F-Secure Shines BlackLight on Malicious Rootkits

Security vendors roll out new detection technologies to find and delete malicious stealth programs.

Finnish anti-virus specialist F-Secure Corp. on Thursday announced plans to add rootkit-detection features to its product suite, joining a growing list of security vendors tackling the stealthy threat.

At the CeBIT show in Hannover, Germany, F-Secure lifted the wraps off the new BlackLight Rootkit Elimination Technology, offering the tool as a free beta through Apr. 30.

After that, the company plans to integrate the rootkit-detection capabilities into its anti-virus, firewall, intrusion detection and anti-spyware products.

"This is a unique piece of technology that looks deeper into the operating system to find hidden rootkits. We've already seen worms using rootkit functionality, so we know it's a serious threat," said Ero Carrera, a virus researcher at F-Secure.

According to F-Secure's findings, at least two worms, Maslan and Myfip, have used rootkit tricks to hide their processes by manipulating operating system kernel data structures.

Maslan, for example, is a multi-component stealth worm that drops an IRC (Internet Relay Chat) backdoor to a computer.

It can be controlled remotely by an attacker to hijack personal data or to organize a denial-of-service attack, and it spreads through e-mail and to remote computers by exploiting known security vulnerabilities.

"Very soon, rootkit-detection will be a required feature in anti-virus or anti-spyware software," Carrera said.


With BlackLight, F-Secure is promising technology to detect objects that are hidden from existing security tools while offering a simple interface for removing threats.

The company said BlackLight has the ability to ignore non-malicious objects and provide warnings only on real rootkits.

F-Secure isn't the only software vendor flagging rootkits as a growing threat.

Lab rats at Microsoft Research have released Strider GhostBuster Rootkit Detection, a prototype tool that will eventually be released as a Microsoft product.

Microsoft officials declined to comment on F-Secure's BlackLight moves.

Sysinternals Freeware, a site that offers Windows utilities, also rolled out RootkitRevealer, a tool capable of finding registry and file system API discrepancies that may indicate the presence of a user-mode or kernel-mode rootkit.
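The discrepancy approach described above, in which the same objects are enumerated through the normal API and through a lower-level path and anything the API view omits is reported, is the idea behind this added example. It is illustrative code written for this article, not code from Sysinternals, F-Secure or Microsoft, and it does not read a real disk or kernel: the two "views" are constructed lists of file paths, and `hidden_driver.sys` and `tmp1234.dat` are made-up names. It also models two caveats a practitioner runs into: NTFS metafiles such as `$MFT` legitimately never appear in directory listings (the "ignore non-malicious objects" point above), and a file created or deleted between the two enumerations produces a one-off discrepancy, so only discrepancies that persist across repeated snapshots are reported.

```python
"""Cross-view rootkit detection, modelled on the approach the article
attributes to RootkitRevealer.  Illustrative code, not the tool's own."""

from dataclasses import dataclass


@dataclass(frozen=True, order=True)
class Discrepancy:
    kind: str   # "hidden": in the raw view only; "phantom": in the API view only
    name: str


def cross_view_diff(api_view, raw_view):
    """Compare one high-level (API) listing with one low-level (raw) listing.
    The names are opaque strings, so the same function serves file paths,
    registry keys or process identifiers."""
    api, raw = set(api_view), set(raw_view)
    return sorted({Discrepancy("hidden", n) for n in raw - api} |
                  {Discrepancy("phantom", n) for n in api - raw})


def stable_discrepancies(snapshots, benign=frozenset()):
    """Intersect the discrepancies of several (api_view, raw_view) snapshots
    taken a little apart.  An object created or deleted between the two
    enumerations of one snapshot shows up once and then vanishes; an object a
    rootkit hides from the API persists in every snapshot.  Names on the
    benign list (objects that never appear through the API by design) are
    dropped before reporting."""
    if not snapshots:
        return []
    common = set(cross_view_diff(*snapshots[0]))
    for api_view, raw_view in snapshots[1:]:
        common &= set(cross_view_diff(api_view, raw_view))
    return sorted(d for d in common if d.name not in benign)


# Constructed sample data; nothing below was captured from a real system.
# NTFS metafiles are visible on the raw volume but never in directory listings.
BENIGN = frozenset({r"C:\$MFT", r"C:\$LogFile"})

# Snapshot 1: a hypothetical hidden driver and a transient temp file that was
# created between the API enumeration and the raw enumeration.
SNAPSHOT_1 = (
    [r"C:\Windows\System32\drivers\ntfs.sys", r"C:\Temp\report.txt"],
    [r"C:\$MFT", r"C:\$LogFile",
     r"C:\Windows\System32\drivers\ntfs.sys",
     r"C:\Windows\System32\drivers\hidden_driver.sys",
     r"C:\Temp\report.txt", r"C:\Temp\tmp1234.dat"],
)

# Snapshot 2, taken shortly after: the temp file is gone from both views,
# the hidden driver is still only in the raw view.
SNAPSHOT_2 = (
    [r"C:\Windows\System32\drivers\ntfs.sys", r"C:\Temp\report.txt"],
    [r"C:\$MFT", r"C:\$LogFile",
     r"C:\Windows\System32\drivers\ntfs.sys",
     r"C:\Windows\System32\drivers\hidden_driver.sys",
     r"C:\Temp\report.txt"],
)


def scan_sample():
    """Run the stable cross-view check over the two constructed snapshots."""
    return stable_discrepancies([SNAPSHOT_1, SNAPSHOT_2], BENIGN)


if __name__ == "__main__":
    for d in scan_sample():
        print(f"{d.kind}: {d.name}")
```

A single snapshot of the constructed data reports four "hidden" entries (the two metafiles, the temp file and the driver); after intersecting the two snapshots and applying the benign list, only the driver that is absent from the API view in both runs remains. In a real scanner the raw view would come from parsing the volume or kernel structures directly rather than from a list, which is where the tools in the article do their work.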
