Who Will Win the Game of Cat and Mouse?
I recently provided Steven Vaughan-Nichols with some information for an ITWorld article about rootkits - tools that attackers use to hide their presence on compromised systems. Pulling together my thoughts for Steven really got me thinking a lot about how rootkits started, how they’ve evolved, and what’s to be expected in the near future.
Originally, rootkits started off as replacements for system programs that might show traces of an attacker. These replacements had additional code added into them to prevent the legitimate system owners from seeing the traces an attacker had left behind.
Companies developed software to detect the rootkits’ presence so that they could combat them. These pieces of software took simple cryptographic fingerprints of legitimate binaries and periodically compared them against the installed software. If a single bit of the file was changed, the fingerprint was dramatically changed. As a result, these tools were extremely effective in detecting rootkits.
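As an added illustration of the fingerprint comparison described above (example code written for this post, not a tool the article names), the following Python routine records a trusted digest for each watched binary and later re-checks it; the "binary" and its bytes are constructed stand-ins, and a single flipped bit is enough to change the result.

```python
import hashlib
import os
import tempfile
from pathlib import Path


def fingerprint(path):
    """Return the SHA-256 hex digest of a file, read in chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(paths):
    """Record a trusted fingerprint for every binary we want to watch."""
    return {str(p): fingerprint(p) for p in paths}


def check_baseline(baseline):
    """Re-fingerprint each watched file and report any whose digest differs
    from the baseline or that has disappeared. Returns {path: reason}."""
    findings = {}
    for path, expected in baseline.items():
        if not os.path.exists(path):
            findings[path] = "missing"
        elif fingerprint(path) != expected:
            findings[path] = "modified"
    return findings


def demo():
    """Constructed demo: baseline a fake 'ls', flip one bit, re-check."""
    with tempfile.TemporaryDirectory() as d:
        fake_ls = Path(d) / "ls"
        # Constructed stand-in for a system binary, not a real executable.
        fake_ls.write_bytes(b"\x7fELF" + b"\x00" * 60)
        baseline = build_baseline([fake_ls])
        before = check_baseline(baseline)       # expected: no findings
        data = bytearray(fake_ls.read_bytes())
        data[10] ^= 0x01                        # change exactly one bit
        fake_ls.write_bytes(bytes(data))
        after = check_baseline(baseline)        # expected: 'ls' reported modified
        return before, after


if __name__ == "__main__":
    print(demo())
```

The comparison is only as trustworthy as the kernel the checker reads the files through, which is exactly the gap the next paragraph describes.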
Unfortunately, as rootkit countermeasures matured, attackers also evolved their tools. All of the programs that could potentially show traces of attacker activity relied on a central piece of software: the kernel. So, attackers found ways to modify the kernel to hide their traces. Because the kernel controlled what the fingerprinting tools read from disk, a modified kernel could present the original, unaltered binaries to the checker while running something else, defeating the signature-based anti-rootkit technology. That marked the start of a trend that continues to this day – the high-tech game of cat and mouse. As detection software has continued to evolve to keep up with the latest rootkit techniques, rootkits have continued to evolve by delving deeper into the system. The trend went from modifications of system programs, to modifications of the kernel, all the way to modifications of the system BIOS and the leveraging of processor virtualization features.
Computer hardware manufacturers have been pushing Trusted Computing out incrementally over the past few years, and Trusted Computing could turn out to be an end to the game of cat and mouse. However, if history has anything to say, it will just be another turn in the game.