Language Selection

English French German Italian Portuguese Spanish

Malicious Bots Hide Using Rootkit Code

Filed under
Security

Computer viruses and remote control programs called bots are adopting features from stealthy programs called rootkits to avoid detection, according to researchers at Finnish anti-virus software company F-Secure.

New versions of Rbot, a malicious and ubiquitous remote control program, have features copied and pasted from a well known open-source rootkit called FU. The new features make Rbot invisible to system monitoring tools.

This is just the latest example of malicious programs borrowing strategies used by rootkits to evade detection on systems they infect, said Mikko Hyppönen, manager of anti-virus research at F-Secure Corp.

New versions of Rbot are identified almost daily, but recent variants come with a version of a software driver from FU, Hyppönen said.
When the driver is placed on an infected system, it allows Rbot to hide its process from the Windows task manager, or other task management tools that show users what programs are running on their Windows system.

The integration of FU with Rbot is crude and was probably done by an inexperienced hacker, or "script kiddie," who lifted the code wholesale from the FU source code, which was posted on the Internet by the rootkit's author, Jamie Butler (aka "Fuzen") as a proof of concept.

However, other malicious code authors are doing a more thorough job of tying rootkit features into their creations, Hyppönen said.

A recent variant of the Myfip worm, Myfip.h, incorporated features from FU that allowed it to manipulate data in the system kernel, or Windows core processing center, allowing it to hide its processes, he said.

The FU source code, available from Web sites like RootKit, is a rich source of information for malicious code writers. However, FU is not a true rootkit and doesn't try to evade detection.
That means that viruses and malicious programs that use FU components might still raise red flags from security programs that miss the virus processes running, but spot FU running on infected systems, he said.

Other virus authors seem to be catching on to tricks used by rootkit authors to avoid detection, also.

A recent version of the Sober worm, Sober.P, used a strategy called "I/O blocking" that doesn't prevent infected e-mails from being spotted, but can keep anti-virus products from detecting Sober.P on infected systems, according to experts.

F-Secure is testing a rootkit detection program called BlackLight that can spot some rootkits. Jamie Butler, author of the FU rootkit, has also released a free program called VICE that can spot FU, but most anti-virus companies don't have rootkit detection features in their products, he said.

Full Story.

More in Tux Machines

KDE: Simple by Default, Powerful When Needed

KDE (back when it was still the name of the desktop environment) and our applications historically stood for powerful features and great flexibility and customizeability. This is what our users love about our software, this is why they choose Plasma and KDE software instead of one of the other Free desktop offerings. And it is also something they would fight tooth and nail for if we wanted to take it away (as many a KDE maintainer who dared to remove a feature he thought was unnecessary can tell). Read more

BitTorrent Bleep alpha released for Android

As an alpha it still has some issues “As with any Alpha, there are some known issues and bugs to work out. Android users will need to set the app to “Wi-Fi Only” unless you have an unlimited data plan; this is only for the time being while we iron out and issue related to battery and data-plan. And while you can move a username from desktop to mobile, Bleep does not yet support moving an existing account from Android to the desktop. And while you can receive messages on multiple devices; messages sent will not be seen across all devices. As with our previous release, communications happen only when all parties are online – you cannot send offline photos or group chats asynchronously.” Read more

During Akademy 2014

This year there were lot of fast track (10 minutes) talks on different areas around KDE. All of them were quite interesting, some of them are: Bruno Coudoin talked about how and why GCompris moved to QtQuick with the support of KDE. What all challenges project faced while moving from GTK to Qt. Daniel Vrátil talked about his one year journey with Akonadi Martin Gräßlin gave an overview of current state of Kwin in adding Wayland support and future plans. Kevin Ottens talked about KDE craftsmen where analysis was on the way we handle our software production, how can we make our software even better. Kai Uwe Broulik talked about current status of Qt port on Android and iOS. Currently, 3 iOS apps in Apple store and 8 Android apps in Google play since December 2013. Read more

Leftovers: Software