Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Analytics

New Rootkit Plays Hard to Get

Researchers discover new exploit that effectively hides from popular malware detection tools

A newly discovered rootkit may not be particularly threatening in itself, but its unique method of concealment could pave the way for more malicious exploits, researchers say.

Symantec and F-Secure are both reporting the discovery of sophisticated malware that combines emerging rootkit technology with old Trojan horse strategies to create a new threat that could escape many current methods of rootkit detection.

The exploit, called Backdoor.Rustock.A by Symantec and Mailbot.AZ by F-Secure, opens a back door in a compromised computer and allows it to be used as a covert proxy, enabling an attacker to use the computer to send email or build a botnet. Symantec calls the risk level of the rootkit "very low."

However, researchers at both Symantec and F-Secure say the sophisticated effort to conceal the exploit could presage more dangerous exploits in the future.

"It can be considered the first-born of the next generation of rootkits," said Elia Florio, a Symantec researcher, in an analysis of the discovery.

The rootkit doesn't have a process but hides inside the Windows driver and in kernel threads. It doesn't use any native APIs, and it can actually changes its code, making it a moving target for any rootkit detection system.

In addition, the rootkit uses Microsoft's New Technology File System (NTFS) Alternate Data Streams (ADS), which enables it to hide from many malware detection tools, according to Antti Tikkanen, a researcher at F-Secure. "It's very likely that many security products will have a tough time dealing with this one," Tikkanen says.

Even if a detection system does find the rootkit, it may not be able to keep the threat on its radar screen. The new exploit can discover rootkit scanners on the infected systems and then change its behavior to avoid detection, researchers say.

The rootkit probably originates from Russia, and there is a string of code in it that suggests a new version will be on the way, Symantec says. A variant that Symantec calls Backdoor.Rustock.B has already been spotted.

What can enterprises do to protect themselves? Symantec recommends the usual steps, such as enforcing passwords on end systems, installing patches, and turning off unnecessary services. The current threat is easy to contain and requires only a moderate effort to remove, Symantec says.

F-Secure says its Black.Light rootkit scanner, Build 2.2.1041, software has been updated and can detect the rootkit.

— Tim Wilson, Site Editor, Dark Reading

  • F-Secure Corp.
  • Symantec Corp. (Nasdaq: SYMC) Tim Wilson is Editor in Chief and co-founder of Dark Reading.com, UBM Tech's online community for information security professionals. He is responsible for managing the site, assigning and editing content, and writing breaking news stories. Wilson has been recognized as one ... View Full Bio
     

    Recommended Reading:

    Comment  | 
    Print  | 
    More Insights
  • Comments
    Newest First  |  Oldest First  |  Threaded View
    COVID-19: Latest Security News & Commentary
    Dark Reading Staff 6/5/2020
    Abandoned Apps May Pose Security Risk to Mobile Devices
    Robert Lemos, Contributing Writer,  5/29/2020
    How AI and Automation Can Help Bridge the Cybersecurity Talent Gap
    Peter Barker, Chief Product Officer at ForgeRock,  6/1/2020
    Register for Dark Reading Newsletters
    White Papers
    Video
    Cartoon Contest
    Write a Caption, Win a Starbucks Card! Click Here
    Latest Comment: What? IT said I needed virus protection!
    Current Issue
    How Cybersecurity Incident Response Programs Work (and Why Some Don't)
    This Tech Digest takes a look at the vital role cybersecurity incident response (IR) plays in managing cyber-risk within organizations. Download the Tech Digest today to find out how well-planned IR programs can detect intrusions, contain breaches, and help an organization restore normal operations.
    Flash Poll
    Twitter Feed
    Dark Reading - Bug Report
    Bug Report
    Enterprise Vulnerabilities
    From DHS/US-CERT's National Vulnerability Database
    CVE-2020-13842
    PUBLISHED: 2020-06-05
    An issue was discovered on LG mobile devices with Android OS 7.2, 8.0, 8.1, 9, and 10 (MTK chipsets). A dangerous AT command was made available even though it is unused. The LG ID is LVE-SMP-200010 (June 2020).
    CVE-2020-13843
    PUBLISHED: 2020-06-05
    An issue was discovered on LG mobile devices with Android OS software before 2020-06-01. Local users can cause a denial of service because checking of the userdata partition is mishandled. The LG ID is LVE-SMP-200014 (June 2020).
    CVE-2020-13839
    PUBLISHED: 2020-06-05
    An issue was discovered on LG mobile devices with Android OS 7.2, 8.0, 8.1, 9, and 10 (MTK chipsets). Code execution can occur via a custom AT command handler buffer overflow. The LG ID is LVE-SMP-200007 (June 2020).
    CVE-2020-13840
    PUBLISHED: 2020-06-05
    An issue was discovered on LG mobile devices with Android OS 7.2, 8.0, 8.1, 9, and 10 (MTK chipsets). Code execution can occur via an MTK AT command handler buffer overflow. The LG ID is LVE-SMP-200008 (June 2020).
    CVE-2020-13841
    PUBLISHED: 2020-06-05
    An issue was discovered on LG mobile devices with Android OS 9 and 10 (MTK chipsets). An AT command handler allows attackers to bypass intended access restrictions. The LG ID is LVE-SMP-200009 (June 2020).