The new pest, dubbed "Rustock" by Symantec and "Mailbot.AZ" by F-Secure, uses "rootkit" techniques crafted to avoid the detection technology used by security software, Symantec and F-Secure said in recent analyses.
"It can be considered the first born of the next generation of rootkits," Elia Florio, a security response engineer at Symantec, wrote in a blog late last month. "Rustock.A consists of a mix of old techniques and new ideas that when combined make a malware that is stealthy enough to remain undetected by many rootkit detectors commonly used."
Rootkits are considered an emerging threat. They are used to make system changes to hide software, which may be malicious. In the case of Rustock or Mailbot.AZ, rootkit technology was used to hide a Trojan horse that opens a back door on an infected system, putting it at the beck and call of an attacker, according to Symantec.
In their continuing race with security software makers, the creators of this latest rootkit appear to have looked closely at the inner workings of detection tools before crafting their malicious code, said Craig Schmugar, virus research manager at McAfee, which calls the pest PWS-JM.
"Security companies are trying to stay one step ahead of the bad guys, but the bad guys already have the technology that is available from the security vendors," he said. "A number of techniques have been combined to really strengthen and harden this particular threat. They have done a pretty good job at closing all the doors."
The mixture of cloaking methods makes Rustock "totally invisible on a compromised computer when installed," including on a PC running an early release of Windows Vista, Symantec's Florio wrote. "We consider it to be an advanced example of stealth by design malicious code."
To avoid detection, Rustock runs no system processes, but runs its code inside a driver and kernel threads, Florio wrote. It also uses alternate data streams instead of hidden files and avoids using application programming interfaces. Today's detection tools look for system processes, hidden files and hooks into APIs, according to Florio's post.
Additionally, Rustock defeats rootkit detectors' checks for the integrity of some kernel structures and the detectors' efforts to detect hidden drivers, Florio wrote. Furthermore the SYS driver the rootkit uses is polymorphic and changes its code from sample to sample, according to the blog posting.
Still, chances of people being attacked by this rootkit and its malicious Trojan horse payload are slim, experts said. "People are blogging about it not because it is highly prevalent, but because of the challenges it poses to existing rootkit detection tools," Schmugar said. Symantec and F-Secure also both state the threat is not widespread.
F-Secure updated its BlackLight rootkit detection tool that can detect current versions of the pest, it said in a blog. Symantec and McAfee are still working on tools to detect and remove rootkits from computers.
Ah, and it seems like it was just yesterday that I was reading about how to design malware which hides better than rootkits.
Oh, wait it was six months ago...
from
http://www.invisiblethings.org/papers.html#bhfed2006
<quote>
It's about new generation of stealth malware, which I call Stealth by Design (SbD) malware, that does not use any of the classic rootkit technology tricks, but still offers full stealth! The presentation also focuses on limitations of the current anti-rootkit technology and why it’s not useful in fighting this new kind of SbD malware. Consequently, alternative method for compromise detection is advocated in this presentation, Explicit Compromise Detection (ECD), as well as the challenges which Independent Software Vendors encounter when trying to implement ECD for Windows systems.
<unquote>
also see
http://www.blackhat.com/html/bh-federal-06/bh-fed-06-speakers.html#Rutkowska
Maybe one of these "antivirus" companies should hire Joanna and make her a 'Fellow'* like MS just did with Russinovich, from Sysinternals. <8^}
signed,
40+year coding veteran
* Apology, Joanna. Just couldn't resist.