Comments on NYT article: A sneaky security problem, ignored by the bad guys
Today I read an article on the New York Times website called "A sneaky security problem, ignored by the bad guys".
I had a conversation by phone and mail with its author, Robert McMillan from IDG News, beforehand and answered some of his questions about my Rustock.C research, as he was planning to write the above story. There are some quotes by Al Huger from Symantec in this article that I would like to comment on, as I disagree with most of his statements regarding rootkits.
"It's extremely difficult to write code for your kernel that doesn't crash your computer," said Alfred Huger, vice president of Symantec's Security Response team. "Your software can step on somebody else's pretty easily."
I think this statement comes from the crashes that Rustock.C produced while it was being analyzed. But in fact it only crashed if the decryption failed, because the rootkit was being analyzed on a different box rather than the originally infected one (check my slides for details). The Rustock family has proven to have stable code, as have other creatures from its author like MEBROOT. If it crashed victims' boxes all the time, they would have reinstalled their OSes very quickly, but in fact I know people who had this beast on their boxes for a year without any crash and without even knowing about its existence.
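To make the "decryption fails on another box" point concrete: the following is an added illustration, written for this commentary, of a payload whose decryption key is derived from machine-specific identifiers. It is not Rustock.C's actual scheme (the post does not describe that; see the slides), and every identifier, salt, nonce and payload byte in it is constructed for the example. It shows both outcomes an analyst can run into: an unchecked decryptor that yields garbage on the wrong machine (which, if executed, is the crash described above), and a checked decryptor that simply refuses.

```python
import hashlib
import hmac

# Constructed, hypothetical machine identifiers (not values from any real box).
BOX_A = ("cpuid:GenuineIntel-0x000906ea", "disk:WD-WCC4E1234567", "bios:A08")
BOX_B = ("cpuid:AuthenticAMD-0x00800f82", "disk:ST1000DM010-Z9A1", "bios:1.2.3")


def machine_fingerprint(identifiers):
    """Collapse a tuple of machine-specific strings into a 32-byte digest.

    Any difference in an identifier (a different CPU, disk or BIOS on the
    analyst's box) yields a completely different fingerprint and hence key.
    """
    h = hashlib.sha256()
    for ident in identifiers:
        h.update(ident.encode("utf-8") + b"\x00")
    return h.digest()


def derive_key(fingerprint, salt):
    """Stretch the fingerprint into a 32-byte key with PBKDF2-HMAC-SHA256."""
    return hashlib.pbkdf2_hmac("sha256", fingerprint, salt, 10_000, dklen=32)


def keystream(key, nonce, length):
    """Counter-mode keystream from HMAC-SHA256 (illustrative, not a vetted cipher)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def xor_bytes(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def bind_payload(payload, identifiers, salt, nonce):
    """Encrypt payload under a key derived from this machine's identifiers."""
    key = derive_key(machine_fingerprint(identifiers), salt)
    ciphertext = xor_bytes(payload, keystream(key, nonce, len(payload)))
    tag = hmac.new(key, nonce + ciphertext, hashlib.sha256).digest()
    return {"salt": salt, "nonce": nonce, "ct": ciphertext, "tag": tag}


def unbind_unchecked(blob, identifiers):
    """Decrypt with no integrity check: on the wrong box this returns garbage,
    and code that jumps into garbage is exactly the 'crash' an analyst sees."""
    key = derive_key(machine_fingerprint(identifiers), blob["salt"])
    return xor_bytes(blob["ct"], keystream(key, blob["nonce"], len(blob["ct"])))


def unbind_checked(blob, identifiers):
    """Decrypt, but verify the tag first and fail closed on the wrong box."""
    key = derive_key(machine_fingerprint(identifiers), blob["salt"])
    expected = hmac.new(key, blob["nonce"] + blob["ct"], hashlib.sha256).digest()
    if not hmac.compare_digest(expected, blob["tag"]):
        return None
    return xor_bytes(blob["ct"], keystream(key, blob["nonce"], len(blob["ct"])))


def demo():
    """Bind a constructed payload to BOX_A, then try to recover it on both boxes."""
    payload = b"\x90\x90\xcc" + b"payload bound to box A"  # constructed stand-in, not real code
    blob = bind_payload(payload, BOX_A, salt=b"\x01" * 16, nonce=b"\x02" * 8)
    on_a = unbind_checked(blob, BOX_A)            # original box: payload recovered
    on_b_checked = unbind_checked(blob, BOX_B)    # analyst box, checked: None
    on_b_unchecked = unbind_unchecked(blob, BOX_B)  # analyst box, unchecked: garbage
    return on_a, on_b_checked, on_b_unchecked


if __name__ == "__main__":
    a, b_checked, b_unchecked = demo()
    print("box A:", a)
    print("box B (checked):", b_checked)
    print("box B (unchecked):", b_unchecked.hex())
```

The practical consequence for analysis is the one the commentary draws: a sample like this has to be decrypted with the identifiers of the originally infected machine (or from a memory image taken on it), and a crash on the analyst's box says nothing about how stable the code is on its victim.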
"Huger agrees that while rootkits are still a problem for Unix users, they're not widespread on Windows PCs."
Yep, sure. How old is the last well-known rootkit on Unix, please? Three or four years? And what about rootkits on Windows? Rustock, Srizbi, Ascesso, Mebroot... A bigger list is here:
"Rootkits make up far less than 1 percent of all the attempted infections that Symantec tracks these days."
If I just count all the useless malware created with lame kits or code written by some kiddies, then rootkits might be only 1 percent, but if I take a look at the really effective spambots, banking trojans and so forth, nearly all of them use rootkit techniques to hide their tracks.
OK, that's all for now. Sorry for being so rude about Al's statements, but I had to clarify this.