Zlob gang has modified their fake codec malware once again!
rootkit
ecard changes its appearance and rootkit, again!
The ecard malware, also known as the W32/Zhelatin worm, has changed its tactics again. The mails now differ from the old ones: they arrive as a "membership confirmation mail" from web services such as MP3 World or the Dog Lovers club. An example is shown in the screenshot below. Note that the IP address is no longer visible in the mail.
Navipromo reloaded!
I came across a new variant of the Navipromo rootkit which is almost undetected. Only CAT-QuickHeal was able to flag the file, and only heuristically. Navipromo hooks APIs in Ntdll.dll to hide its presence. More information about this new variant can be found here. However, the Navilog1 tool can remove this infection.
InternetGameBox Rootkit
InternetGameBox touts itself as software that lets you play Flash-based online games. But InternetGameBox is much more than gaming! It is adware that uses the Navipromo rootkit to hide its traces. As soon as the InternetGameBox client program is installed from their website, the installer drops a few files into the System32 directory and creates a randomly named process which is hidden from user-mode APIs.
This is how the InternetGameBox client looks:
New Anti-Rootkit tools on the block
It's good to see that many Anti-Virus vendors are taking Rootkits 'seriously'! After BitDefender and AVG, now Panda, McAfee and Trend Micro have released standalone Anti-Rootkit tools. McAfee's Rootkit Detective and Trend Micro's Rootkit Buster are still in Beta, whereas Panda's Rootkit Cleaner is still in Alpha. These tools have reasonably good features and detection capability: all three can detect and clean hidden processes, hidden drivers, SSDT hooks, hidden files and hidden Registry entries.
Rootkit detection, removal and prevention!
Here's the Wiki definition of a Rootkit:
A Rootkit is a set of software tools frequently used by a third party (usually an intruder) after gaining access to a computer system. These tools are intended to conceal running processes, files or system data, which helps an intruder maintain access to a system without the user's knowledge. Rootkits are known to exist for a variety of operating systems such as Linux, Solaris and versions of Microsoft Windows. A computer with a rootkit on it is called a rooted computer.
Removing Mailbot.AZ (aka Rustock.A) Rootkit
Mailbot.AZ (also known as PE386 or Rustock.A) is a kernel-mode rootkit backdoor. It consists of only one file, its driver, which is stored as a hidden Alternate Data Stream (ADS) of the System32 folder on NTFS systems. Alternate Data Streams are not scanned by most security software, and moreover the Mailbot.AZ driver ADS is hidden using kernel-mode rootkit techniques. This makes detection more difficult.