Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Analytics

New Rootkit Plays Hard to Get

Researchers discover new exploit that effectively hides from popular malware detection tools

A newly discovered rootkit may not be particularly threatening in itself, but its unique method of concealment could pave the way for more malicious exploits, researchers say.

Symantec and F-Secure are both reporting the discovery of sophisticated malware that combines emerging rootkit technology with old Trojan horse strategies to create a new threat that could escape many current methods of rootkit detection.

The exploit, called Backdoor.Rustock.A by Symantec and Mailbot.AZ by F-Secure, opens a back door in a compromised computer and allows it to be used as a covert proxy, enabling an attacker to use the computer to send email or build a botnet. Symantec calls the risk level of the rootkit "very low."

However, researchers at both Symantec and F-Secure say the sophisticated effort to conceal the exploit could presage more dangerous exploits in the future.

"It can be considered the first-born of the next generation of rootkits," said Elia Florio, a Symantec researcher, in an analysis of the discovery.

The rootkit doesn't have a process but hides inside the Windows driver and in kernel threads. It doesn't use any native APIs, and it can actually changes its code, making it a moving target for any rootkit detection system.

In addition, the rootkit uses Microsoft's New Technology File System (NTFS) Alternate Data Streams (ADS), which enables it to hide from many malware detection tools, according to Antti Tikkanen, a researcher at F-Secure. "It's very likely that many security products will have a tough time dealing with this one," Tikkanen says.

Even if a detection system does find the rootkit, it may not be able to keep the threat on its radar screen. The new exploit can discover rootkit scanners on the infected systems and then change its behavior to avoid detection, researchers say.

The rootkit probably originates from Russia, and there is a string of code in it that suggests a new version will be on the way, Symantec says. A variant that Symantec calls Backdoor.Rustock.B has already been spotted.

What can enterprises do to protect themselves? Symantec recommends the usual steps, such as enforcing passwords on end systems, installing patches, and turning off unnecessary services. The current threat is easy to contain and requires only a moderate effort to remove, Symantec says.

F-Secure says its Black.Light rootkit scanner, Build 2.2.1041, software has been updated and can detect the rootkit.

— Tim Wilson, Site Editor, Dark Reading

  • F-Secure Corp.
  • Symantec Corp. (Nasdaq: SYMC) Tim Wilson is Editor in Chief and co-founder of Dark Reading.com, UBM Tech's online community for information security professionals. He is responsible for managing the site, assigning and editing content, and writing breaking news stories. Wilson has been recognized as one ... View Full Bio

    Comment  | 
    Print  | 
    More Insights
  • Comments
    Newest First  |  Oldest First  |  Threaded View
    Sodinokibi Ransomware: Where Attackers' Money Goes
    Kelly Sheridan, Staff Editor, Dark Reading,  10/15/2019
    Data Privacy Protections for the Most Vulnerable -- Children
    Dimitri Sirota, Founder & CEO of BigID,  10/17/2019
    7 SMB Security Tips That Will Keep Your Company Safe
    Steve Zurier, Contributing Writer,  10/11/2019
    Register for Dark Reading Newsletters
    White Papers
    Video
    Cartoon Contest
    Write a Caption, Win a Starbucks Card! Click Here
    Latest Comment: The old using of sock puppets for Shoulder Surfing technique. 
    Current Issue
    7 Threats & Disruptive Forces Changing the Face of Cybersecurity
    This Dark Reading Tech Digest gives an in-depth look at the biggest emerging threats and disruptive forces that are changing the face of cybersecurity today.
    Flash Poll
    2019 Online Malware and Threats
    2019 Online Malware and Threats
    As cyberattacks become more frequent and more sophisticated, enterprise security teams are under unprecedented pressure to respond. Is your organization ready?
    Twitter Feed
    Dark Reading - Bug Report
    Bug Report
    Enterprise Vulnerabilities
    From DHS/US-CERT's National Vulnerability Database
    CVE-2019-8216
    PUBLISHED: 2019-10-17
    Adobe Acrobat and Reader versions , 2019.012.20040 and earlier, 2017.011.30148 and earlier, 2017.011.30148 and earlier, 2015.006.30503 and earlier, and 2015.006.30503 and earlier have an out-of-bounds read vulnerability. Successful exploitation could lead to information disclosure .
    CVE-2019-8217
    PUBLISHED: 2019-10-17
    Adobe Acrobat and Reader versions , 2019.012.20040 and earlier, 2017.011.30148 and earlier, 2017.011.30148 and earlier, 2015.006.30503 and earlier, and 2015.006.30503 and earlier have an use after free vulnerability. Successful exploitation could lead to arbitrary code execution .
    CVE-2019-8218
    PUBLISHED: 2019-10-17
    Adobe Acrobat and Reader versions , 2019.012.20040 and earlier, 2017.011.30148 and earlier, 2017.011.30148 and earlier, 2015.006.30503 and earlier, and 2015.006.30503 and earlier have an out-of-bounds read vulnerability. Successful exploitation could lead to information disclosure .
    CVE-2019-8219
    PUBLISHED: 2019-10-17
    Adobe Acrobat and Reader versions , 2019.012.20040 and earlier, 2017.011.30148 and earlier, 2017.011.30148 and earlier, 2015.006.30503 and earlier, and 2015.006.30503 and earlier have an use after free vulnerability. Successful exploitation could lead to arbitrary code execution .
    CVE-2019-8220
    PUBLISHED: 2019-10-17
    Adobe Acrobat and Reader versions, 2019.012.20040 and earlier, 2017.011.30148 and earlier, 2017.011.30148 and earlier, 2015.006.30503 and earlier, and 2015.006.30503 and earlier have an use after free vulnerability. Successful exploitation could lead to arbitrary code execution .