Network Security & Hardware - eWeek


Is the Smart Grid a Dumb Idea?
Surgical Adhesive Offers Smarter Way to Mend Bones
Get Smarter Technology on Your Mobile!
  Network Security & Hardware


Spyware Danger Meets Rootkit Stealth



 By: Paul F. Roberts
2005-06-20
Article Rating:starstarstarstarstar / 2


There are 1 user comments on this Network Security & Hardware story.


Rate This Article:
Poor Best
A common spyware program called "Cool Web Search" is adopting rootkit methods to creep onto machines undetected, where it becomes very difficult to remove.

The makers of one common spyware program are borrowing techniques from another type of malicious program, known as "rootkits," to help evade detection on systems they infect, spyware experts say.

Recent versions of the Cool Web Search spyware have rootkit-like features that allow the spyware authors to hide their program files on Windows systems.

The new spyware variants are a sign of the increasing sophistication of malicious code authors, and of spyware makers, according to Roger Thompson, director of malicious content research at Computer Associates International Inc.

Rootkits are programs that give remote attackers administrative access to compromised machines. Using a rootkit, an attacker can peruse a compromised machines hard drive, set up or change user accounts, add, delete, or modify files, and communicate with other machines on a network or the Internet.

The programs often lurk in the background and are difficult to detect, even when they are known to be installed on a system.

Thompson said that new variants of the Cool Web Search spyware, detected in recent weeks, can hide configuration settings in the Windows registry and disguise their presence by hiding rootkit files in alternate data streams.

Resource Library:
"It makes a lot of sense for spyware [authors], because with spyware youre trying to hide, versus trying to spread," Thompson said.

Malicious remote-controlled bots are also adopting rootkit features to avoid detection. Click here to read more.

David Moll, CEO of anti-spyware software vendor Webroot Software Inc., said researchers at his company have also seen rootkit features appearing in spyware applications like Cool Web Search.

CA has retrieved samples of Cool Web Search from the Internet with the rootkit features built in, but says the features are not as sophisticated as those found in so-called kernel rootkits, which replace parts of Windows core processor with their own code, allowing the rootkit to be almost completely invisible to users and to many detection tools, Thompson said.

"The stuff Ive seen is probably homegrown, but most of this [rootkit] stuff is open source, so its easy to borrow a bit from here and a bit from there," he said. Cool Web Search is a ubiquitous piece of malicious code that is the most prevalent breed of spyware on the Internet, according to Webroot.

The software is typically installed on victims computers from malicious Web pages or e-mail messages that exploit Web browser vulnerabilities or use "social engineering" tricks to get users to agree to install the code.

Once on a system, Cool Web Search hijacks Web browsers, redirecting users to Cool Web Search member sites. The program may also come bundled with reams of other adware and spyware programs, experts say.

Not much is known about the parties behind Cool Web Search, though they are widely believed to be based in Russia or Eastern Europe.

Virus writers have also latched on to rootkit programs to help disguise their creations in recent months.

New versions of Rbot, a malicious "back door," or remote control, program, have features taken from FU, a well-known open-source rootkit, F-Secure Corp said in May.

Click here to read more about Rbot, a remote-controlled program that also utilizes rootkit methods.

Spurred by profits from online identity theft and from "pay-per-install" software vendors, spyware authors are innovating rapidly, especially when it comes to avoiding detection during installation, and afterwards, when spyware programs often transmit data from the compromised system, Webroots Moll said.

"Were seeing innovation in three vectors right now: infiltration, communication, and perpetuation," he said.

Cool Web Search showed up in 8 percent of all spyware scans by Webroot. The program has traditionally not been hard to detect, but has been very hard to remove once it is installed, pushing it to the top of the spyware pantheon, Moll said.

"Once you get it, you cant get rid of it, and thats proven to be a real heartache for people," he said.

Check out eWEEK.coms for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at eWEEK.com Security Center Editor Larry Seltzers Weblog.



  Reader Comments: Spyware Danger Meets Rootkit Stealth
>>> Post your comment now!
rootkits
Informative article!! It also tells me that 1) there is money to be made in coming up with anti-rootkits and 2) all the safeguards we now possess...
Posted At: 03-13-08
By: Stephen
>>> Post your comment now!
 

 
 
>>> More Network Security & Hardware Articles          >>> More By Paul F. Roberts
 


x}r㶲s\@♵M"b{)ٖZ-/K3^:U*$ER~u~|.dLb["h4y$ W7-gD.]sjS;q~@ [!%w> (+ԯ1mnf]S/ _hoL|Nx  tjGt0.Sk4Z57껲5G4o/ne0S-ZIa>)VNմIlZ/P8$x$ZB;$?*B4mG$zߦR`F蕁D ؗCY͢NaF3l˸+:4 HS(G~@?8rދ*1݇飅S wΨn{TTMSU@BlݹVжF^׵vCq>t;g=rԺx';Aڼ@o&1`jLTV+Rhf Rc@GG,/BK.oVqW-%MюR;2,fϷ 3+i3*,qT~6zvEzv l,aZ4 2_]2 -U5ms%gr>iu>Sɀ&dXaV|YkU[_lxmx8=kh`cRV>{dN;'-2 )H|[:)yu'P[, RGrF~DX*V0Uhf5 t @CX&%4ɄSHu t:f9A}I'ԃ6kiLuV!`BC`u{j '@kFPYXa6R\ 9jb3v!fBM?o"* brݠHPs^]ϧˊfoF"> 23r!DKI88gd{Ӱirq\oV͉2]X]uUjoE?t_wΨqj>޴NIsVЂ)3G#洋вn 7MGZ9HL*exsvU95b(7ZdL,5,{LtOi8`;}Bw'Դ@wH<: M/}@˥qn1@ LNa 8 V8; t#uө=W45W/h`GIkE 6]LR}t )qHhS0|w0[[aP#[ҽ[:z? a#0.Zm{Ae^~} ¢Pwݐ4P}@=Z9nc@|jN JG@i0xzOEЧg$D!-i]R@Az8 -,rr< /~#AvGBjy?mlry wrvn23,BV-KїPf%i2khƲń(VFN1|(0Vf)řxj&i &NHNu0OiH\UN`9|si?&4ğ;nX$]׾dχ _V̚S=S] ktմyJˁ2$vTD>L˄Fr6=c=϶Y$tuKtu`|d:N+'hm7?>{@,\nb4դ/4<3_O#kۖs7M2߄T 9u# \ă r}͚X 4ؐ9|&B77:7O)wj@atɕe.FiJ~*tr~#J}ݼ~h;h{q#%MAw=E梳xO:[VX nURueb$l =vaXZ @-",6@1++;WKc: _hihH*E6@\Z2,c %␘ 0ZmGwa=0_ܰ킡/%UVLYsX)Z52{5k掭l0!.(2n( 这,)؂ Yz:8:O\%z`۱u3$?;`ϟQ,C* R*}a5)403yb|Fȸ>qm?XĞi'L[QHz{=cTfha8lXl?78Hy¤SI_)+%UMH?K~1:2.eX PY.5mI]v 'Ywf$ Eiz2i$p}r)"™5r!| jx0A,Cןʼn¨0raԺU_~? 6#Xe[;pMbA >BS-c&B_M;$!O^'KRIC'Xk5E}c,IVt@CF ‘"]yj% }!T0|"j*V$D6pl)5tl*FuiMxm!8+I%$m'uX2]jL}tvǜ}h3ʋ2 iΓEVJjB =5GjZ͎=>iP2~2j&8x_ㄯ8W}ˬ7?Kg>kSM+\3>'=\V`QcƖ4FXXH]-'L͎O\NS$dTP95f> S#=A o#uIN:Ɲcݸz,WEn;&}kPkw(* xg4s'DcC6VNMFklE;8*6Xjl=vHN~Zsn驔Jg H*@:erzī7OwioUUAS;:)&DVѶU0HzW.q,wqIe1S2I*"Eֲ[,qde l&SJ_ʼnZkRS+GF`"U!7TP>z#_7)~(zC9m^>s꧴z-NoTjϢ C:%/Z&he~6%Kf?͕Z5?e DsBx`fKܧ@vܖ[J,]A Ba Q{lrK{]wѼZA8G̕=%(MXU\=QDu Z:̏T)wT :&iZIRkϢpӁ9tGFl~"ڊ twE2q{27(۞k-/$xG ?ws̾n02N t U5mb[-W+wc"i!`0dR{T{) ܗKrvZTKU+d< j;!O+tSN`+T.n_B'Wƒ"'!M+73,`J {qe?3 cS7wv׏ZM}{"}QL~Uv٩G#;?JnۧCR>Y'5/ ?Nٿt۽v00Vy/Џ Kxi/RCR>"jMթԾl~h0[ltJj2}m&A)`dQL?JnWaF.Zg(V@iD*ǝ^s)\6o>ėlO:~\ZR ^Zz0NԼh:dIN2axռN8>m48 Z&IEyĘ 3^6"B @ tnN[7Y0pz.vB3ZKUc)zF A0V<]wTGWX* 8̄o ナ`AQ1 KLG{iD& bT1J?ԟRFMQV=#ijIəπQIQ):*9Q_ZQkw?KJ}J_cNfo4~PV=8Y,rh縕vi\c~wSP݅{/Zr; 1dy!Br 7[%x -Mu>nSo2MĜykNEm =O?G0 chQ(bz&I[ɨ ݖ:p<5Gs:e?S"\ 06H PV,OҼe=lI1 iK"ih$bbVȆRo{ݼڜm yjXýMی3B凭J$h dgKE֊2 pkP I"+ b >g֢Ѭ]}+ ɏh8 =Na.O, zP/9U۾L+tO$ZЍڑqEt2Ti\'SX ]hrrӅ[ 䠏nߡ{v$smC'رD~zNh gs o. cgm:;@FP$w"BZ ("Ξ[ eu/hu5nWKoCӝ薃(H׺!ͫϽsP+]Ƃ>#QᛷG 6n2'|2JO$hﭑ~QOƭtov/F]F=foݷvcW};Ǎ>8tǠ^Ҁ#I1&ZQT@WdU)IW]Y)GG8LboZ`@L6#Oz= }#uoo=إG֛lp3Y* g@v4^ haIL]_@#=Iy=X<30pUe"ڮ^t4s8۲I`,Va3:qQmL'5c: DI ]]ed40 #+" mMJZa97Y8Mey PGP;JGl+N5]VL;ƒ17 ٤3y#F~gM%VJd]q"u#/(I=WaN}|`S2Jj9I4}L+1"7jyR6B&xt]i/)R>߬#9_ǐQ4ua&.z(IX*/_87iDJ1&ޓ'!q."ȓӟGx3Dh<}wo@6+Jjm]i/sV U uK:/Qލ(#N_+ml5ֿ-3$`Sf(83$G{+@O5 =FBVhI1a!P%,`.yy"<ޖ+mʊPSuE9 Ǯ/uXn,=|VIR9$!IBP_ڂYڍmkl۔ʦ U~q:˜ݱ:z*V`h0]l  m oW":0 6V@xz`X` N^xOxj9xDK?c bpL%F:zh1 cND|i;$<\6r[&ׯ(/K`8,)Zg]2 8w0000 Z-UL+z2LBKkzWX7gDT$X`Ez366A5aѵ5ֿᨾ}-)]}p?S9k1?|c<6@a!€$գ}gSsDoKA2ŋ n@ImRԻZY!ᑍIr9#XW"՛`+,Gb4Zޛ+;9מ?c0h '|y0.~c-x# z_xz_Yc{NVHK\ƺ jO1tbX؊5V|iQ yl 1Nqc"X)Eu3~}Xo ~_s-M 3QBerLge>M"3[2\Sإ6GeCsji'+Wo)2 {%!ms.QY6 l?gS3vRB+lL[  Ɗttb2dBcg+3_gE^[7ו۹}jQ+rϮY_2)rφm/ksɹfzm)w|M\ W{fK IEo͓iA|+3`nzsh~wLlWf<6.ZxM+hG P|F8 _˳8M=^Vk#fEN{gm^)KrkH n?6ozlïnJYf%2Ċ3Q+i錃ql GdZf&e<Lm~aW B >ϋ .-Nxtowwv]g4޵7 5x`>ׂ읩^_F%1Xd&&ZfM۞ '{atx-b= Tw߁^<@ 30&>]#=^g=T608~)n{ʞVS,8Y+ Zybu JɤQ?L(pg{W.@=i \Zn)Of+-`T#=t7rTp6&"z~EqG2(kX5Xm3È2CכdžmWc#kx|gBiƗi.b50eos0[jbdFyAx!Fv;Kb+@6Q$IL`kKAXK3b*Y"'"KIEЮ(>1_<xX2Lzm/+iyp\ Gi̢6qΌ"F$drm".]sIԪʁ\r~^ ::XuV%.g˘xVH=Қ0&ޤOEU6'a|Qi@ʑVH5i`-o>A5R9}jZbfچY <ֶ/=ֶz^C출uK[7]5S]<_q=%o73E'ձJYlݹ[{rCjyKE8ee_ˤC$=y >tk6fLµOA*d 8ISDC>Ubȣ|6J ;JJYTjG^)xyӓG4U0}jmȍF.05 ?yOs.kXl;̝5~V`}{Ə$HP.%$7_b?q,@N cˡWq\6Z(^:]YLےN IY?ڽ{^jB_7 "|ļK,Ad2uēF;1CWIе6A\Π{3EF-h>#4I cDku' +K,-^a9eUd[h,s;'¨EJa3r;c{e ,G Ki~RJHUTW"Y lgF &bP6iJJʇh5;P2*5&G̭3ǘ"xxa aF a?ϪͲ;IoP}sY?e=a ' 2u?|{yBJG=Jm~#}*틸3;-RlfUc:&yxM .oJ^j$'9֣/|T1/b#-ᰔ#fg|$z嘘̥7d{@\^q 81q,E|E|z['Ae}>l1dn +62 1՘ފ_Ѻm~F~h/U{Z7]Ѷ-d=*:}GDy”*R Cccf 'lI=0W N8e [z_c54uh`:zS~pV%Ւ s ;X+3۟oʁ.ARrO0ឩHSHVdL4"&(qTiK$<49࿿tLYunOKZ&a k(E$[TvۈxE0t߰Þ1;mzfmdm/u "O5cZ|F"{X#&3)- y/@} (aU 7T,5?B5DuSSJH0^Djj㹂 .X`,rnwj"Ox}1d@M+%>gٕa)걪S͕/0;ehs=M镬B*9^Ȑq{ZGL€،\{cݹ0A39ܐ&9iHq}kwqs'%}RGݪ;ǝ'gMWhY>|i5ۼЗ6xteAή-fL)D3\h"^ûKwE Ccq~^ Ҧ;'Q]xe3ʋ, KNi21S<=iuZ>6v7^L#'uԦF(h5{q`1D*'MMBp4ħEG:WB#2yT}n"g(9(%oV41-[Ny;9@VN .?CN?|ۅy{uyhC9CL*BnNg(_ٮq3>e2>2@\9_^%e^ ?唟CyN?9P~S{3W ?W9sw3~'?/9q sO9z9kuG௏9 ?~rC[(+[h6[Ku3Ay3GΚ׸pz~;}sS^.4s\}W WK(gsVڍNV`{CJg_7G+@I}}9M+ťfW*7KD앆cn5:Ab}a/ c|2y& )htVydS˼=>w懴Ix崝#&J2˯-7cENZ9.~QFxd\$h{U26#{"ijvʞ?#%Y!/ܻGzʉnS'/\2A<ĎnOArr mn1+x? 4` K}Ry緶xvY.}j,7mϋ9y}2cپOh] /K6:7Dq3[ ňàs H? }Vj?fz:x}fOCvHyѿn~htR/O> *8x:S w}Y&@Y8'}(hعjzGrt9pùzksn \wn :)xӁT״} J\ߑNn0lFGDd10q5ɪ"+5w9 8]V(*D`I9#2B4|OӴW]7tS+rc<{+4pY-}"z5>YxcEv+cAV73/ ~*_v3*m؏d S7 5v;3Ũ逕@ NS &kc5q) ?՞ٕv"n42Nw1z6h*G ?n 3ɕ@y hbգh9đPrO~22VH''dn!Br&߼)=tφU U/ADZeXY򿧖qǭd<@T6? hCI.^,˃aͱyCc`bȜ." 8luy1M<r*WpG1q6`= }j`$->Xv;iXev#601jxU>}r)1-XhcЁ7 OCeWn΀`htF(.24"f>̆IW"nrg=T#0? u'K6&oiW -]^AK5 D =bHO$ fB~nҒ.'%лx^JT6^џZǬIBn`Z(>/tA#Ӳ!fIw&UM~gik-x=%4Id`4s `C{)B9 H|\+<##1Y Mк {kͅ*u8w ic:4. N甽1¢m5u׌ezԦu"䶯I׵98~MC >%Ͷ U^{#D3dƨz< &h :"QF&A}F垓gg_6b Gy&3@3p6+S2m)y'ir};[|A^[|QؗG@1agGێQgW_NwD.L?!#R.ڐOF{)0XPw4 m<'6}Nu;Cv:j;;˖  Mm+#84">Լ lQF޺׸6Vx}҄ ]@1Su .Ыv>cx 'Lᵰ65GT1ue|nHJUƧf2{O:Lgз57`8[| ނgܨN~<+1<&`cܢ_\nP\jӟ&H.\Tvbbq Y9gf;i5wm+Ѝϰ|3'ȱb@xϖέ{~k#'>gsx}z!}/ő׈,,L[˅OىBWѰ0 L;,lqED%e2rACb 0F #:`2 19,G xI1%h3l䣈mAb ?ڵ-caG?f,ɀGAMzU]Z 12Mo,/`kV"Kz'gE= !`5>g~C{%9w:a0>~09&rX >鄥6s`=U`0Z.<,(`,Lv"VTHkMΡmbOqR!%fƲ"7cP!wX]-B@:S .x C,$ˋ}P cyx ŧ$NSM1}b2<'\B/1,#{ŠN|ZkhYY'5/yH%D}Sw= QRO(Uƥ2p;\R|ҹ$`֍;^z\J\SK4%WY/ϦO*L Kq>lgLp -ϱeRZ`l/Z6v?|%