Eric Chien, a researcher at Symantec, of Cupertino, Calif., said rootkit features are even creeping into legal and quasi-legal advertising software, which is often flagged by anti-virus scanners.
In a presentation titled "Techniques of Adware and Spyware," Chien cited examples of rootkit features in advertising software such as Elitebar and CommonName.
While there is nothing illegal about the techniques used to hide these programs, the behavior is suspicious when used in combination with other controversial behaviors, such as user monitoring, Chien said.
Major global virus and worm outbreaks such as Code Red, Slammer and Sasser revealed the extent to which computer users, companies and even governments are interconnected in the shared ecosystem of the Internet. However, changes in the way malicious code is distributed have made Internet attacks and malicious-code outbreaks a local rather than global affair, said Kevin Hogan, a senior manager at Symantec.
"In the past, people would write worms and release them," Hogan said. "Now you've got bots and Trojans that are spammed out to particular companies or IP address ranges."
"We might have a virus that's rated Category 2, but we've got a customer who says that it's a Category 3 or 4 for them," he said.
Anti-virus companies have historically shared malicious-code samples with one another to protect the broad Internet population. With focused attacks and the explosion in threats, anti-virus companies are being pulled in different directions to protect their customers. Increasingly, companies are prioritizing the viruses and malicious software their customers report and paying less attention to viruses submitted by competitors, FitzGerald said.
Over time, the specialization of attacks could create a balkanized anti-virus community in which different tools become specialized for a certain customer population but cannot detect viruses and malicious code from other parts of the Internet, FitzGerald said.
Even more worrisome for anti-virus vendors are changes in malicious-code distribution methods that circumvent anti-virus scanning engines on e-mail servers, network gateways or users' desktops.
The DNS (Domain Name System) cache poisoning attacks in March and the growing popularity of index hijacking—in which Google search results are tainted with URLs for Web pages that download malicious programs—are evidence that online criminals no longer need to push their creations out to victims but can lure them to sites where the victims unwittingly pull down viruses, Trojans, keyloggers and other programs, according to a presentation by Igor Muttik, senior architect at McAfee AVERT (Anti-Virus Emergency Response Team).
The malicious content often passes as harmless Web traffic, evading detection by gateway and desktop scanning engines, Muttik said.
Anti-virus companies also must contend with countless examples of quasi-legitimate advertising programs that purport to provide "value" to computer users in exchange for access to their desktop computers and their Web surfing and shopping habits.
The programs are created and distributed by companies such as 180Solutions Inc. and Direct Revenue LLC and are often bundled with free, "advertising-supported" software, such as Kazaa peer-to-peer clients, which users agree to install.
Advertising software frequently modifies host systems in a number of areas and creates dependencies with other software on the system, which makes it more difficult to remove from computers than viruses, Symantec's Chien said.
Bundling relationships make it difficult to determine whether the user wants—or instead is legally bound to have—adware and open anti-virus companies to the possibility of lawsuits from adware vendors, said Chien.
Moreover, software from advertisers often gets installed in ways that are clearly illegal, anti-virus experts agree. Chien said he observed software from 180Solutions bundled with pirated content, such as movies and cracked software.
Even when the software is distributed and installed legitimately, it can be almost impossible to untangle the thicket of interconnected Web sites, distribution servers and shell Web properties that are used to distribute advertising software, said Joe Telafici, director of operations at McAfee AVERT. Telafici is one of two McAfee researchers who spent a month analyzing "the Transponder Gang," a web of sites that distribute adware from Direct Revenue.
Telafici's team dug into a network of unique but structurally identical Web sites. The sites, such as pynix.com, mx-targeting.com and offeroptimizer.com, were linked to Direct Revenue adware. The investigative work revealed a complex infrastructure for distributing browser helper objects, plug-ins that collect information on the computer owner's behavior in exchange for "services" such as Internet searching.
McAfee researchers found that the shell Web sites, which were little more than empty fronts, provided a patina of respectability to the adware, while also providing brand coverage for Direct Revenue, Telafici said.