Archive for March, 2006

Bagle Worm now using Rootkits

Saturday, March 25th, 2006

A new rootkit has been found in the wild and reported by F-Secure, only days after Sana Security found the Rootkit.Hearse rootkit. This time the rootkit code has been bundled with the Bagle worm to make up new Bagle variants.

This is a new departure for the Bagle worm, which has been in existence for a while now. Bagle is already a capable worm, but the addition of rootkit techniques makes it more dangerous, because the infection can stay hidden from the user and from the security tools running on the PC.

The Bagle variants Bagle.GE and Bagle.GF work together to set up a proxy on the infected PC, so that the author can use the machine to send out spam and for other criminal activity. Bagle.GE carries the rootkit code, which in turn hides the files that Bagle.GF uses.

F-Secure reports that the rootkit code is limited and looks like a test run for worse to come.

Keep Safe

regards
Steo
www.antirootkit.com

Sana Security uncovers a scary Trojan.Hearse

Thursday, March 23rd, 2006

A new rootkit known as Trojan.Hearse (also referred to as Rootkit.Hearse) has been discovered by Sana Security. It was found while researchers were investigating the W32.Alcra worm, and what they found would alarm any user.

As part of its payload the worm contacted a Russian server and downloaded a Trojan along with a rootkit. Once run, the downloaded files are hidden by the rootkit from anti-virus and other anti-malware programs and cannot be detected by normal methods.

When installed, the Trojan searches the PC for stored passwords and sends them to a second Russian server, where they are kept. It also waits in the background for the user to visit a site that asks for a username and password; when it sees such a site it logs the credentials and once again sends them to the Russian server.

Sana Security found that the Russian server was not protected, and that anyone with an ordinary browser could view the logs uploaded to it. The logs show web addresses along with the username and password for each address. After a few days the server had stored credentials for 35,000 unique usernames across 7,000 websites, which gives some idea of how large the infection is.

Well done to the researchers over at Sana Security for uncovering this. I just wonder how many other infections like this are hidden and using the same techniques as Rootkit.Hearse.

Keep Safe

regards
Steo
www.antirootkit.com

Microsoft demonstrates Virtual Machine Rootkit – SubVirt

Sunday, March 12th, 2006

Researchers at Microsoft Research and the University of Michigan have demonstrated that a rootkit can hide beneath the operating system by running the whole OS inside a virtual machine.

The researchers came up with proof-of-concept code called SubVirt that loads a Virtual Machine Monitor (VMM) containing other malware of use to criminals, such as keyloggers. The VMM is installed underneath the existing operating system once the attacker has gained administrative privileges, for example through a vulnerability in that operating system; the boot sequence is modified so that when the PC is booted it first loads the VMM, which in turn boots the user's normal operating system as a guest, whether that is XP, Linux, etc. The user will see no obvious signs that the VMM is loaded: it uses little processing power or memory and presents no information to the guest OS.

“Any code running within an attack OS is effectively invisible. The ability to run invisible malicious services in an attack OS gives intruders the freedom to use user-mode code with less fear of detection,” the researchers said.

Existing anti-rootkit tools commonly rely on comparing file system and API views from inside the running OS and looking for discrepancies, a technique that cannot unearth virtual machine malware: both views are taken from inside the guest, and the VMM sits beneath them. Detecting this class of rootkit means looking from outside the subverted system, for example by booting from trusted media and inspecting the disk, or by checking the boot chain against measurements taken by hardware such as a TPM. The researchers hope their work will help security firms adapt their technology to combat this new class of threat.

Keep Safe

regards
Steo
www.antirootkit.com

World of Warcraft hackers use Sony BMG rootkit to cheat

Friday, March 10th, 2006

A group of hackers have shown how they can use the Sony BMG rootkit to help them cheat at World of Warcraft. World of Warcraft (WoW) is a very popular online game created by Blizzard Entertainment.

When WoW is installed, another program called “The Warden” is installed along with it. It checks a player’s computer memory for running processes that match known cheat tools. The check is automatic, only reports violators, and is explicitly allowed under the terms of service and end-user license agreement. Blizzard Entertainment has nevertheless been accused of using “The Warden” as a “spyware” program.

WoW cheaters can now run their cheat programs hidden by the Sony rootkit. All they have to do is rename the files by putting $sys$ in front of the filename, since the rootkit cloaks every file, process and registry key whose name begins with that string. The trick only works on a PC that already has the Sony BMG rootkit installed, which is the case once one of the copy-protected Sony BMG CDs has been played on it.
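The $sys$ trick above, and the cross-view discrepancy check that anti-rootkit tools use (mentioned in the SubVirt post), can be shown together in a small simulation. This is an added example, not code from this site, from Sony BMG, from Blizzard or from any rootkit: the "hooked" listing stands in for the filtered view a user-mode scanner gets once the Sony driver is cloaking names, the "raw" listing stands in for an unfiltered view (a tool reading the disk directly, or the same directory seen after a clean boot), and the cheat name wowcheat.exe and the blocklist are constructed for the demonstration.

```python
"""Cross-view detection of $sys$-prefix file hiding (constructed simulation)."""
import os
import tempfile
from pathlib import Path

HIDE_PREFIX = "$sys$"  # the prefix the Sony BMG rootkit cloaks


def hooked_listdir(path: str) -> list[str]:
    """Directory listing as seen through the cloaked API.

    Simulates the rootkit hook: any name beginning with $sys$ is silently
    dropped, which is why a cheat renamed to $sys$cheat.exe is invisible
    to a scanner that only uses the normal API.
    """
    return [n for n in os.listdir(path) if not n.startswith(HIDE_PREFIX)]


def raw_listdir(path: str) -> list[str]:
    """Unfiltered listing: the view an out-of-band reader gets."""
    return os.listdir(path)


def cross_view_diff(path: str, api_view, raw_view) -> list[str]:
    """Names present in the raw view but missing from the API view.

    A non-empty result is exactly the discrepancy that anti-rootkit tools
    report. If the rootkit sat below both views (a VMM-level rootkit), both
    listings would agree and this diff would stay empty.
    """
    return sorted(set(raw_view(path)) - set(api_view(path)))


def name_scan(names: list[str], blocklist: set[str]) -> list[str]:
    """Stand-in for a name-based cheat scan (hypothetical, not the Warden).

    Strips the cloaking prefix before matching so that a renamed cheat is
    still recognised whenever the scan is fed an unfiltered listing.
    """
    hits = []
    for n in names:
        bare = n[len(HIDE_PREFIX):] if n.startswith(HIDE_PREFIX) else n
        if bare.lower() in blocklist:
            hits.append(n)
    return hits


def demo() -> dict:
    """Build a constructed directory, run both checks, return the findings."""
    blocklist = {"wowcheat.exe"}  # constructed cheat name for the demo
    with tempfile.TemporaryDirectory() as d:
        for name in ("readme.txt", "wow.exe", "$sys$wowcheat.exe"):
            Path(d, name).write_bytes(b"")
        hidden = cross_view_diff(d, hooked_listdir, raw_listdir)
        api_hits = name_scan(hooked_listdir(d), blocklist)  # cloaked view
        raw_hits = name_scan(raw_listdir(d), blocklist)     # unfiltered view
    return {"hidden": hidden, "api_hits": api_hits, "raw_hits": raw_hits}


if __name__ == "__main__":
    print(demo())
```

Run it and the scan fed the cloaked listing finds nothing, while the cross-view diff lists $sys$wowcheat.exe and the scan fed the raw listing flags it. The point for a defender is that a name-based scanner is only as good as the view it is given; the point from the SubVirt post is that once the rootkit sits underneath the operating system, no view taken from inside that OS is raw any more.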

Greg Hoglund has created a program called “The Governor” that will show users what “The Warden” spyware is doing in the background.

Keep Safe

regards
Steo
www.antirootkit.com