New invisible rootkit hits Windows including Vista

“Security researchers have discovered a new type of rootkit they believe will greatly increase the difficulty of detecting and removing malicious code,” Matthew Broersma reports for Techworld. “The rootkit in question, called Backdoor.Rustock.A by Symantec and Mailbot.AZ by F-Secure, uses advanced techniques to avoid detection by most rootkit detectors.”

“The rootkit is ‘unique given the techniques it uses,’ Symantec’s Elia Florio wrote in a recent analysis. ‘It can be considered the first-born of the next generation of rootkits.’ Rustock.A uses a mixture of old techniques and new ideas to make it “totally invisible on a compromised computer when installed,” including a beta version of Windows Vista, Florio wrote,” Broersma reports.

“Symantec believes the rootkit originates from Russia, and a string found in the rootkit’s code indicates new versions will probably be forthcoming. Symantec has already logged a variant called Backdoor.Rustock.B,” Broersma reports.

Broersma reports, “F-Secure noted Rustock’s use of NTFS’ Alternate Data Streams (ADS) as one significant example of its advanced behaviour… According to researchers, other factors that help make Rustock invisible are that it has no process, instead running inside the driver and in kernel threads. It doesn’t hook into any native API, and controls kernel functions via special IRP functions. It removes its entries from kernel structures, and the SYS driver is polymorphic, changing its code from sample to sample.”

Full article here.

MacDailyNews Take: Tellingly, Windows Vista’s near-total obscurity does absolutely nothing for its “security.”

Mac OS X, virus-free for over five years and counting.

By the end of 2005, there were 114,000 known viruses for PCs. In March 2006 alone, there were 850 new threats detected against Windows. Zero for Mac. While no computer connected to the Internet will ever be 100% immune from attack, Mac OS X has helped the Mac keep its clean bill of health with a superior UNIX foundation and security features that go above and beyond the norm for PCs. When you get a Mac, only your enthusiasm is contagious.Click here to find out more.

Life’s too short. Get a Mac.

Related MacDailyNews articles:
Symantec researcher: At this time, there are no file-infecting viruses that can infect Mac OS X – July 13, 2006
Sophos: Apple Mac OS X’s security record unscathed; Windows Vista malware just a matter of time – July 07, 2006
Sophos Security: Dump Windows, Get a Mac – July 05, 2006
Security company Sophos: Apple Mac the best route for security for the masses – December 06, 2005

22 Comments

  1. Look, if Microsoft Vista goes down in flames, don’t think sweaty, towel-boy Ballmer and the Boys won’t try to take Apple OS X down with them. They have the bucks and the motive (if OS X succeeds, and Vista fails) to create a rootkit for Office for Mac, not to mention develop a few Mac viruses, to make it appear that the Mac is vulnerable.

  2. > It removes its entries from kernel structures, and the SYS driver is polymorphic, changing its code from sample to sample…

    This stuff is starting to sound like science fiction.

    > Vista’s anti-rootkit mechanism isn’t implemented in the 32-bit version.

    Why not?

  3. LordRobin: “Nevertheless, Microsoft has to cut the cord eventually. How they’re going to pull it off is the huge question.”

    —> I can’t even begin to imagine how they are going to do this either. Although, with the pace of virtualization technology moving forward as it is, I think that this is their only option to keep backward compatibility. They are going to have to write a new OS from the ground up *AND* use virtualization for backward compatibility. The hardware is capable of it now. Meanwhile during the wait, Linux will be making inroads. If MS can come out with a *totally* new OS and have some pretty seemless virtualization tech, they *may* be able to pull it off. IMO that is the only way they can cut the cord at this point.

    “Symantec believes the rootkit originates from Russia”

    —> Russia? Who would of thunk it? ” width=”19″ height=”19″ alt=”wink” style=”border:0;” />

  4. It would be really embarassing for MS if Vista turns out like XP in terms of virus vulnerabilities what with all the talk of superior secureness by of Vista and the delays of the product. Hey, if you think about the security situation in XP its already embarassing enough (its just that we go used to it).

  5. Ken:
    >Why not?

    No particular reason. There are 3 or so features that are not present in the 32-bit versions of Vista including Kernel Patch Protection (the anti-rootkit feature), memory address randomization to help mitigate code execution exploits, and signed driver requirements for system stability.

    None of these features require 64-bit but MS decided to make them 64-bit exclusives. Why? Who knows. Maybe it’s to force people to the 64-bit architecture or maybe MS is getting a cut from Intel and AMD for every 64-bit processor sold =p

    Ay Caramba!:
    >Help me out here, are all versions of Vista to be released all 64-bit?

    Nope, I believe all editions of Vista will come in 32 and 64-bit versions except for Entreprise and Ultimate.

    On a side note, the 64-bit version will lose one feature that the 32-bit version has: the 64-bit version of Vista cannot run 16-bit apps, so bye bye DOS apps. This loss in functionality IS due to the 64-bit architecture. The 32-bit version doesn’t have this problem and can run 16-bit apps just like XP can.

Reader Feedback

This site uses Akismet to reduce spam. Learn how your comment data is processed.