ZDNet UK

CNET NETWORKS UK BUSINESS SITES:
atlarge.com
BNET UK
silicon.com
SmartPlanet.com
ZDNet.co.uk

ZDNet.co.uk - Winner of Best Business Website 2007

You are here: ZDNet.co.uk > News > Security

Security management Toolkit

Why rootkits mean you must nuke your machine

Matt Loney ZDNet.co.uk

Published: 17 Nov 2005 17:35 GMT

Rootkits hit the news earlier this month when Mark Russinovich of Sysinternals noticed odd behaviour following installation of some digital rights management (DRM) software that shipped with a Sony music CD. What he found sparked a furore that saw Sony threatened with everything from boycotts to class action lawsuits, and system administrators totally reassigning their approach to users playing what had previously been widely seen as harmless music CDs on work computers.

Rootkits may have been around for many years on Unix systems, but the Sony DRM debacle has propelled them into the consciousness of many IT managers responsible for Windows computers.

At Microsoft's IT Forum 2005 event in Barcelona this week, Windows programme manager Mike Danseglio delved into the technical aspects of rootkits. ZDNet UK was there to report what he had to say, to find out what University of Michigan students get up to with rootkits, why the only way to recover an affected machine with any level of assurance is to nuke it, and what the future holds.

What is a rootkit?
A rootkit is not an attack vector on its own. It is not a virus, and it is not a worm. It is a cloak or a disguise — something to hide something else. For instance an attacker might want to use a rootkit to put a virus on your system but doesn't want you to be able see that virus.

Is a rootkit malware?
Most people think it is, but it is not always. A sys admin might want to use a rootkit to hide something from the user, to monitor the system in some way. I treat rootkits neutrally — I don't want to class them as good or bad. You have to make your decision in each case.

The rootkit is not a virus, a worm, or a Trojan horse. It is just the code that hides something. Can it hide worms and spyware etc? Absolutely it can. The issue in the Sony DRM case is whether Sony properly disclosed that it is installing a rootkit on your system. And what Sony uses is a rootkit: it hides other things.

1 2 3 4

Did you find this article useful?
292 out of 532 people found this useful

Post a comment

Full Talkback thread

5 comments

A rootkit exists in video memory?? Is this video m... Anonymous
wouldn't it solve the problem if the OS does not a... Sans
This article is woefully uninformed, from the mean... Anonymous
Rootkits should be viwed exactly the same as other... Martin Ridley
Try reading and fixing the terribly high amount of... Myles

More In Security management

Company/Topic Alerts

Create a new alert from the list below:

Featured Talkback

It seems to me this is a burden being placed on the wrong shoulders. There is not an It system in the world that can stop an individual taking information in their heads and spewing out at the nearest undesirable third party.