Ghostware: A rising security threat
Scared of ghosts? If they’re on your computer, you should be.
Roman Lubynsky is a technology consultant based in Boston. A frequent speaker and writer on technology topics, he has an MS in Management of Technology from MIT. Roman can be reached at firstname.lastname@example.org
Just when you think you’re safe because you’ve got that new Internet security suite software installed, there’s a new reason to be concerned. Viruses, worms, spyware, adware, and Trojan horses—while your new firewall, anti-virus and anti-spyware software can do a reasonable job stamping out these threats, there is a growing new evil that can elude these tools.
The computing term for this menace is “rootkit.” But some refer to it as ghostware because, much like Harry Potter’s invisibility cloak, it creeps deep within the crevices of the operating system and then hides other malicious code from detection.
What is it?
Rootkits have been around for many years, originating as benign tools for Unix machines. Not malicious code in themselves, these tools can be used to access a computer and then install and hide bad programs through a range of clever tricks. The end result is that you can’t see or detect these activities using regular system tools or programs because the operating system itself is used to cloak them.
For example, in Windows machines you won’t find any traces of them in your Startup folder, in the Task Manager, or see any of their files in Windows Explorer. Once they take up their stealthy residence, current virus protection software will likely not find the infection.
This ghostware can then be used for unfettered and unnoticed access to your machine and its files, and to monitor your activity. Hackers can use it to seize full control of a computer and gain access to the network, loading the malware of their choice. Then they can easily examine and transfer sensitive files, capture confidential information like passwords and bank logins, and even turn your machine into a zombie that blasts out spam e-mails—all while your security software reports everything is clean.
A rising problem
Microsoft recently reported that 62 percent of Windows PCs are infected with serious threats and that rootkits are being increasingly used to circumvent standard security scans and hide those infections. It is believed that this is the new weapon of choice of organized online criminal groups, which net multiple billions of dollars through identity theft.
McAfee reports that rootkit infections rose more than 600 percent last year, but the numbers are really unknown since there’s no way to reliably track the actual start and spread. And while Windows machines are the primary target because there are so many, every system and OS is vulnerable.
What can you do about it?
Improperly protected computers are the principal way rootkits get onto your system, so make sure you’re running a full array of security tools with up-to-date subscriptions. This should prevent bad stuff, including known rootkits, from getting onto your machines. Also, be very judicious when installing any new software on your computers; only install things that come from known and trusted sources. And finally, periodically run a scan using one of the new specialized rootkit detection programs.
Rootkit detectors have been around for a while, but they were mostly very techie applications that most users would find baffling. Recently, a number of firms have released much more user-friendly tools that the average user can use effectively. Running a scan can take a while and the results may be ambiguous. If you have no hidden objects, then you’re probably fine. If the special searches produce unexplained hidden items, the only reliable resolution is to reformat the drive and do a clean install of the OS and all software.
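The “hidden objects” these detectors report come from a technique called cross-view detection: the same thing (processes, files, registry keys) is enumerated once through the normal interface a rootkit is likely to hook, and once through a lower-level path it is less likely to have patched, and any item visible only in the lower-level view is flagged. The column’s examples are Windows (Task Manager versus the kernel’s own process tables); the script below is an added illustration of the same idea on Linux, written for this page and not taken from the column or from any of the detectors it mentions. It assumes a Linux /proc filesystem: the “listed” view is the process directories in /proc, the low-level view is a kill(pid, 0) probe over the whole PID range, and two passes plus a thread-ID check keep short-lived processes and threads from showing up as false “hidden” processes.

```python
"""Cross-view process check (added example; assumes Linux /proc).

Listed view : numeric directories in /proc, the interface a rootkit
              that hides processes typically tampers with.
Probe view  : kill(pid, 0) for every PID up to pid_max, which asks the
              kernel whether the PID exists without listing anything.
Anything the probe sees that the listing does not is a candidate."""
import os


def listed_views(proc="/proc"):
    """Return (pids, tids): processes the system admits to, plus every
    thread ID under /proc/<pid>/task.  kill(tid, 0) succeeds for thread
    IDs too, so they must not be mistaken for hidden processes."""
    pids, tids = set(), set()
    try:
        names = os.listdir(proc)
    except OSError:
        return pids, tids  # no /proc here; caller gets an empty listing
    for name in names:
        if not name.isdigit():
            continue
        pid = int(name)
        pids.add(pid)
        try:
            tids.update(int(t) for t in os.listdir(f"{proc}/{pid}/task") if t.isdigit())
        except OSError:
            pass  # process exited between the two reads
    return pids, tids


def probe_pid(pid):
    """Low-level view.  ESRCH (ProcessLookupError) means the PID is absent;
    EPERM (PermissionError) means it exists but belongs to someone else."""
    try:
        os.kill(pid, 0)
        return True
    except ProcessLookupError:
        return False
    except PermissionError:
        return True


def probed_pids(max_pid):
    """Every PID in 1..max_pid that the kernel acknowledges."""
    return {pid for pid in range(1, max_pid + 1) if probe_pid(pid)}


def pid_max(default=32768):
    """Upper bound of the PID space; the default is the classic Linux value."""
    try:
        with open("/proc/sys/kernel/pid_max") as f:
            return int(f.read())
    except (OSError, ValueError):
        return default


def hidden_candidates(listed, threads, probed):
    """Pure decision rule, kept separate so it can be checked on constructed
    views: a PID is suspicious if the probe sees it but it is neither a
    listed process nor a thread of a listed process."""
    return sorted(probed - listed - threads)


def cross_view_scan(max_pid=None, proc="/proc"):
    """Two passes with opposite ordering.  Pass 1 lists then probes, so a
    process that starts in between looks hidden; pass 2 re-probes only those
    candidates and then lists again, so a process still alive now appears in
    the listing and drops out.  Only a PID the probe sees in both passes and
    the listing misses in both passes is reported."""
    if max_pid is None:
        max_pid = pid_max()
    pids, tids = listed_views(proc)
    first = hidden_candidates(pids, tids, probed_pids(max_pid))
    if not first:
        return []
    still = {pid for pid in first if probe_pid(pid)}
    pids, tids = listed_views(proc)
    return hidden_candidates(pids, tids, still)


if __name__ == "__main__":
    suspects = cross_view_scan()
    if suspects:
        print("PIDs visible to kill() but absent from /proc:", suspects)
    else:
        print("no hidden processes found (views agree)")
```

A clean result means only that the two views agree; a rootkit that hooks both paths, or one that lives below the kernel, will not show up, which is why the column’s advice to rebuild from a clean install rather than trust a “fixed” machine still stands. A residual false positive is possible for a process that starts and exits inside the few milliseconds between pass 2’s probe and its listing, so a reported PID is worth re-running the scan on before acting.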
A Google search will direct you to multiple sources like Microsoft and McAfee where you can find free detectors. I’ve been using one from Sophos, a respected security software publisher (sophos.com). A scan of my main system revealed a handful of hidden processes and files; after deeper examination, I found all of them to be legitimate. However, a scan of my laptop indicated a possible threat, so I wiped that drive clean and re-installed everything from the ground up.
This new scourge is enough to make you contemplate pulling the network cable from every PC; but don’t give up: be aware and proactive. Just remember that crooks can be just as innovative as the good guys, that they often have a lot more spare time on their hands, and that they’ll always be creating new threats.