4 min read

Stealthy Worms, Trojans Seen Tripling In Number

Attackers are increasingly turning to stealthy rootkits to keep anti-virus vendors from detecting and deleting malicious worms or Trojan horses, a Russian security firm says.
Attackers are increasingly turning to stealthy rootkits to keep anti-virus vendors from detecting and deleting malicious worms or Trojan horses, a Russian security firm said Monday.

"Over the last 12 months, we've seen a large jump in the use of rootkits," said David Emm, a senior technology consultant with Kaspersky Labs, a Moscow-based anti-virus vendor.

Since the first of the year, the number of rootkit-equipped worms or Trojans that Kaspersky's analyzed has tripled, noted Emm and Roel Schouwenberg, a senior research engineer with the company.

"Increasingly, the line between hackers and virus writers gets blurred," added Emm. "This is one more area where people writing viruses, and Trojans in particular, as well as adware, have borrowed tools from the hacker world. With malicious code writing now a profitable business, they want to cover their tracks."

Rootkits -- the term harks back decades and originated in the Unix world -- are tools used by malicious code writers to hide their work from detection software. Rootkits do this by intercepting system functions, including those used by anti-malware programs to understand what's happening on a PC, and replacing the data returned with legitimate values. Other stealth tactics taken by rootkits mask network activity and changes to the Windows registry.

One of the reasons for the surge in rootkit use, said Schouwenberg, is because access to rootkits is too easy. "'Script kiddies' can easily get access to rootkit source code on the Internet," he said.

While the percentage of rootkit-equipped malicious code is still very low, the stealth technology is starting to show in real-world attacks. "We're beginning to see them used in real situations," Schouwenberg said. "We're not as far away from a major [worm] outbreak that uses a rootkit than most people think," he added.

The problem, of course, is detecting something that by design, is stealthy, the same trouble foreign air-defense systems face against U.S. stealth aircraft like the F-117.

Using traditional anti-virus techniques of finding a worm or Trojan sample --often one submitted by a customer or other researcher -- then analyzing that sample and producing a signature to counter it, work far less effectively when rootkits are involved.

"Sometimes we can get a [rootkit-equipped Trojan or worm ] sample from the malicious author's Web site, but when it's a script kiddy targeting specific companies or individuals, users often don't know when something is wrong, or if they do, they have no idea it's malicious code at work," said Schouwenberg.

That's why it's important to create an anti-rootkit defense that can spot numerous kinds of malware using generic rootkit signatures. "That's part of a wider trend of malicious code detection in general," said Emm.

Some security vendors, such as the Finnish firm F-Secure, are working on stand-alone rootkit detectors, while Microsoft has added limited rootkit sniffing capabilities to its Windows Malicious Software Removal Tool. Kaspersky Labs, meanwhile, is planning to roll rootkit detection into the next major upgrade of its products, dubbed version 6.0. (The 6.0 editions are currently in beta testing; Kaspersky Internet Security 2006 Beta, for instance can be downloaded from the BetaNews Web site.)

"The anti-rootkit subsystem detects hiding of system processes and displays a warning," said Emm. When some types of rootkits kick into action, Kaspersky's products will notify the user that one process is trying to inject itself into another process (a rootkit stealth tactic).

Once Microsoft's next-generation Windows Vista lands on desktops, said Emm, it should damper rootkits for the short term. "The architecture will block some rootkit techniques by limiting what processes can do and restricting access to the kernel."

For now, the best defense, said Schouwenberg, is to run Windows as a user, not an administrator. In Windows XP, that means running under a Limited account rather than an Administrator account.

"That's the best advice we can give," added Emm.