“Rootkit” revamped?

Wearing my “glossary guy” hat, one of the things I’ve noticed is how difficult it is to come to complete agreement on the precise definition of many terms that are used in infosec. There are, for example, three quite distinct meanings for the term “tar pit,” and that’s in terms of networking alone. (It is highly unlikely that we will ever be able to reduce the number of tar pit definitions to one: all the definitions came at about the same time, and all are important and equally valid.)

However, what really irks me is when defined and agreed upon terms start being misused, sometimes to the point where the original term becomes useless. There is, of course, “hacker.” (And I’ve given Hal a diatribe about “zero day” which will probably be coming out in the next ISMH.)

The latest endangered term seems to be “rootkit.” A rootkit has been defined as programming that allows escalation of privilege or the option to re-enter the compromised system with greater ease in the future. Often rootkits also contain functions that prevent detection of, or recovery from, the compromise.

Starting with the recent Sony “digital rights management” debacle, the general media now seems to be using “rootkit” to refer to any programming that hides any form of information on a system, and specifically any functions that impede the detection of malware. The latest reports are that Bagle and other malware/virus families now contain “rootkits.” Antidetection features in viruses are nothing new: there was a form of tunnelling stealth implemented in the Brain virus 20 years ago. Therefore, to use the term rootkit to refer to this activity can only degrade the value of the term.

It has been difficult to ensure that infosec specialists can at least talk to each other and exchange useful information. However, this may not last much longer if our “precious verbal essences” become contaminated.


Published by

Researcher, author, communications guy, teacher, security maven, management consultant, and general loudmouth Rob Slade. Also http://twitter.com/rslade
