Talk:Rootkit/GA1


GA Review


Reviewer: Pnm (talk) 02:29, 13 December 2010 (UTC)

GA review (see here for criteria)
  1. It is reasonably well written.
    a (prose): b (MoS for lead, layout, word choice, fiction, and lists):
    Prose is OK. Sometimes wordy.[1][2][3] Difference-based contains a very long sentence.[4] Uses and Installation and cloaking sections could benefit from copyediting. Minor word choice issues: unencyclopedic-sounding phrase in Alternative trusted medium: "the best and most reliable method;" weaselly: "there are experts."
  2. It is factually accurate and verifiable.
    a (references): b (citations to reliable sources):
    Some sections don't cite enough sources:
    c (OR):
    Several sections contain examples of original research, synthesis, or attributions not backed up by the cited sources:
    Examples:
    • "The public-relations fallout for Sony BMG was compared by one analyst to the 1982 Chicago Tylenol murders.[5]"
    Not in source. The source describes the seriousness of the incident, not the public-relations fallout.[6]
 Fixed – Replaced specific mention of Tylenol incident with a quote from the article. --Pnm (talk) 00:37, 17 December 2010 (UTC)
    • "The installation of rootkits is commercially driven, with a Pay-Per-Install (PPI) compensation method for distributors.[7]"
    Dubious, unsupported by the source, and contradicts statements in Public availability. The source is about a single rootkit, which should be named.[8]
    • "Given the stealth nature of rootkits, there are experts who believe that the only reliable way to remove them is to re-install the operating system from trusted media.[9][10]"
    Synthesis. The sources support "some believe the only reliable way..." but neither source credits "the stealth nature of rootkits."
 Fixed – Removed "Given the stealth nature of rootkits." --Pnm (talk) 01:26, 17 December 2010 (UTC)
    • "Most of the rootkits available on the Internet are constructed as an exploit or academic "proof of concept" to demonstrate varying methods of hiding things within a computer system and taking unauthorized control of it."[11]
    Misattributed, and dubious. The source says "some," not "most", includes the phrase "for now," and uses tone which further implies tentativeness/qualification.
  3. It is broad in its coverage.
    a (major aspects): b (focused):
    Good work improving this in recent months.
  4. It follows the neutral point of view policy.
    Fair representation without bias:
    Two issues:
    1. The paragraph on the Sony rootkit scandal obscures what it's trying to say in order to sound NPOV. It should be rewritten to be more direct, less detailed, and more objective. Amazingly it buries the link to the main article Sony BMG CD copy protection scandal near the end of the paragraph, yet links to Sony BMG eight times. The mention of the 1982 Chicago Tylenol murders has a referencing problem (explained above).
 Fixed – Rewrote section. --Pnm (talk) 00:37, 17 December 2010 (UTC)
2. The lead gives undue emphasis to the view that rootkits are beneficial. (The lead sentence does so by omitting "unauthorized." The end of the lead paragraph says rootkits have "negative connotations.") Using connotation implies merely subjective negativity. The primary use of rootkits is gaining and preserving unauthorized access to a computer system. There are some rootkits that benefit the system owner, but in those cases the system owner installs the rootkit on purpose. These should be treated as the exceptional cases they are.
  5. It is stable.
    No edit wars, etc.:
  6. It is illustrated by images, where possible and appropriate.
    a (images are tagged and non-free images have fair use rationales): b (appropriate use with suitable captions):
    The caption on the illustration of security rings is confusing. After reading ring (computer security) I'm still confused. I don't understand whether it's possible to show the hypervisor ring (Ring -1) in such a diagram.
    Incidentally, I do think the image at ring (computer security) is slightly better.
  7. Overall:
    Pass/Fail:
    The minor issues can be corrected quickly. However, the sourcing and OR issues are serious, and will require careful review, source verification, and additional research. I don't think these steps should be rushed, so at this time I will fail the review.

Notes

  1. ^ "Once a rootkit is installed, it allows an attacker to mask the ongoing intrusion and maintain privileged access to the computer by circumventing normal authentication and authorization mechanisms."
  2. ^ "It is not uncommon to see a compromised system in which a sophisticated, publicly-available rootkit hides the presence of unsophisticated worms or attack tools that appear to have been written by inexperienced programmers."
  3. ^ "System hardening represents one of the first layers of defence against a rootkit, to prevent it from being able to install. Applying security patches, implementing the principle of least privilege, reducing the attack surface and installing antivirus software are some standard security best practices that are effective against all classes of malware. Once these measures are in place, routine monitoring is required."
  4. ^ "For example, binaries present on disk can be compared with their copies within operating memory (as the in-memory image should be identical to the on-disk image), or the results returned from file system or Windows Registry APIs can be checked against raw structures on the underlying physical disks—however, in the case of the former, some valid differences can be introduced by operating system mechanisms like memory relocation or shimming. Difference-based detection was used by Russinovich's RootkitRevealer tool to find the Sony DRM rootkit."
  5. ^ "Sony's long-term rootkit CD woes". BBC News. 2005-11-21. Retrieved 2008-09-15.
  6. ^ It's not even a good example of bad public-relations fallout. On the contrary, J&J was widely praised for how it handled the Tylenol incident. The source doesn't contradict this.
  7. ^ Matrosov, Aleksandr; Rodionov, Eugene (2010-06-25). "TDL3: The Rootkit of All Evil?" (PDF). ESET. Retrieved 2010-08-17.
  8. ^ That is, unless it is verifiably typical. That would be a big deal.
  9. ^ Danseglio, Mike; Bailey, Tony (2005-10-06). "Rootkits: The Obscure Hacker Attack". Microsoft.
  10. ^ Messmer, Ellen (2006-08-26). "Experts Divided Over Rootkit Detection and Removal". NetworkWorld.com. Framingham, Mass.: IDG. Retrieved 2010-08-15.
  11. ^ Stevenson, Larry; Altholz, Nancy (2007). Rootkits for Dummies. John Wiley and Sons Ltd. p. 175. ISBN 0471917109.
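The difference-based detection quoted in note 4 has two forms: comparing an on-disk binary with its in-memory image while tolerating loader relocations, and comparing what a (hookable) API reports against what is rebuilt from raw structures. The following is an added illustration of both, not code from the Rootkit article, from RootkitRevealer, or from this review. The image bytes, relocation offsets, hook bytes and directory listings are constructed for the demonstration; the "$sys$" file-name prefix mirrors the naming the Sony XCP rootkit hid, but the file name itself is invented.

```python
"""Difference-based (cross-view) rootkit detection, two constructed demonstrations."""
from typing import Iterable, List, Tuple


def compare_images(disk: bytes, mem: bytes, reloc_offsets: Iterable[int],
                   slot: int = 4) -> List[Tuple[int, int]]:
    """Return half-open byte ranges where the in-memory image differs from the
    on-disk image, ignoring the slots a loader legitimately patches (relocation
    fixups of `slot` bytes each). Anything left over is unexplained and worth
    a closer look, e.g. an inline hook written over the function prologue."""
    if len(disk) != len(mem):
        raise ValueError("images must be the same length")
    expected = set()
    for off in reloc_offsets:
        expected.update(range(off, off + slot))
    suspicious: List[Tuple[int, int]] = []
    start = None
    for i, (a, b) in enumerate(zip(disk, mem)):
        differs = a != b and i not in expected
        if differs and start is None:
            start = i                       # open a run of unexplained bytes
        elif not differs and start is not None:
            suspicious.append((start, i))   # close the run
            start = None
    if start is not None:
        suspicious.append((start, len(disk)))
    return suspicious


def cross_view_diff(api_view: Iterable[str], raw_view: Iterable[str],
                    benign: Iterable[str] = ()) -> Tuple[List[str], List[str]]:
    """Compare an enumeration obtained through the high-level API (which a rootkit
    can hook) with one rebuilt from raw on-disk structures. Entries present only
    in the raw view are candidate hidden objects; entries present only in the
    API view are phantoms (e.g. created after the raw snapshot was taken).
    `benign` lists names known to differ legitimately, which is the caveat the
    article raises about valid differences."""
    api, raw, skip = set(api_view), set(raw_view), set(benign)
    hidden = sorted((raw - api) - skip)
    phantom = sorted((api - raw) - skip)
    return hidden, phantom


# --- constructed sample data (not taken from any real binary or system) ------
DISK_IMAGE = bytes(range(32))                   # pretend code section on disk
RELOCATIONS = [8]                               # one 4-byte absolute pointer
_mem = bytearray(DISK_IMAGE)
_mem[8:12] = b"\x00\x10\x40\x00"                # loader applied the relocation: fine
_mem[0:5] = b"\xe9\x10\x00\x00\x00"             # 5-byte JMP rel32 planted at entry: not fine
MEM_IMAGE = bytes(_mem)

API_LISTING = ["boot.ini", "ntldr", "pagefile.sys", "notes.txt"]    # via hooked API
RAW_LISTING = ["boot.ini", "ntldr", "$sys$example.sys", "notes.txt"]  # from raw disk
BENIGN = {"pagefile.sys"}   # known to be absent from a cold raw snapshot


def demo():
    hooks = compare_images(DISK_IMAGE, MEM_IMAGE, RELOCATIONS)
    hidden, phantom = cross_view_diff(API_LISTING, RAW_LISTING, BENIGN)
    return hooks, hidden, phantom


if __name__ == "__main__":
    hooks, hidden, phantom = demo()
    print("unexplained in-memory differences:", hooks)
    print("hidden from API view:", hidden)
    print("phantom in API view:", phantom)
```

The relocation mask is what keeps the first check honest: without it every relocated pointer would show up as tampering, which is the false-positive problem the quoted sentence alludes to. The benign list plays the same role for the second check.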