The makers of one common spyware program are borrowing techniques from another type of malicious program, known as “rootkits,” to help evade detection on systems they infect, spyware experts say.
Recent versions of the Cool Web Search spyware have rootkit-like features that allow the spyware authors to hide their program files on Windows systems.
The new spyware variants are a sign of the increasing sophistication of malicious code authors, and of spyware makers, according to Roger Thompson, director of malicious content research at Computer Associates International Inc.
Rootkits are programs that give remote attackers administrative access to compromised machines. Using a rootkit, an attacker can peruse a compromised machines hard drive, set up or change user accounts, add, delete, or modify files, and communicate with other machines on a network or the Internet.
The programs often lurk in the background and are difficult to detect, even when they are known to be installed on a system.
Thompson said that new variants of the Cool Web Search spyware, detected in recent weeks, can hide configuration settings in the Windows registry and disguise their presence by hiding rootkit files in alternate data streams.
“It makes a lot of sense for spyware [authors], because with spyware youre trying to hide, versus trying to spread,” Thompson said.
David Moll, CEO of anti-spyware software vendor Webroot Software Inc., said researchers at his company have also seen rootkit features appearing in spyware applications like Cool Web Search.
CA has retrieved samples of Cool Web Search from the Internet with the rootkit features built in, but says the features are not as sophisticated as those found in so-called kernel rootkits, which replace parts of Windows core processor with their own code, allowing the rootkit to be almost completely invisible to users and to many detection tools, Thompson said.
“The stuff Ive seen is probably homegrown, but most of this [rootkit] stuff is open source, so its easy to borrow a bit from here and a bit from there,” he said. Cool Web Search is a ubiquitous piece of malicious code that is the most prevalent breed of spyware on the Internet, according to Webroot.
The software is typically installed on victims computers from malicious Web pages or e-mail messages that exploit Web browser vulnerabilities or use “social engineering” tricks to get users to agree to install the code.
Once on a system, Cool Web Search hijacks Web browsers, redirecting users to Cool Web Search member sites. The program may also come bundled with reams of other adware and spyware programs, experts say.
Not much is known about the parties behind Cool Web Search, though they are widely believed to be based in Russia or Eastern Europe.
Virus writers have also latched on to rootkit programs to help disguise their creations in recent months.
New versions of Rbot, a malicious “back door,” or remote control, program, have features taken from FU, a well-known open-source rootkit, F-Secure Corp said in May.
Spurred by profits from online identity theft and from “pay-per-install” software vendors, spyware authors are innovating rapidly, especially when it comes to avoiding detection during installation, and afterwards, when spyware programs often transmit data from the compromised system, Webroots Moll said.
“Were seeing innovation in three vectors right now: infiltration, communication, and perpetuation,” he said.
Cool Web Search showed up in 8 percent of all spyware scans by Webroot. The program has traditionally not been hard to detect, but has been very hard to remove once it is installed, pushing it to the top of the spyware pantheon, Moll said.
“Once you get it, you cant get rid of it, and thats proven to be a real heartache for people,” he said.