First Full-Kernel Rootkit Malware spotted in the wild.

In the last few days a new rootkit has appeared in the wild that is capable of bypassing firewalls and intrusion detection systems.

The rootkit hooks the following kernel functions to hide its registry keys:
ZwOpenKey
ZwEnumerateKey

It also hooks the following routines of the NTFS filesystem driver to hide its files:
\FileSystem\Ntfs\IRP_MJ_CREATE
\FileSystem\Ntfs\IRP_MJ_DIRECTORY_CONTROL

It patches the TCP/IP network driver chain so that its traffic completely bypasses firewalls, IDS systems and network sniffing tools. The rootkit also works in Windows Safe Mode.

The rootkit is used to hide a Trojan that sends out spam. The Trojan connects to servers to collect the configuration data it needs in order to send the spam.

This rootkit also tries to delete competing rootkits found on the user's PC. ntio256.sys and wincom32.sys are two of its known targets.

The rootkit is currently being delivered to users' PCs via hacked websites. It was recently estimated that over 10000 websites had been hacked and the rootkit installer planted on them, waiting for visitors to come along. When an unsuspecting user visits one of these sites an iframe is loaded and the malicious installer checks the PC for various vulnerabilities.
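As an added example (not code from the original post), here is a small Python check a site owner could run over their own pages to spot injected iframes of the kind described above: iframes hidden by CSS, sized to a single pixel, pushed off-screen, or loading from a raw IP address. The HTML sample is constructed for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample page: one normal embed plus two injected, hidden iframes.
SAMPLE_HTML = """<html><body>
<h1>Welcome</h1>
<iframe src="https://maps.example.org/embed" width="400" height="300"></iframe>
<iframe src="http://198.51.100.23/in.cgi?3" width="1" height="1"
        style="visibility: hidden"></iframe>
<iframe src="/local/widget.html" style="position:absolute; left:-5000px; display:none"></iframe>
</body></html>"""


class IframeCollector(HTMLParser):
    """Collect the attribute dict of every <iframe> start tag in a document."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "iframe":
            self.iframes.append({k.lower(): (v or "") for k, v in attrs})


def iframe_reasons(attrs):
    """Return the reasons an iframe looks injected; an empty list means nothing odd."""
    reasons = []
    style = attrs.get("style", "").replace(" ", "").lower()
    if "display:none" in style or "visibility:hidden" in style:
        reasons.append("hidden by CSS")
    if re.search(r"(left|top):-\d", style):
        reasons.append("positioned off-screen")
    for dim in ("width", "height"):
        value = attrs.get(dim, "").rstrip("px")
        if value.isdigit() and int(value) <= 1:  # 0x0 or 1x1 frames are invisible
            reasons.append(f"{dim}={value}")
    host = urlparse(attrs.get("src", "")).hostname or ""
    if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", host):
        reasons.append(f"raw IP address {host}")
    return reasons


def find_suspicious_iframes(html):
    """Return [(src, reasons)] for every iframe that triggers at least one reason."""
    parser = IframeCollector()
    parser.feed(html)
    flagged = []
    for attrs in parser.iframes:
        reasons = iframe_reasons(attrs)
        if reasons:
            flagged.append((attrs.get("src", ""), reasons))
    return flagged
```

Run it against a crawl of your own site; a hit with "hidden by CSS" or a 1x1 frame pointing at an address you did not put there is worth an immediate look at the page source and the server's recent file modifications.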

Here is a YouTube video showing the websites using iframes and the MPack installer attacking a PC.

From the Symantec Blog:
“Trojan.Srizbi is really interesting for some unique features. Trojan.Srizbi driver (windbg48.sys) has two main functions: hides itself using a Rootkit and sends spam, but the thing that makes it really unique is the fact that it’s probably the first full-kernel malware spotted in the wild.”

“We guess that the author of Trojan.Srizbi could be the same as Rustock’s because the polymorphic code used in Trojan.Srizbi is very similar to the Backdoor.Rustock.B packer, but more advanced.”

No doubt the rootkit writers are on an interesting path, and this just goes to show that malware authors are inventing newer techniques with every day that passes.

Keep Safe,
regards

Steo
www.antirootkit.com

One Response to “First Full-Kernel Rootkit Malware spotted in the wild.”

  1. Nitin Says:

    Hi,
    my PC is infected by IRP_MJ_DIRECTORY_CONTROL srizbi!rootkit
    please help me, I’m using McAfee antivirus 8.5i enterprise edition with latest update.

    please help!!

    reply to my mail nitin_sawant89@rediffmail.com
