Wednesday, September 20, 2006

symantec and the poor man's 'rootkit'

can't we stop calling everything a rootkit? please?

i grow weary of pointing out terminology misuse over and over again - from stealth digital rights malware, to protected recycle bins, to anti-virus products, to alternate data streams (yes, ADS all by itself has been likened to a 'rootkit') - but if someone sinks to a new low, well the full range of this terminology abuse needs to be documented in order to underscore how idiotic it is...

the latest 'new low' comes from symantec where the 'rootkit' label is being (loosely) applied to a trojan that scans through the registry for programs that get run and then replaces one (or more?) of them with a copy of itself while saving a backup of the original to execute after the trojan gets executed...

so apparently now trojans that employ the non-viral equivalent of companion file infection are 'rootkits'... well gee, at that rate just about any kind of program parasitism (i hesitate to call it file infection as i reserve infection for self-replicators) is a 'rootkit' technique, since just about all of them hide changes as well as or even better than companion infectors (overwriting infectors are about the only kind that do a worse job)... so nearly all file infecting viruses and other forms of parasitic malware are 'rootkits' - yeah, that's a wonderful message to be sending people who look to you for expert analysis, symantec... thanks a lot...
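to make the point concrete, here is an added example (my illustration, not code from the original post and not anything from symantec's analysis) of why a companion-style replacement is not a rootkit in any useful sense: it subverts nothing the OS reports, so a plain integrity baseline over the autorun targets catches it. it assumes the autorun entries are handed in as a name-to-path dict (on a real windows box you would read them out of the Run keys with winreg), that the trojan parks the original under a `.bak` name (the post does not say what name the real thing uses, so that is a guess), and the program files themselves are constructed dummies in a temp directory.

```python
"""Baseline-and-compare check for autorun targets.

Added example, not from the original post.  Models the 'companion' trick
the post describes: a trojan copies itself over a program the registry
says gets run, and parks the original under another name so it can run
it afterwards.  Nothing here hides from the OS, so a hash baseline of
the autorun targets is enough to see it.

Assumptions: autorun entries arrive as a dict of name -> path (on
Windows you would enumerate HKCU/HKLM
\\Software\\Microsoft\\Windows\\CurrentVersion\\Run with winreg); the
backup file name is a guess; all file contents are constructed here.
"""
import hashlib
import os
import tempfile
from collections import defaultdict


def sha256_of(path):
    with open(path, "rb") as f:
        return hashlib.sha256(f.read()).hexdigest()


def baseline(autoruns):
    """name -> sha256 of the file each autorun entry points at."""
    return {name: sha256_of(path) for name, path in autoruns.items()}


def check(autoruns, known_good):
    """Return a list of (name, reason) findings.

    Two signals:
      * target hash differs from the baseline -> the file was replaced
      * several distinct autorun targets share one hash -> one body was
        copied over several programs, which is what a self-copying
        companion does when it hits "one (or more)" entries
    """
    findings = []
    current = baseline(autoruns)
    by_hash = defaultdict(list)
    for name, digest in current.items():
        by_hash[digest].append(name)
        if known_good.get(name) != digest:
            findings.append((name, "hash differs from baseline"))
    for names in by_hash.values():
        if len(names) > 1:
            for name in names:
                others = ", ".join(n for n in names if n != name)
                findings.append((name, "same body as " + others))
    return findings


def companion_replace(target, body, backup_suffix=".bak"):
    """Simulate the trojan: keep the original under another name and put
    the trojan body where the program was.  Backup name is an assumption."""
    os.replace(target, target + backup_suffix)
    with open(target, "wb") as f:
        f.write(body)


def demo():
    """Constructed scenario: three autorun programs, two get replaced.
    Returns (sorted names flagged, sorted directory listing)."""
    d = tempfile.mkdtemp()
    autoruns = {}
    for name in ("updater", "tray", "sync"):
        path = os.path.join(d, name + ".exe")
        with open(path, "wb") as f:
            f.write(("original %s program" % name).encode())
        autoruns[name] = path
    good = baseline(autoruns)
    assert check(autoruns, good) == []  # clean system: nothing to report
    trojan = b"MZ constructed trojan body"
    companion_replace(autoruns["updater"], trojan)
    companion_replace(autoruns["sync"], trojan)
    findings = check(autoruns, good)
    flagged = sorted({name for name, _ in findings})
    return flagged, sorted(os.listdir(d))


if __name__ == "__main__":
    flagged, listing = demo()
    print("flagged:", flagged)
    print("files:", listing)
```

the two signals are deliberately cheap: a hash mismatch against a stored baseline, and the same hash turning up behind more than one autorun entry. a real rootkit would be the thing that makes `sha256_of` lie to you (hooking the file read, filtering the directory listing); this trojan does neither, which is the whole point.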

things weren't bad enough when virus was treated as an umbrella term, or when spyware became the new umbrella term, now it's going to be 'rootkit'... let's take this absurd "if it hides things it's a rootkit" business to its logical conclusion, shall we? file permissions are a 'rootkit' technique, attrib is a 'rootkit', popups are 'rootkits', the cursor is a micro-'rootkit' - my trousers are a 'rootkit'...
