Malicious hackers have fitted rootkit features into the newest mutants of the Bagle worm, adding a stealthy new danger to an already virulent threat.
According to virus hunters at F-Secure, of Helsinki, Finland, the latest Bagle.GE variant loads a kernel-mode driver to hide the processes and registry keys of itself and other Bagle-related malware from security scanners.
The use of offensive rootkits in existing virus threats signals an aggressive push by attackers to get around existing anti-virus software and maintain a persistent and undetectable presence on infected machines.
Rootkits are typically used by attackers to open a backdoor into Windows systems, collect information on other systems on the network and mask the fact that the system is compromised.
In the case of the Bagle.GE rootkit, F-Secure researcher Jarkko Turkulainen said the rootkit successfully hides processes, files and directories, and registry keys and values, and contains code that will prevent certain security-related processes and kernel-mode modules from running.
It also contains commands to disable security software and delete security-related files whenever they are opened.
The Bagle threat started as a simple e-mail executable in 2004 but has grown and evolved over the years to become one of the most active threats against PC users.
Security researchers estimate that the numerous Bagle variants have infected more computers than any other virus group.
The Bagle authors have used the worm to seed and control botnets for use in spam runs and distributed denial-of-service attacks.
The different variants maintain a complex network of infected machines and are typically used to help newer versions spread and avoid detection.
Panda Software, an Internet security company with headquarters in Spain, said it has discovered at least three new Bagle worm variants with rootkit functions and warned that it is “highly probable” that new specimens will emerge in the near future.
Luis Corrons, director of the company's PandaLabs research unit, said rootkit features are easy to fit into existing worm and virus code.
“Generating and selling rootkits have become a real business model. Due to their capacity to slip past traditional security solutions and their versatility to hide on the system and carry out all types of malicious actions, rootkits have become an opportune tool for cyber-criminals looking to earn them high profits,” Corrons said.
F-Secure also found evidence of a rootkit in Gurong.A, a new worm that is based on the Mydoom code.
Both Mydoom and Bagle are considered “heavy hitters” in the world of malware research.
Like the Bagle rootkit, Gurong.A hides processes, files and launch points whenever the worm is active. It is also able to modify kernel-mode process structures to hide any process it specifies.
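The hiding behaviour described for Bagle.GE and Gurong.A is what a cross-view check is built to expose: an enumeration the scanner trusts is compared against a second view that does not go through the list the rootkit has filtered or unlinked. The script below is an added example written for this article, not code from F-Secure, Panda or Microsoft; it assumes a Windows host with PowerShell and uses only documented Win32 calls (OpenProcess, CloseHandle) plus Get-Process and Win32_Process.

```powershell
# Cross-view process check (added example, not from any vendor named in the article).
# View 1: the user-mode process enumeration a scanner normally relies on.
# View 2: a brute-force OpenProcess probe of every possible PID, which resolves the PID
# through the kernel's own lookup rather than the list a rootkit has unlinked or filtered.
# A PID that is live in view 2 but absent from view 1 is a candidate hidden process.
Add-Type -Namespace Win32 -Name Native -MemberDefinition @'
[DllImport("kernel32.dll", SetLastError = true)]
public static extern IntPtr OpenProcess(uint dwDesiredAccess, bool bInheritHandle, uint dwProcessId);
[DllImport("kernel32.dll", SetLastError = true)]
public static extern bool CloseHandle(IntPtr hObject);
'@

function Find-HiddenProcess {
    param([int]$MaxPid = 65535)   # upper bound for the probe; raise it on busy systems
    $PROCESS_QUERY_LIMITED_INFORMATION = 0x1000
    $ERROR_ACCESS_DENIED = 5       # the PID exists, we simply lack rights to open it

    # View 1: PIDs reported by the ordinary enumeration APIs
    $listed = @{}
    Get-Process | ForEach-Object { $listed[[int]$_.Id] = $true }
    Get-CimInstance Win32_Process | ForEach-Object { $listed[[int]$_.ProcessId] = $true }

    # View 2: ask the kernel directly for every candidate PID (PIDs are multiples of 4)
    $suspects = @()
    for ($candidate = 4; $candidate -le $MaxPid; $candidate += 4) {
        $h = [Win32.Native]::OpenProcess($PROCESS_QUERY_LIMITED_INFORMATION, $false, $candidate)
        $err = [System.Runtime.InteropServices.Marshal]::GetLastWin32Error()
        $alive = $false
        if ($h -ne [IntPtr]::Zero) {
            [void][Win32.Native]::CloseHandle($h)
            $alive = $true
        } elseif ($err -eq $ERROR_ACCESS_DENIED) {
            $alive = $true
        }
        if ($alive -and -not $listed.ContainsKey($candidate)) {
            $suspects += $candidate
        }
    }
    return $suspects
}

# Usage: run elevated and re-check each suspect, because a process that exited while the
# scan ran, or whose handle is still held by a parent or debugger, also shows up here.
$hidden = Find-HiddenProcess
if ($hidden.Count -eq 0) { "No PID reachable via OpenProcess is missing from the process list." }
else { "PIDs alive in the kernel but missing from the enumeration: $($hidden -join ', ')" }
```

A driver that also filters OpenProcess defeats this particular view, so a clean result is one piece of evidence rather than proof that nothing is hidden; the same idea applies to registry keys by comparing an API enumeration against a raw parse of the hive file.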
Gurong.A uses a range of social engineering tricks to propagate via e-mail and also spreads through shared folders in the Kazaa peer-to-peer application.
According to statistics from Microsoft's anti-malware engineering team, more than 20 percent of all malicious code removed from Windows XP SP2 (Service Pack 2) systems is stealth rootkit code.
The rootkits found by Microsoft's malicious software removal tool include FU, an open-source rootkit popular among spyware writers.
In addition to FU, the WinNT/Ispro family of kernel-mode rootkits has been found and removed from Windows machines.