/v3-uk/news/2002006/rootkit-creators-professional
19 Oct 2005, Tom Sanders in California, V3
Signalling a trend towards increased 'outsourcing' of some elements of malware creation, security experts are reporting a surge in the level of professionalism and commercialisation in the creation of so-called rootkits.
A rootkit is a tool that helps worm authors to slip past malware detection tools. The rootkit is 'wrapped around' the virus, and hides its payload from detection engines. After the rootkit has penetrated a system's defences, the worm can start doing its work.
Antivirus vendor F-Secure reported last week that it had detected a new rootkit designed to bypass detection by most of the modern rootkit detection engines.
Traditionally a rootkit would be designed to evade only one security product, such as Symantec's or F-Secure's antivirus scanners.
"The professionalism of these rootkits is coming to another level," said Allen Schimel, chief strategy officer at StillSecure, a developer of intrusion detection, vulnerability management and network access control applications.
"These rootkits just cranked it up a notch in their ability to evade multiple antivirus products."
Adding a rootkit to a virus increases its chances of avoiding detection because modern antivirus applications do not just look for specific code, but incorporate behavioural analysis to catch worms.
A rootkit can also help a worm to remain undetected even after antivirus vendors have created signatures to catch the malware.
Rootkits go back to the early days of computer hacking, when they were applications that opened a backdoor into a user's system. This allows the hacker to access the computer remotely.
Such a tool was useful because it enabled hackers to use the computer as a launch-pad for new break-ins, or to store sensitive information without leaving a trail back to the hacker.
Rootkits are also being identified by most malware detection applications, so rootkit creators constantly update their wares in an effort to stay ahead of their opponents.
The version of the rootkit detected by F-Secure is called Golden Hacker Defender. It is a commercial product that can be bought for around €500, according to the security firm.
Although F-Secure does not have any information on its geographic origin, Ero Carrera, a virus researcher with the company, said that it is safe to assume that Golden Hacker Defender comes from Europe.
The availability of the tool also indicates that outsourcing has reached the world of worm creation. By not having to worry about avoiding detection by antivirus software, worm authors can concentrate on what they want their malware to do.
"There are people able to pay for this tool, so they are making money using it," Carrera told vnunet.com. "This means that there is a criminalisation of the virus world going on."
While large-scale disruptive worm attacks such as those caused by last summer's Zotob worm tend to get a lot of media attention, worms are increasingly used to recruit computers and servers for so-called botnets.
Operators of these zombie networks rent them out to send spam, blackmail websites with threats of distributed denial of service attacks or use them to host websites with illegal content such as child pornography.
"It is becoming more apparent that there is a market [for rootkits] and that [virus writers] are able to pay for additional tools to remain undetected," said Carrera.
For security vendors the rise of these professional rootkits signals that virus authors are raising their game in a move that could give them at least a temporary edge over computer users.
If these tools prove effective in penetrating a computer's defences, more worm authors are bound to start using them, warned Schimel.
"It's like testing explosives at a carnival and asking whether kids are going to use it. The genie is out of the bottle," he said.
Definition of "rootkit" inaccurate
A rootkit is not used as described in this article - at least not by every definition of the term I've ever seen.
A rootkit is a "kit" that a script-kiddie, or sometimes a virus or worm, installs on a system to provide a back-door into the system - typically with elevated privileges (i.e. "root" on a Unix system, hence the name).
Rootkits have many forms, but the intent is the same: to mask their _own_ presence (not the presence of a virus) and to provide invisible entry into the system for the attacker.
A rootkit _is_ the payload; the article describes it as being the opposite.
For more info and tools used to scan for them (on Unix systems), see:
http://www.rootkit.nl/
http://www.chkrootkit.org/
Posted by Kevin, 21 Oct 2005
confused
Quote from the article:
"A rootkit is a tool that helps worm authors to slip past malware detection tools. The rootkit is 'wrapped around' the virus, and hides its payload from detection engines. After the rootkit has penetrated a system's defences, the worm can start doing its work."
Seems a little confusing to me. As far as my understanding of rootkits goes, the worm penetrates the system and then the rootkit is installed on the system.
Posted by k, 21 Oct 2005
Research?
If this is the best F-Secure researchers can do, I do hope the quality of their products is much better than the quality of their research.
"F-Secure does not have any information on its geographic origin" --- it most likely originates from the Czech Republic, and some easy Google searches even suggest the name of the author (Jaromir?).
Posted by Infected Again, 21 Oct 2005
That is NOT a rootkit
Rootkits allow a person to hide their presence on a machine after they already have access. It is NOT a "wrapper around a virus."
Posted by Anonymous Coward, 21 Oct 2005
Steps to Counter Infection
Ok, instead of commenting on this article, I would like to leave some information regarding security measures and software available to help deal with this problem.
Take a look at:
http://research.microsoft.com/rootkit/ where you will find various products available to help deal with possible rootkit compromise on your system. You might want to visit symantec.com and look at what they have as well.
Overall, take the following precautions to maximize your protection against malicious code:
1. Install an antivirus product (Symantec, McAfee, F-Secure.....) and obtain updates every day (anti-virus signatures).
2. Always install security patches when they become available from your Operating System provider (MS, Linux, etc...).
3. Patch all applications (e.g. MS Office...)
4. Don't run any services and/or protocols on your machine that you don't need (Webserver, database, ftp, tftp, smtp, ....).
These few steps will significantly tighten your risk for infection by malicious code.
Posted by Kevin Stone, 22 Oct 2005