New Rootkit Plays Hard to Get

Researchers discover new exploit that effectively hides from popular malware detection tools

A newly discovered rootkit may not be particularly threatening in itself, but its unique method of concealment could pave the way for more malicious exploits, researchers say.

Symantec and F-Secure are both reporting the discovery of sophisticated malware that combines emerging rootkit technology with old Trojan horse strategies to create a new threat that could escape many current methods of rootkit detection.

The exploit, called Backdoor.Rustock.A by Symantec and Mailbot.AZ by F-Secure, opens a back door in a compromised computer and allows it to be used as a covert proxy, enabling an attacker to use the computer to send email or build a botnet. Symantec calls the risk level of the rootkit "very low."

However, researchers at both Symantec and F-Secure say the sophisticated effort to conceal the exploit could presage more dangerous exploits in the future.

"It can be considered the first-born of the next generation of rootkits," said Elia Florio, a Symantec researcher, in an analysis of the discovery.

The rootkit doesn't have a process but hides inside the Windows driver and in kernel threads. It doesn't use any native APIs, and it can actually changes its code, making it a moving target for any rootkit detection system.

In addition, the rootkit uses Microsoft's New Technology File System (NTFS) Alternate Data Streams (ADS), which enables it to hide from many malware detection tools, according to Antti Tikkanen, a researcher at F-Secure. "It's very likely that many security products will have a tough time dealing with this one," Tikkanen says.

Even if a detection system does find the rootkit, it may not be able to keep the threat on its radar screen. The new exploit can discover rootkit scanners on the infected systems and then change its behavior to avoid detection, researchers say.

The rootkit probably originates from Russia, and there is a string of code in it that suggests a new version will be on the way, Symantec says. A variant that Symantec calls Backdoor.Rustock.B has already been spotted.

What can enterprises do to protect themselves? Symantec recommends the usual steps, such as enforcing passwords on end systems, installing patches, and turning off unnecessary services. The current threat is easy to contain and requires only a moderate effort to remove, Symantec says.

F-Secure says its Black.Light rootkit scanner, Build 2.2.1041, software has been updated and can detect the rootkit.

— Tim Wilson, Site Editor, Dark Reading

  • F-Secure Corp.
  • Symantec Corp. (Nasdaq: SYMC)