The Inquirer-Home

"Invisible" Rootkit found in the wild

Difficult to detect and remove
Mon Jul 17 2006, 08:21
SECURITY EXPERTS have found a really nasty rootkit which is next to near impossible to detect and remove.

Dubbed Backdoor.Rustock.A by Symantec and Mailbot.AZ by F-Secure, the code cannot be spotted by most current rootkit detectors.

Symantec claims that it is the first of the next generation of rootkits.

It uses a mixture of old techniques and new ideas to make it "totally invisible on a compromised computer when installed". Apparently it even worked well on a beta version of Windows Vista the Symantec crowd were playing with.

The rootkit probably came from the coding hot houses of Russia and a variant called Backdoor.Rustock.B has also been spotted.

F-Secure claims that its BlackLight rootkit scanner, Build 2.2.1041, can detect the new rootkit.

However it said that it was darn hard to come up with effective detection code because the new rootkit does not have a process.

The rootkit runs inside the driver and in kernel threads and controls kernel functions via special IRP functions.

It even scans for loaded rootkit scanners, then changes its tactics to avoid detection. More here. µ


Share this:

blog comments powered by Disqus
Subscribe to INQ newsletters

Sign up for INQbot – a weekly roundup of the best from the INQ

INQ Poll

Dead electronic devices to be banned on US-bound flights

Will the new rules banning uncharged devices be effective?