Outpost 10F Forums / Archived Topics / Rootkits
norrisa
Member
# Posted: 19 Jul 2006 10:33

The new trojan horse "rustock" uses rootkits to avoid the detection technology used by security software.

This new Trojan horse is so good at hiding itself that some security researchers claim a new chapter has begun in their battle against malicious-code authors.

Rootkits are becoming an emerging threat. They are used to hide software that makes system-wide changes that may be malicious.

In this case, rootkit technology was used to hide a trojan horse that would open a backdoor on the system, making it accessible to a remote attacker.

These methods make it completely invisible on an infected system when installed. This is also claimed to work on an early release of Windows Vista.

To avoid detection, Rustock runs no system processes, but runs its code inside a driver and kernel threads. It also uses alternate data streams instead of hidden files and avoids using application programming interfaces. Today's detection tools look for system processes, hidden files and hooks into APIs.

Currently the chances of being attacked by this rootkit are very slim.

F-Secure has updated its BlackLight rootkit detection tool so it can detect early versions of this rootkit. Symantec and McAfee are currently working on a way to detect this rootkit.

Andrew.
