Free Republic
Browse · Search
General/Chat
Topics · Post Article

Skip to comments.

Invisible' rootkit heralds trouble ahead
Techworld ^ | 7/14/2006 | By Matthew Broersma

Posted on 07/17/2006 10:17:20 PM PDT by Swordmaker

Security researchers have discovered a new type of rootkit they believe will greatly increase the difficulty of detecting and removing malicious code.

The rootkit in question, called Backdoor.Rustock.A by Symantec and Mailbot.AZ by F-Secure, uses advanced techniques to avoid detection by most rootkit detectors.

The rootkit is "unique given the techniques it uses," Symantec's Elia Florio wrote in a recent analysis. "It can be considered the first-born of the next generation of rootkits."

Rustock.A uses a mixture of old techniques and new ideas to make it "totally invisible on a compromised computer when installed," including a beta version of Windows Vista, Florio wrote.

Symantec believes the rootkit originates from Russia, and a string found in the rootkit's code indicates new versions will probably be forthcoming. Symantec has already logged a variant called Backdoor.Rustock.B.

F-Secure noted Rustock's use of NTFS' Alternate Data Streams (ADS) as one significant example of its advanced behaviour.

"Saving your data into Alternate Data Streams is usually enough to hide from many tools," wrote F-Secure researcher Antti Tikkanen in a company blog.

"However, in this case, the stream is further hidden using rootkit techniques... because Mailbot.AZ is hiding something that's not readily visible, it's very likely that many security products will have a tough time dealing with this one."

F-Secure said it has released a new version of the BlackLight rootkit scanner, Build 2.2.1041, which can detect Rustock.

According to researchers, other factors that help make Rustock invisible are that it has no process, instead running inside the driver and in kernel threads. It doesn't hook into any native API, and controls kernel functions via special IRP functions. It removes its entries from kernel structures, and the SYS driver is polymorphic, changing its code from sample to sample.

Rustock also scans for loaded rootkit scanners, then changes its behaviour to avoid detection, according to Florio.


TOPICS: Business/Economy; Computers/Internet; Conspiracy
KEYWORDS: malware

1 posted on 07/17/2006 10:17:24 PM PDT by Swordmaker
[ Post Reply | Private Reply | View Replies]

To: Swordmaker
What a nasty little creature.

Additional info here: http://www.f-secure.com/v-descs/mailbot_az.shtml

2 posted on 07/17/2006 10:45:16 PM PDT by TChad
[ Post Reply | Private Reply | To 1 | View Replies]

To: rdb3; chance33_98; Calvinist_Dark_Lord; Bush2000; PenguinWry; GodGunsandGuts; CyberCowboy777; ...

3 posted on 07/18/2006 5:43:30 AM PDT by ShadowAce (Linux -- The Ultimate Windows Service Pack)
[ Post Reply | Private Reply | To 1 | View Replies]

To: Swordmaker

If you get rooted the only safe thing to do it rebuild the system go back to a pree rootkit data restore, run the logs forward and pray..


4 posted on 07/18/2006 6:51:29 AM PDT by N3WBI3 ("I can kill you with my brain" - River Tam)
[ Post Reply | Private Reply | To 1 | View Replies]

To: N3WBI3
If you get rooted the only safe thing to do it rebuild the system go back to a pree rootkit data restore, run the logs forward and pray..

Yup. Glad I don't run windows. 

What really should worry folks though, is the work that is surely being done on VM-type rootkits that load before the OS. It will be interesting to see how these criminals make use of the new VM code coming out in the latest processors. 

5 posted on 07/18/2006 8:52:54 AM PDT by zeugma (I reject your reality and substitute my own in its place.)
[ Post Reply | Private Reply | To 4 | View Replies]

To: zeugma

The first rootkits ever made were for Unix. And Linux vendors somehow can't even protect themselves from multiple hacks.

http://www.dailytech.com/article.aspx?newsid=3312


6 posted on 07/18/2006 4:34:01 PM PDT by Golden Eagle (Buy American. While you still can.)
[ Post Reply | Private Reply | To 5 | View Replies]

To: Golden Eagle

Yeah, I know. It is news whenever a Unix server is hacked. For MS-Windows servers, it's just another day on the net.


7 posted on 07/18/2006 4:42:29 PM PDT by zeugma (I reject your reality and substitute my own in its place.)
[ Post Reply | Private Reply | To 6 | View Replies]

To: zeugma

Windows.com was hacked? I'm quite certain that would make the news.


8 posted on 07/18/2006 4:47:06 PM PDT by Golden Eagle (Buy American. While you still can.)
[ Post Reply | Private Reply | To 7 | View Replies]

To: Golden Eagle

You are such a putz.


9 posted on 07/18/2006 6:17:46 PM PDT by zeugma (I reject your reality and substitute my own in its place.)
[ Post Reply | Private Reply | To 8 | View Replies]

To: zeugma

Nothing but insults from you, typical.


10 posted on 07/18/2006 7:12:36 PM PDT by Golden Eagle (Buy American. While you still can.)
[ Post Reply | Private Reply | To 9 | View Replies]

To: Golden Eagle

I calls it likes I sees it.


11 posted on 07/18/2006 7:49:28 PM PDT by zeugma (I reject your reality and substitute my own in its place.)
[ Post Reply | Private Reply | To 10 | View Replies]

To: zeugma

No you can't argue facts so you switch to insults. Quickly.

Did you see today where France's MoD said Open Office wasn't as secure as MS-Office? Hysterical, considering.


12 posted on 07/18/2006 8:14:14 PM PDT by Golden Eagle (Buy American. While you still can.)
[ Post Reply | Private Reply | To 11 | View Replies]

Disclaimer: Opinions posted on Free Republic are those of the individual posters and do not necessarily represent the opinion of Free Republic or its management. All materials posted herein are protected by copyright law and the exemption for fair use of copyrighted works.

Free Republic
Browse · Search
General/Chat
Topics · Post Article

FreeRepublic, LLC, PO BOX 9771, FRESNO, CA 93794
FreeRepublic.com is powered by software copyright 2000-2008 John Robinson