NEWS FROM THE LAB - Tuesday, April 12, 2005

Rootkit wars? Posted by Mika @ 11:57 GMT

Our F-Secure BlackLight beta release has apparently gained a lot of attention among both users and rootkit authors. There is actually a lively debate going on about how to make rootkits that can hide from BlackLight. The discussion seems to be escalating and web sites have even been attacked. We are, needless to say, following the situation closely. Here's the story in brief.

In early April a spyware group posted an article on rootkit.com where they advertised their products and presented source code for evading detection by BlackLight. The technique amounts to a process-name check: the rootkit skips its hiding for any process named "blacklight". A maintainer of rootkit.com commented on the post, essentially saying that they thought the technique was rather unsophisticated. We have covered this same case in a previous weblog entry, along with a workaround.
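To show why a name check of this kind is weak, here is a small model of it in Python. This is an added illustration, not code from F-Secure, from rootkit.com or from the posting discussed above. It assumes the detector works by comparing a raw listing with the view returned through the hooked API (the post says nothing about BlackLight's internals); the file names, the "rk_" prefix and the directory contents are constructed for the example.

```python
# Added illustration of the process-name evasion described above.
# Not code from F-Secure, rootkit.com or the rootkit posting; the detector
# model (raw view vs. hooked API view) and all file names are assumptions.

HIDDEN_PREFIX = "rk_"        # assumed: files the rootkit wants to hide
SCANNER_NAME = "blacklight"  # the process name the posted evasion keys on

# Constructed directory contents as they exist on disk, before any hooking.
RAW_LISTING = ["explorer.exe", "rk_driver.sys", "notepad.exe", "rk_service.exe"]


def hooked_listing(caller_process, evade_scanner=True):
    """What the hooked enumeration API returns to the process asking for it."""
    if evade_scanner and SCANNER_NAME in caller_process.lower():
        # The evasion: do not hide anything from a process named "blacklight",
        # so a comparison of raw and API views finds no discrepancy.
        return list(RAW_LISTING)
    # Normal rootkit behaviour: filter out its own files for everyone else.
    return [name for name in RAW_LISTING if not name.startswith(HIDDEN_PREFIX)]


def cross_view_diff(scanner_process):
    """Entries present in the raw listing but missing from the API view.

    A non-empty result means hidden objects were found. The only input the
    rootkit can act on is the scanner's process name, which is why renaming
    the scanner executable is enough to defeat this particular trick.
    """
    api_view = hooked_listing(scanner_process)
    return sorted(set(RAW_LISTING) - set(api_view))


if __name__ == "__main__":
    print("scanner run as blacklight.exe:", cross_view_diff("blacklight.exe"))
    print("scanner run as scan.exe      :", cross_view_diff("scan.exe"))
```

Run as "blacklight.exe" the diff is empty and the rootkit stays invisible; run under any other name, the same scanner logic immediately lists the two "rk_" files, because the hook has no better way to recognise the detector than its file name.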

On April 5th someone launched a DDoS attack on rootkit.com. A few days later a similar attack was started against the websites of the Hacker Defender rootkit, apparently after the author of that rootkit had commented on the case. These sites are still down.

Paul Roberts has written an article on the incident. The article states that there is a connection between the posting on rootkit.com and the attacks. It further says that "the attacks are believed to be the work of a group of Bulgarian and Turkish hackers known as the SIS-Team".