Archive for April, 2006

Rootkits To Mask Most Malware By 2008

Saturday, April 22nd, 2006

McAfee has reported that it expects most malware to have a rootkit component by 2008. McAfee has published its quarterly bulletin for the first quarter of 2006 and says that there was a noticeable increase in the use of rootkits for hiding malware in the first quarter of 2006 compared with the whole of 2005.

McAfee stated in its report that during the last three years the use of rootkits in malware has increased by over 600%. In 2005, 2% of all malware contained rootkit technology and techniques. It is expected that by the end of 2006 that percentage will be around 14%, and over 80% by the end of 2007.

Rootkits are too obvious a tool for malware writers to ignore. A rootkit may keep the malware hidden from malware scanners for longer, so the writer gets more use out of the malware and ultimately more money from spam and the like being sent from the infected PC.

McAfee, in its report, complained about Internet sites that publicly publish rootkits and information that attackers can use. This is indeed a double-edged sword, as it provides criminals with the code to use in their malware but, I think, more importantly it provides big companies with enough information to use in their products for detecting rootkits.

Keep Safe

regards
Steo
www.antirootkit.com

Do Open Source rootkits help malware or anti-malware writers

Monday, April 17th, 2006

There has been much debate recently regarding the availability of rootkits on the internet, like FU and other hard-to-find rootkits. The debate centres on the fact that they are available: are they being used by malware writers and hackers to write harder-to-find malware, or are they being used by anti-malware writers to scan for new threats?

Most of the rootkits available are proof-of-concept programs that show how it is possible to hide software and data on a computer. A rootkit author who makes the rootkit publicly available with the source code can be seen by some people as a person who is helping malware writers. The authors themselves will tell you that they are making it available to the big anti-virus companies as well. Many of the large anti-virus companies, like Symantec and McAfee, do not have specific rootkit-finding engines, and many rootkits can hide easily from most anti-virus software.

McAfee executives have recently come out against rootkit.com for helping spread rootkits around the world. Greg Hoglund of rootkit.com then came out with his own blast against the McAfee executive, an apparent friend of Hoglund. See the rant here on Greg Hoglund's blog; interesting reading indeed.

The users over at rootkit.com are people with a lot of knowledge of the kernel and thus come up with many interesting new ideas and methods for hiding programs and data on computers. McAfee and the other anti-virus software vendors have entire communities of developers and research-and-development teams at their disposal. They should embrace the information that the site comes up with and use it in their software to find the rootkits that are ultimately hiding the viruses and spyware they are trying to find.

Rootkits - World’s First Standalone Kernel Mode IRC Bot

Saturday, April 8th, 2006

Tibbar, a student, has created what is becoming widely known as the world's first standalone kernel-mode bot. Tibbar (Rabbit backwards) has published his proof of concept on his blog recently.

This is a new and interesting concept. Normally a rootkit needs help from programs outside its control to deliver its payload. Tibbar's IRC bot is actually held within the rootkit and does not need the assistance of any outside program to operate.

Tibbar used code that is publicly available and modified it to create his kernel-mode IRC bot. Many people have challenged Tibbar as to why he published this proof of concept, saying that he is adding to the arsenal of malware writers. This may be true, but what is also true is that the big anti-virus companies should pick up on this and help ordinary users be protected from rootkits and stealthy malware.

Keep Safe

regards
Steo
www.antirootkit.com

Microsoft says wipe your drive to remove Rootkits

Wednesday, April 5th, 2006

Mike Danseglio, program manager in the Security Solutions group at Microsoft, said in a presentation at the InfoSec World conference that in order to remove rootkits users will have to wipe their hard drive and reinstall the operating system.

When a rootkit is installed on a PC it hides itself, its files, running programs and network traffic from the user and from the user's anti-virus and anti-spyware scanners. A rootkit can be detected by looking into the kernel areas that rootkits use. Once a rootkit is found it can be removed, but the files and other items it was hiding may not be easily found. To this end, the only way for users to know that the rootkit and the files it was hiding are completely gone is to wipe the drive.
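One practical form of "looking past what the scanner is shown" is a cross-view check: compare the process list a scanner would normally see with the kernel's own answer for each PID and report the difference. The script below is an added example, not code from the original post or from Microsoft; it assumes a Linux host with /proc mounted, and all function names are my own.

```python
import os

def pid_alive(pid):
    """Low-level view: ask the kernel directly (null signal) whether a PID exists."""
    try:
        os.kill(pid, 0)
    except ProcessLookupError:
        return False
    except PermissionError:
        return True   # exists, just not ours to signal
    return True

def proc_listing():
    """High-level view: the /proc entries that ps, top and most scanners rely on."""
    return {int(n) for n in os.listdir("/proc") if n.isdigit()}

def thread_ids(pids):
    """kill(tid, 0) also succeeds for thread IDs, which never appear as top-level
    /proc entries; collect them so they are not reported as hidden processes."""
    tids = set()
    for pid in pids:
        try:
            tids.update(int(t) for t in os.listdir(f"/proc/{pid}/task"))
        except OSError:
            pass  # process exited between the two views
    return tids

def cross_view_diff(listed, probed, tids):
    """Core check: confirmed by the kernel, absent from the listing, and not a
    thread of a listed process -> candidate hidden process."""
    return set(probed) - set(listed) - set(tids)

def read_pid_max():
    try:
        with open("/proc/sys/kernel/pid_max") as f:
            return int(f.read())
    except OSError:
        return 32768  # Linux default when the sysctl is unreadable

def hidden_processes(max_pid=None):
    max_pid = max_pid or read_pid_max()
    listed = proc_listing()
    tids = thread_ids(listed)
    probed = {p for p in range(1, max_pid + 1) if pid_alive(p)}
    candidates = cross_view_diff(listed, probed, tids)
    # Re-check: processes that started or exited mid-scan are noise, not rootkits.
    fresh = proc_listing()
    fresh_tids = thread_ids(fresh)
    return {p for p in candidates
            if p not in fresh and p not in fresh_tids and pid_alive(p)}

if __name__ == "__main__":
    print("hidden PIDs:", sorted(hidden_processes()) or "none")
```

A non-empty result is a lead, not a verdict: confirm it by inspecting the kernel from outside the suspect system (offline disk image, a boot from known-good media) before acting on it.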

This may be overkill, as most "in the wild" rootkits hide variants of existing malware and viruses. Once the rootkit is removed, the underlying malware can be caught by any decent anti-virus or anti-spyware scanner. Wiping a hard drive and reinstalling the operating system is not going to be an easy task for the majority of computer users, and these are the very users who will get hit by rootkits.

Keep Safe

regards
Steo
www.antirootkit.com