Friday, January 8, 2010

A comment on rootkits

As a new year opens, the IT security blogging world starts making top-10 lists, new year predictions and the like. The most interesting observations I have seen so far are TechNet's stats on rootkits.

In 2005 we started seeing the first of them and warned users about the power of the "Invisibility Ring" for software. Rootkits can genuinely make any program invisible to monitoring tools, the operating system and antivirus programs. When used for evil, they can be devastating... imagine making a crafty thief invisible.

In 2010, we're still fighting them, and they keep getting more and more complicated, using different and more creative ways of staying off the radar. The TechNet article mentions that today only 7% of all malware uses rootkit techniques to hide. That seems very, very low, which would mean that the bad guys are using ready-made recipes to attack and aren't really creating their own software. Well, actually some are... about 7% of them.

It sounds strange that the most dangerous kind of tool available to malware is being used by such a low percentage of the bad guys. There are two possibilities: either the bad guys have not realized the power that a rootkit can give to their evil creations, or we are not measuring this properly. A third possibility is that the proficient rootkit-enabled malware programs are being outnumbered by loads and loads of easy-to-detect, run-of-the-mill, mediocre malware. That even seems likely. In any case, we need to keep polishing our swords so that our cleaning tools can detect and deal with the latest rootkit technologies. For the ones that use them, that is.
