The rootkit is unique given the techniques it uses

Jul 18, 2006 12:44 GMT  ·  By

Security companies have issued a warning concerning the discovery of a new type of malware in the wild. The threat, which Symantec refers to as Backdoor.Rustock.A and F-Secure has dubbed Mailbot.AZ, is a new breed of rootkit featuring advanced detection-dodging techniques that make it virtually invisible to rootkit detectors.

"The rootkit is unique given the techniques it uses," stated Symantec analyst Elia Florio. "It can be considered the first-born of the next generation of rootkits." Backdoor.Rustock.A's mixture of stealth techniques renders it invisible on a compromised machine. It was tested on Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003 and Windows XP, and all of these proved to be vulnerable. Moreover, it seems that the rootkit has also compromised the recently launched beta version of Windows Vista, and is in this sense designed for the next generation of Windows OS.

The malware was tracked as having been generated in Russia, and Symantec has warned that future versions will follow, as it has already logged one variant, the Backdoor.Rustock.B rootkit.

After compromising a computer, the rootkit performs an impressive list of actions. It creates a hidden alternate data stream "%Windir%System32:lzx32.sys"; it creates a hidden device service with the device name "Win23 lzx files loader" and the image path "%Windir%System32:lzx32.sys"; and it creates a registry subkey that it associates with the hidden device service.

"Uses advanced Rootkit techniques to hide the registry subkeys it creates and to prevent access to the alternate data streams file. It hooks MSR_SYSENTER code and patches several areas of Windows Kernel to change the functioning of the following APIs: ZwOpenKey, ZwEnumerateKey, ZwQueryKey, ZwCreateKey, ZwSaveKey, ZwDeviceIoControlFile, ZwQuerySystemInformation, ZwInitializeRegistry. Scans Windows Kernel image in memory for the following string and replaces it with a malicious code that executes the Rootkit functions: FATAL_UNHANDLED_HARD_ERROR," describes Symantec.

It also identifies rootkit scanners and disguises itself to avoid detection; it bypasses firewalls by altering the system modules used for network communications; and it may act as a covert proxy on the infected machine.
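A defender-side check for the two installation artefacts described above, the alternate data stream on System32 and the hidden device service that loads from it, written as an added example; it is not code from the article, Symantec or the rootkit. Only the stream name lzx32.sys and the display name "Win23 lzx files loader" come from the article; the function names, the use of `dir /R` to enumerate streams and the registry ImagePath test are assumptions.

```powershell
# Added defender check, not code from the article, Symantec or the rootkit.
# It hunts for the two installation artefacts the article describes:
#   1. an alternate data stream (ADS) on or under %Windir%\System32, and
#   2. a service whose ImagePath points into a stream (...System32:lzx32.sys)
#      or that carries the reported display name "Win23 lzx files loader".
# Only those two strings come from the article; everything else is a
# constructed assumption. Run from an elevated PowerShell session.
# Caveat taken from the article itself: the rootkit hides its registry key and
# blocks access to the stream once its kernel hooks are in place, so an empty
# result on a live system is not proof of a clean machine. Point the functions
# at an offline copy of the volume / a loaded SYSTEM hive for an unhooked view.

$System32 = Join-Path $env:WINDIR 'System32'

function Get-DirectoryStreams {
    param([string]$Path = $System32)
    # Windows PowerShell 5.1 cannot enumerate streams on a directory object
    # (PowerShell 7 can), so the built-in "dir /R" is used: it reports streams
    # on the folder entry "." as well as on every file inside it. A stream line
    # has the form "<size> <name>:<stream>:$DATA" with no date column in front.
    # Assumes en-US style digit grouping in the size column.
    $lines = & cmd.exe /c "dir /R /A `"$Path`"" 2>$null
    foreach ($line in $lines) {
        if ($line -match '^\s*([\d,.]+)\s+(.+?):([^:]+):\$DATA\s*$') {
            [pscustomobject]@{
                Entry  = $Matches[2]          # "." means the directory itself
                Stream = $Matches[3]          # e.g. lzx32.sys
                Bytes  = [int64]($Matches[1] -replace '[,.]', '')
            }
        }
    }
}

function Get-SuspiciousServices {
    param([string]$ServicesKey = 'HKLM:\SYSTEM\CurrentControlSet\Services')
    Get-ChildItem -Path $ServicesKey -ErrorAction SilentlyContinue | ForEach-Object {
        $props = Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue
        $image = [string]$props.ImagePath
        $name  = [string]$props.DisplayName
        # A colon in the final path component (after the last backslash) means
        # the binary lives in a stream, e.g. \??\C:\Windows\System32:lzx32.sys.
        # Services whose command line carries an argument containing a colon
        # will surface here too and need a manual look.
        $inStream = $image -match '\\[^\\]*:[^\\]+$'
        $reason = $null
        if ($inStream) {
            $reason = 'ImagePath points into an alternate data stream'
        } elseif ($name -eq 'Win23 lzx files loader') {
            $reason = 'display name reported for Backdoor.Rustock.A'
        }
        if ($reason) {
            [pscustomobject]@{
                Service     = $_.PSChildName
                DisplayName = $name
                ImagePath   = $image
                Reason      = $reason
            }
        }
    }
}

# Usage: list every non-default stream under System32, then every service whose
# image path or display name matches the reported installation pattern.
Get-DirectoryStreams   | Format-Table -AutoSize
Get-SuspiciousServices | Format-Table -AutoSize
```

Because the article states that the rootkit hooks the registry and file APIs on a live system, the useful comparison is between this output taken on the running machine and the same functions run against the volume and SYSTEM hive from a clean boot environment: a stream or service that appears only in the offline view is the cross-view discrepancy a rootkit detector looks for.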