beforeyoukillyourcomputer.com

Saving computers one at a time from their frustrated owners

Tag: rootkit

Over the past month, a new type of malicious software has emerged, using a decades-old technique to hide itself from antivirus software.

The malware, called Trojan.Mebroot by Symantec, installs itself on the first part of the computer’s hard drive to be read on startup, then makes changes to the Windows kernel, making it hard for security software to detect it.
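The paragraph above describes the defining trait of a master boot record rootkit: it lives in the first sector the firmware reads at startup, where it replaces the boot code while leaving the partition table usable so the machine still boots. One defender-side check that follows from this is to snapshot the MBR from a known-good state and later compare the boot-code and partition-table regions separately, so a change to the boot code alone is flagged. The following is an added example, not code from the original article or from Symantec or iDefense; the sample sector it builds is constructed, and the layout constants (446 bytes of boot code, a 64-byte partition table, the 0x55AA signature) are the standard MBR format.

```python
import hashlib
import struct

SECTOR_SIZE = 512
BOOTSTRAP_LEN = 446        # bytes 0..445 hold the boot code the BIOS executes
PARTITION_TABLE_OFF = 446  # four 16-byte partition entries follow the boot code
SIGNATURE_OFF = 510        # last two bytes must be 0x55 0xAA

# Layout of one partition entry: status, CHS start, type, CHS end, LBA start, sector count
ENTRY_FMT = "<B3sB3sII"


def build_sample_mbr(bootstrap: bytes) -> bytes:
    """Constructed sample MBR (not captured from a real disk): caller-supplied boot
    code, one bootable NTFS-type partition starting at LBA 2048, valid signature."""
    code = bootstrap.ljust(BOOTSTRAP_LEN, b"\x00")[:BOOTSTRAP_LEN]
    entry = struct.pack(ENTRY_FMT, 0x80, b"\x01\x01\x00", 0x07, b"\xfe\xff\xff", 2048, 204800)
    table = entry + b"\x00" * 48  # remaining three entries unused
    return code + table + b"\x55\xaa"


def parse_mbr(sector: bytes) -> dict:
    """Split a 512-byte sector into the fields a baseline comparison needs."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    partitions = []
    for i in range(4):
        off = PARTITION_TABLE_OFF + 16 * i
        status, _, ptype, _, lba, count = struct.unpack(ENTRY_FMT, sector[off:off + 16])
        if ptype != 0:  # type 0 means the slot is empty
            partitions.append({"bootable": status == 0x80, "type": ptype,
                               "lba_start": lba, "sectors": count})
    return {
        "signature_ok": sector[SIGNATURE_OFF:] == b"\x55\xaa",
        # Hash the two regions separately: a bootkit rewrites the first and keeps the second.
        "bootstrap_sha256": hashlib.sha256(sector[:BOOTSTRAP_LEN]).hexdigest(),
        "table_sha256": hashlib.sha256(sector[PARTITION_TABLE_OFF:SIGNATURE_OFF]).hexdigest(),
        "partitions": partitions,
    }


def check_mbr(sector: bytes, baseline: dict) -> list:
    """Compare a freshly read MBR against a baseline captured from a known-good
    state. Returns a list of findings; an empty list means no change detected."""
    current = parse_mbr(sector)
    findings = []
    if not current["signature_ok"]:
        findings.append("invalid boot signature")
    if current["bootstrap_sha256"] != baseline["bootstrap_sha256"]:
        findings.append("bootstrap code changed")
    if current["table_sha256"] != baseline["table_sha256"]:
        findings.append("partition table changed")
    return findings


if __name__ == "__main__":
    # Baseline taken from the constructed "clean" sector.
    clean = build_sample_mbr(b"\xfa\x33\xc0\x8e\xd0")
    baseline = parse_mbr(clean)
    # Same partition table, different boot code: the pattern the article describes.
    tampered = build_sample_mbr(b"\xeb\xfe")
    print("clean:", check_mbr(clean, baseline))
    print("tampered:", check_mbr(tampered, baseline))
```

On a real system the 512 bytes would be read from the raw disk device (for example the first sector of the physical drive) rather than built in memory, and the baseline hash would be stored off-host so a rootkit that already controls the machine cannot also rewrite the reference.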

Criminals have been installing Trojan.Mebroot, known as a master boot record rootkit, since mid-December, and were able to infect nearly 5,000 users in two separate attacks, staged on Dec. 12 and Dec. 19, according to Verisign’s iDefense Intelligence Team. In order to install the software on a victim’s computer, attackers first lure them to a compromised Web site, which then launches a variety of attacks against the victim’s computer in hopes of finding a way to run the rootkit code on the PC.

Once installed, the malware gives attackers control over the victim’s machine…

“It’s not some new attack vector that’s going to be hard to prevent,” he said. “It’s just something that people haven’t really paid attention to.”

Source/Full Story

Rootkits may be getting most of the attention within the security community. But it’s important not to overlook other, equally effective antiforensic techniques that malware writers have at their disposal for hiding their code from detection, according to a security researcher at the Black Hat 2007 conference.

Nick Harbour, a senior consultant at Alexandria, Va.-based security vendor Mandiant, outlined a few of those techniques during a presentation at the show. None of the methods are especially new, but they have been only scarcely documented.

One of the ways in which malware writers can hide their code from forensic discovery is via a method known as process injection. The technique involves the injection of malicious code into another legitimate running process on an end user’s system, Harbour said, speaking with Computerworld after his presentation.

There are several methods of process injection available to hackers. The technique allows them to conceal the source of the malicious behavior in a computer. The technique can be used to bypass firewalls on client devices and other security defenses, because the process that has been injected with the malicious code would appear largely normal, he said.

Source/Full Story

Enterprise anti-virus vendor Sophos on Aug. 23 released a free rootkit detection and removal tool alongside a warning that the stealthy malware threat is a legitimate security concern for businesses.

Sophos, of Lynnfield, Mass., said its rootkit cleaner offers an easy-to-use interface to scan all running processes, local hard drives and the Windows registry for rootkits.

The company joins a growing list of Internet security vendors adding rootkit-scanning capabilities to their product lines. Finnish anti-virus outfit F-Secure offers the BlackLight rootkit clean-up utility, while BitDefender and others are beta testing similar offerings.

Rootkits are programs that are used to give a remote user persistent access to a compromised system while avoiding detection from security scanners.

Now the company has released a free scanner that promises to identify known rootkits and selects, by default, malicious files for removal. Sophos said the tool will remove the rootkit component of the malware without compromising OS integrity.

The rootkit detection and clean-up tool will allow users to remove unidentified hidden files, but does not allow removal of essential system files when hidden by an identified rootkit.

Once the user runs a scan, Sophos said the screen prompts the user through the necessary steps until every rootkit has been removed.

Download

Source