Keeping your remote laptops healthy is not an easy task these days. Infections are everywhere, and once these PCs leave the shelter of your enterprise network, they can easily get filled with rootkits, malware and viruses.
Of the three types of infection, rootkits are the most troubling. A rootkit is a special software program that can be left on a PC without the user's knowledge or permission and allows someone else to have remote control of the machine's operations. They are often used to assemble major botnet attacks, where a hacker controls groups of PCs to send out spam or more malware over the Internet. This can expose an enterprise to legal liability as well as potential data loss on the individual PCs that have been compromised.
First developed in the 1990s for Unix computers, rootkits became infamous for Windows PCs in 2005 when Sony Music used them in numerous music CDs to prevent users from making digital copies. Now they are quite common and basic prototypes are found on several Web sites that can be used by even inexperienced programmers to develop the most virulent rootkits.
What makes rootkits so insidious is that they are hard to detect and harder still to remove without doing a wholesale operating system re-installation or re-imaging of a computer's hard drive. They are designed to hide from the operating system's normal view, since they modify the operating system itself. They can disguise themselves as ordinary operating system utilities, replacing the file and process viewing commands with their own code, or modify the most basic parts of the operating system (the kernel) to conceal their presence. Most of them are designed to survive reboots of the PC, and can live undetected on a system for months. "Remember that a rootkit is not designed to help an intruder gain access to a system. A rootkit is designed to make the intruders feel at home and allow them to work silently on your system without being disturbed," says web developer Oktay Altunergil.
Some of the nastier rootkits include key logging programs that will record username/passwords typed into a particular machine and send this information to a central repository that can be used to compromise or steal sensitive data.
Tools Are Available
There is a series of rootkit detection and removal tools, such as Microsoft's own Malicious Software Removal Tool, Sophos Anti-Rootkit, PrevX, Tripwire, UnHackMe and F-Secure's Blacklight. However, using any of these tools requires users to be vigilant and spend a lot of time proactively doing regular hard disk scans, along with spending time interpreting the results of these scans and deleting the offending compromised files. In some cases, users will have to compare the current state of their systems with results from booting a known clean copy of their OS from a special CD, which is cumbersome at best.
"How often are you going to have your users reboot and scan their PCs?" asks Steve Hanna, of Juniper Networks' Architecture Technology Group. "This isn't really very practical on a continuous basis, since most users are only going to investigate a potential rootkit issue once in a while."
For example, users might be motivated to investigate a potential infection if some other symptom is observed on their PC, such as reduced performance or odd boot behavior. And even PCs running their own firewall software are at risk, since infections can be transmitted by browsing dangerous Web pages or by sending files via Instant Messenger applications, or even by inserting a music CD into their systems, as Sony has so aptly demonstrated.
A new breed of infections employs virtualization techniques similar to those used by EMC's VMware and Microsoft Virtual Server 2005. By silently creating a virtual environment in which the normal operating system runs, the rootkit gains access to all data processed by that operating system while evading detection. "Under these circumstances, a rootkit can run a clean copy of the OS and still get access to all the confidential data," says Hanna.
But there is some good news on the rootkit front. There are improvements in endpoint health assessment and remediation that can help to rid enterprises of rootkits by stopping them at their entry to a remote laptop. These measures take a combination of particular hardware and software and provide system administrators new ways to defend their PCs.
The developments center on a piece of added hardware called the Trusted Platform Module (TPM), a special hardware component that is now present in most new commercial-grade laptops and desktops sold by the major PC manufacturers and, according to IDC, is present in about 20 percent of all PCs operating today. Until relatively recently, the TPM chip wasn't used by many applications, but with these new products it can serve as a mechanism for stopping rootkit infections.
Here’s How It Works
Whenever the PC boots, the TPM measures the BIOS, boot loader, and all other critical software components in the operating system. These measurements are taken before each component runs and are stored securely in the TPM so they can't be modified. When the PC connects to the network, the measurements are sent to a server where they are checked against a list of known good configurations. If the measurements do not match a known good configuration, the PC can be quarantined and repaired.
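The boot-time measurement chain and the server-side check described above, as an added illustration that is not code from the article or from any of the vendors it names. It simulates a TPM 1.2-style 20-byte PCR (the extend operation is SHA-1 of the old value concatenated with the new measurement), the boot component images are constructed sample bytes, and the attestation transport and the TPM's signature over the reported values are assumed and omitted.

```python
import hashlib

# TPM 1.2 PCRs are 20-byte SHA-1 registers that start at all zeros on power-on
PCR_INIT = b"\x00" * 20


def measure(component: bytes) -> bytes:
    """Hash of a boot component's code, taken before that component runs."""
    return hashlib.sha1(component).digest()


def extend(pcr: bytes, measurement: bytes) -> bytes:
    """PCR extend: new = SHA1(old || measurement). One-way; a value can only be appended to, never reset."""
    return hashlib.sha1(pcr + measurement).digest()


def measured_boot(components):
    """Simulate the boot chain: each stage (BIOS, boot loader, kernel, ...) is measured, then extended into the PCR."""
    pcr = PCR_INIT
    event_log = []  # what was measured, in order, for the server to inspect on a mismatch
    for name, code in components:
        m = measure(code)
        event_log.append((name, m.hex()))
        pcr = extend(pcr, m)
    return pcr, event_log


def attest(pcr: bytes, known_good: dict) -> str:
    """Server-side check: a reported PCR either matches a known good configuration or the PC is quarantined."""
    return known_good.get(pcr, "QUARANTINE")


# Constructed sample boot stages standing in for the real BIOS, boot loader and kernel images
CLEAN_BOOT = [("bios", b"BIOS v1.02"), ("bootloader", b"ntldr build 5.2"), ("kernel", b"ntoskrnl 5.1.2600")]
# Same machine, but the boot loader image has been altered (the kind of change a rootkit leaves behind)
TAMPERED_BOOT = [CLEAN_BOOT[0], ("bootloader", b"ntldr build 5.2 + altered stage"), CLEAN_BOOT[2]]


def build_known_good():
    """Known good list: the PCR value produced by the golden image, labelled for the help desk."""
    golden_pcr, _ = measured_boot(CLEAN_BOOT)
    return {golden_pcr: "OK: golden image 2006-11"}


def check_laptop(components):
    """Client boots and reports its PCR; server returns the verdict plus the event log for triage."""
    pcr, event_log = measured_boot(components)
    return attest(pcr, build_known_good()), event_log


if __name__ == "__main__":
    for label, boot in (("clean", CLEAN_BOOT), ("tampered", TAMPERED_BOOT)):
        verdict, log = check_laptop(boot)
        print(label, "->", verdict, log)
```

Note that the measurement only makes a changed boot loader visible to the server; it does not stop the file from being changed, which is why the article's flow ends in quarantine and repair rather than prevention. The extend chain is also order-sensitive, so the same components loaded in a different sequence produce a different PCR and would likewise fail the check.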
One company that has already developed software that works with the TPM is Wave Systems of Lee, Mass. They sell a product called Embassy Endpoint Enforcer, which is designed for use in enterprise IT endpoint situations to support the TPM hardware and ensure that no rootkits are operating on a remote laptop.
Wave's software forms the foundation of a new series of standards from the Trusted Computing Group called the Platform Trust Services, which became public in November 2006.
"This defines how software can take advantage of the TPM and use it to determine how critical system components are measured and reported to the OS," says Brian Berger of Wave Systems. "This standardizes the work that we did on our product and makes it easier for other companies to make use of the TPM."
In addition to Wave, others are working on supporting the TPM, including Microsoft with its Vista operating system. Vista, which began shipping in December 2006, includes a feature called BitLocker that provides hard drive encryption. The key for the encryption can be stored on the TPM chip, making it easy and secure.
The TPM gets around the issue of doing frequent system scans, because the boot process is guaranteed and no software can make any unauthorized modifications to these files.
"The TPM becomes the first step in the boot sequence," says Hanna. "It serves as a secure foundation for the BIOS, the boot loader, the kernel, and the rest of the operating system. Since the TPM performs this check every time the PC boots, it provides a regular check for rootkit infections. This means it will be easily apparent when a PC has been tampered with. And that's a good thing in today's dangerous world."
About the Author
David Strom is the former editor-in-chief of Tom's Hardware and Network Computing, the author of two computer books and thousands of magazine articles on Internet security, computer networking, and other technical topics. He can be reached at david@strom.com.