Dubbed Backdoor.Rustock.A by Symantec and Mailbot.AZ by F-Secure, the code cannot be spotted by most current rootkit detectors.
Symantec claims that it is the first of the next generation of rootkits.
It uses a mixture of old techniques and new ideas to make it "totally invisible on a compromised computer when installed". Apparently it even worked well on a beta version of Windows Vista the Symantec crowd were playing with.
The rootkit probably came from the coding hot houses of Russia, and a variant called Backdoor.Rustock.B has also been spotted.
F-Secure claims that its BlackLight rootkit scanner, Build 2.2.1041, can detect the new rootkit.
However, it said that it was darn hard to come up with effective detection code because the new rootkit does not have a process of its own.
The rootkit runs inside a driver and in kernel threads, and controls kernel functions via special I/O request packet (IRP) handlers.
It even scans for loaded rootkit scanners, then changes its tactics to avoid detection.