Toward the end of 2006, several penny stocks--stocks valued at or below one cent--saw momentary blips of upward activity. The sudden surge of interest wasn't a surge of confidence by shareholders based on some end-of-the-year corporate profit projection, rather it was criminal. Last summer, I wrote how Web 2.0 technology could be used to "pump and dump" penny stocks, but only in limited scenarios. This latest round of attacks was pretty old school, using botnets to broadcast the spam worldwide. Behind most of the recent spam attacks is a single rootkit, one that could be a model for security threats in the new year.
The rootkit, dubbed Rustock by security vendor Symantec, isn't new; it's been around for more than a year. In July 2006, News.com's Joris Evers reported on the original version. However, many end-of-the-year analyses from security vendors concluded that Rustock--also known as Mailbot.AZ by F-Secure--is the model for criminal hackers; in part, because it does a great job of hiding itself (making detection challenging), and also because it has been shown to infect even the new Windows Vista operating system from Microsoft.
Rootkits aren't new, but most people hadn't heard the term until October 2005, when Mark Russinovich reported that certain Sony CDs came bundled with a rootkit as part of their copy-protection scheme. Rootkits contain programs and programming tricks that conceal processes and hide files. They often install as drivers or kernel modules and therefore aren't checked--or at least, aren't checked as thoroughly--by traditional antivirus and antispyware defenses. Thus, rootkits are now tops on the criminal hackers' To Do lists.
Behind most of the recent spam attacks is a single rootkit, one that could be a model for security threats in the new year.
Windows Vista has new antirootkit technology, but it's available only in its 64-bit editions. Most people will be purchasing or upgrading to the 32-bit version of Windows Vista. Even so, security researchers such as Joanna Rutkowska, have demonstrated that Windows PatchGuard, which checks the integrity of drivers being installed onto Windows Vista 64-bit editions, can be circumvented, thus the need for third-party solutions.
So far, there have been three distinct versions of Rustock (Rustock.a, Rustock.b, and Rustock.c), and at the time of this writing, the antirootkit technology mentioned above has evolved to detect and remove these infections. Most current rootkit detection involves comparing lists, taking a high level view of all the processes running on a system, then taking a low level view and comparing the two. The comparisons are made of hidden processes, registry entries, drivers, operating system hooks, and files and folders. If there are no discrepancies, then chances are there are no hidden rootkits on the target system.
There are a handful of rootkit prevention applications on the market, with F-Secure Blacklight perhaps the best known. Most consumer Internet security suites for 2007 include some form of rootkit detection. Symantec has added its Veritas VxMS enterprise technology to Norton Internet Security 2007, and McAfee has X-ray for Windows within its McAfee Internet Security 2007. But rootkits are constantly evolving, so what works to prevent them today may not work tomorrow.
Rootkits are constantly evolving, so what works to prevent them today may not work tomorrow.
What makes Rustock so special is that it uses Alternative Data Streams (ADS), which is not a new trick but when combined with other methods can make detection much harder. Rustock runs inside the driver and kernel NTSF file threads, doesn't hook into any native APIs, and has no processes. Its SYS driver is polymorphic, meaning it changes from infection to infection. Worse, Rustock is aware of most antirootkit technologies on the market today and will change its behavior accordingly.
According to F-Secure, Rustock uses the following tricks: It executes from dynamically allocated memory. It removes its driver from the loaded modules list. It removes its driver object from the Object Manager. It deletes the legacy key and subkeys from the system registry and removes its service entry from the Service Control Manger.
Not your daddy's Internet
Rootkits used to be confined to the larger networks, most often running BSD Unix. Now that home desktops have greater speed, storage, and connections to larger databases, such as banking accounts and e-trading sites, it makes much more sense for criminal hackers to go after these systems. Home PCs are more numerous and often less well maintained.
Keep your Windows updated with the latest patches, and install one of the commercial Internet security suites available today; they'll provide the best defense against rootkits. For the more adventurous, there are some downloadable antirootkit applications; however, be very careful with these. Some offer a lot of false positives, and most come with little or no documentation. Are you especially concerned about rootkits lurking on your PC? Why or why not? TalkBack to me.