January 19th, 2006
Enough Arguing: Let’s All Agree on a Rootkit Definition, Says Symantec

By Michael Santo
Contributing Writer, RealTechNews
As you may recall, we earlier posted a story about Symantec’s use of rootkit-like features in SystemWorks. You may also recall that it received a lot of attention and comments, including much discussion of whether it was a rootkit, what a rootkit is, and so on.
Symantec has started to back a vendor-neutral push to define rootkits unambiguously, because it feels it was unfairly criticized by the public once the word “rootkit” was used.
“We have found that trying to pin down just how to describe what constitutes a rootkit depends heavily on whom you are talking to or which particular definition, of the many varied definitions available, you are reading,” (Vincent) Weaver (senior director of Symantec Security Response) said.
Theoretically, according to Symantec’s own definition, a rootkit is a component that uses stealth to maintain a persistent and undetectable presence on a computer. “Actions performed by a rootkit, such as installation and any form of code execution, are done without end-user consent or knowledge.”
A Google search query for the term “rootkit + definition” returns multiple results with various descriptions. Source: eWeek via Yahoo! News
We Say: Me? I tend to agree with Mark Russinovich, author of the Rootkit Revealer and the person who brought the Sony DRM issue to light … a rootkit is “Software that hides itself or other objects, such as files, processes, and Registry keys, from view of standard diagnostic, administrative, and security software.” Also, in the same blog post, he indicates “If a software developer ever believes a rootkit is a necessary part of their architecture they should go back and re-architect their solution.”
In a case like this, I’m not so concerned with defining the exact technology in use as I am with fixing the problem and getting the word out. My major issue with Symantec at the time of the original article was not so much with the problem, but that apparently they had to be informed about the issue by 3rd-party experts. I simply expect them, as “experts” themselves, to not make this type of mistake.












