Language Selection

English French German Italian Portuguese Spanish

Malicious Bots Hide Using Rootkit Code

Filed under
Security

Computer viruses and remote control programs called bots are adopting features from stealthy programs called rootkits to avoid detection, according to researchers at Finnish anti-virus software company F-Secure.

New versions of Rbot, a malicious and ubiquitous remote control program, have features copied and pasted from a well known open-source rootkit called FU. The new features make Rbot invisible to system monitoring tools.

This is just the latest example of malicious programs borrowing strategies used by rootkits to evade detection on systems they infect, said Mikko Hyppönen, manager of anti-virus research at F-Secure Corp.

New versions of Rbot are identified almost daily, but recent variants come with a version of a software driver from FU, Hyppönen said.
When the driver is placed on an infected system, it allows Rbot to hide its process from the Windows task manager, or other task management tools that show users what programs are running on their Windows system.

The integration of FU with Rbot is crude and was probably done by an inexperienced hacker, or "script kiddie," who lifted the code wholesale from the FU source code, which was posted on the Internet by the rootkit's author, Jamie Butler (aka "Fuzen") as a proof of concept.

However, other malicious code authors are doing a more thorough job of tying rootkit features into their creations, Hyppönen said.

A recent variant of the Myfip worm, Myfip.h, incorporated features from FU that allowed it to manipulate data in the system kernel, or Windows core processing center, allowing it to hide its processes, he said.

The FU source code, available from Web sites like RootKit, is a rich source of information for malicious code writers. However, FU is not a true rootkit and doesn't try to evade detection.
That means that viruses and malicious programs that use FU components might still raise red flags from security programs that miss the virus processes running, but spot FU running on infected systems, he said.

Other virus authors seem to be catching on to tricks used by rootkit authors to avoid detection, also.

A recent version of the Sober worm, Sober.P, used a strategy called "I/O blocking" that doesn't prevent infected e-mails from being spotted, but can keep anti-virus products from detecting Sober.P on infected systems, according to experts.

F-Secure is testing a rootkit detection program called BlackLight that can spot some rootkits. Jamie Butler, author of the FU rootkit, has also released a free program called VICE that can spot FU, but most anti-virus companies don't have rootkit detection features in their products, he said.

Full Story.

More in Tux Machines

Cumulus Linux 2.5 adds mainstream L2 features to bare-metal switching

As Cumulus Networks attempts to expand beyond the early adopters of its Cumulus Linux bare-metal switch operating system, it is adding Layer 2 networking features aimed at making it easier for enterprises to make the transition from legacy environments to the IP fabrics that most cloud computing customers operate. Read more

SimplyTapp launches open source tokenization project

“We don’t want to put any hindrance in the way of a bank launching cloud-based payments because they have to buy or rely on another ecosystem player for new technology and so we thought it was a perfect use case for an open source project. Open source allows a perfect line of audit where you can actually see the source code, modify the source code and make updates to the source code for your environment before you’re running it. Read more

Google’s Nest buys Linux automation firm, adds five partners

Google’s Nest Labs acquired Revolv, a maker of Linux-based home automation devices, and announced five new Nest-compatible devices. including the Pebble. After Google acquired Nest Labs in January $3.2 billion, placing a stake in the fast-growing home automation business, Nest acquired home surveillance camera maker Dropcam in June for $555 million. Now Nest announced it has acquired another major home automation company in its purchase of Revolv. The acquisition, which was announced with no dollar amount, came shortly after the Boulder, Colo. based company announced compatibility with the Nest Learning Thermostat and Nest Protect CO/smoke detector. Read more

MozFest 2014 begins today

More than 1,600 participants from countries around the globe will gather at Ravensbourne in East London for a weekend of collaborating, building prototypes, designing innovative web literacy curricula and discussing how the ethos of the open web can contribute to the fields of science, journalism, advocacy and more. Read more