Are Rootkits Always Evil?

Submitted by Mike Rothman on Wed, 2006-03-01 09:17.
Now that the hubbub has died down around the whole rootkit fiasco (exacerbated by boneheaded moves from the likes of Sony), let’s revisit the topic. Aside from the religious perspectives on whether rootkit-like techniques are good or bad, from an end user’s perspective – should you care if your security vendors use rootkit-like techniques?

First let’s define rootkit-like techniques. Here is the Wikipedia definition:

A rootkit is a set of software tools frequently used by a third party (usually an intruder) after gaining access to a computer system. These tools are intended to conceal running processes, files or system data, which helps an intruder maintain access to a system without the user's knowledge.

From a simplistic point of view, rootkit-like techniques involve masking many of a program’s registry entries and executables to make it difficult to uninstall, and/or providing backdoors that allow someone else to control the computer.

One man’s opinion is that this is all much ado about nothing. To be clear, Sony was stupid, both in their methods of trying to protect their music (which did open backdoors) and also in how they handled the situation once it happened. For the purposes of this discussion, we need to separate out consumer use vs. business use.

Rootkits are never acceptable in consumer applications. Consumers do not know the difference, have no idea how to remove these kinds of applications, and are unaware that these approaches may open up a backdoor to the computer, so that is just a no-no. But Security Incite doesn’t really follow the consumer markets, so let's move on.

For business use, some of these techniques are not all bad. Sure, this is going out on a limb. Obviously you don’t want sanctioned software to open up backdoors. But using rootkit-like techniques to ensure that security software is not uninstalled is cool with me. Why? Businesses control the equipment they give to employees to do their job. They expect that employees will not uninstall security software because it’s inconvenient. But this is exactly what happens, more often than most folks care to admit.

Indulge me for a moment. IT decides to clamp down on unauthorized wireless networks. This is certainly not out of the ordinary, since connecting at Starbucks can present a liability, and who knows what folks have running on their home networks. But employee geek is grumpy because he’s under-caffeinated, so he heads off to Starbucks for the triple espresso. When he can’t connect, he just uninstalls the security software and ta-da – he’s on the network. No harm, no foul. Of course, until some worm that originates from that mobile connection blasts the internal network.

So, is it out of line for a vendor of endpoint security products to use techniques to ensure that corporate policies are enforced? Even if these “techniques” could be interpreted to use rootkit-like methods of protecting the application? I don’t think so because the pragmatist in me is always focused on getting the job done, even if the solution has a little hair.

Now for a reasonably significant caveat. This does involve trusting the security vendor to get it right, and as a customer, it is well within your rights to delve DEEPLY into how they do things to get comfortable with the approach.

But in general, let the religious masses continue to throw spears at each other, while you focus on protecting your mobile devices. Even if it involves using some controversial techniques.