
Malicious Bots Hide Using Rootkit Code

Filed under
Security

Computer viruses and remote control programs called bots are adopting features from stealthy programs called rootkits to avoid detection, according to researchers at Finnish anti-virus software company F-Secure.

New versions of Rbot, a malicious and ubiquitous remote control program, contain code copied and pasted from a well known open-source rootkit called FU. The borrowed code lets Rbot hide its process from the tools that list what is running on a system.

This is just the latest example of malicious programs borrowing strategies used by rootkits to evade detection on systems they infect, said Mikko Hyppönen, manager of anti-virus research at F-Secure Corp.

New versions of Rbot are identified almost daily, but recent variants ship with a kernel-mode driver lifted from FU, Hyppönen said. Once the driver is loaded on an infected system, Rbot can hide its process from the Windows Task Manager and from other process-listing tools that show users which programs are running on their Windows system.

The integration of FU with Rbot is crude and was probably done by an inexperienced hacker, or "script kiddie," who lifted the code wholesale from the FU source code, which was posted on the Internet by the rootkit's author, Jamie Butler (aka "Fuzen") as a proof of concept.

However, other malicious code authors are doing a more thorough job of tying rootkit features into their creations, Hyppönen said.

A recent variant of the Myfip worm, Myfip.h, incorporated code from FU that lets it modify data structures inside the Windows kernel, the technique FU's author calls Direct Kernel Object Manipulation (DKOM). The worm's process object is unlinked from the kernel's list of active processes, so any tool that walks that list no longer sees it, even though the process itself keeps running, he said.

The FU source code, available from Web sites such as rootkit.com, is a rich source of information for malicious code writers. However, FU is not a true rootkit: it makes no attempt to hide its own driver or the user-mode program that controls it. That means viruses and malicious programs built from FU components might still raise red flags with security products that miss the hidden virus process but spot FU's own components on the infected system, he said.

Other virus authors also seem to be picking up the tricks rootkit authors use to avoid detection.

A recent version of the Sober worm, Sober.P, used a strategy called "I/O blocking" that doesn't prevent infected e-mails from being spotted, but can keep anti-virus products from detecting Sober.P on infected systems, according to experts.

F-Secure is testing a rootkit detection program called BlackLight that can spot some rootkits. Jamie Butler, author of the FU rootkit, has also released a free program called VICE that can spot FU, but most anti-virus companies do not yet have rootkit detection features in their products, Hyppönen said.
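To make the hiding trick described for Rbot and Myfip, and the kind of cross-view check that rootkit detectors use against it, concrete, the following is an added example written for this page. It is not code from FU, Rbot, Myfip, F-Secure or BlackLight. It simulates in plain C what the FU driver does to the kernel's process list: the process object stays intact and keeps running, but its entry is unlinked from the doubly-linked list that process-listing tools walk. A second, independent view of the same processes (a stand-in for the kernel's PID table, which handle lookups consult) is then compared against the list walk; any process present in one view but absent from the other is hidden. The `proc_t` structure, the `pid_table` array, and the process names and PIDs are simplified, constructed stand-ins for the real Windows structures, not their actual layout.

```c
/*
 * Simulation of an FU-style DKOM process hide and of cross-view detection.
 * Added example for this article; not FU, Rbot or BlackLight source.
 * proc_t is a cut-down stand-in for the Windows EPROCESS object: a PID,
 * a name and the forward/backward links of the active-process list.
 */
#include <stdio.h>
#include <string.h>

#define MAX_PROCS 8

typedef struct proc {
    unsigned pid;
    char name[16];
    struct proc *flink, *blink;   /* ActiveProcessLinks stand-ins */
} proc_t;

/* The kernel keeps more than one view of its processes.  View 1 is the
 * circular list hanging off list_head (PsActiveProcessHead stand-in), which
 * Task Manager reaches through the process-enumeration APIs.  View 2 is
 * pid_table (stand-in for the PID/handle table), which a lookup by PID uses.
 * DKOM edits only view 1. */
static proc_t pool[MAX_PROCS];
static proc_t list_head;
static proc_t *pid_table[MAX_PROCS];
static unsigned nprocs;

static void reset(void) {
    memset(pool, 0, sizeof pool);
    memset(pid_table, 0, sizeof pid_table);
    nprocs = 0;
    list_head.flink = list_head.blink = &list_head;
}

/* Create a process and register it in both views, as the kernel would. */
static proc_t *create_process(unsigned pid, const char *name) {
    if (nprocs >= MAX_PROCS) return NULL;
    proc_t *p = &pool[nprocs];
    p->pid = pid;
    strncpy(p->name, name, sizeof p->name - 1);
    p->blink = list_head.blink;          /* append at the tail of the list */
    p->flink = &list_head;
    list_head.blink->flink = p;
    list_head.blink = p;
    pid_table[nprocs++] = p;
    return p;
}

/* The FU hide: unlink the entry from the list.  Nothing else about the
 * process changes, so it keeps running; only list walkers stop seeing it. */
static void dkom_hide(proc_t *p) {
    p->blink->flink = p->flink;
    p->flink->blink = p->blink;
    p->flink = p->blink = p;             /* self-link so a second unlink is harmless */
}

/* View 1: walk the list, the way a process-listing tool does. */
static unsigned view_list(unsigned *out, unsigned max) {
    unsigned n = 0;
    for (proc_t *p = list_head.flink; p != &list_head && n < max; p = p->flink)
        out[n++] = p->pid;
    return n;
}

/* View 2: enumerate every slot of the PID table. */
static unsigned view_pid_table(unsigned *out, unsigned max) {
    unsigned n = 0;
    for (unsigned i = 0; i < MAX_PROCS && n < max; i++)
        if (pid_table[i]) out[n++] = pid_table[i]->pid;
    return n;
}

/* Cross-view detection: a PID that answers in view 2 but is missing from
 * view 1 has been unlinked.  Returns the number of hidden PIDs found. */
static unsigned find_hidden(unsigned *hidden, unsigned max) {
    unsigned a[MAX_PROCS], b[MAX_PROCS], n = 0;
    unsigned na = view_list(a, MAX_PROCS);
    unsigned nb = view_pid_table(b, MAX_PROCS);
    for (unsigned i = 0; i < nb && n < max; i++) {
        int seen = 0;
        for (unsigned j = 0; j < na; j++) if (a[j] == b[i]) seen = 1;
        if (!seen) hidden[n++] = b[i];
    }
    return n;
}

/* Constructed scenario: three processes, the bot hides itself. */
static unsigned demo(unsigned *hidden, unsigned max) {
    reset();
    create_process(4, "System");
    create_process(1234, "explorer.exe");
    proc_t *bot = create_process(2048, "rbot.exe");  /* sample name and PID */
    dkom_hide(bot);
    return find_hidden(hidden, max);
}

int main(void) {
    unsigned hidden[MAX_PROCS];
    unsigned n = demo(hidden, MAX_PROCS);
    for (unsigned i = 0; i < n; i++)
        printf("hidden process: pid %u\n", hidden[i]);
    return 0;
}
```

The point of the simulation is the asymmetry it reproduces: unlinking costs the attacker two pointer writes and leaves the process fully functional, while a detector only needs to find one more enumeration path the attacker forgot to edit and diff the two. That is also why FU's own driver and control program remain visible, as noted above: the code unlinks a process entry but does nothing about the driver object or the files on disk.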

