NEWS FROM THE LAB - Tuesday, May 17, 2005

Cut'n'Paste Rootkit-Bots Posted by Mika @ 05:28 GMT

As you probably know, there are a ridiculous number of variants for certain Bots. A recent development has been the addition of rootkit drivers into some Bot variants. Most likely Bot authors do not possess the skills required to write their own drivers, so they just add a driver from an existing rootkit or PoC and cut-and-paste the user-mode code for controlling the driver.

For example, some variants of Rbot drop a recompiled version of the FU rootkit's driver onto the infected machine and use it to remove their process entry from the Windows task manager. Another example of this behavior has been the use of the JiurlPortHide driver for hiding network connections.

F-Secure BlackLight, if you recall, looks for discrepancies between two views - a tainted view and a clean view. This is how it finds rootkits. We have had some questions on BlackLight beta detecting FU rootkit. I will try to clarify the issue here:

FU rootkit exploits the fact that the Windows process list and the scheduler have virtually nothing to do with each other. FU removes a process from the kernel process list, but magically the program continues running as if nothing had happened. FU is actually not a full-fledged rootkit: for example, it does not hide its driver file. When a malicious program, let's say Rbot, uses the FU driver for hiding its process, BlackLight beta will show this bot process as hidden. However, BlackLight will not find the FU driver itself, since it is not hidden in any way.
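To make the two paragraphs above concrete, here is an added user-space simulation (example code written for this post, not BlackLight's or FU's source) of the cross-view idea. It keeps two views of the same set of running tasks, the way Windows keeps a process list that task manager ultimately reads and a separate scheduler view of threads. Unlinking an entry from the list hides it from anything that walks the list, but the scheduler view is untouched, so the task keeps running; comparing the two views reveals the discrepancy. The struct layout, the names `spawn_task`, `hide_from_list` and `cross_view_detect`, and the sample pids are all constructed stand-ins, not the real kernel structures.

```c
/* Added example: simulation of cross-view rootkit detection.
 * Not BlackLight code, not FU code; all structures and names are
 * simplified stand-ins for the Windows kernel objects they mimic. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_TASKS 16

/* Simplified stand-in for an EPROCESS block. */
struct task {
    unsigned pid;
    char name[32];
    struct task *next;   /* ActiveProcessLinks.Flink analogue */
    struct task *prev;   /* ActiveProcessLinks.Blink analogue */
};

/* "Tainted" view: the doubly linked process list that task manager
 * effectively sees through the process enumeration APIs. */
static struct task list_head = { 0, "<head>", &list_head, &list_head };

/* "Clean" view: the scheduler's table of tasks with runnable threads.
 * A task stays here as long as it is scheduled, on the list or not. */
static struct task *sched_table[MAX_TASKS];
static int sched_count = 0;

/* Normal process creation registers the task in both views. */
struct task *spawn_task(unsigned pid, const char *name) {
    struct task *t = calloc(1, sizeof *t);
    if (!t || sched_count >= MAX_TASKS) { free(t); return NULL; }
    t->pid = pid;
    strncpy(t->name, name, sizeof t->name - 1);
    /* insert at the tail of the circular list */
    t->next = &list_head;
    t->prev = list_head.prev;
    list_head.prev->next = t;
    list_head.prev = t;
    sched_table[sched_count++] = t;
    return t;
}

/* The effect the post describes: the entry is unlinked from the process
 * list only, while the scheduler view (and the running program) is
 * untouched. Simulated here so the detection below has something to find. */
void hide_from_list(struct task *t) {
    t->prev->next = t->next;
    t->next->prev = t->prev;
    t->next = t->prev = t;   /* self-linked so a later walk stays safe */
}

/* Is pid reachable by walking the process list (the tainted view)? */
int visible_in_list(unsigned pid) {
    for (struct task *t = list_head.next; t != &list_head; t = t->next)
        if (t->pid == pid) return 1;
    return 0;
}

/* Cross-view check: every task the scheduler knows must also be on the
 * list. Returns the number of discrepancies and writes their pids to out. */
int cross_view_detect(unsigned *out, int max_out) {
    int found = 0;
    for (int i = 0; i < sched_count; i++) {
        if (!visible_in_list(sched_table[i]->pid) && found < max_out)
            out[found++] = sched_table[i]->pid;
    }
    return found;
}

int main(void) {
    unsigned hidden[MAX_TASKS];
    spawn_task(4, "System");                           /* constructed sample */
    spawn_task(1234, "explorer.exe");                  /* constructed sample */
    struct task *bot = spawn_task(4321, "bot.exe");    /* constructed sample */
    hide_from_list(bot);

    printf("task list shows pid 4321: %s\n", visible_in_list(4321) ? "yes" : "no");
    int n = cross_view_detect(hidden, MAX_TASKS);
    for (int i = 0; i < n; i++)
        printf("hidden process detected: pid %u\n", hidden[i]);
    return 0;
}
```

The point of the simulation is the second half of the post: the detector finds the hidden bot process because the scheduler view still contains it, but it has nothing to say about the driver that did the unlinking, since the driver file was never hidden from any view and therefore produces no discrepancy.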

FU hiding processes (6k image)