Rootkits Spawn New Malware

Viruses, bots tap into stealthy code to bypass detection.

Computer viruses and remote control programs called bots are adopting features from stealthy programs called rootkits to avoid detection, security experts say.

New versions of Rbot, a ubiquitous and malicious remote control program, copy and paste features from a well-known open-source rootkit called Fu.

The new features make Rbot invisible to system-monitoring tools and are just the latest example of malicious programs that borrow strategies used by rootkits to evade detection on systems they infect, according to Mikko Hyppönen, director of anti-virus research at F-Secure Corp., based in Helsinki, Finland.

Variants of Rbot emerge almost daily, but recent versions come with a version of a software driver from Fu, Hyppönen said.

When the driver is placed on an infected system, it allows Rbot to hide its process from the Windows task manager or other task management tools.

The integration of Fu with Rbot is crude and was probably done by a script kiddie who lifted the code wholesale from the Fu source code, which was posted on the Internet by the rootkits author, Jamie Butler (aka Fuzen), as a proof of concept.

However, other malicious-code authors are doing a more thorough job of tying rootkit features into their creations, Hyppönen said.

A recent variant of the Myfip worm, Myfip.H, incorporated features from Fu that allowed it to manipulate data in the system kernel, enabling it to hide its processes, Hyppönen said.

The Fu source code is a rich source of information for malicious-code writers. However, Fu is not a true rootkit and doesnt try to evade detection. That means viruses and malicious programs that use Fu components might still raise red flags from security programs that miss the virus processes that are running but that spot Fu running on infected systems, he said.

Other virus authors seem to be catching on to tricks used by rootkit authors to avoid detection, too.

A recent version of the Sober worm, Sober.P, used a strategy called I/O blocking, which doesnt prevent infected e-mail messages from being spotted but can keep anti-virus products from detecting Sober.P on infected systems, according to experts.

Many anti-virus products dont do what is known as "on access" scanning in memory that would spot such tricks because the scans slow performance too much, said Vincent Gullotto, vice president of McAfee Inc.s AVERT (Anti-Virus Emergency Response Team), in Santa Clara, Calif.

"There are just so many programs going in and out of memory," Gullotto said.

While Rbot, Myfip.H and Sober.P are still easy to spot, the convergence of rootkits, viruses and bots is bad news for computer users, according to Hyppönen. More sophisticated rootkits such as Hacker Defender are much harder to spot and could be coupled with bots or other malicious code to create potent threats, Hyppönen said.

F-Secure is testing BlackLight, a rootkit detection program that can spot some rootkits. Butler has also released a free program called Vice that can spot Fu, but most anti-virus companies dont have rootkit detection features in their products.

I, Rbot

Bots, worms adopting rootkit features

Bots, worms adopting rootkit features

* Rbot New versions can hide processes from Windows

* Myfip.H Worm adapts features of rootkit

* Sober.P Worm uses I/O blocking to hide from anti-virus products