Rootkits are a controversial subject. When the book (Rootkits, Subverting the Windows Kernel) came out and the associated site (rootkit.com) was started, the subject exploded. Of course the Sony DRM fiasco did also plenty to generate media buzz. Because of this, many detection tools were born. Some were created by traditional security companies and some by relatively unknown people. A small fraction of the people creating these tools have dubious ethical background (proven by the fact that they condone and solicitate illegal activities like DDoS-ing and defacing, seek to create rootkits which are not detectable by anyone, etc). Why doest this matter? Because these tools work by loading their code in the kernel and thus only work if they are started from an Administrator account. Metaphorically speaking: running these tools is like handing over the keys to your house to let them check if your security system works. When doing that you should make sure that you trust the right person!
Given my recent negative experience with the author of one such home-brew tool, I thought that I put together a list of ideas the developers of such programs should follow and ask them to
sign it (it’s written in quotes because obviously the signature will be a virtual one). So here is the list:
Manifesto of the ethical Anti-Rootkit writer
- I will give a high level description of the actions performed by my program which can be understood by even moderately technical savvy user (so called
power users) and I will follow that description to the letter (for example, if you state that
this tool allows the detection of hidden processes, the tool should only detect the processes, not terminate them. If the tool also terminates them, that should be included in the description).
- The program will not perform possibly dangerous operations without user consent. The message informing the user should contain a simple enough description of the action so that
power usersare able to understand it, and also list the possible risks.
- I will limit my kernel mode code to as little as possible.
- I will clearly list the supported platforms (operating system version and patch level) and give the user warnings if the s/he is using the tool on an unsupported platform.
- I do not approve or am engaged in illegal activities (like site defacement, DDoS, etc)
- All of my research is done on computers owned by me or by consenting people. In case I ask other people to test my programs / products, I will provide them with a detailed description of what the program does, what the associated risks of using this program are and what files / registry keys are associated with / modified by the program.
- I practice responsible disclosure. I notify vendors prior to releasing any information which could negatively impact the security of the people using their products.
If you are a vendor / author of an Anti-Rootkit program and would like to appear in the above list, send me an e-mail ([email protected]) from a verifiable e-mail address (meaning that the sending e-mail address either appears on the site of the program or is from the same domain) stating that you understand the above terms and follow them and I will include your products name in the list. You can also e-mail me if you have suggestions and/or comments or you can leave me a comment below. I will get back to you as soon as possible.
Q: what are the guarantees that the products who appear on that list really will follow the terms?
A: There is no guarantee. The inclusion in the list is voluntary and does not involve any verification on my part (because I don’t have the time to disassemble all the versions of all the anti-rootkits out there and do this whenever a new version comes out). Further more some criteria on the list are not clearly defined (like the one with as little code in the kernel as possible).
Q: What does it prove if a vendor / program appears in this list?
A: Strictly speaking in proves that somebody with an e-mail account representative of the product has e-mail-ed me that they understand and follow these principles and would like to be included on the list. In a more broader sense it proves that they have thought about these issues and (most probably) follow them.
Q: Can people / vendors be removed from the list?
A: If there is public evidence of them violating these principles, they will be removed and a description will be posted of the reasons for removing them with links to the evidence.
Q: Why are the terms so vague?
A: The list tries to be as inclusive as possible. If somebody signs it, (hopefully) it means that they at least thought about these matters and follow some basic ethical principles. And make no mistake, there are some out there, who don’t follow even these broad terms. Also, the fact that a person / vendor appears on this list does not mean that this is their code of ethics. It may very well mean that they have a much stricter code of ethics which is included in the above list.