Close
  • Latest News
  • Artificial Intelligence
  • Big Data and Analytics
  • Cloud
  • Networking
  • Cybersecurity
  • Applications
  • IT Management
  • Storage
  • Sponsored
  • Mobile
  • Small Business
  • Development
  • Database
  • Servers
  • Android
  • Apple
  • Innovation
  • Blogs
  • PC Hardware
  • Reviews
  • Search Engines
  • Virtualization
Read Down
Sign in
Close
Welcome!Log into your account
Forgot your password?
Read Down
Password recovery
Recover your password
Close
Search
Logo
Logo
  • Latest News
  • Artificial Intelligence
  • Big Data and Analytics
  • Cloud
  • Networking
  • Cybersecurity
  • Applications
  • IT Management
  • Storage
  • Sponsored
  • Mobile
  • Small Business
  • Development
  • Database
  • Servers
  • Android
  • Apple
  • Innovation
  • Blogs
  • PC Hardware
  • Reviews
  • Search Engines
  • Virtualization
More
    Home Cybersecurity
    • Cybersecurity
    • Servers

    Malicious Bots Hide Using Rootkit Code

    By
    Paul F. Roberts
    -
    May 17, 2005
    Share
    Facebook
    Twitter
    Linkedin

      eWEEK content and product recommendations are editorially independent. We may make money when you click on links to our partners. Learn More.

      Computer viruses and remote control programs called bots are adopting features from stealthy programs called rootkits to avoid detection, according to researchers at Finnish anti-virus software company F-Secure.

      New versions of Rbot, a malicious and ubiquitous remote control program, have features copied and pasted from a well known open-source rootkit called FU. The new features make Rbot invisible to system monitoring tools.

      This is just the latest example of malicious programs borrowing strategies used by rootkits to evade detection on systems they infect, said Mikko Hyppönen, manager of anti-virus research at F-Secure Corp.

      New versions of Rbot are identified almost daily, but recent variants come with a version of a software driver from FU, Hyppönen said.

      When the driver is placed on an infected system, it allows Rbot to hide its process from the Windows task manager, or other task management tools that show users what programs are running on their Windows system.

      The integration of FU with Rbot is crude and was probably done by an inexperienced hacker, or “script kiddie,” who lifted the code wholesale from the FU source code, which was posted on the Internet by the rootkits author, Jamie Butler (aka “Fuzen”) as a proof of concept.

      /zimages/6/28571.gifClick here to read more about attempts at rootkit detection.

      However, other malicious code authors are doing a more thorough job of tying rootkit features into their creations, Hyppönen said.

      A recent variant of the Myfip worm, Myfip.h, incorporated features from FU that allowed it to manipulate data in the system kernel, or Windows core processing center, allowing it to hide its processes, he said.

      The FU source code, available from Web sites like RootKit, is a rich source of information for malicious code writers. However, FU is not a true rootkit and doesnt try to evade detection.

      That means that viruses and malicious programs that use FU components might still raise red flags from security programs that miss the virus processes running, but spot FU running on infected systems, he said.

      Other virus authors seem to be catching on to tricks used by rootkit authors to avoid detection, also.

      A recent version of the Sober worm, Sober.P, used a strategy called “I/O blocking” that doesnt prevent infected e-mails from being spotted, but can keep anti-virus products from detecting Sober.P on infected systems, according to experts.

      Other e-mail worms have attempted to use I/O blocking, which Hyppönen called the “poor mans rootkit,” to evade memory scans by anti-virus software. Sober.P improved on earlier attempts, and can even block scans by the powerful System account on infected systems, according to information posted on the Web site of Kaspersky Lab, a Russian anti-virus company.

      Many anti-virus products dont do what is known as “on access” scanning in memory that would spot such tricks because the scans slow performance too much, said Vincent Gullotto, vice president of McAfee Inc. Avert.

      “There are just so many programs going in and out of memory,” he said.

      /zimages/6/28571.gifRead more here about the latest Sober worm variant.

      While Rbot, Myfip and Sober.P are still easy to spot, the convergence of rootkits, viruses and bots is bad news for computer users, Hyppönen said. More sophisticated rootkits such as “Hacker Defender” are much harder to spot, and could be coupled with bots or other malicious code to create potent threats, he said.

      “Its almost scary. You can install [a program] on your hard drive and play around with it. You know its there, but no matter how hard you try to look for it, you wont see it,” he said. “Potentially, one could write a bot that could not be detected at all.”

      F-Secure is testing a rootkit detection program called BlackLight that can spot some rootkits. Jamie Butler, author of the FU rootkit, has also released a free program called VICE that can spot FU, but most anti-virus companies dont have rootkit detection features in their products, he said.

      /zimages/6/28571.gifCheck out eWEEK.coms for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at eWEEK.com Security Center Editor Larry Seltzers Weblog.

      Paul F. Roberts
      Get the Free Newsletter!
      Subscribe to Daily Tech Insider for top news, trends & analysis
      This email address is invalid.
      Get the Free Newsletter!
      Subscribe to Daily Tech Insider for top news, trends & analysis
      This email address is invalid.

      MOST POPULAR ARTICLES

      Latest News

      Zeus Kerravala on Networking: Multicloud, 5G, and...

      James Maguire - December 16, 2022 0
      I spoke with Zeus Kerravala, industry analyst at ZK Research, about the rapid changes in enterprise networking, as tech advances and digital transformation prompt...
      Read more
      Applications

      Datadog President Amit Agarwal on Trends in...

      James Maguire - November 11, 2022 0
      I spoke with Amit Agarwal, President of Datadog, about infrastructure observability, from current trends to key challenges to the future of this rapidly growing...
      Read more
      Cloud

      IGEL CEO Jed Ayres on Edge and...

      James Maguire - June 14, 2022 0
      I spoke with Jed Ayres, CEO of IGEL, about the endpoint sector, and an open source OS for the cloud; we also spoke about...
      Read more
      Applications

      Kyndryl’s Nicolas Sekkaki on Handling AI and...

      James Maguire - November 9, 2022 0
      I spoke with Nicolas Sekkaki, Group Practice Leader for Applications, Data and AI at Kyndryl, about how companies can boost both their AI and...
      Read more
      IT Management

      Intuit’s Nhung Ho on AI for the...

      James Maguire - May 13, 2022 0
      I spoke with Nhung Ho, Vice President of AI at Intuit, about adoption of AI in the small and medium-sized business market, and how...
      Read more
      Logo

      eWeek has the latest technology news and analysis, buying guides, and product reviews for IT professionals and technology buyers. The site’s focus is on innovative solutions and covering in-depth technical content. eWeek stays on the cutting edge of technology news and IT trends through interviews and expert analysis. Gain insight from top innovators and thought leaders in the fields of IT, business, enterprise software, startups, and more.

      Facebook
      Linkedin
      RSS
      Twitter
      Youtube

      Advertisers

      Advertise with TechnologyAdvice on eWeek and our other IT-focused platforms.

      Advertise with Us

      Menu

      • About eWeek
      • Subscribe to our Newsletter
      • Latest News

      Our Brands

      • Privacy Policy
      • Terms
      • About
      • Contact
      • Advertise
      • Sitemap
      • California – Do Not Sell My Information

      Property of TechnologyAdvice.
      © 2022 TechnologyAdvice. All Rights Reserved

      Advertiser Disclosure: Some of the products that appear on this site are from companies from which TechnologyAdvice receives compensation. This compensation may impact how and where products appear on this site including, for example, the order in which they appear. TechnologyAdvice does not include all companies or all types of products available in the marketplace.

      ×