In the last few days there has been an appearance of a new rootkit that has capabilities of bypassing Firewalls and Intrusion Detection systems.
The rootkit hooks the following kernel functions to hide its registry keys:
ZwOpenKey
ZwEnumerateKey
It also hooks the following kernel routine of NTFS filesystem driver to hide its files: \FileSystem\Ntfs\IRP_MJ_CREATE
\FileSystem\Ntfs\IRP_MJ_DIRECTORY_CONTROL
It patches TCP/IP network drivers chain to bypass completely firewalls, IDS systems, and network sniffer tools. The rootkit also works in Windows Safe Mode.
The rootkit is used to hide a Trojan that is used to send out spam. The trojan connects to servers to collect the configuration data it needs to send out the spam.
This rootkit also tries to delete competitor rootkits found on the users PC. ntio256.sys and wincom32.sys are two of its known targets.
The rootkit is currently being sent to users PC’s via hacked websites. Recently it was estimated that over  10000 websites were hacked and the rootkit installer was planted on the sites waiting for visitors to come along. When an unsuspecting user visited one of these sites an iframe is launched and various vulnerabilities are checked for by the malicious installer.
Here is a Youtube video showing the websites using Iframes and the MPack installer attacking a PC.
From the Symantec Blog….
“Trojan.Srizbi is really interesting for some unique features. Trojan.Srizbi driver (windbg48.sys) has two main functions: hides itself using a Rootkit and sends spam, but the thing that makes it really unique is the fact that its probably the first full-kernel malware spotted in the wild.”
“We guess that the author of Trojan.Srizbi could be the same as Rustock’s because the polymorphic code used in Trojan.Srizbi is very similar to the Backdoor.Rustock.B packer, but more advanced.”
No doubt the rootkit writers are on an interesting path and this just goes to show that every day that passes newer techniques are being invented by malware authors.
Keep Safe,
regards
Steo
www.antirootkit.com
