Where are Rootkits Coming From?


The sharp rise in rootkit detections on Windows machines is a direct result of adware/spyware vendors using sophisticated techniques to hide processes and prevent uninstallation, according to anti-virus vendor F-Secure Corp.

The Finnish company, which ships an anti-rootkit scanner in its security suite, has identified ContextPlus, Inc., makers of the Apropos and PeopleOnPage adware programs, as the company responsible for a large number of stealth rootkit infections.


F-Secure chief incident officer Mikko Hypponen said the company's BlackLight technology has discovered the use of "very advanced rootkit technologies" in Apropos, a spyware program that collects users' browsing habits and system information and reports back to the ContextPlus servers.
Like the typical spyware application, Apropos uses the data to serve targeted pop-up advertisements while the user is surfing the Web.


Unlike the average worm or bot that use rootkit technologies to avoid detection, Hypponen said the rootkit features built into Apropos aren't being used to hide the existence of the program on the machine.
"They're using a very sophisticated kernel-mode rootkit that allows the program to hide files, directories, registry keys and processes," Hypponen explained in an interview.

The rootkit fitted into Apropos is implemented by a kernel-mode driver that starts automatically early in the boot process. When the files and registry keys have been hidden, no user-mode process is allowed to access them.

Hypponen said the rootkit removal statistics released by Microsoft Corp. were consistent with the response received from F-Secure customers using the anti-rootkit scanner.

"In the nine months since we released BlackLight, we're seeing the same things that Microsoft is reporting. We have definitely seen the FU rootkit being extremely widespread this year," he said. Hypponen noted that the open-source nature of FU and other rootkits has allowed spyware purveyors to add drivers from an existing rootkit and cut-and-paste the user-mode code for controlling the driver.

Microsoft lists FU among the top-five pieces of malware deleted by its free Windows malicious software removal tool. Two other stealth rootkits?WinNT/Ispro and Win32/HackDef?are also high on the list of removed malware.


According to F-Secure's Hypponen, the appearance of Win32/HackDef, otherwise known as "Hacker Defender," is a dangerous sign.
Although it's not as prevalent as FU on infected machines, he said malware writers regularly use "Hacker Defender" in bots and backdoors to mask the presence of the malware.

In addition, he said "Hacker Defender" is regularly used by malicious hackers on compromised corporate servers. "Therefore, despite the infection numbers of HacDef are most likely much below those of FU, these infections are usually far more serious."

"The FU rootkit is widespread and dangerous, but if I find HackDef or one of the other advanced rootkits like the one used in Apropos, I'd be much more concerned," Hypponen said.

He said the Apropos rootkit uses kernel-mode drivers that patch the Windows kernel "at a very deep level." It also modifies several important data structures and native API functions implemented by the kernel.


Hypponen said F-Secure researchers have also discovered a new tactic used by ContextPlus to wend its way around anti-spyware and other desktop security applications.
"The rootkit is not the only advanced trick they're using. We've seen ContextPlus using a polymorphic wrapper that constantly changes the appearance of the spyware file," he said.

"Every time you download the Apropos program from ContextPlus servers, it looks totally different. The download server is regenerating the program for every single download. That makes it a huge problem for traditional anti-spyware scanners," he said.



More here:
http://www.eweek.com/article2/0,1895,1897728,00.asp