The Root(kit) of all Evil: Software Criminals are Winning the Arms Race

Tue, 08/12/2014 - 11:40am
Randy C. Hice

Ah, sad news in the Hice household. The patient is terminal, and I’m keeping it alive on life support. I keep wallowing in self-pity and ask myself, “Why me?” I feel as though I’m somehow responsible for the illness.

Well, OK, I’m definitely responsible, why lie?

I may as well have been sharing blood-soaked hypos with a drug addict, but what I did was equally careless. In one brief lapse of concentration, I didn’t examine the URL on a “Windows update” and my venerable Dell Dimension 8300 was infected with a rootkit virus when I clicked “OK” to upgrade Internet Explorer. Now, the only cure is to shoot the damned, gangrenous thing right through the CPU and bury it. I haven’t brought myself to do it just yet, but that time is coming. I’m just slowly preparing for The End by migrating data to other machines.

Rootkit viruses come in many flavors and with many malignant purposes. What defines them is that they subvert the operating system itself: they replace or hook system files and drivers so that a virus checker running on the infected machine is asking a compromised OS what is on disk and in memory, and gets a sanitized answer. Rootkit effects can range from simply keeping browser hijackers alive on a machine to providing a free and open backdoor into your computer. With such access, professional hackers can traverse a system, even a network, and create all sorts of Hell.

I’m sure you’re wondering why Norton, McAfee, Avast, BitDefender, Kaspersky…well, name your champion antivirus application, can’t, excuse the pun, root out rootkits. They can’t. Trust me on this. Oh, some poorly-designed rootkits are susceptible to the wiles of these tools, but the better ones are not designed by some acne-faced teen looking to trumpet his or her skills; these things are designed by grizzled computer experts for financial gain. Even tools meant for rootkit removal are useless in the vast majority of cases. Hell, you may be lucky to even be aware of one operating on your system.

Think of it. If you were tasked with designing a pernicious rootkit virus, and had unlimited time, money and skills, what would you put into the design document?

  • Easy mechanism for infection: mimic Microsoft update screens exactly, disguise URL so it isn’t easily traceable to Russia, Romania, China or Poughkeepsie
  • Replace obscure OS files to hide under the radar of AntiVirus software, even infect the kernel of the OS
  • Disable antivirus (AV) updates
  • Disable antivirus
  • Disable rootkit remover downloads
  • Replace rootkit remover or AV displays with “Nothing found” reports
  • Continue to morph as certain AV or rootkit removers get too close

Sound like science fiction? Nope, the rootkit virus on my machine does at least all of the above. I’ll come to that in a moment.
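The first item on that design document is exactly the lapse described at the top of this column: a pop-up that looks like Windows Update but links somewhere else. What follows is an added example, not code from the column, showing the check worth making before clicking “OK”: parse the link and decide whether its host really belongs to a trusted domain, catching the usual disguises (a plain http link, a real host hidden after an `@`, a trusted name used as a subdomain of a hostile one, and homograph lookalikes). The allow-list `TRUSTED_DOMAINS` and the function `check_update_url` are assumptions made for this illustration; the allow-list is not Microsoft’s complete set of update domains.

```python
"""Decide whether a link that claims to be a Windows update really points at Microsoft."""
from urllib.parse import urlsplit

# Allow-list assumed for this example: registrable domains Microsoft serves
# updates from. It is an illustration, not Microsoft's complete list.
TRUSTED_DOMAINS = ("microsoft.com", "windowsupdate.com", "windows.com")


def check_update_url(url: str) -> tuple[bool, str]:
    """Return (ok, reason) for `url`.

    Every rejection names the trick it caught, so the reader can see why a
    link that *looks* like Microsoft is not.
    """
    try:
        parts = urlsplit(url.strip())
    except ValueError:
        return False, "unparseable URL"

    if parts.scheme != "https":
        return False, f"scheme is {parts.scheme or 'missing'}, not https"

    # "https://microsoft.com@evil.example/" puts the real host after the '@'.
    # urlsplit exposes the part before it as username and the real host as
    # hostname, so the userinfo itself is the tell.
    if parts.username is not None or parts.password is not None:
        return False, "userinfo before '@' hides the real host"

    host = parts.hostname  # already lowercased, port and userinfo stripped
    if not host:
        return False, "no host"

    # Homograph lookalikes (Cyrillic 'о' for Latin 'o') and punycode labels
    # are rejected outright rather than compared against the allow-list.
    if not host.isascii() or any(label.startswith("xn--") for label in host.split(".")):
        return False, "non-ASCII or punycode label in host"

    # Match the registrable domain exactly or as a subdomain. A plain
    # substring test would accept "update.microsoft.com.evil.example" and
    # "notmicrosoft.com"; the dot boundary is what makes this check correct.
    for domain in TRUSTED_DOMAINS:
        if host == domain or host.endswith("." + domain):
            return True, f"host {host} is under {domain}"
    return False, f"host {host} is not under a trusted domain"


if __name__ == "__main__":
    # Constructed sample links, the kind a fake "Windows update" pop-up shows.
    samples = [
        "https://update.microsoft.com/download/ie-upgrade",
        "http://update.microsoft.com/download/ie-upgrade",
        "https://microsoft.com@update-center.example/ie-upgrade",
        "https://update.microsoft.com.update-center.example/ie-upgrade",
        "https://notmicrosoft.com/ie-upgrade",
        "https://update.micros\u043eft.com/ie-upgrade",
    ]
    for link in samples:
        ok, why = check_update_url(link)
        print("ALLOW " if ok else "REJECT", link, "->", why)
```

The check is deliberately strict: it rejects anything it cannot positively place under a trusted domain rather than trying to enumerate bad patterns, because the attacker chooses the disguise and only one of the disguises above needs to slip past a permissive check.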

Where there’s misery, there’s margin. A cottage industry has cropped up keying on search terms for specific rootkits. Some appear to be from “industry experts,” complete with blogs, photos and such, but are actually storefronts for what is known as ScareWare. This term describes software that is often offered for “free” to the public. But, in most cases, the only “free” part is the scanner, which magically finds dozens of viruses, “registry errors,” and associated crud on a system. Of course, the scanner is free, but removal requires a license. Oh sure, there are thousands of searches each hour for “free rootkit removal tools” (or virus, etcetera), but one has to be aware that some of those may be, at best, a waste of time and, worst case, disguised viruses.

So, as a computer professional with a (hopefully) temporary lack of judgment, I concluded that the surest and, in fact, the easiest removal is the Nuclear Option. This involves a complete formatting of the hard drive and reloading of software. But, I wanted to see what all of the “expert” opinions on the Internet might suggest, so away I went.

I was infected with a rootkit I’ll call Bummer.for.You (not the real name, but why advertise to the world I have an open trapdoor on my system?). I’ll call it BFY to save time from here on. I realized something was amiss by running a paid version of a popular anti-malware system called Malwarebytes. Malwarebytes is smart enough to identify traces of BFY, buried in the registry, and even good enough to quarantine it, but BFY comes back minutes or hours later. The side effects I have noticed were the persistent recurrence of certain browser hijackers, one of which is dfo.donemace. Seemingly more annoying than insidious, dfo.donemace constantly assaults the senses with calls to upgrade browsers, video players and what have you. But there could definitely be lots of other fun activities going on.

OK, so my first instinct was to look on the Internet for specific tools with proven success against BFY. Ninety-five percent of the hits were from different columns/blogs/Web sites, and many appeared rather consistent in their solutions. Yeah, most said configure Windows Explorer to reveal hidden files, most told of specific processes to look for and kill (none were present), many suggest registry changes. Some made the process sound so odious that only a fool would attempt it rather than download a tool, typically SpyWare Hunter, but often TDSSKiller, Sophos or even a beta of Malwarebytes rootkit remover. I ignored SpyWare Hunter after many bad experiences were relayed on the Internet involving this tool.

Sophos seemed to be the most effective against BFY, so I downloaded it, but the tool was prevented from updating. Smart money said the BFY rootkit, fearing Sophos, prevented the update. It already had disabled Malwarebytes a few times. No worries, I booted in Safe Mode and was on my way. Downloaded the updates, and Sophos found something, but not the same stuff Malwarebytes found when I booted in Safe Mode and ran it.
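A blocked update is the “disable antivirus updates” item from the design document above, and one of the most common ways malware arranges it is the Windows hosts file: an entry that points a vendor’s update host at 127.0.0.1 or some bogus address makes the product’s downloads fail silently. This added example, not code from the column, parses hosts-file text and flags every mapping for a watch-listed security-vendor domain. `WATCHLIST`, the function names and the sample text `SAMPLE_HOSTS` are constructed for the illustration; the watch-list is an assumption, not a vendor-supplied list.

```python
"""Flag hosts-file entries that would block security-vendor update servers."""

# Registrable domains of vendors whose update hosts malware commonly redirects.
# This watch-list is an assumption for the example, not a vendor-supplied list.
WATCHLIST = (
    "microsoft.com", "windowsupdate.com", "sophos.com", "malwarebytes.org",
    "kaspersky.com", "symantec.com", "mcafee.com", "avast.com", "bitdefender.com",
)

HOSTS_PATH = r"C:\Windows\System32\drivers\etc\hosts"  # default location on Windows


def parse_hosts(text):
    """Yield (line_no, ip, [hostnames]) for every active mapping in hosts-file text.

    Handles '#' comments (full-line and trailing), tabs, several names on one
    line, CRLF endings and long runs of blank lines, which malware sometimes
    uses to push its entries far below the stock localhost lines.
    """
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            continue  # malformed line, not a mapping
        yield line_no, fields[0], [name.lower() for name in fields[1:]]


def watched_domain(hostname):
    """Return the watch-listed domain `hostname` falls under, else None."""
    for domain in WATCHLIST:
        if hostname == domain or hostname.endswith("." + domain):
            return domain
    return None


def find_update_blocks(text):
    """Return a finding dict for every hostname mapped to a watch-listed domain.

    Any such entry is suspicious regardless of the IP it maps to: a normal
    hosts file has no reason to resolve a vendor's update host locally at all.
    """
    findings = []
    for line_no, ip, names in parse_hosts(text):
        for name in names:
            domain = watched_domain(name)
            if domain is not None:
                findings.append({"line": line_no, "ip": ip, "host": name, "domain": domain})
    return findings


def scan_hosts_file(path=HOSTS_PATH):
    """Read a hosts file from disk and report findings; odd bytes are tolerated."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return find_update_blocks(fh.read())


# Constructed sample: the stock Windows entries followed by the kind of block
# list a rootkit plants. The 200 blank lines mimic the "scroll past it" trick.
SAMPLE_HOSTS = (
    "# Copyright (c) 1993-2009 Microsoft Corp.\r\n"
    "127.0.0.1       localhost\r\n"
    "::1             localhost\r\n"
    "192.168.1.20    printer.local   # benign, should not be flagged\r\n"
    + "\r\n" * 200 +
    "127.0.0.1\tupdate.symantec.com\r\n"
    "0.0.0.0 sophos.com www.sophos.com\r\n"
    "203.0.113.7 downloads.malwarebytes.org  # bogus address, not loopback\r\n"
)

if __name__ == "__main__":
    for f in find_update_blocks(SAMPLE_HOSTS):
        print(f"line {f['line']:>4}: {f['host']} -> {f['ip']}  (blocks {f['domain']})")
```

The caveat is the whole point of the column: run `scan_hosts_file` against the drive from clean boot media, or at least from Safe Mode as was done here, because a rootkit that hooks file reads on the live system can hide exactly these lines from any scanner that asks the infected OS for them.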

There’s no shortage of experts, and the complexion of BFY changes so much that each treatment is different.

This reminds me of upcoming cancer treatments based on “designer treatments” that are good for one patient, and one patient only. The same is true for rootkits.

Now, I played with these different tools and advanced level treatments for maybe a week, a few minutes at a time, 30 minutes max, and none worked. So, I had planned on exercising the nuclear option. Just one problem: this machine runs XP, and the Windows 7 Upgrade Advisor flagged a few issues, and there’s a chance that I might have to buy some new components to get around the compatibility warnings from Windows 7 Upgrade Advisor. Hmmmm….

The machine in question is not my mainstream machine; indeed, we have no fewer than 10 working computers in various flavors: desktops, laptops, netbooks and tablets…all on a LAN with my Dell server that hands out IP addresses to all of the machines. Not to mention, four networked printers, scanners, faxes and copiers, all on my network.

But the poor, infected XP box, well, I use that for personal e-mail and writing. Most of my columns for Scientific Computing were written on the old XP box, as well as novels, screenplays and other publications.

So, let’s see, the cheapest version of Windows 7 Professional (Windows 8 is out of the question for this old computer) is about $70. Likely, I would need a new video card, and why format the disk drive when a new terabyte disk is so cheap? Ah, well, and then there’s my time. What is that worth? Yeah, many computer professionals have formatted drives and reloaded the OS. If you’re organized, and have saved your original distribution media and drivers, it really is a straightforward process. If you’ve done none of that, well, you’re in for some fun, especially when it comes to drivers and such.

Now, all industry wonks say the majority of computers that will be sold in the next few years will be tablets. But there are many people, like me, that have tablets already, and while they are cool and portable, desktops are far easier to work on, especially if you’re going to upgrade components. I transmuted an old Dell desktop into a screamingly fast gaming computer with a massive power supply, big time processor, new motherboard, warp-speed video card, ridiculous memory and four terabytes of storage, and did so for hundreds of dollars, not the thousands an off-the-shelf gaming machine would cost. I was also able to show my then 14-year-old how to do it. I had him install every component. It took a little doing to get the power supply connections right, but the whole process was like an hour.

So, back to desktops. When I shoot the XP machine, a desktop is going to be the replacement. I looked at a local store and an HP machine with 4 gig of memory, a terabyte of storage, and preloaded with Windows 8 is $249. Wait, what?

It’s true. The same machine 10 years ago would have been $1500 — how the mighty have fallen. Competition, cheap labor, China. If Lamborghinis came down in price like computers, we’d all be driving to work at 200 MPH.

So, in the constant arms race between virus authors and virus killers, for now, the rootkit criminals are winning the war. On your next computer, keep the distribution media and be prepared. The nuclear option may be your only option, or maybe you just toss the machine in the trash, buy a new one, and call it a day.

Randy Hice is Director, Strategic Consulting at STARLIMS, and the author of the thriller novel Agbero. He may be reached at

