What type of interaction would trustworthy computing (also known as Palladium and TCPA) have with rootkits and OS security?

Greg Hoglund: I haven't looked at it. But, it will be defeated just like everything else. It will take a long time to mature. Assuming it ever sees the light of day, it will get beat up pretty badly coming out of the gate, but then get better over time. Don't trust technology, there is always risk. Maintenance and close attention is what keeps planes flying.

Have you already seen what's possible with Windows Vista?

Jamie Butler: I have not played with Vista yet. I am waiting for more software from Microsoft and security vendors to support 64-bit. Then, I am going to look at Vista 64-bit. I know Microsoft is starting to put some of the Next Generation Trusted Computing Base (NGTCB) technology into Longhorn, but it is being rolled out in stages. How much of Palladium actually makes it into the final product is yet to be seen.

In the book you write that Windows XP-SP2 introduced hot-patching, that is supporting the insertion of new code without rebooting. This feature is perfect for a rootkit playing with functions hooking. Is this another example of new features precedence over security?

Jamie Butler: Yes, this will be exciting for the rootkit community. Hot-patching is becoming a market necessity for large, critical servers, but it also plays into the hands of the attacker making things easier. Since hot-patching is a relatively new feature, we will have to see how it plays out.

OpenBSD's default kernel, called GENERIC, doesn't support LKM (Loadable Kernel Modules). Is this the best solution to fight kernel rootkits?

Jamie Butler: Well, it is a good place to start. However, many choose ease of use over security. Do you really want to have to administer this nightmare in a large company every time someone wants to install a peripheral device such as a printer? Also, even with driver loading turned off, people have shown that you can still introduce code into the kernel by writing to the file that represents physical memory or by exploiting kernel level buffer and heap overflows.

The book is focused on rootkits development, and includes just a single chapter at the end about defense, detection in particular. Don't you think that this book could be more useful to novice hackers than to those who would like to defend themselves, especially since we don't have access to Windows source code?

Jamie Butler: Rootkits have been around for years, and until this year they have been almost completely ignored. I wrote the FU rootkit as a proof-of-concept to bring more attention on the problem. The book is the same way. Vendors have been slow to adopt solutions. Greg and I are just exposing the true level of the threat. Be assured, your enemy already has the information. We only included one chapter on active defenses in the book because as soon as we spell out an algorithm for how to detect rootkits the rootkit authors will change their techniques.

Let's imagine that an admin is suspecting one of his Windows machines is owned by a rootkit. What would you suggest he do?

Jamie Butler: Well, there are some tools that can help identify rootkits. These are fairly young tools and rootkit developers have begun to hide from the rootkit discovery tools as well. One of the tools that an administrator might use to find evidence of a rootkit such as hidden files, Registry keys, and processes is Rootkit Revealer from Sysinternals. However, this tool does not identify processes hidden using data manipulation, which is what the FU rootkit uses. To detect the FU rootkit types of attacks, an administrator can use Blacklight by F-Secure. These are probably two of the more widely uses tools to detect rootkits in Windows. However, neither is perfect. If a rootkit is truly present, it is possible to hide from these tools as well, but it takes a great deal of effort in most cases. Also, once a rootkit is found, there is no good solution to get rid of it. Usually, a complete format and re-install of the computer is suggested because it is unknown how deeply the rootkit has compromised the machine.

Do you have any experience or story to share about rootkits hunting?

Greg Hoglund: Not really - I don't spend much time trying to detect rootkits. But, I do know that FU is one of the most widely deployed rootkits in the world. [It] seems to be the rootkit of choice for spyware and bot networks right now, and I've heard that they don't even bother recompiling the source - that the DLL's found in spyware match the checksum of the precompiled stuff available for download from rootkit.com. I think that is kinda lame, these spyware guys don't even bother to use the source.

Jamie Butler: This was an interesting story from someone at Microsoft who was trying to debug a problem caused by what turned out to be a rootkit.

How many companies or opensource projects used your code to develop or improve an anti-rootkit tool?

Jamie Butler: I am not sure how many companies use our research in their own tools, but I am sure that many monitor rootkit.com for developments. Symantec and others make signatures of the rootkits found there. Many anti-virus companies, forensics companies, and host based intrusion prevention companies have taken the class Greg and I teach called "Offensive Aspects of Rootkit Technology." Microsoft even seems to be more rootkit aware. They have stated that their 64-bit versions of the operating system will not allow hooking the system call table or the interrupt descriptor table. Hooking these is a common trick among rootkit authors. Also, modifications to process and thread objects are supposed to blue screen the new operating system. The FU rootkit is based upon modifying these and other key kernel objects so Microsoft evidently has taken notice.

This year seems to be the year of the rootkit. Other than file signatures, this is the first year we have really seen vendors take the threat of rootkits more seriously. Two tools were even released earlier this year: Rootkit Revealer from Sysinternals and Black Light from F-secure. Both of these were designed to find files, processes, and Registry keys that rootkits have hidden.

Is there any scenario where rootkits could be used legitimately?

Jamie Butler: There are many legitimate uses for rootkits and rootkit technology. However, some may be not use the terminology "rootkit." The same technology used by rootkits is used in security software to extend the protection of the operating system. An example of this is hooking the system call table in order to detect changes to the Windows Registry. Also, corporations use software to monitor their workers in order to enforce the company's IT policy. This corporate monitoring software uses stealth to hide its actions from the user so the user cannot remove it. The "stealth" that hides corporate spyware is the same that could be used in a rootkit. In addition to these examples, law enforcement can use rootkit technology to gather evidence on a suspect without the suspect's knowledge.