Sunday, January 6, 2008
Moderating Blogger Comments
My next step was to simply delete the comment and turn on moderation of comments.
Saturday, December 1, 2007
Malware via exploits

Malware delivery mechanisms have constantly been evolving, from the old floppy disk days to the fast-spreading Internet worms (attachments via e-mail). Today's malware delivery mechanisms are shifting more and more toward web technologies. Instead of directly delivering malicious content to user machines via e-mail attachments, malware is being hosted on a myriad of web servers worldwide. Users are then enticed into visiting these websites, either by spamming out an e-mail with a link to a malicious website or by tainting search results so that the malicious website obtains a higher ranking. Such malicious links are also delivered via IM (Instant Messaging), bulletin boards, forums, etc.
Usually malicious websites also host recent (or in some cases older) browser/application/system exploits along with malware. An unsuspecting user who visits such a malicious website with an un-patched system or browser application is easily exploited and malware is delivered onto their system (drive-by-downloads). In the case of fully-patched systems, all it takes is to entice or fool the user into downloading and executing the malware. Such malicious web servers could be made accessible via HTTP or FTP, with malicious code (HTML, JavaScript, PHP, CGI, etc.) embedded within web-pages. Malware authors could hack legitimate websites and redirect visitors to a host of malware via invisible IFrame tags. With the birth of Web 2.0 technologies and mobile platforms, newer avenues are being explored in terms of malware delivery.
In regards to Windows-related vulnerabilities, with Microsoft scheduling its patch release on the second Tuesday of each month (popularly known as "Patch Tuesday"), hackers and malware authors have coined the term "exploit Wednesday", where they exploit an un-patched vulnerability the day after Microsoft has released its patches for that particular month.
Information Gathering - Vulnerabilities and Exploits
Malware authors are constantly looking to find vulnerabilities in software in order to exploit them. The software they target could be operating system libraries, application software, kernel-mode drivers, etc. They either hack these up themselves or obtain them from published material on the Full-Disclosure mailing list, from blog posts of vulnerability researchers and enthusiasts, from a community of hackers, etc. There is also the Open Source Vulnerability Database (OSVDB), where detailed vulnerability information is published on or before the same day that a vendor patch is released.
Information and advisories about vulnerabilities can also be obtained from the following sites:
@Risk: The Consensus Security Alert
Bugtraq mailing list
Bugtraq archives at neohapsis
CERT
CERIAS
CIAC.org
CVE
eeye advisories and ZeroDay tracker
Finjan Vulnerability List
FrSIRT
GovernmentSecurity (forum1, forum2)
IBM ISS (X-Force)
IDefense advisories
LWN.net
Microsoft security bulletin - List of vulnerabilities fixed since 1998
milw0rm
National Vulnerability Database
Net-Security
NIST.org
NTBugtraq
NTSecurity.net archives at neohapsis
Rapid7 vulnerability database
Rain Forest Puppy Advisories
SANS top20 list
Secunia
SecuriTeam
Security Alert Consensus
Security-database
SecurityFocus
SecurityLab
SecurityReason
SecurityTracker
Security Threat Watch archives at neohpsis
SecurityVulns
SecWatch
US-Cert
Virus.org
VulnDiscuss archives at neohapsis
VulnWatch archives at neohapsis
Xdisclose
Zone-H
Zero Day Initiative (TippingPoint)
A unique blog-roll of "month of vulnerability disclosure" was also started by certain people who decided to find vulnerabilities in various software and simply disclose them via independent blog posts. Listed below are a few:
MOAB - Month of Apple bugs
MOKB - Month of Kernel bugs
MOBB - Month of Browser bugs
MOSEB - Month of Search Engine bugs
MOAxB - Month of ActiveX bugs
MOBiC - Month of bugs in CAPTCHAs
Before the details of a vulnerability get into Full-Disclosure, OSVDB, or such independent open blog-rolls, the researcher or hacker has several options as to what he or she can do with the discovered vulnerability:
- Responsibly disclose the entire details of the vulnerability to the software vendor alone, for free.
- Sell it to certain companies that buy vulnerabilities, such as IDefense (now part of VeriSign), Digital Armaments, Argeniss (now acquired by Gleg Ltd), Netragard, TippingPoint (now a part of 3Com), and Immunity, which gives the buying company exclusive rights to the vulnerability.
- Place the vulnerability for an auction at Wabisabilabi and sell it to the highest bidder.
The ethics behind disclosing vulnerabilities has always been a subject of debate. Microsoft has coerced a few software vendors to join their Organization for Internet Safety (OIS) that strives to actively suppress vulnerability disclosure within their organizations.
The number of vulnerabilities has been increasing since 2006. Here are some stats:
Full stats from CERT.
A post on "The Register".
Windows Libraries - a haven for malware exploits
A large number of Windows applications leverage Windows libraries (modules that contain functions and data) as dynamic-link libraries (DLL) or OCX files (libraries containing ActiveX controls). Such libraries allow their functionality to be updated and reused easily while significantly reducing memory overhead when several applications use the same functionality concurrently. Thus, the discovery of a critical vulnerability in a library usually affects a wide range of applications from Microsoft and other third-party vendors that use that library. Hackers and malicious authors then try to find multiple attack vectors in order to exploit the vulnerability. For instance, a vulnerability in an image processing library could be exploited via Internet Explorer, Microsoft Office and image viewing software. Considering the massive base of Windows users, such an exploit ensures huge deployment.
Several such vulnerabilities have been discovered in the recent past, for many of which exploit code was either made available or discovered before patches were released. This scenario is also known as "zero-day". Listed below are a few:
VML Exploit - (CVE-2006-4868, MS06-055) - a vulnerability in Vector Graphics Rendering engine (vgx.dll) could allow remote code execution via a specially crafted Vector Markup Language file. The vulnerable library is used by applications such as Microsoft Outlook and Internet Explorer which can be used as attack vectors.
WebViewFolderIcon Exploit (via setSlice method) - (CVE-2006-3730, MS06-057) - a vulnerability in Windows Shell, due to improper validation of input parameters when invoked by the WebViewFolderIcon ActiveX control via setSlice method, could allow remote code execution.
WMF Exploit - (CVE-2005-4560, CVE-2005-2124 MS06-001, MS05-053) - a vulnerability in the graphics rendering engine (GDI32.DLL) could allow remote code execution while handling a specially crafted Windows Metafile (WMF) image.
EMF Exploit - (CVE-2005-2123, CVE-2005-0803) - a vulnerability in the graphics rendering engine (GDI32.DLL) could allow remote code execution via a heap-based buffer overflow or cause an application crash while handling a specially crafted Enhanced Metafile (EMF) image.
ANI exploit - (CVE-2007-0038, CVE-2004-1049, CVE-2004-1305, MS07-017, MS05-002) - a vulnerability in Cursor and Icon format handling could allow remote code execution or denial of service (kernel or application crash).
Web View exploit - (CVE-2005-1191, MS05-024) - a vulnerability in Web View DLL (webvw.dll) could allow remote code execution.
PNG exploit - (CVE-2004-1244, CVE-2004-0597, MS05-009) - a vulnerability in PNG Image Processing (by Windows Media Player 9 or via libpng 1.2.5 and earlier) could allow remote code execution.
JPEG exploit - (CVE-2004-0200, MS04-028) - a buffer overflow vulnerability in JPEG (JPG) parsing engine in GDIPlus.dll could allow remote code execution.
iPhone exploit - H.D. Moore (creator of the Metasploit Framework) has several blog entries consisting of step-by-step descriptions of how to exploit the Apple iPhone. Here, he exploits a vulnerable version of the libtiff library that is shipped with the latest update to the iPhone.
Microsoft Office file formats - have always been a target for digging out vulnerabilities that could be exploited by malicious authors. The SANS 2006 list and SANS 2007 list of Office file format vulnerabilities provide information about a number of these bugs. This SecurityFocus article discusses the extent of vulnerabilities in Microsoft's Office documents in recent months, while this blog entry by Symantec discusses malware exploiting such vulnerabilities. Ryan Naraine's blog also talks about malware authors creating tools to exploit vulnerabilities in the Microsoft Word document format, while Microsoft itself has released a tool called MOICE with the intent of isolating potentially exploitable elements.
Vulnerabilities in Applications
Vulnerabilities or un-patched bugs in commonly used applications such as image viewers, media players, browsers, file readers, etc. are also targeted by malicious authors. Listed below are a few examples:
- A vulnerability in Windows Media Player (CVE-2006-0006, MS06-005) while processing a specially crafted BMP image could allow remote code execution.
- A vulnerability in Windows Media Player plugin (CVE-2006-0005, MS06-006) for non-Microsoft browsers could allow remote code execution.
- Several vulnerabilities in Adobe Reader (SA23483) could allow remote code execution or aid CSRF attacks: improperly handled input passed to a hosted PDF file via a vulnerable Adobe Reader browser plugin could allow remote code execution; improperly sanitized values returned by the plugin when input is passed to a hosted PDF file could likewise allow remote code execution; and improperly sanitized input values to a hosted PDF file could allow arbitrary URLs to be requested, providing a vector for CSRF attacks.
- A vulnerability in Apple QuickTime (US-CERT-659761, CVE-2007-6166) while processing a specially crafted RTSP (Real Time Streaming Protocol) stream could allow remote code execution. Since QuickTime is a component of Apple iTunes, all such installations are vulnerable to the attack on all supported Windows and Mac operating systems.
- A vulnerability in Adobe Flash Player (CVE-2007-3456, APSB07-12) could allow remote code execution due to an "input validation error" (buffer overflow) via a specially crafted FLV or SWF file. Another recent vulnerability (CVE-2007-3457), due to insufficient validation of HTTP Referer headers, could allow remote attackers to conduct a CSRF attack via a specially crafted SWF file.
- A vulnerability in the Database Component in MPAMedia.dll in RealPlayer (CVE-2007-5601) could allow remote code execution via certain play-list names passed to the import method of the IERPCtl ActiveX control in ierpplug.dll. RealNetworks has released a patch for this here. Malicious authors are known to be exploiting this vulnerability.
- A vulnerability in RPC on DNS server (CVE-2007-1748, MS07-029) could allow remote code execution.
- Multiple vulnerabilities in Microsoft PowerPoint (MS06-058, SA22127) could allow remote code execution.
- A vulnerability in the cPanel software (control panel software that is widely used by hosting providers such as Apachi web-hosting), could allow a remote attacker to gain access to the web servers and taint web-pages with malicious iFrame links.
- A vulnerability in Winamp could allow the execution of malicious code via a specially crafted MP4 file. Here is a post on "The Register" about it.
- A myriad of anti-virus products were also revealed to have vulnerabilities, according to a blog post here.
- A blog post by Aviv Raff here details the vulnerabilities discovered in Gadgets (scriptable applications) on Vista.
- A post here describes a myriad of security issues with Google, such as a vulnerability in Google Desktop and an XSS error in Gmail, among many others.
- A recently discovered XSS vulnerability in common Shockwave Flash files.
- A vulnerability in an ATI driver allows malicious code to be loaded into Vista's kernel, in spite of its latest security measures (such as PatchGuard and only allowing signed drivers to be loaded).
And the saga continues...
Saturday, November 17, 2007
Emerging Malware Trends

With the growth in modern mobile platforms and devices, newer avenues are being explored in terms of malware delivery.
Here are a few resources that show the introduction of malware in the areas of mobile platforms:
An overview of mobile device security by Kaspersky Labs introduces recently discovered worms and viruses on the Symbian, Windows CE, Palm OS and Linux platforms for devices such as PDAs, Pocket PCs, Windows Mobile, Cell Phones, SmartPhones, Handhelds, etc.
McAfee has an interesting white paper as well about mobile malware - threats and prevention.
An interesting presentation by Dr. Vesselin Bontchev at the Virus Bulletin 2007 conference is about the Virusability of modern mobile devices.
Another interesting paper by Peter Szor (security architect at Symantec Security Response) in the June 2007 edition of Virus Bulletin magazine introduces attacks on the Linux iPod.
It is also worth mentioning a "quality control process" gone bad on the part of Apple Inc., which shipped a small number of its video iPods with an old Windows virus.
Threats and viruses on WAP (Wireless Application Protocol) enabled devices were predicted quite a few years ago. Viruses have also been found on the PalmOS (such as Phage and Vapor).
There are quite a few security companies offering anti-malware solutions for mobile platforms. Prominent among them are:
- Symantec's mobile security for handhelds (Symbian and Windows mobile)
- McAfee's VirusScan mobile
- Trend Micro's PC-cillin for mobile
- F-secure's mobile anti-virus
- Kaspersky's mobile anti-virus
- Airscanner - is freely available for personal and non-commercial use.
Tuesday, October 16, 2007
Detecting the "Storm Trojan" botnet - network traffic anomalies
According to a blog post from Microsoft's Anti-Malware team, their Malicious Software Removal Tool (MSRT) - which is updated and shipped once a month on Patch Tuesday - disinfected a large number of computers (about 2.6 million Windows machines) from variants of the "Storm Trojan".
Latest developments in researching the "Storm Trojan" have revealed that certain anomalies or spikes in network traffic can be used to detect hosts (or nodes) belonging to its botnet.
An interesting blog post about this is from ESET. It shows the nature of the spike in network traffic whenever a new node joins the "Storm Trojan's" de-centralized botnet. You can find the blog post here.
There is also an article by SRI on the Storm Trojan. You can find the article here.
There is also a post on "The Register" about "Storm Trojan's" new encrypted traffic being used to detect its botnet. You can find that post here.
Bleeding Edge research posted more info about this as well. Encrypted storm traffic and Storm side CC channel. They also maintain a list of compromised host IPs.
According to a blog post by Ryan Naraine, the creators of the "Storm Trojan" are now partitioning their botnet in order to make it available for sale to spammers and denial of service attackers. This discovery was made by SecureWorks researcher Joe Stewart, who has been tracking the Storm botnet for a while.
A very interesting blog post by Websense, detailing the chronological appearance of the "Storm Trojan" can be found here.
Frank Boldewin recently posted a nice writeup on the internal workings of the "Storm Trojan" based on the variant Peacomm.C. You can find that here.
Note: "Storm Trojan" (a.k.a. Nuwar, Tibs, Peacomm, Zhelatin, Fathom, Storm Worm, Dorf, Trojan.Peed, Trojan-Downloader.Win32.Small.dam, CME-711, etc.)
Thursday, April 12, 2007
The Eye of the Storm
Newer attack vector…
The most recent variants are being spammed as encrypted zip file attachments via spoofed e-mails. The password for the encrypted zip is included as a GIF image within the e-mail. The GIF image also includes a message posing as a security patch being offered by some arbitrary Customer Support Center. This new variant employs numerous anti-debugging techniques in order to thwart analysis. It is also packed with a polymorphic packer.
The Intent…
The Trojan displays tactical use of social engineering techniques, arriving as an attachment to an e-mail. The goal is to lure an unsuspecting user into executing the Trojan, which would render the victim machine part of a huge botnet. The primary purpose of the botnet is to send out penny stock spam (also called pump-and-dump penny stock spam) or to initiate Distributed Denial of Service (DDoS) attacks. Subsequent versions of the Trojan were distributed by embedding it within an open source e-mail worm.
Shying away from IRC!!
The botnet that is being created communicates over a peer-to-peer network (P2P) for its Command and Control (C&C) rather than the traditional IRC communication. This ensures creation of a “headless” botnet that is not bogged down by a single point of failure. The Storm Trojan’s implementation of Web HTTP and P2P methods of communication are indicative of the shift toward stealthier means of building a botnet. Such a de-centralized network allows for data and information to be "sync-ed" among each of the nodes of the botnet and to any of the newer nodes that are being added to the botnet. Each of the infected nodes will also carry a "peers list".
What drives the Storm?
When the Trojan is executed, it drops a kernel mode driver (wincom32.sys) that it registers as a service via the Service Control Manager (SCM). Initial versions of this driver did not attempt to hide any files or registry entries but did include stealth in order to execute its payload. Subsequent versions of this driver program started to incorporate more and more rootkit like functionalities in order to hide registry entries, files, and active communication ports.
This driver program is instrumental in executing the Trojan's payload. The payload is an executable embedded within the driver program. In order to execute the payload the driver employs stealth techniques. The payload is injected from kernel space into the user space of "services.exe" and scheduled for execution by queuing an Asynchronous Procedure Call (APC) for it. Due to this, there is no "visible" process executing the payload if we were to use tools such as Windows Task Manager or Process Explorer. Initial versions showed significant network activity via newly opened ports (UDP traffic). Subsequent versions of the driver program incorporated rootkit techniques in order to hide files and registry keys (by hooking the Service Descriptor Table) as well as any active communication ports (by hooking IRP_MJ_DEVICE_CONTROL of the '\Device\Tcp' object).
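The two Storm posts above make the same detection point from different sides: the October 16 post notes that a node joining the P2P botnet produces a visible spike in network traffic, and this post notes that the initial driver versions showed significant UDP activity on newly opened ports. A simple way to operationalise that on flow records is to look for a host whose UDP traffic suddenly fans out to many distinct peers inside a short window. The following is an added example written for this page, not code from either post or from any vendor tool; the window length, the peer threshold and the flow records are all assumptions (the records are constructed, not real captures).

```c
/* peer_burst.c - flags a host whose UDP traffic fans out to many distinct
 * peers inside a short window, the "node joins the P2P botnet" spike.
 * Added example, not from the original posts; threshold, window and the
 * sample flows are assumptions. Build: cc -O2 peer_burst.c */
#include <stdio.h>
#include <string.h>

typedef struct {
    long        ts;     /* seconds since capture start */
    const char *src;    /* source host */
    const char *dst;    /* peer contacted */
    const char *proto;  /* "udp" or "tcp" */
} Flow;

#define WINDOW_SECS     60   /* assumed sliding window */
#define PEER_THRESHOLD   8   /* assumed: distinct UDP peers per window worth a look */
#define MAX_PEERS      256

/* Constructed sample flows (not real capture data):
 * 10.0.0.7 talks UDP only to one resolver, 10.0.0.9 uses TCP to a web host,
 * 10.0.0.5 bursts out to ten previously unseen UDP peers within 30 seconds. */
static const Flow SAMPLE[] = {
    {  5, "10.0.0.7", "10.0.0.1",     "udp"},
    { 12, "10.0.0.7", "10.0.0.1",     "udp"},
    { 20, "10.0.0.9", "198.51.100.4", "tcp"},
    { 44, "10.0.0.7", "10.0.0.1",     "udp"},
    {100, "10.0.0.5", "203.0.113.1",  "udp"},
    {103, "10.0.0.5", "203.0.113.2",  "udp"},
    {106, "10.0.0.5", "203.0.113.3",  "udp"},
    {109, "10.0.0.5", "203.0.113.4",  "udp"},
    {112, "10.0.0.5", "203.0.113.5",  "udp"},
    {115, "10.0.0.5", "203.0.113.6",  "udp"},
    {118, "10.0.0.5", "203.0.113.7",  "udp"},
    {121, "10.0.0.5", "203.0.113.8",  "udp"},
    {124, "10.0.0.5", "203.0.113.9",  "udp"},
    {127, "10.0.0.5", "203.0.113.10", "udp"},
    {140, "10.0.0.7", "10.0.0.1",     "udp"},
};
#define SAMPLE_LEN (sizeof SAMPLE / sizeof SAMPLE[0])

/* Distinct UDP peers that `src` contacted in [t0, t0 + WINDOW_SECS). */
int distinct_udp_peers(const Flow *flows, size_t n, const char *src, long t0)
{
    const char *seen[MAX_PEERS];
    int count = 0;
    for (size_t i = 0; i < n; i++) {
        const Flow *f = &flows[i];
        if (strcmp(f->src, src) != 0 || strcmp(f->proto, "udp") != 0)
            continue;
        if (f->ts < t0 || f->ts >= t0 + WINDOW_SECS)
            continue;
        int dup = 0;
        for (int k = 0; k < count; k++)
            if (strcmp(seen[k], f->dst) == 0) { dup = 1; break; }
        if (!dup && count < MAX_PEERS)
            seen[count++] = f->dst;
    }
    return count;
}

/* Peak fan-out: largest distinct-peer count over windows that start at
 * each of the host's own flows (every burst begins at some flow). */
int peak_udp_fanout(const Flow *flows, size_t n, const char *src)
{
    int peak = 0;
    for (size_t i = 0; i < n; i++) {
        if (strcmp(flows[i].src, src) != 0)
            continue;
        int c = distinct_udp_peers(flows, n, src, flows[i].ts);
        if (c > peak)
            peak = c;
    }
    return peak;
}

int is_peer_burst(const Flow *flows, size_t n, const char *src)
{
    return peak_udp_fanout(flows, n, src) >= PEER_THRESHOLD;
}

int main(void)
{
    const char *hosts[] = { "10.0.0.5", "10.0.0.7", "10.0.0.9" };
    for (size_t i = 0; i < 3; i++)
        printf("%-10s peak UDP fan-out=%2d %s\n", hosts[i],
               peak_udp_fanout(SAMPLE, SAMPLE_LEN, hosts[i]),
               is_peer_burst(SAMPLE, SAMPLE_LEN, hosts[i]) ? "<- review" : "");
    return 0;
}
```

The heuristic is deliberately coarse: a DNS resolver or a heavily used file-sharing client will also show UDP fan-out, so in practice the threshold is tuned per network and the flagged host is correlated with the other indicators from these posts (a newly registered service, hidden ports) rather than acted on alone.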
Tuesday, April 3, 2007
ANI Exploits, NX-bit, DEP, Protected Mode… jargon
Since its discovery in the wild, there are now hundreds of specially crafted websites that host malicious ANI files that exploit the "Windows Animated Cursor Handling" vulnerability. This vulnerability is exploitable on fully patched Windows XP SP2 and Vista running Microsoft's Internet Explorer 7 or Mozilla Firefox 2. Simply visiting such a rigged website will render a victim machine infected. The malicious ANI files can also be embedded within specially crafted e-mails or attachments within e-mails. When such an attachment is viewed or opened with Outlook or Outlook Express the victim machine will be infected by a host of malware. Also, if a malicious ANI file is viewed using Explorer (file extension matters in this case), the exploit will be triggered.
Speaking of browsers, the damage is mitigated if Internet Explorer 7 is running in Protected Mode. This will still permit the malware to have read-only access to a user's files, allowing it to steal and copy personal data, but it will not be able to alter or delete any data. UAC (User Account Control) in Vista might only be able to prevent installation of persistent malware, but won't prevent damage to the user's data unless the browser is running in Protected Mode. Firefox does not have Protected Mode under Vista, and if exploited using the ANI file vulnerability, will allow malicious code to execute with the same privileges as the logged-on user, allowing complete disk read and write. Do not confuse this with "Safe Mode" in Firefox, which is purely for debugging purposes.
The ANI exploit is preventable by enabling DEP (Data Execution Prevention) in Windows XP SP2 or Vista. When enforced with hardware NX/XD support, DEP will prevent the exploit from being triggered. Beginning with Windows XP Service Pack 2 and Windows Server 2003 Service Pack 1, the NX features were implemented for the first time on x86 architectures. The NX bit (as termed by AMD, which stands for No eXecute) or XD bit (as termed by Intel, which stands for eXecute Disable) is a technology used in CPUs to separate areas of memory for storage of processor instructions (i.e. code) from areas for storage of data. A section of memory marked with the NX attribute is designated for storing data. Hence, even if processor instructions reside in such a section of memory, they cannot be executed. This prevents malicious programs from executing their own code which they might have inserted into another program's data storage area. This is precisely what the ANI exploit does, and DEP (OS feature) combined with NX/XD (CPU feature) can prevent this from happening.
But Microsoft ships most of its Windows operating systems with DEP turned off by default. It is on the user to turn DEP "on" for all applications. This might cause a few applications to stop functioning properly, but I believe this is a price well worth the bargain. This should also teach application developers to adhere to safe programming practices.
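To make the NX/XD mechanism concrete, here is an added example (written for this page, not code from the original post) that shows the same hardware check a DEP-enabled Windows relies on, using POSIX memory APIs so it can be compiled on Linux or macOS. It maps one page, stores a single "ret" instruction in it, and tries to call into the page twice: once after marking the page read+execute, and once while it is still plain read+write data. The second call faults, which is exactly what stops an exploit that has placed code in a data buffer. It assumes an x86 or AArch64 CPU with NX/XD support and an OS that enforces it.

```c
/* nx_demo.c - what DEP/NX enforces: bytes in a page mapped without
 * PROT_EXEC cannot be run. Added example, not from the original post.
 * Assumes Linux/macOS on x86 or AArch64 with an NX/XD-capable CPU.
 * Build: cc -O0 nx_demo.c -o nx_demo */
#define _GNU_SOURCE
#include <setjmp.h>
#include <signal.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

#ifndef MAP_ANONYMOUS
#define MAP_ANONYMOUS MAP_ANON
#endif

static sigjmp_buf fault_jmp;

/* The CPU faults on an instruction fetch from an NX page; the kernel hands
 * that to us as SIGSEGV (SIGBUS on some platforms). We jump back out. */
static void on_fault(int sig)
{
    (void)sig;
    siglongjmp(fault_jmp, 1);
}

/* Returns 1 if the code in the page ran, 0 if NX blocked it, -1 on setup error. */
int try_execute_from_page(int mark_executable)
{
    size_t page = (size_t)sysconf(_SC_PAGESIZE);
    unsigned char *buf = mmap(NULL, page, PROT_READ | PROT_WRITE,
                              MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (buf == MAP_FAILED)
        return -1;

    /* Store one "ret" instruction: if it executes, the call simply returns. */
#if defined(__x86_64__) || defined(__i386__)
    buf[0] = 0xC3;
#elif defined(__aarch64__)
    uint32_t ret_insn = 0xD65F03C0;
    memcpy(buf, &ret_insn, sizeof ret_insn);
#else
    munmap(buf, page);
    return -1;                       /* unsupported architecture for this demo */
#endif
    __builtin___clear_cache((char *)buf, (char *)buf + page);

    /* Write first, then (only when asked) flip the page to read+execute.
     * Never map it writable and executable at once (W^X). */
    if (mark_executable && mprotect(buf, page, PROT_READ | PROT_EXEC) != 0) {
        munmap(buf, page);
        return -1;
    }

    struct sigaction sa, old_segv, old_bus;
    memset(&sa, 0, sizeof sa);
    sa.sa_handler = on_fault;
    sigemptyset(&sa.sa_mask);
    sigaction(SIGSEGV, &sa, &old_segv);
    sigaction(SIGBUS, &sa, &old_bus);

    volatile int ran = 0;
    if (sigsetjmp(fault_jmp, 1) == 0) {
        void (*entry)(void) = (void (*)(void))(uintptr_t)buf;
        entry();                     /* jump into the page */
        ran = 1;                     /* only reached if the fetch was allowed */
    }

    sigaction(SIGSEGV, &old_segv, NULL);
    sigaction(SIGBUS, &old_bus, NULL);
    munmap(buf, page);
    return ran;
}

int main(void)
{
    printf("read+execute page : %s\n",
           try_execute_from_page(1) == 1 ? "code ran" : "blocked");
    printf("read+write page   : %s\n",
           try_execute_from_page(0) == 1 ? "code ran (no NX!)" : "blocked by NX");
    return 0;
}
```

On a machine with NX enforced the first line reports "code ran" and the second "blocked by NX"; on Windows the equivalent is a page allocated with PAGE_READWRITE under a process that has DEP enabled, which is what the AlwaysOn/OptOut settings discussed here turn on for every application.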
Microsoft will be releasing an out-of-cycle patch for this vulnerability today.
Friday, March 30, 2007
New “Zero Day” Vulnerability in Windows Animated Cursor Handling
The malicious ANI files can also be embedded within specially crafted e-mails or attachments within e-mails. The exploit works independently of file extensions, making it useless to simply block .ANI files on e-mail gateways. Simply configuring Outlook or Outlook Express to read mail in plain text will still parse the ANI file and hit the exploit. Simply "viewing" such a malicious ANI file using Windows Explorer will allow the exploit code to be triggered.
Microsoft has released a security advisory regarding this: http://www.microsoft.com/technet/security/advisory/935423.mspx
CVE-2007-0038 has been assigned to this vulnerability.
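The point above, that blocking on the .ANI extension is useless, and the April 12 "Eye of the Storm" post, where the Trojan arrives as a password-protected zip attachment, both argue for classifying attachments by their content rather than their name. Below is an added example written for this page, not code from either post or from any gateway product: it recognises an animated cursor by its RIFF/ACON header and reports whether a ZIP archive carries an encrypted entry by walking the local file headers and reading the general-purpose flag. The sample byte strings are constructed for the demonstration and are not real malware.

```c
/* attachment_sniff.c - identify an attachment by content, not file name.
 * An animated cursor is a RIFF container whose form type is "ACON"; a ZIP
 * entry is password-protected when bit 0 of its general-purpose flag is set.
 * Added example, not from the original posts; samples are constructed. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

typedef enum { KIND_UNKNOWN = 0, KIND_ANI, KIND_ZIP_PLAIN, KIND_ZIP_ENCRYPTED } Kind;

static uint16_t le16(const unsigned char *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t le32(const unsigned char *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

Kind classify_attachment(const unsigned char *data, size_t len)
{
    /* ANI: "RIFF" <size> "ACON" ..., whatever extension the sender chose */
    if (len >= 12 && memcmp(data, "RIFF", 4) == 0 && memcmp(data + 8, "ACON", 4) == 0)
        return KIND_ANI;

    /* ZIP: walk local file headers ("PK\3\4"): 30 fixed bytes + name + extra + data */
    if (len >= 30 && memcmp(data, "PK\x03\x04", 4) == 0) {
        int encrypted = 0;
        size_t off = 0;
        while (off + 30 <= len && memcmp(data + off, "PK\x03\x04", 4) == 0) {
            uint16_t flags = le16(data + off + 6);
            uint32_t csize = le32(data + off + 18);
            size_t   nlen  = le16(data + off + 26);
            size_t   xlen  = le16(data + off + 28);
            if (flags & 0x0001)
                encrypted = 1;
            /* Entries written with a data descriptor (flag bit 3) carry csize 0
             * here; the walk then simply stops at the next non-header byte. */
            off += 30 + nlen + xlen + csize;
        }
        return encrypted ? KIND_ZIP_ENCRYPTED : KIND_ZIP_PLAIN;
    }
    return KIND_UNKNOWN;
}

const char *kind_name(Kind k)
{
    switch (k) {
    case KIND_ANI:           return "animated cursor (ANI)";
    case KIND_ZIP_PLAIN:     return "zip archive";
    case KIND_ZIP_ENCRYPTED: return "zip archive with encrypted entry";
    default:                 return "unknown";
    }
}

/* Constructed samples (not real files). */
static const unsigned char SAMPLE_ANI[] = {
    'R','I','F','F', 0x24,0x00,0x00,0x00, 'A','C','O','N', 'a','n','i','h' };

static const unsigned char SAMPLE_ZIP_ENCRYPTED[] = {
    'P','K',0x03,0x04,      /* local file header signature */
    0x14,0x00,              /* version needed to extract */
    0x01,0x00,              /* flags: bit 0 set = entry is encrypted */
    0x00,0x00,              /* compression: stored */
    0x00,0x00, 0x00,0x00,   /* mod time, mod date */
    0x00,0x00,0x00,0x00,    /* crc32 (constructed, not computed) */
    0x04,0x00,0x00,0x00,    /* compressed size */
    0x04,0x00,0x00,0x00,    /* uncompressed size */
    0x09,0x00, 0x00,0x00,   /* name length 9, extra length 0 */
    'p','a','t','c','h','.','e','x','e',
    0xDE,0xAD,0xBE,0xEF };  /* 4 bytes of constructed entry data */

static const unsigned char SAMPLE_ZIP_PLAIN[] = {
    'P','K',0x03,0x04, 0x14,0x00, 0x00,0x00, 0x00,0x00, 0x00,0x00, 0x00,0x00,
    0x00,0x00,0x00,0x00, 0x04,0x00,0x00,0x00, 0x04,0x00,0x00,0x00, 0x0A,0x00, 0x00,0x00,
    'r','e','a','d','m','e','.','t','x','t', 'h','i','!','\n' };

int main(void)
{
    /* The file names are deliberately misleading: classification ignores them. */
    printf("holiday.jpg  -> %s\n", kind_name(classify_attachment(SAMPLE_ANI, sizeof SAMPLE_ANI)));
    printf("invoice.zip  -> %s\n", kind_name(classify_attachment(SAMPLE_ZIP_ENCRYPTED, sizeof SAMPLE_ZIP_ENCRYPTED)));
    printf("notes.zip    -> %s\n", kind_name(classify_attachment(SAMPLE_ZIP_PLAIN, sizeof SAMPLE_ZIP_PLAIN)));
    return 0;
}
```

A gateway rule built on this would quarantine any attachment classified as an animated cursor regardless of its name, and hold encrypted archives for review since the scanner cannot inspect their contents.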
It seems like the vulnerability is already exploited in the wild:
http://asert.arbornetworks.com/2007/03/any-ani-file-could-infect-you/
Thursday, October 12, 2006
Rootkit techniques in today’s Windows based Malware
Recent malware trends on Windows NT based platforms are adopting more and more rootkit-like techniques, i.e. employing cloaking and stealth. Such techniques are either embedded within the malware itself or simply assist the malware while existing as a third-party application. Two such proliferating malware families that embed "rootkit-like" functionalities within them are W32/Haxdoor and W32/Goldun. The wide range of today's Windows-based malware, such as Trojans, mass-mailers, backdoors, spyware and adware programs, uses stand-alone/third-party rootkit programs in order to cloak files/folders, processes, registry entries, memory modules, handles, TCP/UDP communication ports, logins, log files, and any other operating system resource used, so as to conceal their malicious activity.
There are two types of rootkits: the ones that operate at the Windows kernel level and the ones that stay at the user level. Kernel-mode rootkits are more powerful and much harder to detect, disinfect or de-activate. But these are more complicated to implement and require administrator privileges to be installed on a machine. A kernel-mode rootkit is usually a kernel-mode device driver program which is loaded by the malware. User-mode rootkits are less powerful but still very efficient and much easier to implement and deploy. The most popular among the publicly available rootkits are the FU rootkit (kernel-mode rootkit) and Hacker Defender (user-mode rootkit).
The wide usage of rootkits in today's malware is attributed to their ease of availability via the web. They are downloadable as ready-to-use rootkits or as source code for those who want to compile custom rootkits. There are online resources for both rootkit developers and security professionals, who could use this information to educate themselves and learn the ways of the attacker in order to develop anti-rootkit techniques. Most advances in Windows-based rootkits are posted on the Internet in the form of discussion groups, news feeds, blog posts, etc.
Another reason to which the use of rootkits can be attributed is "a shift in intent of writing malware". Viruses and worms are no longer written to prove skill or to draw attention, but rather as a means to bank the green bucks! This shift in intention, or rather the commercialization of malicious intentions, has greatly increased the creation and proliferation of "crime-ware" (or snoop-ware such as spyware, keyloggers, backdoors, Trojans, etc.). These applications demand the use of stealth in order to "own the box" for as long as possible without being detected and without being traceable.
In order to combat today’s rootkits we require more of a pro-active approach rather than the traditional reactive approach. Merely adding signatures to definition files (i.e. if we are lucky enough to get our hands on the rootkit in the first place), is only “pushing the problem under the rug”. More wide-spread use of rootkits among malware is predicted in the near future and so will co-evolve the sophistication of rootkit detection tools and methods.