Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Analytics

New Rootkit Plays Hard to Get

Researchers discover new exploit that effectively hides from popular malware detection tools

A newly discovered rootkit may not be particularly threatening in itself, but its unique method of concealment could pave the way for more malicious exploits, researchers say.

Symantec and F-Secure are both reporting the discovery of sophisticated malware that combines emerging rootkit technology with old Trojan horse strategies to create a new threat that could escape many current methods of rootkit detection.

The exploit, called Backdoor.Rustock.A by Symantec and Mailbot.AZ by F-Secure, opens a back door in a compromised computer and allows it to be used as a covert proxy, enabling an attacker to use the computer to send email or build a botnet. Symantec calls the risk level of the rootkit "very low."

However, researchers at both Symantec and F-Secure say the sophisticated effort to conceal the exploit could presage more dangerous exploits in the future.

"It can be considered the first-born of the next generation of rootkits," said Elia Florio, a Symantec researcher, in an analysis of the discovery.

The rootkit doesn't have a process but hides inside the Windows driver and in kernel threads. It doesn't use any native APIs, and it can actually changes its code, making it a moving target for any rootkit detection system.

In addition, the rootkit uses Microsoft's New Technology File System (NTFS) Alternate Data Streams (ADS), which enables it to hide from many malware detection tools, according to Antti Tikkanen, a researcher at F-Secure. "It's very likely that many security products will have a tough time dealing with this one," Tikkanen says.

Even if a detection system does find the rootkit, it may not be able to keep the threat on its radar screen. The new exploit can discover rootkit scanners on the infected systems and then change its behavior to avoid detection, researchers say.

The rootkit probably originates from Russia, and there is a string of code in it that suggests a new version will be on the way, Symantec says. A variant that Symantec calls Backdoor.Rustock.B has already been spotted.

What can enterprises do to protect themselves? Symantec recommends the usual steps, such as enforcing passwords on end systems, installing patches, and turning off unnecessary services. The current threat is easy to contain and requires only a moderate effort to remove, Symantec says.

F-Secure says its Black.Light rootkit scanner, Build 2.2.1041, software has been updated and can detect the rootkit.

— Tim Wilson, Site Editor, Dark Reading

  • F-Secure Corp.
  • Symantec Corp. (Nasdaq: SYMC) Tim Wilson is Editor in Chief and co-founder of Dark Reading.com, UBM Tech's online community for information security professionals. He is responsible for managing the site, assigning and editing content, and writing breaking news stories. Wilson has been recognized as one ... View Full Bio

    Comment  | 
    Print  | 
    More Insights
  • Comments
    Newest First  |  Oldest First  |  Threaded View
    How to Better Secure Your Microsoft 365 Environment
    Kelly Sheridan, Staff Editor, Dark Reading,  1/25/2021
    Attackers Leave Stolen Credentials Searchable on Google
    Kelly Sheridan, Staff Editor, Dark Reading,  1/21/2021
    Register for Dark Reading Newsletters
    White Papers
    Video
    Cartoon Contest
    Write a Caption, Win an Amazon Gift Card! Click Here
    Latest Comment: This comment is waiting for review by our moderators.
    Current Issue
    2020: The Year in Security
    Download this Tech Digest for a look at the biggest security stories that - so far - have shaped a very strange and stressful year.
    Flash Poll
    Assessing Cybersecurity Risk in Today's Enterprises
    Assessing Cybersecurity Risk in Today's Enterprises
    COVID-19 has created a new IT paradigm in the enterprise -- and a new level of cybersecurity risk. This report offers a look at how enterprises are assessing and managing cyber-risk under the new normal.
    Twitter Feed
    Dark Reading - Bug Report
    Bug Report
    Enterprise Vulnerabilities
    From DHS/US-CERT's National Vulnerability Database
    CVE-2021-3142
    PUBLISHED: 2021-01-28
    ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2020-35128. Reason: This candidate is a reservation duplicate of CVE-2020-35128. Notes: All CVE users should reference CVE-2020-35128 instead of this candidate. All references and descriptions in this candidate have been removed to preve...
    CVE-2020-35124
    PUBLISHED: 2021-01-28
    A cross-site scripting (XSS) vulnerability in the assets component of Mautic before 3.2.4 allows remote attackers to inject executable JavaScript through the Referer header of asset downloads.
    CVE-2020-25782
    PUBLISHED: 2021-01-28
    An issue was discovered on Accfly Wireless Security IR Camera 720P System with software versions v3.10.73 through v4.15.77. There is an unauthenticated stack-based buffer overflow in the function CNetClientManage::ServerIP_Proto_Set during incoming message handling.
    CVE-2020-25783
    PUBLISHED: 2021-01-28
    An issue was discovered on Accfly Wireless Security IR Camera System 720P with software versions v3.10.73 through v4.15.77. There is an unauthenticated heap-based buffer overflow in the function CNetClientTalk::OprMsg during incoming message handling.
    CVE-2020-25784
    PUBLISHED: 2021-01-28
    An issue was discovered on Accfly Wireless Security IR Camera System 720P with software versions v3.10.73 through v4.15.77. There is an unauthenticated stack-based buffer overflow in the function CNetClientGuard::SubOprMsg during incoming message handling.