The Rise of Rootkit-Based Malware: Why anti-spyware and anti-virus software is no longer enough

There was a time, a little while back, when it seemed that the security software companies finally had the hackers, criminals and unscrupulous businesses on the run. After years of difficulties with viruses, worms, Trojans and spyware, it appeared that maybe, just maybe, the anti-virus (AV) and anti-spyware (AS) vendors were at last gaining the upper hand. Such hopes, however, proved to be futile. The malware writers once again have the upper hand and AV/AS vendors have been caught napping. According to CERT, reported vulnerabilities in applications jumped by over 50 percent in 2005 after three years of little or no change. The situation is so bad that none of the AV/AS vendors can remove regenerating malware or detect rootkits. Even the ones that claim rootkit detection capabilities do it almost exclusively based on signatures, something that can be easily bypassed by newer strains of malware that use polymorphism (literally, changing into many forms) or incorporate more advanced rootkit technology. And the bad news is that the situation is not expected to get better anytime soon. According to research by AV vendor McAfee, one in seven malware incursions use rootkit technology to obfuscate their actions. By 2008, more than 84 percent of all malware is expected to be disguised by rootkits. That could create havoc in the enterprise unless new tools are brought in to augment today's inadequate security perimeter.

Evolving menace of hidden malware

While the fundamental approach to malware prevention, detection, and removal has not changed in the past several years, the threats have evolved dramatically. A big driver is the fact that the spyware industry now generates several billion dollars in revenue each year and is backed by organized crime.
They harness a variety of covert tools to generate advertising revenue, capture bank account and credit card information, and steal corporate information. The effect can be devastating. In particular, rootkits can make detection by existing AV/AS products nearly impossible. The best-known example of a rootkit is the one used by Sony to prevent copyright violations. The vendor didn't tell anyone it had placed a hidden policing mechanism on home computers without permission. Yet not a single AV/AS vendor detected it.

Rootkits by themselves, however, are not necessarily evil. But the technology can be used by malware to actively hide itself and escape detection. Using the stealth cloak provided by rootkits, spyware can operate undetected. The attacker can then remotely install or modify components, steal locally stored personal information and even use the compromised machine for illegal activities.

Another evolving malware menace is the keylogger. As well as recording keystrokes, it can steal critical information that is not even stored locally on the computer. For example, a keylogger can capture a person's credit card number when the user enters it for a legitimate online transaction. It can also steal passwords and use them to gain unauthorized access to the network.

"Rootkit-based malware are viewed as the kings of malware," says Jayant Shukla, CEO of Trlokom Inc. (www.trlokom.com), a Monrovia, CA-based security software company. "They are hardest to detect and remove, cause considerable damage to the network infrastructure and pose an unprecedented risk to personal information."

Trlokom's flagship product, SpyWall, addresses the rootkit and keylogger problem by providing IT with the ability to detect, prevent and remove them. In fact, Trlokom is the only vendor that has a dedicated rootkit and keylogger scanner included in its anti-malware product.
It not only blocks rootkits and keyloggers from entering the computer, but it nips the problem in the bud by policing the area that is the biggest avenue of attack into an enterprise network: web access. Rootkits typically enter the enterprise either via free software downloads (the rootkit is secretly bundled with another "free" application) or by exploiting an application vulnerability via web browsers, IM clients, VoIP clients or e-mail. The Windows Metafile (WMF) exploit, for example, infected users via banner ads when they visited a web site, sometimes even a reputable one. Although it came in via the web browser, it took advantage of a vulnerability in a component of the operating system that was not even directly accessible. Shukla terms these "Ricochet attacks." Such attacks will gain popularity because they make it possible to exploit vulnerabilities in any component of the operating system.

Sandbox approach

The reason current security products don't effectively address the rootkit and spyware problem is that they take an outmoded and incomplete approach. To address the rootkit and malware problem, you have to defend on all fronts. This includes:

Because rootkits and spyware are entering and hiding inside applications and the kernel, defense must start at the entry point, i.e., the application. More specifically, the web browser must be protected, as it is the avenue for 85 percent of attacks, according to Trend Micro. SpyWall has an edge over competing methods because it is the only product that secures the entry-point application, i.e., the web browser. It achieves this by sandboxing (isolating) the web browser to prevent spyware from infecting the enterprise. Untrusted scripts and ActiveX controls can be safely run in the sandbox, which restricts the interaction the browser has with the system. Any damage is contained, analyzed and eradicated. This creates a first line of defense. For example, it blocks zero-day attacks, i.e.,
those that are so new that there is no known patch or signature to address them. Even if a signature is created quickly and that signature is effective, malicious code writers alter the rootkit just enough to evade the latest defenses, or include features that enable the threat to regenerate itself after it has been "cleaned." That's why some spyware appears so invincible. Further, some malware can even disable the very tools designed to detect and eliminate it.

As well as sandboxing, SpyWall uses definition-, anomaly- and behavior-based scanning methods to find rootkits, spyware, and other malware. A dedicated rootkit scanner finds hidden files, processes, and registry entries. It will also locate unauthorized modifications to applications and the OS, a common ploy used by attackers. Another scanning method examines the active content in memory and tries to ascertain its "expected behavior" in order to classify it as malicious. Any threats are neutralized and removed.

Chun Yu Works Inc. of Taiwan, for example, is a major producer of nuts and bolts. It has a large manufacturing facility in Chino, Calif., an IBM RS/6000 shop that uses Windows PCs at the desktop level. But desktop infections were devouring IT staff hours. As a result, IT staffers had developed the habit of carrying anti-spyware tools around on thumb drives for that inevitable moment when yet another end user reported an infection or a performance slowdown. "We spent too many hours every week handling spyware attacks on our desktops," Roberto Wong, network administrator at Chun Yu Works, said. "It was taking so long to handle some machines that we began to wonder if it might be cheaper just to supply infected users with a new workstation." The company adopted Trlokom software and Wong noted an immediate shift in threat-based challenges. "After we put in SpyWall, we didn't get any more infections for six months," Wong said. "We have had no problems at all with WMF, rootkits or other similar vulnerabilities."
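The "hidden files, processes, and registry entries" that a dedicated rootkit scanner looks for are classically found by cross-view detection: enumerate the same objects once through the interface a rootkit hooks and once through a path it does not cover, then diff the two. The following is an added illustration of that idea, not Trlokom's or SpyWall's code; the file names are constructed, and the live collector assumes a Linux host with /proc (the one raw view that can be demonstrated without a kernel driver).

```python
"""Cross-view detection of hidden objects (added example, not Trlokom's code)."""
import os
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    kind: str    # "process", "file" or "registry"
    name: str
    reason: str


def cross_view(kind, api_view, raw_view):
    """Diff two enumerations of the same objects: anything only the raw view
    saw is hidden; anything only the API reported is a ghost/decoy entry."""
    api, raw = set(api_view), set(raw_view)
    hidden = [Finding(kind, n, "hidden: raw view only") for n in sorted(raw - api)]
    ghosts = [Finding(kind, n, "ghost: API view only") for n in sorted(api - raw)]
    return hidden + ghosts


def _alive(pid):
    """kill(pid, 0) delivers no signal but reveals whether the id exists."""
    try:
        os.kill(pid, 0)
    except ProcessLookupError:
        return False
    except PermissionError:
        pass  # exists, owned by another user
    return True


def linux_process_views(max_pid=32768):
    """Live collector (Linux): /proc directory listing versus id probing.
    Thread ids answer kill() too, so an id is kept only if its Tgid is
    itself, or if it has no /proc entry at all (still alive yet unlisted)."""
    listed = {int(p) for p in os.listdir("/proc") if p.isdigit()}
    probed = set()
    for pid in filter(_alive, range(1, max_pid + 1)):
        try:
            with open(f"/proc/{pid}/status") as f:
                tgid = next((int(l.split()[1]) for l in f if l.startswith("Tgid:")), pid)
            if tgid == pid:
                probed.add(pid)
        except FileNotFoundError:
            if _alive(pid):  # re-probe to rule out a process-exit race
                probed.add(pid)
    return listed, probed


# Constructed sample: a hooked directory listing versus a raw disk walk.
SAMPLE_API_FILES = ["C:\\Windows\\explorer.exe", "C:\\Windows\\notepad.exe"]
SAMPLE_RAW_FILES = SAMPLE_API_FILES + ["C:\\Windows\\System32\\drivers\\hidden.sys"]
```

On a live Linux box, `cross_view("process", map(str, *linux_process_views()))` reports any PID that answers `kill()` but is missing from `/proc`, which is the same readdir-hooking trick Windows rootkits play against the process and file listing APIs.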
Shukla explains that SpyWall is effective against zero-day attacks because it utilizes advanced behavioral detection techniques that combine "deduced behavior" and "observed behavior." This both detects and prevents the installation of spyware without the need for signatures. That way, there is no period of extended vulnerability while IT waits for the vendor to come up with a signature. In addition, Trlokom's anti-malware tool monitors web usage; blocks undesirable websites; silently blocks malicious ActiveX; stops unwanted changes to browser settings, file system, and registry; protects against phishing attacks; and blocks downloads of files from the web (.mpeg, .mp3, etc.). By incorporating prevention, detection, removal and monitoring, SpyWall provides a complete and effective solution against the rootkit threat.

See no evil

The big problem that security vendors run into is that their principal "scan and clean" approach to malware has been rendered obsolete by newer rootkit-wielding malware. And the fact that there are two distinct types of rootkit makes the problem all the more challenging. User-mode rootkits are more common, and security vendors have achieved only sporadic success at blocking, let alone eradicating, these. But it's kernel-mode rootkits that cause anti-virus and anti-spyware vendors to lie awake at night having nightmares (or stay up late handling the complaints of disgruntled customers). "Kernel mode is much harder because you won't see a separate process that can be terminated," says Shukla. "In extreme cases, it can remove all traces of itself from the disk and completely hide inside the kernel. BIOS and virtual machine based rootkits are so bad that even rebuilding the PC will not remove them." SpyWall, however, spots rootkits and successfully cleans a system so it won't be reinfected.
SpyWall detects rootkit presence via a combination of techniques that include behavior analysis at the application and kernel layers, OS and application audit, analysis of executable content in memory, detection of hidden files and processes, and so on. Once a rootkit is located, SpyWall uses a patent-pending method to freeze system state, taking away the rootkit's ability to regenerate or launch counterattacks, and neutralizes the threat. Thus the system can be restored to a healthy, rootkit-free state.

Further, Trlokom provides strong central management capabilities for remote installation and management. This enables efficient, on-demand central management of Trlokom's anti-spyware client software and web security policies. It is possible, therefore, to install the software, definitions, and upgrades remotely throughout the enterprise. If a machine is infected and unusable, IT can scan that PC remotely and eradicate the problematic spyware. As an extra feature, the central management enables monitoring of web browser use by users and of installed software components.

Unlike other anti-malware systems on the market, SpyWall has a small footprint and very low system resource consumption. The client version is priced at $14.99, and support is additional. For client information and a trial version, see www.trlokom.com/product/spywall.php; for central management tool information and a trial version, see www.trlokom.com/product/trlokom_central_management.php.

Drew Robb is a freelance writer.