Security experts have warned of a new generation rootkit that is “totally invisible” to detection software.
Rootkits are pieces of malware that actively conceal their existence using stealth technology, but can usually be picked up using specialist rootkit detection software.
But security firm Symantec warned that its lab had discovered a rootkit that slips past the detectors. A post on Symantec’s security response blog says the Backdoor.Rustock.A rootkit “consists of a mix of old techniques and new ideas that when combined make a malware that is stealthy enough to remain undetected by many rootkit detectors commonly used”.
Backdoor.Rustock.A was “totally invisible on a compromised computer when installed”, the Symantec blog warned, adding, “It even seems able to achieve all of its stealth functionality without any problems on a beta version of Microsoft Windows Vista.”
While rootkit detectors can detect hidden processes, “Rustock.A has no process”, Symantec said. Instead malicious code runs inside the driver and in kernel threads.
The rootkit used a series of techniques to bypass other methods used by detection software. It was able to scan for strings of code that would identify rootkit detection software and change its behavior to avoid detection.
Backdoor.Rustock.A is believed to originate in Russia and contains the string "G:\bot-mailer\007spambot-01\driver\objfre". Symantec warned: “We'll undoubtedly see new versions of this malware.”
Vote for your IT greats
Who have been the most influential people in IT in the past 40 years? The greatest organisations? The best hardware and software technologies? As part of Computer Weekly’s 40th anniversary celebrations, we are asking our readers who and what has really made a difference?
Vote now at: www.computerweekly.com/ITgreats