andrew, there are a lot of stand-alone programs that are called rootkit finders, rootkit revealers and rootkit fixers. But, why don’t you want to run something like that? Why do you want to have an integrated solution like NOD32?
Andrew: Probably the best reason is to do with simplicity. People expect our solution to be able to deal with the threats that they encounter. Why should we sell a product to somebody and then expect them to find some other utility or some other tool to take care of a problem that we can deal with? The other removers and some of the other technologies that are out there are actually quite complex to use. They will give you a list of files and say that these are hidden processes, but it doesn’t give you any information about whether that is a malicious process, whether that’s actually important. Do I need to take that file out, or what do I do?
Another advantage to having it integrated is that once we look underneath the fake view from the rootkit, we can say that this is an infected file, this is a malicious file, etc. So we can see that that file is there and we can automatically deal with it. So, you don’t have to go through this process where you’ve got this tool, you can see that it’s found some hidden processes, but you’re not really sure what to do. The integration produces a lot of simplicity for the user. In fact, it can be completely transparent, in the same way that the rest of the product works. You can have that kind of “silent” thing going on, if you want to.
Alan: I look at it as if you are hiring a bodyguard and then being told by the bodyguard, “Yes, but I don’t protect from dogs. You are scared of dogs, so you are on your own when it comes to dog bites.”
Andrew: That’s it. It’s one of the things that we have been absolutely committed to, and if you look at the history of what we have done, as those new threats have appeared – for instance, phishing, and the spyware – we have integrated it into the system, because we recognize that our customers want to be able to deal with that in an integrated way. They don’t want to have to go and get some special tool or some other third-party software. They are used to the way that we work. We want to be able to provide that integrated detection and the simplicity of being able to just see that all of those things are in the same place.
Alan: If you have a rootkit on your machine, even if it’s not doing anything bad, it can actually cause destabilization or actually cause problems, and you don’t know it.
Andrew: There are two types of rootkits, really. There’s what’s called user mode or user land rootkits, which kind of run in the context of the user. So, when you log on as a normal user, it runs with whatever level of privilege you have. There are some more tricky rootkits, which run in what’s called kernel mode, and the kernel is like the heart of the operating system. And if you get a kernel mode rootkit, it can really cause problems, because it is very dangerous to hook into the kernel and start playing about – it causes the machine to go Blue Screen very quickly. So, you can get a lot of instability when you have rootkits and other types of malware as well (some of the spyware stuff and adware stuff). It really slows the machines down. It can cause it to become really unstable. The threat isn’t just that rootkits can cause the system to be compromised by hiding things, but actually, it could just destabilize it because of the way that it works – that it may be not too well written, or it interferes with something else in your system, and it just means that every time you try and boot up or whatever, it’s got a Blue Screen.
Alan: Well, what kinds of computer systems are affected by rootkits? Windows 95, 98, XP, or is it just a certain type of file system, or what?
Andrew: It is a real threat at all levels. In the way that a rootkit works, it’s hooked into the way that the system works; it’s not necessarily so much to do with the file system, although some of them take advantage of using things like permissions from the hold; that’s how they work. They work by fooling the operating system itself into believing that those files aren’t there.
Alan: Now, if I have NOD32 installed on my system, do I have to buy a separate upgrade or separate module in order to protect myself against rootkits?
Andrew: Over the lifetime of your license, you will get whatever protection we offer. When you buy our product, it’s the same product at all levels. So, obviously we want businesses to be able to protect themselves, and we are concerned about our enterprise customers. But, home users effectively get the same protection. There is no difference in the way that we make our product. We don’t disable anything. But, when you buy the NOD32 license, you get the upgrades included, not just the updates and the signatures. You actually get upgrades to the product, so that you get the best protection that we can offer at every point.
Alan: So, you don’t have to worry about it being a 2005 version or a 2004 version that I have to get different definitions for. When I get the NOD32 license, I get the newest, the greatest, the only software that’s out there, and if you come out with a new module, it’s instantly pushed out to me.
Andrew: As soon as that upgrade is available, it is released. You can go ahead and upgrade. Your license covers you for that.
Alan: And if we would like to find out more information about NOD32 and how it protects you from rootkits, where would you go?
Andrew: The best place to go is to http://www.eset.com and take a look there.
Alan: Andrew, it’s been our pleasure to have you here on LTC, talking about how we can continually keep our computers safe and we hope to have you back on the air again, real soon.
Andrew: Thanks very much, Alan. It’s been a real pleasure.