After reaching a record high in early 2011, rootkit malware has consistently dropped, with last quarter’s figure the lowest McAfee has tallied since 2008.
“We attribute the decline to the adoption of 64-bit microprocessors, which make it more difficult to attack the operating system kernel,” the company said in its Quarterly Threat Report.
The 64-bit microprocessor and OS designs increase system security due to enforcements such as digital signature checking and kernel patch protection for software that seeks to run at the highest privilege level inside the kernel, the firm explained.
That said, attackers have begun to find ways around 64-bit defenses. Hijacking digital certificates, exploiting kernel vulnerabilities, creating shell companies to digitally sign rootkit malware and attacking the built-in security safeguards of operating systems are all tactics to get around 64-bit safeguards.
“We believe that these techniques and others will result in an increase in rootkit-based attacks,” McAfee said. “This quarter, new rootkit infections rose again, though the chief culprit was a single 32-bit family, which may represent an anomaly.”
In addition to the slowing of the sample count, McAfee said that it has also seen a significant drop in the techniques that rootkits can employ to gain kernel privileges.
“No longer are attackers able to hook the kernel as freely as they once did or even install malicious device drivers,” it said. “These protections have certainly increased the cost to build and deploy rootkits on 64-bit platforms.”
The most recent example of a malicious detour was demonstrated by Uroburos, a sophisticated rootkit that may have been developed by Russian intelligence services, which went undetected for three years. Its purpose is to infiltrate large networks using a peer-to-peer structure to get to and steal data even from those PCs that aren't directly connected to the internet. Such computers are more likely to contain the victim's most confidential data.
McAfee explained that Uroburos took advantage of an old VirtualBox kernel driver that had a valid digital signature and a known vulnerability, exploiting it to disable the digital certificate check by the operating system and load its unsigned malware.
Bottom line, rootkits are dangerous because of their use of stealth to infect a system – so it allows them to remain hidden and potentially steal information for an extended period. The longer the period of infection, the greater are the chances of attackers stealing or destroying corporate and individual data.
“Unfortunately, the roadblocks set in place by 64-bit systems now appear to be mere speed bumps for well-organized attackers, who have already found ways to gain entry at the kernel level,” said McAfee.