What are their objectives?
They try to hide from other processes the fact that malicious actions are being carried out on the system. For example, if the system contains a back door used for espionage, the rootkit will hide the open ports that expose its communication; if the system is being used to send spam, it will hide the activity of the mail system.
Because rootkits are designed to go unnoticed, they escape detection. If a user tries to analyze the system to see which processes are running, the rootkit will deceive them, showing every process except itself and the ones it is hiding. If the user tries to list the files on the system, the rootkit will return that listing but hide the existence of its own file and of the files belonging to the processes it hides.
When the antivirus calls the operating system to check which files exist, or tries to find out which processes are running, the rootkit falsifies the answer, and the antivirus never receives the correct information it needs to disinfect the system.
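An added example, not from the original article, of the cross-view check a defender can use against the listing trick just described: it compares the processes that /proc lists against the processes the kernel admits exist when each PID is probed with kill(pid, 0). Linux only; function names such as hidden_pids are my own.

```python
import os

def listed_pids():
    """PIDs the normal listing path reports (readdir on /proc): the view a
    rootkit that filters directory listings tampers with."""
    return {int(n) for n in os.listdir("/proc") if n.isdigit()}

def pid_exists(pid):
    """Ask the kernel directly with kill(pid, 0): no signal is delivered,
    ESRCH means no such process, EPERM means it exists but is not ours."""
    try:
        os.kill(pid, 0)
    except ProcessLookupError:
        return False
    except PermissionError:
        return True
    return True

def probed_pids(max_pid=None):
    """Brute-force the PID space; defaults to the kernel's pid_max."""
    if max_pid is None:
        with open("/proc/sys/kernel/pid_max") as f:
            max_pid = int(f.read())
    return {pid for pid in range(1, max_pid + 1) if pid_exists(pid)}

def is_thread(pid):
    """kill() also answers for thread IDs, which /proc omits from readdir on
    purpose; Tgid in /proc/<id>/status tells them apart. If status cannot be
    read at all, the ID stays a candidate."""
    try:
        with open(f"/proc/{pid}/status") as f:
            for line in f:
                if line.startswith("Tgid:"):
                    return int(line.split()[1]) != pid
    except OSError:
        pass
    return False

def hidden_pids(max_pid=None):
    """Cross-view diff: IDs that answer to kill() but never show up in the
    /proc listing. The listing is taken before and after the probe, and each
    candidate is re-probed, so a process that exits mid-scan is not reported."""
    before = listed_pids()
    probed = probed_pids(max_pid)
    after = listed_pids()
    candidates = probed - before - after
    return sorted(p for p in candidates if pid_exists(p) and not is_thread(p))

if __name__ == "__main__":
    print("hidden PIDs:", hidden_pids() or "none")
```

Run it as root, since only root can probe and read every process; on a /proc mounted with hidepid, other users' processes are legitimately absent from the listing and would show up as false positives.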
How can we face them?
A system is needed that watches not only the activity of the files on disk but goes further. Instead of analyzing files byte by byte, it must watch what they do when they execute.
A rootkit needs to carry out certain tasks that could be considered "typical": acquiring root rights, modifying basic calls to the operating system, falsifying the system's own reporting mechanisms, and so on. Taken one at a time, each of these tasks involves little danger. But all of them together, at the same moment and carried out by the same program, are clear evidence that something strange is happening on the computer.
Where antivirus solutions definitively fail when it comes to detecting rootkits, the new behavior-based threat detection technologies have their best test of effectiveness in the detection and blocking of rootkits. These technologies do not base their operation on previously learned conditions or on closed patterns for identifying threats. Their success rests on intelligent, automatic investigation of the situation of a process on a computer.
When a series of actions is carried out on the system and all of them (or at least some) could pose a risk to the integrity of the information or to the correct operation of the machine, a series of factors is evaluated that describe how dangerous that task is. For example, a process wanting to take administrator rights on a system may be more or less usual. It certainly carries some risk, but it is not necessary to raise an alert for that reason alone: a simple installer for a game may need administrator rights to make the necessary modifications and run correctly. Likewise, a given process may have to remain hidden because there is no possibility of interaction, or may open a specific port to communicate, or may record keystrokes. But all those characteristics together mean that the process can be considered a threat, and an in-depth analysis is required before its execution can be authorized safely.
What can be done?
Despite what has been said, rootkits can be removed (although not so easily). These programs protect themselves by hiding and preventing any other process (such as an antivirus) from detecting them. But for that process to stay hidden, it must be active and running in memory.
The best way to prevent the process from coming into action is to avoid booting the operating system from the disk on which the rootkit resides, using a disk different from the infected system's, such as a CD. Then, if the rootkit is known, it can be removed.
However, if the rootkit is not known (that is, it was developed specifically for one particular system), any antivirus will fail. In that case the computing problem is almost the lesser one: there is a person who deliberately wants to harm the company and has taken the trouble to break into the system to do so.
1. Microsoft's AntiSpyware will protect against Sony's rootkit
Microsoft Windows AntiSpyware (still in beta) will detect and remove Sony's rootkit from our operating system. Nothing special needs to be done, since this functionality will be included in the product's (weekly) updates, so that as of next week those who have this anti-spyware installed will have their machines protected. It can be downloaded from the antispyware downloads link.
2. Lawsuit against Sony BMG over its anti-piracy technology
The record label Sony BMG has been sued (11/2005) in a class action in California by consumers who claim that their computers were damaged by the anti-piracy software on some of the company's CDs. The suit alleges that BMG acted wrongly by not disclosing the true nature of the digital rights management system used on its CDs, and that thousands of users have infected their computers without knowing it, according to court documents.
The complaint, filed on November 1 in Los Angeles Superior Court, asks the court to bar Sony BMG from selling further CDs with anti-piracy software, and seeks financial compensation for the California consumers who bought them.
Sony CDs with viruses? The idea that a company as "serious" as Sony has put these rootkits on its CDs "to prevent" piracy is scandalous. What can we expect now from other companies that do not have Sony's prestige? Perhaps they will use the excuse "If Sony did it, why not us?"
Every company has every right to protect its productions and creations, but not to modify or manipulate the user's operating system without their consent.