Rootkits have been making the news with increasing frequency recently and I expect this trend will continue. eWeek recently quoted Microsoft's Anti-Malware Technology Team leader Jason Garms as saying more than 20 percent of malware removed from systems running Windows XP with Service Pack 2 are rootkits. That's right -- rootkits are installed even with SP2.
F-Secure, the Finnish anti-malware vendor, is quoted at eWeek as saying the increase in rootkits can be directly attributed to adware/spyware pushers' use of rootkit technology to hide their dirty work and prevent uninstallation. Apropos spyware, from ContextPlus, was discovered using "very advanced rootkit technologies". Indeed, victims of Apropos spyware are frequenting forums asking for help. In fact, here's a user who complained about a slow computer and being hit with Zango, and was subsequently diagnosed by the helper as having Apropos spyware with a rootkit. More HijackThis log examples of Apropos here (note the very long Rootkit Revealer log) and here.
The fight against rootkits is escalating as well. This week chip maker Intel announced research on a hardware engine they dubbed System Integrity Services in an effort to detect intrusions of rootkits and other malware as they interact with system memory. Anti-spyware and antivirus vendors are adding technology for rootkit detection also. This eWeek article quotes spyware expert Eric Howes on rootkits and anti-rootkit technology.
He (Howes) says he began seeing rootkit features in spyware like Cool Web Search around 12 months ago.
Cool Web Search spyware used Windows kernel-level interactions to hide executable files and other telltale signs, he said.
Now those rootkit-style features are common, not just in Cool Web Search, but also in quasi-legal programs like EliteBar, advertising software from Internet Media, and ContextPlus, another form of spyware that uses rootkit techniques to hide, Howes said.
Anti-spyware vendors are also starting to use kernel-level technology. Webroot's Spy Sweeper included anti-rootkit features in its latest version, and now Aluria, recently acquired by Earthlink, is adding kernel mode features. Tenebril's SpyCatcher is also mentioned as having kernel-level technology and Sunbelt Software, maker of CounterSpy, is planning to add similar technology.
Jason Garms blogged about this month's update of the Microsoft Malicious Software Removal Tool (MSRT), which adds detection of F4IRootkit, the name given to Sony BMG's XCP DRM technology from First 4 Internet. The F4IRootkit page gives instructions for checking whether you have the rootkit installed:
Click Start, and click Run.
In the Open text box, type: cmd
Click OK. A command-line shell appears.
At the command prompt, type: dir %windir%\System32\$sys$filesystem\aries.sys
Press Enter. The system displays the name aries.sys if the file is present. Otherwise, the system displays "File Not Found".
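The same check as a PowerShell function, added here as an example that is not part of the original post or of Microsoft's F4IRootkit page. It probes the quoted path directly, as the `dir` step does, and additionally compares that result with a listing of System32; a file that answers a direct probe but is missing from the listing is the kind of discrepancy a cross-view tool such as Rootkit Revealer flags. The cross-check and the verdict labels are my additions; if a driver intercepts the direct probe as well, both views report "not-found", so a negative result is not conclusive.

```powershell
# Added example (not from the original post or the F4IRootkit page):
# checks the XCP indicator path quoted above and cross-checks a direct
# path probe against a directory listing. Run from an elevated prompt.

function Test-XcpRootkitIndicator {
    [CmdletBinding()]
    param(
        # Windows directory to inspect; defaults to the running system.
        [string]$WinDir = $env:windir
    )

    $system32  = Join-Path $WinDir 'System32'
    $hiddenDir = Join-Path $system32 '$sys$filesystem'   # single quotes: no expansion
    $driver    = Join-Path $hiddenDir 'aries.sys'

    # View 1: ask for the file by its explicit path (what the quoted 'dir' step does).
    $directHit = Test-Path -LiteralPath $driver -PathType Leaf

    # View 2: enumerate System32 and see whether the directory appears in the listing.
    $listed = @(Get-ChildItem -LiteralPath $system32 -Force -Directory `
                -ErrorAction SilentlyContinue |
                Where-Object { $_.Name -eq '$sys$filesystem' }).Count -gt 0

    # Verdict labels are assumptions of this example, not Microsoft's terms.
    $verdict = if ($directHit -and $listed)          { 'present' }
               elseif ($directHit -and -not $listed) { 'present-and-cloaked' }
               elseif (-not $directHit -and $listed) { 'directory-only' }
               else                                  { 'not-found' }

    [pscustomobject]@{
        DriverPath   = $driver
        DirectAccess = $directHit
        InListing    = $listed
        Verdict      = $verdict
    }
}

Test-XcpRootkitIndicator | Format-List
```

A "present" or "present-and-cloaked" verdict is the cue to run the updated MSRT described in the post rather than to delete the file by hand.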
The MSRT's update also includes detection for the Win32/Ryknos trojan, known to use the XCP rootkit.