Over the last seven months, Panda Anti-Rootkit has let us gather some really interesting statistics on which rootkits are most actively infecting users, as well as on new rootkit techniques emerging in the wild.
Out of the tens of thousands of machines cleaned so far, the most prevalent rootkits in-the-wild are by far Beagle.FU and Adware/NaviPromo. Together they account for almost 64% of all rootkit detections. The different variants of Rustock come in third place with 16% of the infections, followed by Flush.K, Zlob.A and Peacomm.B.
The simplest technique rootkits use to hide files, processes and registry entries is hooking the import/export address tables (IAT/EAT) of the processes that query for them. The rootkit's hook intercepts the results the system returns to the querying process and filters out the entries it wants hidden. Because these hooks are placed in user mode, they only affect the processes whose IAT/EAT has been patched; a process the rootkit has not hooked, or a tool that bypasses the hooked API, still sees the hidden objects.
Kernel-mode rootkits, on the other hand, load a driver that typically patches the System Service Descriptor Table (SSDT) or the Interrupt Descriptor Table (IDT). More advanced variants directly modify kernel data structures (DKOM, for example unlinking their own process from the active-process list), redirect the SYSENTER entry point by rewriting the IA32_SYSENTER_EIP MSR, or hook the IRP dispatch routines of file-system and other drivers, effectively filtering the calls that reach them. In the following table we can see which technique each of the Top 5 rootkits uses.
Advanced rootkit techniques
Lately, rootkits have adopted new techniques to evade detection by anti-rootkit utilities. One is to install themselves in an NTFS alternate data stream (ADS), which makes detection, and especially disinfection, much more difficult. Good examples are Oddysee.B, which installs itself in an ADS of NTOSKRNL.EXE; Rustock.A, which installs in an ADS of the C:\Windows\System32 directory (NTFS allows named streams on directories, not just on files); and the atypical Unreal, which installs in an ADS of the system drive.
One of the most common strategies for detecting objects hidden by rootkits is cross-view comparison. To find hidden files, the anti-rootkit first enumerates the file system through the normal system API functions, which the rootkit has hooked; the hidden file does not appear in these results. It then performs a second enumeration through lower-level access the rootkit does not intercept (for instance parsing the NTFS master file table directly) and compares the two listings: anything present in the low-level view but absent from the API view has been hidden. However, many cross-view implementations do not enumerate alternate data streams in their low-level pass, so a rootkit that lives in an ADS appears in neither view and goes undetected.
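The following is an added illustration of the cross-view idea, not Panda's code. It models a raw NTFS volume as an in-memory map from path to the set of streams on that object, simulates a hooked Find* API that drops one file name, and runs the comparison twice: once the naive way (file names only) and once at stream granularity. All paths, file names and stream names are constructed for the example; in particular the stream names are not the real ones used by Rustock, Oddysee or Unreal.

```python
# Added example (not Panda Anti-Rootkit's code): cross-view detection of
# files hidden by a rootkit, in a naive file-only form and an ADS-aware
# form. The volume contents, file names and stream names are constructed.

def basename(path: str) -> str:
    """Last component of a Windows path (plain string handling, so the
    example also runs on a non-Windows host where pathlib would not
    treat backslashes as separators)."""
    return path.rstrip("\\").rsplit("\\", 1)[-1]


# Constructed raw volume: path -> set of stream names on that object.
# "" is the unnamed $DATA stream; anything else is a named stream (ADS).
# On NTFS the volume root and directories can carry named streams too.
RAW_VOLUME = {
    "C:\\": {"", "unreal.sys"},                              # Unreal-style: ADS of the system drive
    "C:\\Windows\\System32": {"", "lzx32.sys"},               # Rustock-style: ADS of the System32 directory
    "C:\\Windows\\System32\\ntoskrnl.exe": {"", "odyssee"},   # Oddysee-style: ADS of ntoskrnl.exe
    "C:\\Windows\\System32\\kernel32.dll": {""},              # ordinary file, nothing hidden
    "C:\\Windows\\System32\\drivers\\evil.sys": {""},         # ordinary file hidden by an API hook (hypothetical name)
}

# Names the simulated IAT/SSDT hook strips from directory listings.
ROOTKIT_FILTER = {"evil.sys"}


def hooked_api_listing(volume):
    """High-level view: what FindFirstFile/FindNextFile return once the
    rootkit's hook has filtered them. The Find* API never reports named
    streams at all, hooked or not."""
    return {p for p in volume if basename(p) not in ROOTKIT_FILTER}


def raw_listing_files_only(volume):
    """Low-level view of a naive anti-rootkit: reads the MFT directly (here:
    the dict), so the hook cannot interfere, but records only file and
    directory names, never their streams."""
    return set(volume)


def raw_listing_with_streams(volume):
    """ADS-aware low-level view: one (path, stream) entry per $DATA
    attribute found in the MFT record."""
    return {(p, s) for p, streams in volume.items() for s in streams}


def fmt(path, stream):
    """Windows notation: path for the unnamed stream, path:stream for an ADS."""
    return path if stream == "" else f"{path}:{stream}"


def naive_cross_view(volume):
    """Objects present in the raw view but missing from the API view."""
    return sorted(raw_listing_files_only(volume) - hooked_api_listing(volume))


def ads_aware_cross_view(volume):
    """Same comparison at stream granularity. The API view is lifted to
    (path, "") pairs because it only ever exposes the unnamed stream, so
    every named stream on the volume shows up as hidden."""
    api_view = {(p, "") for p in hooked_api_listing(volume)}
    hidden = raw_listing_with_streams(volume) - api_view
    return sorted(fmt(p, s) for p, s in hidden)


if __name__ == "__main__":
    print("naive cross-view :", naive_cross_view(RAW_VOLUME))
    print("ADS-aware        :", ads_aware_cross_view(RAW_VOLUME))
```

The naive pass catches only the file the hook filters out; the three ADS-resident samples are invisible to it because neither of its views knows about streams. On a real system the high-level view comes from FindFirstFileW/FindNextFileW and the low-level view from parsing the $MFT through raw volume reads or a custom driver; stream-enumerating APIs such as BackupRead or FindFirstStreamW can be hooked just like the Find* calls, so the stream list has to come from the MFT records themselves.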
Rustock is worth mentioning again when talking about ADS rootkits. It is probably the most dangerous rootkit in the wild, not only because it is the third most prevalent but also because of the advanced techniques it uses and the malicious actions it performs:
- Hides in an ADS of the C:\Windows\System32 directory.
- Hides its execution by injecting itself into kernel threads, so it is not detected as a hidden process.
- Removes its own entries from the kernel structures anti-rootkits typically search to detect hidden drivers (for example the loaded-module list).
- Searches for certain security products to further evade detection.
- Installs a hidden proxy used to send spam.
Because of this, Rustock is definitely the most difficult rootkit to detect and especially to disinfect. Therefore it receives our "Most Interesting Rootkit" award.
7 comments
Hi !
I want to download a Rootkit process free for home,
Is it possible ?
Cordially,
Dan (from France)
Dan, you can download our free Panda Anti-Rootkit from this blog. Or simply visit http://research.pandasecurity.com/archive/New-Panda-Anti_2D00_Rootkit-_2D00_-Version-1.07.aspx
Well, I like how malware works… I only know rootkits with .sys extensions; are there .exe rootkits?
Rootkits are traditionally drivers (.sys), but there are other techniques, such as hiding in an ADS, injecting into other processes, etc., which can be performed by .exe files.
It seems like rootkit these days are getting more and more advanced.
Have you guys figured out a way to deter the spread of Torpig / Mebroot?
@Clark, as a matter of fact Torpig/Mebroot/Sinowal implements a few different hiding techniques, some of which are very complex. Obviously we’re not going to discuss openly which techniques we detect & disinfect and which we don’t as it would be giving hints to the bad guys, but we are constantly monitoring Sinowal (and other similar complex threats) and adapting our techniques to be able to detect/disinfect them correctly. In fact we have a specialized team at PandaLabs dedicated to these types of complex threats.