"Real"Companies And Their Rootkits

My current column discusses the latest poop about how Symantec was discovered to be using a rootkit of sorts to hide a directory. They did it for benign purposes, but there is some potential for abuse. In any event, they fixed it.

F-Secure's blog has now added some analysis of what sorts of rootkits they are seeing being used by "real" vendors, and for what purposes. In fact, I'll add another use to the three they list (arguably this fits in their #3 "Software protecting their processes and configuration data"): Mark Russinovich mentions on the Sysinternals RootkitRevealer page that "There are also antivirus products, such as Kaspersky Antivirus, that use rootkit techniques to hide data they store in NTFS alternate data streams. If you are running such a virus scanner you'll see a Hidden from Windows API discrepancy [in a RootkitRevealer scan] for an alternate data stream on every NTFS file."
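If you want to see for yourself what a product is stashing in alternate data streams, here is an added example (editor's code, not from the original post, F-Secure, or Sysinternals) that walks a directory tree and reports every stream other than the default unnamed data stream. It assumes PowerShell 3.0 or later on an NTFS volume; the starting path in $Root is a hypothetical placeholder.

```powershell
# Added example: enumerate NTFS alternate data streams below $Root and report
# files that carry anything beyond the default ':$DATA' stream.
# Assumes PowerShell 3.0+ (the -Stream parameter) on NTFS; $Root is hypothetical.
param([string]$Root = 'C:\Users')

Get-ChildItem -Path $Root -File -Recurse -Force -ErrorAction SilentlyContinue |
    ForEach-Object {
        $file = $_
        # -Stream * lists every stream on the file; the unnamed stream is ':$DATA'
        Get-Item -LiteralPath $file.FullName -Stream * -ErrorAction SilentlyContinue |
            Where-Object { $_.Stream -ne ':$DATA' } |
            ForEach-Object {
                [pscustomobject]@{
                    Path   = $file.FullName
                    Stream = $_.Stream
                    Bytes  = $_.Length
                }
            }
    } |
    Sort-Object Path |
    Format-Table -AutoSize
```

Expect some benign hits: a `Zone.Identifier` stream is what Windows attaches to downloaded files, so it will turn up on much of a user profile. The important caveat is that this listing goes through the same Windows API that the quoted rootkit techniques hook, so a product that hides its streams from the API will hide them from this script too. That is exactly why RootkitRevealer compares the API view against its own read of the raw NTFS volume and reports the difference as a "Hidden from Windows API" discrepancy; a plain stream listing cannot do that by itself.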

Linked by shanmuga Saturday, 14th January 2006 2:47AM