Microsoft: Stealth Rootkits Are Bombarding XP SP2 Boxes
More than 20 percent of all malware removed from Windows XP SP2 (Service Pack 2) systems are stealth rootkits, according to a senior official in Microsoft Corp.'s security unit.
Jason Garms, architect and group program manager in Microsoft's Anti-Malware Technology Team, said the open-source FU rootkit ranks high on the list of malicious software programs deleted by the free Windows worm zapping utility.
"I can tell you that FU is the fifth most removed piece of malware. We're finding the FU rootkit in many different versions of Rbot," Garms said, referring to the IRC-controlled backdoor used to illegally infect Windows PCs with spyware.
In addition to the FU rootkit, Garms said the WinNT/Ispro family of kernel mode rootkits features in the top-five list every month.
WinNT/Ispro, like FU, is often bundled with illegally installed spyware to allow an attacker to modify certain files and registry keys to avoid detection on an infected machine.
"Hacker Defender," another rootkit program that is available for sale on the Internet, has also been detected and deleted regularly.
Garms shared statistics culled from the worm cleansing tool in an interview with Ziff Davis Internet News and warned that the high rate of rootkit infections confirms fears that virus writers are using the most sophisticated techniques to hide malicious programs.
For the most part, the rootkits are being detected and removed from Windows XP (gold) versions, but infection rates on XP SP1 and XP SP2 machines are also high.
The Ispro rootkit, for example, was prevalent on 50 percent of all Windows XP machines without a service pack. About 20 percent of all scans of machines running XP SP1 and SP2 also found the rootkit.
The numbers are roughly the same for the FU rootkit, while the Win32/HackDef stealth rootkit is lower down on the list, Garms said.
Beyond rootkits, the rate of XP SP2 infections from malware that uses social engineering techniques is staggering, Garms said.
"The social engineering tactic is working for virus writers. People are still clicking on attachments and links in IM messages and becoming infected. Even with all the education programs, there's still a large number of customers being tricked every day," Garms said.
More here:
http://www.eweek.com/article2/0,1895,1896605,00.asp