Researchers Discover Rootkit Variation

March 27, 2008 – 4:49 AM

While there might not be new malicious threats under the sun, there are plenty of new ways to spin old virus attacks. Trend Micro researchers discovered last weekend a new variation of a MBR rootkit released in the wild, which contains new technology to prevent detection. When combined with Web threats, the new rootkit is proving to be both a destructive and prolific combination, security experts say.The rootkit models a similar virus from several years ago but with one added twist — the ability to circumvent a lot of anti-rootkit software and remain undetected.

“It’s a spin on an old attack,” said Jamz Yaneza, research project manager for Trend Micro. “This is typical of virus writers and mothership authors trying to find ways and means to make it more difficult.”

The malware then sits on the infected computer unbeknownst to the user, allowing attackers to infiltrate a system in order to steal passwords, financial information and other personal data.

“That’s the big issue with rootkits. They can hide almost anything,” said Yaneza.

“This is tax season,” he added. “It’s very timely and yet untimely.”

A Trend Micro blog post said that the old version of the MBR rootkit hooked the dispatch routine of the storage driver to hide the malicious content of the MBR. Anti-rootkit software bypassed the hook and called directly to the address “classpnpreadwrite” by searching it with the disassembly code of “classinitialize.”

Security experts said that the attack died down over the years as other forms of malware took its place. Lately malware authors decided to “put back this attack” while modifying code that would hide the threat.

The new version of the rootkit is distinguished by its ability to replace special data in the assembly code “classinitialize” to make anti-rootkits find the wrong address.

Yaneza said that the rootkit has affected a broad range of users who access the malware by clicking on infected links or visiting malicious Web sites. So far, the malware doesn’t appear to be targeted, but security experts say that will likely change, as attackers find ways to penetrate corporate networks with the rootkit. “That’s where everything generally moves,” said Yaneza.

Security researchers recommend proactive solutions, such as filtering, blocking Web threat downloads and avoiding malicious sites, before the rootkits get installed onto hard disk drives.

Despite these precautions, however, users still can be affected when the malware is served by stealthier methods, such as banner ads on legitimate sites or on links to blogsites that have been infected by attackers. “For people who aren’t using up to date software, these things will definitely get through,” said Yaneza. “Even if you’re in a clean site, you’re not 100 percent sure.”

Source: CRN