We use cookies to provide you with a better experience. If you continue to use this site, we'll assume you're happy with this. Alternatively, click here to find out how to manage these cookies

hide cookie message
80,258 News Articles

Researchers discover 'invisible' rootkit

Will run on Vista too

A rootkit that will greatly increase the difficulty of detecting and removing malware from PCs has been detected by security researchers.

The rootkit in question, called Backdoor.Rustock.A by Symantec and Mailbot.AZ by F-Secure, uses advanced techniques to avoid detection by most rootkit detectors.

The rootkit is "unique given the techniques it uses," Symantec's Elia Florio wrote in a recent analysis. "It can be considered the first-born of the next generation of rootkits."

Rustock.A uses a mixture of old techniques and new ideas to make it "totally invisible on a compromised computer when installed", including a beta version of Windows Vista, Florio wrote.

Symantec believes the rootkit originates from Russia, and a string found in the rootkit's code indicates new versions will probably be forthcoming. Symantec has already logged a variant called Backdoor.Rustock.B.

F-Secure noted Rustock's use of NTFS' ADS (Alternate Data Streams) as one significant example of its advanced behaviour.

"Saving your data into Alternate Data Streams is usually enough to hide from many tools," wrote F-Secure researcher Antti Tikkanen in a company blog.

"However, in this case, the stream is further hidden using rootkit techniques... because Mailbot.AZ is hiding something that's not readily visible, it's very likely that many security products will have a tough time dealing with this one."

F-Secure said it has released a version of the BlackLight rootkit scanner, Build 2.2.1041, which can detect Rustock.

According to researchers, other factors that help make Rustock invisible are that it has no process, instead running inside the driver and in kernel threads. It doesn't hook into any native API, and controls kernel functions via special IRP functions. It removes its entries from kernel structures, and the SYS driver is polymorphic, changing its code from sample to sample.

Rustock also scans for loaded rootkit scanners, then changes its behaviour to avoid detection, according to Florio.


IDG UK Sites

Windows 10 for phones UK release date, price and new features: When will my phone get Windows 10?

IDG UK Sites

Three of the most expensive Limited Edition games ever made: Who's buying a $1,000,000 game?

IDG UK Sites

The future of Microsoft Surface: What to expect from the Surface Pro 4

IDG UK Sites

Best Mac: Apple Mac buyers guide for 2015: iMac, MacBook, MacBook Air, MacBook Pro, Mac mini and...