07.20.06

A Dangerous Development In Rootkit Evolution

By Doug Caverly

Like so many security threats, rootkits are getting more dangerous. But now this breed of malware has taken a big leap forward.

Security researchers have identified a stealthy new rootkit that seems specifically (and skillfully) designed to avoid being detected by some of the more common rootkit detectors.

CNET has covered the new threat, which Symantec has dubbed "Backdoor.Rustock.A." Symantec employee Elia Florio wrote, "It can be considered the first born of the next generation of rootkits."

He went on to call it "an advanced example of 'stealth by design' malicious code."

Florio listed a number of reasons in the company blog "that Rustock.A is turning heads" - it's not what one would consider an encouraging compilation. "Rootkit detectors can detect hidden processes, but Rustock.A has no process," he stated.

Additionally, "the malware contains aggressive rootkit technologies because it scans for the following strings in loaded programs, and then changes its behavior to avoid any detection."


Florio found that it could hide from BlackLight, Rootkitrevealer, and Rkdetector. Rustock.A is "totally invisible on a compromised computer when installed," he said.

And don't count on the next version of Windows to turn things around.

Rustock.A "even seems able to achieve all of its stealth functionality without any problems on a beta version of Microsoft Windows Vista (6.0.5270)," Florio wrote.

The Symantec employee also had something to say about the rootkit's origin, and its future.

"We believe that Rustock.A is probably a Russian creature, and it contains the string 'G:\bot-mailer\007spambot-01\driver\objfre,' which leads us to believe that we'll undoubtedly see new versions of this malware."


About the Author:
Doug is a staff writer for SecurityProNews, InternetFinancialNews, SearchNewz, and WebProNews.

-- SysAdminNews is an iEntry, Inc. publication --
2006 iEntry, Inc. All Rights Reserved