Interview with Rootkit Hunter author Michael Boelen

Michael Boelen: I'm a 22 years old guy, working for a small company (small webhosting, maintaining servers/services and application development). My task it to maintain the internal servers and perform administration for our customers. I live in The Netherlands at my parents. Computers are my hobby and my work, so I'm the author of Rootkit Hunter :-)

My main interests are networking, hardware, security and small application development. As many people, I like to read, but especially interested in computer related stuff.

MB: It's a special part of computer services, which attracts me because it's never the same. It's a dynamic world inside the big computer world. Although a lot of companies aren't aware of the consequences of (a missing plan for) security, I think it's a very important part. That's why almost everyone in the computer world will use/need some security enhancements sooner or later. In my case, open relays, Trojans and viruses were the first signals to have a better look at security.

MB: Rootkits are often little packages with some binaries, some sources and an easy-to-use installer. These packages are being created to 'stay root' after a successful comprise of a host. The installer in these packages do check the host and replaces the default binaries with the one in the package. Most times these are binaries like 'ps', 'ls', 'top', 'netstat', where traces of the hacker/cracker/scriptkiddie are being filtered, with one purpose: hide evil processes, network connections etc.

Because rootkits are unwanted and difficult to find without good searching, automated tools are being created. Although an UNIX specialist is often able to find bad things better/quicker than automated tools, it can be a very valuable tool. Of course it is a nice addition to UNIX specialists, but also for average UNIX users which aren't able to find out with things of a UNIX system are good or evil (like hidden files, bad strings, not usual network ports etc).

MB: The lack of active development is the most important one. I won't say my tool is better than the others, but I try to maintain it as active as possible. When users come with (nice) new ideas, most times I try to implement it as soon as possible.

MB: Yes, a lot of interesting information. I also have a better idea now (since the development) why hackers/crackers/scriptkiddies use rootkits and what to do to detect them. The most difficult part is to maintain an utility which keeps smart enough to detect suspicious traces on a system.

Most tools use the same approach, so I tried to combine as many as possible ways to detect these suspicious traces. And although it gets better every release, a lot of things have to be done.

Rootkits don't have a 'normal' trend like viruses/worms have, because viruses aren't often used for a single person to achieve his goal (beside breaking up systems, sending spam or planting a trojan). In fact, some individuals create rootkits for their needs at the moment they need them. These custom made rootkits contain often simple things like IRC bots, backdoors and sniffers. Within the next few months, those things will be getting special attention from me and added to Rootkit Hunter. Rootkits won't quickly disappear, so the war isn't yet over.

MB: I have really no idea, because most rootkits and backdoors are still being used by individuals and use private parts (although there are a lot of often used public tools). So I haven't seen any tools yet, which are build to hide for Rootkit Hunter. But I'll guess there will be variants already available.

MB: On both ways, because maintaining a 'rootkit hunter' is almost similar to maintaining an anti-virus tool, with one exception, viruses aren't made to be hidden for the system (yet?). So anti-virus developers try to discover as quick as possible new (unknown) viruses. The approach on rootkits is a little bit different. It means also adding unknown rootkits, but more important, adding new ways to discover all kinds of hack traces.

MB: I guess tools like this one, won't be quickly useless, because even if you have a secured system (like with SElinux and all other kernel and application improvements), it's always possible someone breaks your system. At that stage, tools like Rootkit Hunter (and the few others) can provide an administrator very useful information.

This interview gives me the opportunity to ask people an easy question: If you find something interesting for me, can you send it to me?

The question above gives an answer to your question, because although I can improve Rootkit Hunter a lot, I really need input from the users and the guys on the field. Rootkits, sniffers, ideas and even books are needed to keep on improving. Till now I have already got a lot of input, but I still need more information. So have a simple thought about the future: it only will be better, but only if I get support from the community!