New Rootkit Plays Hard to Get

Researchers discover new exploit that effectively hides from popular malware detection tools

2 Min Read
Dark Reading logo in a gray background | Dark Reading

A newly discovered rootkit may not be particularly threatening in itself, but its unique method of concealment could pave the way for more malicious exploits, researchers say.

Symantec and F-Secure are both reporting the discovery of sophisticated malware that combines emerging rootkit technology with old Trojan horse strategies to create a new threat that could escape many current methods of rootkit detection.

The exploit, called Backdoor.Rustock.A by Symantec and Mailbot.AZ by F-Secure, opens a back door in a compromised computer and allows it to be used as a covert proxy, enabling an attacker to use the computer to send email or build a botnet. Symantec calls the risk level of the rootkit "very low."

However, researchers at both Symantec and F-Secure say the sophisticated effort to conceal the exploit could presage more dangerous exploits in the future.

"It can be considered the first-born of the next generation of rootkits," said Elia Florio, a Symantec researcher, in an analysis of the discovery.

The rootkit doesn't have a process but hides inside the Windows driver and in kernel threads. It doesn't use any native APIs, and it can actually changes its code, making it a moving target for any rootkit detection system.

In addition, the rootkit uses Microsoft's New Technology File System (NTFS) Alternate Data Streams (ADS), which enables it to hide from many malware detection tools, according to Antti Tikkanen, a researcher at F-Secure. "It's very likely that many security products will have a tough time dealing with this one," Tikkanen says.

Even if a detection system does find the rootkit, it may not be able to keep the threat on its radar screen. The new exploit can discover rootkit scanners on the infected systems and then change its behavior to avoid detection, researchers say.

The rootkit probably originates from Russia, and there is a string of code in it that suggests a new version will be on the way, Symantec says. A variant that Symantec calls Backdoor.Rustock.B has already been spotted.

What can enterprises do to protect themselves? Symantec recommends the usual steps, such as enforcing passwords on end systems, installing patches, and turning off unnecessary services. The current threat is easy to contain and requires only a moderate effort to remove, Symantec says.

F-Secure says its Black.Light rootkit scanner, Build 2.2.1041, software has been updated and can detect the rootkit.

— Tim Wilson, Site Editor, Dark Reading

About the Author

Tim Wilson, Editor in Chief, Dark Reading

Contributor

Tim Wilson is Editor in Chief and co-founder of Dark Reading.com, UBM Tech's online community for information security professionals. He is responsible for managing the site, assigning and editing content, and writing breaking news stories. Wilson has been recognized as one of the top cyber security journalists in the US in voting among his peers, conducted by the SANS Institute. In 2011 he was named one of the 50 Most Powerful Voices in Security by SYS-CON Media.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like


More Insights