Close
  • Latest News
  • Artificial Intelligence
  • Big Data and Analytics
  • Cloud
  • Networking
  • Cybersecurity
  • Applications
  • IT Management
  • Storage
  • Sponsored
  • Mobile
  • Small Business
  • Development
  • Database
  • Servers
  • Android
  • Apple
  • Innovation
  • Blogs
  • PC Hardware
  • Reviews
  • Search Engines
  • Virtualization
Read Down
Sign in
Close
Welcome!Log into your account
Forgot your password?
Read Down
Password recovery
Recover your password
Close
Search
Logo
Logo
  • Latest News
  • Artificial Intelligence
  • Big Data and Analytics
  • Cloud
  • Networking
  • Cybersecurity
  • Applications
  • IT Management
  • Storage
  • Sponsored
  • Mobile
  • Small Business
  • Development
  • Database
  • Servers
  • Android
  • Apple
  • Innovation
  • Blogs
  • PC Hardware
  • Reviews
  • Search Engines
  • Virtualization
More
    Home Cybersecurity
    • Cybersecurity

    Where are Rootkits Coming From?

    By
    Ryan Naraine
    -
    December 7, 2005
    Share
    Facebook
    Twitter
    Linkedin

      The sharp rise in rootkit detections on Windows machines is a direct result of adware/spyware vendors using sophisticated techniques to hide processes and prevent uninstallation, according to anti-virus vendor F-Secure Corp.

      The Finnish company, which ships an anti-rootkit scanner in its security suite, has identified ContextPlus, Inc., makers of the Apropos and PeopleOnPage adware programs, as the company responsible for a large number of stealth rootkit infections.

      F-Secure chief incident officer Mikko Hypponen said the companys BlackLight technology has discovered the use of “very advanced rootkit technologies” in Apropos, a spyware program that collects users browsing habits and system information and reports back to the ContextPlus servers.

      Like the typical spyware application, Apropos uses the data to serve targeted pop-up advertisements while the user is surfing the Web.

      Unlike the average worm or bot that use rootkit technologies to avoid detection, Hypponen said the rootkit features built into Apropos arent being used to hide the existence of the program on the machine.

      “Theyre using a very sophisticated kernel-mode rootkit that allows the program to hide files, directories, registry keys and processes,” Hypponen explained in an interview.

      /zimages/1/28571.gifRootkit detection coming to Windows AntiSpyware. Click here to read more.

      The rootkit fitted into Apropos is implemented by a kernel-mode driver that starts automatically early in the boot process. When the files and registry keys have been hidden, no user-mode process is allowed to access them.

      Hypponen said the rootkit removal statistics released by Microsoft Corp. were consistent with the response received from F-Secure customers using the anti-rootkit scanner.

      “In the nine months since we released BlackLight, were seeing the same things that Microsoft is reporting. We have definitely seen the FU rootkit being extremely widespread this year,” he said. Hypponen noted that the open-source nature of FU and other rootkits has allowed spyware purveyors to add drivers from an existing rootkit and cut-and-paste the user-mode code for controlling the driver.

      On the F-Secure Weblog, Hypponen described FU as “a very simple rootkit to cut-and-paste into worms and bots.”

      He said FU only hides processes, not files or registry keys.

      “Currently worm and bot authors are mainly interested in hiding their processes from Task Manager. They are not that keen on hiding files since most Windows users do not know which files should be in their “System32″ folder, anyways,” Hypponen said.

      Microsoft lists FU among the top-five pieces of malware deleted by its free Windows malicious software removal tool. Two other stealth rootkits—WinNT/Ispro and Win32/HackDef—are also high on the list of removed malware.

      According to F-Secures Hypponen, the appearance of Win32/HackDef, otherwise known as “Hacker Defender,” is a dangerous sign.

      Although its not as prevalent as FU on infected machines, he said malware writers regularly use “Hacker Defender” in bots and backdoors to mask the presence of the malware.

      In addition, he said “Hacker Defender” is regularly used by malicious hackers on compromised corporate servers. “Therefore, despite the infection numbers of HacDef are most likely much below those of FU, these infections are usually far more serious.”

      /zimages/1/28571.gifSecurity vendors clueless over rootkit invasion. Click here to read more.

      “The FU rootkit is widespread and dangerous, but if I find HackDef or one of the other advanced rootkits like the one used in Apropos, Id be much more concerned,” Hypponen said.

      He said the Apropos rootkit uses kernel-mode drivers that patch the Windows kernel “at a very deep level.” It also modifies several important data structures and native API functions implemented by the kernel.

      Hypponen said F-Secure researchers have also discovered a new tactic used by ContextPlus to wend its way around anti-spyware and other desktop security applications.

      “The rootkit is not the only advanced trick theyre using. Weve seen ContextPlus using a polymorphic wrapper that constantly changes the appearance of the spyware file,” he said.

      “Every time you download the Apropos program from ContextPlus servers, it looks totally different. The download server is regenerating the program for every single download. That makes it a huge problem for traditional anti-spyware scanners,” he said.

      ContextPlus did not respond to numerous e-mail queries for comment.

      Eric L. Howes, an anti-spyware researcher and consultant, said ContextPlus has been notoriously difficult to track down. Several domains associated with the company are registered anonymously or by registrants in France and Poland.

      /zimages/1/28571.gifClick here to read about the chaotic world of defining spyware.

      “I wouldnt be surprised to learn they were somewhere in the U.S.,” Howes said in an e-mail exchange with Ziff Davis Internet News. “All in all, its rather bizarre.”

      Howes said F-Secures identification of ContextPlus and Apropos was rather significant. “Rootkits are commonly associated with out-and-out-malware created by black hats hacking servers and planting backdoors. Yet F-Secure is now saying the most common deployer of rootkits is a commercial adware firm.”

      On the ContextPlus Web site, the company is described as a “one-to-one desktop marketing” concern.

      /zimages/1/28571.gifCheck out eWEEK.coms for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at eWEEK.com Security Center Editor Larry Seltzers Weblog.

      Ryan Naraine
      Get the Free Newsletter!
      Subscribe to Daily Tech Insider for top news, trends & analysis
      This email address is invalid.
      Get the Free Newsletter!
      Subscribe to Daily Tech Insider for top news, trends & analysis
      This email address is invalid.

      MOST POPULAR ARTICLES

      Latest News

      Zeus Kerravala on Networking: Multicloud, 5G, and...

      James Maguire - December 16, 2022 0
      I spoke with Zeus Kerravala, industry analyst at ZK Research, about the rapid changes in enterprise networking, as tech advances and digital transformation prompt...
      Read more
      Applications

      Datadog President Amit Agarwal on Trends in...

      James Maguire - November 11, 2022 0
      I spoke with Amit Agarwal, President of Datadog, about infrastructure observability, from current trends to key challenges to the future of this rapidly growing...
      Read more
      IT Management

      Intuit’s Nhung Ho on AI for the...

      James Maguire - May 13, 2022 0
      I spoke with Nhung Ho, Vice President of AI at Intuit, about adoption of AI in the small and medium-sized business market, and how...
      Read more
      Applications

      Kyndryl’s Nicolas Sekkaki on Handling AI and...

      James Maguire - November 9, 2022 0
      I spoke with Nicolas Sekkaki, Group Practice Leader for Applications, Data and AI at Kyndryl, about how companies can boost both their AI and...
      Read more
      Cloud

      IGEL CEO Jed Ayres on Edge and...

      James Maguire - June 14, 2022 0
      I spoke with Jed Ayres, CEO of IGEL, about the endpoint sector, and an open source OS for the cloud; we also spoke about...
      Read more
      Logo

      eWeek has the latest technology news and analysis, buying guides, and product reviews for IT professionals and technology buyers. The site’s focus is on innovative solutions and covering in-depth technical content. eWeek stays on the cutting edge of technology news and IT trends through interviews and expert analysis. Gain insight from top innovators and thought leaders in the fields of IT, business, enterprise software, startups, and more.

      Facebook
      Linkedin
      RSS
      Twitter
      Youtube

      Advertisers

      Advertise with TechnologyAdvice on eWeek and our other IT-focused platforms.

      Advertise with Us

      Menu

      • About eWeek
      • Subscribe to our Newsletter
      • Latest News

      Our Brands

      • Privacy Policy
      • Terms
      • About
      • Contact
      • Advertise
      • Sitemap
      • California – Do Not Sell My Information

      Property of TechnologyAdvice.
      © 2022 TechnologyAdvice. All Rights Reserved

      Advertiser Disclosure: Some of the products that appear on this site are from companies from which TechnologyAdvice receives compensation. This compensation may impact how and where products appear on this site including, for example, the order in which they appear. TechnologyAdvice does not include all companies or all types of products available in the marketplace.

      ×