Rarely does anyone write about the benefits of rootkits, and for good reason. These sophisticated packages are very effective at hiding and defending their presence and that of their malicious payloads.
Whitelisting is an effective defense against rootkit droppers. It doesn’t matter whether the dropper tries to load as a print processor, a service or a driver, or whether it tries to attach to something already running. If it isn’t approved, it doesn’t run.
But what happens if an endpoint is already compromised? Whitelisting often starts with a baseline of known good software on the endpoint. If the system is already infected with malware when this baseline is created, then the malware may get approved along with legitimate software. But rootkits are different.
We recently had a customer roll out Bit9 Parity to systems that were infected with a TDL3 (aka TDSS) variant. The system was presumed to be clean (it had an antivirus product installed, after all), so software already present was approved to run on that endpoint. But the rootkit succeeded in hiding its pedestrian payload while the baseline was created. This ensured the payload would not be approved because it was never seen.
Sure enough, when the payload ran, it was successfully blocked and reported, and its very presence was indication enough of an infection, which was subsequently eliminated.
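The mechanism behind that outcome, as an added illustration that is not part of the original post and not Bit9's own code: a baseline is built from whatever the endpoint can enumerate at approval time, and enforcement later hashes the actual bytes being loaded. The "disk" contents, the file paths and the set of files the rootkit filters from directory listings are all constructed sample data for the example.

```python
import hashlib
from typing import Dict, List, Set

# Constructed sample "disk": path -> file bytes. Placeholder content only.
DISK: Dict[str, bytes] = {
    r"C:\Windows\System32\notepad.exe": b"MZ legitimate editor",
    r"C:\Program Files\AV\scanner.exe": b"MZ antivirus scanner",
    r"C:\Windows\System32\drivers\rk_driver.sys": b"MZ hidden driver (placeholder)",
    r"C:\Windows\Temp\payload.exe": b"MZ hidden payload (placeholder)",
}

# Constructed: paths the rootkit hides from any directory enumeration.
HIDDEN_BY_ROOTKIT: Set[str] = {
    r"C:\Windows\System32\drivers\rk_driver.sys",
    r"C:\Windows\Temp\payload.exe",
}


def sha256_hex(data: bytes) -> str:
    """Content hash used as the approval key (file path is not trusted)."""
    return hashlib.sha256(data).hexdigest()


def enumerate_files(disk: Dict[str, bytes], hidden: Set[str]) -> Dict[str, bytes]:
    """Directory listing as seen through a rootkit that filters its own files."""
    return {path: data for path, data in disk.items() if path not in hidden}


def build_baseline(visible: Dict[str, bytes]) -> Set[str]:
    """Approve everything present at rollout: the 'presumed clean' baseline."""
    return {sha256_hex(data) for data in visible.values()}


def execution_allowed(baseline: Set[str], data: bytes) -> bool:
    """Enforcement: the loader hashes the real bytes; unknown hash means deny."""
    return sha256_hex(data) in baseline


def run_scenario() -> Dict[str, bool]:
    """Baseline built through the rootkit's filtered view, then every file
    on disk attempts to execute. Returns path -> allowed decision."""
    visible = enumerate_files(DISK, HIDDEN_BY_ROOTKIT)
    baseline = build_baseline(visible)
    # At execution time the bytes are read regardless of listing tricks:
    # the hidden payload was never hashed, so its hash is not approved.
    return {path: execution_allowed(baseline, data) for path, data in DISK.items()}


def blocked_paths(decisions: Dict[str, bool]) -> List[str]:
    """Blocked executions are the report that reveals the infection."""
    return sorted(path for path, allowed in decisions.items() if not allowed)


if __name__ == "__main__":
    result = run_scenario()
    for path, allowed in result.items():
        print(("ALLOW " if allowed else "BLOCK ") + path)
    print("Unapproved execution attempts to investigate:", blocked_paths(result))
```

The block keys approval on content hashes rather than paths, which is why hiding a file from the baseline enumeration works against the attacker: a file that was never hashed has no approved hash, and a legitimate file that is later tampered with also fails the check for the same reason.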
Rootkits can sometimes be their own worst enemy.