Language Selection

English French German Italian Portuguese Spanish

Malicious Bots Hide Using Rootkit Code

Filed under
Security

Computer viruses and remote control programs called bots are adopting features from stealthy programs called rootkits to avoid detection, according to researchers at Finnish anti-virus software company F-Secure.

New versions of Rbot, a malicious and ubiquitous remote control program, have features copied and pasted from a well known open-source rootkit called FU. The new features make Rbot invisible to system monitoring tools.

This is just the latest example of malicious programs borrowing strategies used by rootkits to evade detection on systems they infect, said Mikko Hyppönen, manager of anti-virus research at F-Secure Corp.

New versions of Rbot are identified almost daily, but recent variants come with a version of a software driver from FU, Hyppönen said.
When the driver is placed on an infected system, it allows Rbot to hide its process from the Windows task manager, or other task management tools that show users what programs are running on their Windows system.

The integration of FU with Rbot is crude and was probably done by an inexperienced hacker, or "script kiddie," who lifted the code wholesale from the FU source code, which was posted on the Internet by the rootkit's author, Jamie Butler (aka "Fuzen") as a proof of concept.

However, other malicious code authors are doing a more thorough job of tying rootkit features into their creations, Hyppönen said.

A recent variant of the Myfip worm, Myfip.h, incorporated features from FU that allowed it to manipulate data in the system kernel, or Windows core processing center, allowing it to hide its processes, he said.

The FU source code, available from Web sites like RootKit, is a rich source of information for malicious code writers. However, FU is not a true rootkit and doesn't try to evade detection.
That means that viruses and malicious programs that use FU components might still raise red flags from security programs that miss the virus processes running, but spot FU running on infected systems, he said.

Other virus authors seem to be catching on to tricks used by rootkit authors to avoid detection, also.

A recent version of the Sober worm, Sober.P, used a strategy called "I/O blocking" that doesn't prevent infected e-mails from being spotted, but can keep anti-virus products from detecting Sober.P on infected systems, according to experts.

F-Secure is testing a rootkit detection program called BlackLight that can spot some rootkits. Jamie Butler, author of the FU rootkit, has also released a free program called VICE that can spot FU, but most anti-virus companies don't have rootkit detection features in their products, he said.

Full Story.

More in Tux Machines

Announcing Season of KDE 2018

KDE Student Programs is pleased to announce the 2018 Season of KDE for those who want to participate in mentored projects that enhance KDE in some way. Every year since 2013, KDE Student Programs has been running Season of KDE as a program similar to, but not quite the same as Google Summer of Code, offering an opportunity to everyone (not just students) to participate in both code and non-code projects that benefits the KDE ecosystem. In the past few years, SoK participants have not only contributed new application features but have also developed the KDE Continuous Integration System, statistical reports for developers, a web framework, ported KDE Applications, created documentation and lots and lots of other work. For this year’s Season of KDE, we are shaking things up a bit and making a host of changes to the program. Read more

How To Get Started With The Ubuntu Linux Distro

The Linux operating system has evolved from a niche audience to widespread popularity since its creation in the mid 1990s, and with good reason. Once upon a time, that installation process was a challenge, even for those who had plenty of experience with such tasks. The modern day Linux, however, has come a very long way. To that end, the installation of most Linux distributions is about as easy as installing an application. If you can install Microsoft Office or Adobe Photoshop, you can install Linux. Here, we'll walk you through the process of installing Ubuntu Linux 17.04, which is widely considered one of the most user-friendly distributions. (A distribution is a variation of Linux, and there are hundreds and hundreds to choose from.) Read more

today's leftovers

'Turbo Boost Max 3.0' and Mesa 17.2.4

  • Turbo Boost Max 3.0 Support For Skylake Fixed With Linux 4.15
    The platform-drivers-x86 updates have been sent in for Linux 4.15 and include a range of improvements for Intel hardware support. One of the bigger items is support for Skylake CPUs with Turbo Boost Max 3.0.
  • Mesa 17.2.4 Graphics Stack Lands for Ubuntu 16.04 LTS and Ubuntu 17.10 Gamers
    Canonical's Timo Aaltonen reports on the availability of the Mesa 17.2.4 open-source graphics drivers stack on the X-SWAT updates PPA for Ubuntu 16.04 LTS and Ubuntu 17.10 systems. Ubuntu systems have always lagged behind the development of the Mesa 3D Graphics Library, the Linux graphics stack containing open-source drivers for Intel, AMD Radeon, and Nvidia GPUs, but they usually catch up with it through a specially crafted PPA (Personal Package Archive) repository that can be easily installed by users.