I noticed this morning a brief article over at Xatrix about rootkits on the rise, which sounded interesting. As it turns out, McAfee has put together some research indicating that "In the first quarter of 2006, the number of rootkits increased by 700 percent" and "Windows-based stealth components dominate the landscape, with an increase of 2,300 percent from 2001 to 2005". Wow! 2300 percent? Double-wow! Needless to say, these numbers seemed so astronomically high that I just had to dig into the methodology to see why that is.
After delving pretty deep, I'm convinced that this whitepaper, like much of the research coming out of the AV industry, suffers from a common flaw: namely, results that reflect a given vendor's product are being used as a benchmark for interpreting broad events. What do I mean by that? Let me take you through an example; take a look for a moment at the following startling graph from the McAfee whitepaper:

Seems pretty straightforward, right? Maybe, maybe not. Look closely at where the majority of the rootkit "growth" is coming from and you'll see that the lion's share is due to a relatively small handful of programs including "Backdoor-CKB", "Backdoor-BAC", and "W32/Feebs". To illustrate, let's do some digging on that huge spike of rootkit activity - the biggest one of the bunch - "Backdoor-CKB". Looking at the details, we find out that McAfee added detection capability for this rootkit somewhere between 10/2004 and 2/2005*. Looking again at the graph, we see an astronomical spike in the number of infections in 2005, within that same time window. It goes from nothing to the most popular rootkit (by far) in that period. Coincidence?
So which is it? Did this rootkit come out in 2004 and spread across the Internet faster than any other rootkit before or since, *OR* was this rootkit there all along, with the spike on the chart simply reflecting when McAfee added the ability to detect it? To find out, we need to do a bit of backtracking to try and estimate when the rootkit came out. "Backdoor-CKB" is, of course, not called that by the folks writing and using it; they call it "PCShare", of which the current version seems to be PCShare 3.11. The earliest reference I can find on the Internet to a version of PCShare that we can be sure was classified as "Backdoor-CKB" (using the presence of pcclient.dll in the rootkit to make sure) is from late 2003 ("PCShare 2.0 Beta1"). We don't have a file listing for earlier versions to ensure that they would still fall under the same McAfee classification, but even so - since rootkits are not generally available on major hacker sites for a few months after being written, we can conservatively estimate that this rootkit was around at least since late 2002.
Late 2002 - two full years before it appears on the McAfee chart. For two years, it's gaining in popularity, getting more and more users, more and more infections. Then McAfee adds detection capability, bringing with it a tremendous spike in detection volume. Now, two years after that, McAfee is using this spike as part of the evidence to make the claim that rootkit infections are up 2300 percent. Hmmm... If I deleted half the signatures from the AV product on my laptop and I used that AV product's output to collect data for a report entitled "50% less malware this year", would that be accurate? Look, I've no beef with McAfee, and really it's good that vendors are making this type of research available for free - but I really think we need to approach vendor-sponsored research with clear eyes. Especially if the instrument that they are using to collect the data is their own commercial product.
* The "discovered date" is Feb 2005 while the "minimum dat" was published in Oct 2004. Since it's unlikely that protection was offered before it was discovered, we can assume that one of these dates is probably inaccurate.
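To make the measurement effect above concrete, here is a small toy model (added here, not from the post or from McAfee) that computes "growth" from a product's detection counts when a signature for one family is only added partway through the series. The quarterly counts and the family names are constructed; the one page-derived assumption is a family present since late 2002 that gains a signature in 2004Q4.

```python
"""Toy model: detection-count growth vs. true infection growth when a
signature is added mid-series. Added example; all numbers are constructed."""
from typing import Dict, List, Tuple

# Quarters 2002Q4 .. 2005Q4 (13 quarters).
QUARTERS = [f"{y}Q{q}" for y in range(2002, 2006) for q in range(1, 5)][3:]

# Constructed "true" infections per quarter: both families grow modestly.
TRUE_COUNTS: Dict[str, List[int]] = {
    "FamilyA": [100, 110, 120, 130, 140, 150, 160, 170, 180, 190, 200, 210, 220],
    "FamilyB": [50, 55, 60, 65, 70, 75, 80, 85, 90, 95, 100, 105, 110],
}
# Quarter in which the vendor first ships a signature for each family
# (assumption: FamilyA covered from the start, FamilyB only from 2004Q4).
SIGNATURE_ADDED = {"FamilyA": "2002Q4", "FamilyB": "2004Q4"}


def observed_counts(true_counts: Dict[str, List[int]],
                    signature_added: Dict[str, str],
                    quarters: List[str]) -> Dict[str, List[int]]:
    """What the product can report: zero detections before it has a signature."""
    observed = {}
    for fam, series in true_counts.items():
        start = quarters.index(signature_added[fam])
        observed[fam] = [n if i >= start else 0 for i, n in enumerate(series)]
    return observed


def yearly_totals(counts: Dict[str, List[int]], quarters: List[str]) -> Dict[str, int]:
    """Sum all families per calendar year (key is the 4-digit year)."""
    totals: Dict[str, int] = {}
    for series in counts.values():
        for q, n in zip(quarters, series):
            totals[q[:4]] = totals.get(q[:4], 0) + n
    return totals


def growth_pct(totals: Dict[str, int], year_from: str, year_to: str) -> float:
    base = totals[year_from]
    return round((totals[year_to] - base) / base * 100, 1)


def compare(year_from: str = "2003", year_to: str = "2005") -> Tuple[float, float]:
    """Return (true growth %, growth % as seen through the product's detections)."""
    obs = observed_counts(TRUE_COUNTS, SIGNATURE_ADDED, QUARTERS)
    return (growth_pct(yearly_totals(TRUE_COUNTS, QUARTERS), year_from, year_to),
            growth_pct(yearly_totals(obs, QUARTERS), year_from, year_to))


if __name__ == "__main__":
    print("true vs. observed growth 2003->2005:", compare())
```

The same steady 64% real growth shows up as 146% once the late signature is in the series, which is exactly the kind of inflation a vendor-telemetry chart can carry.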
Posted by Ed at April 26, 2006 09:32 AM