Our forums are currently in maintenance mode and the ability to post is disabled. We will be back up and running as soon as possible. Thanks for your patience!

General discussion


"Invisible" rootkit heralds trouble ahead..

By UncleRob ·
I recently read an interesting article concerning a new form of rootkit which is much more difficult to detect (I thought rootkits were already difficult to detect!), the bit that caught my attention was the fact that this rootkit was already tested on a windows vista beta 2 machine which is sad because I had hoped vista would make it more difficult for malware/virii/rootkits to infect a machine - I guess that's not the case.

Have any of you ever had the misfortune of dealing with/removing rootkit infections on your pc? What software did you use to remove the rootkits on those systems?

?Invisible? rootkit heralds trouble ahead
Original Article by: Matthew Broersma, (14 Jul 2006)

Security researchers have discovered a new type of rootkit they believe will greatly increase the difficulty of detecting and removing malicious code.

The rootkit in question, called Backdoor.Rustock.A by Symantec and Mailbot.AZ by F-Secure, uses advanced techniques to avoid detection by most rootkit detectors.

The rootkit is "unique given the techniques it uses," Symantec's Elia Florio wrote in a recent analysis. "It can be considered the first-born of the next generation of rootkits."

Rustock.A uses a mixture of old techniques and new ideas to make it "totally invisible on a compromised computer when installed," including a beta version of Windows Vista, Florio wrote.

Symantec believes the rootkit originates from Russia, and a string found in the rootkit's code indicates new versions will probably be forthcoming. Symantec has already logged a variant called Backdoor.Rustock.B.

F-Secure noted Rustock's use of NTFS' Alternate Data Streams (ADS) as one significant example of its advanced behavior.

"Saving your data into Alternate Data Streams is usually enough to hide from many tools," wrote F-Secure researcher Antti Tikkanen in a company blog.

"However, in this case, the stream is further hidden using rootkit techniques... because Mailbot.AZ is hiding something that's not readily visible, it's very likely that many security products will have a tough time dealing with this one."

F-Secure said it has released a new version of the BlackLight rootkit scanner, Build 2.2.1041, which can detect Rustock.

According to researchers, other factors that help make Rustock invisible are that it has no process, instead running inside the driver and in kernel threads. It doesn't hook into any native API, and controls kernel functions via special IRP functions. It removes its entries from kernel structures, and the SYS driver is polymorphic, changing its code from sample to sample.

Rustock also scans for loaded rootkit scanners, then changes its behavior to avoid detection, according to Florio.

This conversation is currently closed to new comments.

Thread display: Collapse - | Expand +

All Comments

Collapse -

Rootkits and such

by jmgarvin In reply to "Invisible" rootkit heral ...

A) Blue Pill - From the sound of it is a way to sell (or promote) Red Pill. It "creates" a virtual machine for the rootkit to run in. The whole idea is beyond complicated and it only works with the new AMD chips that alway direct hardware virtualization. They also only tested this in Vista, but claim it will effect Linux and Unix...I tend to disagree for a number of reasons, but I haven't seen Blue Pill in action, so I could be wrong (but probably not).

B) Memory Resident Rootkits - The idea has been around for a while and I've seen a number of proof of concepts. However, the biggest problem is getting the resources. While they are VERY hard to detect (right now), with a viable resource monitor and intellegent IDS, it is possible to track them down.

The scary thing about rootkits, to me at least, is that businesses are using them as "tools" to "help" the user. Soon, we'll be rootkitted by any installed software. Seems like a bad idea to me.

Collapse -

BlackLight is probably the best rootkit scanner

FSecure's BlackLight rootkit scanner is probably the best rootkit scanner in the industry. However, I am surprised that BlackLight is able to detect Rustock kind of rootkits that run inside kernel threads.

Given the large number of false positives that the rootkit scanners throw up, I doubt whether any such rootkit detection will be of any use- as one cant identify a definite malicious rootkit.


Collapse -

blue pill

by lowlands In reply to "Invisible" rootkit heral ...

That looks scary, but detectable. Check out the link to the Blue Pill story for something that might have an even bigger impact once abused,1895,1983037,00.asp

Collapse -

Blue Pill is a way to sell/promote Red Pill

by jmgarvin In reply to blue pill

While it sounds interesting, I'd like to see it implemented on more than Vista...

This is also (or so it seems) more of an AMD bug than anything else...

Collapse -

Who Benefits?

by mageistere22 In reply to "Invisible" rootkit heral ...

Who and to What Real purpose keeps inventing
Rootkits, Trojans etc.
Methinks the A Virus providers find in there
Employment, and profits

Related Discussions

Related Forums