Hackers Serving Rootkits with Bagles

Iran Contra writes "Security researchers at F-Secure in Finland have discovered a rootkit component in the Bagle worm that loads a kernel-mode driver to hide the processes and registry keys of itself and other Bagle-related malware from security scanners. Bagle started out as a simple e-mail-borne executable, and the addition of rootkit capabilities shows how far ahead in the cat-and-mouse game the attackers are."
  • by arivanov ( 12034 ) on Friday March 31, 2006 @06:24AM (#15032749) Homepage
    The older DAV and co. viruses from the late '90s were polymorphic and changed their code from time to time.

    In fact, as far as the underlying technology goes, the current viruses have regressed back to simple non-polymorphic code. Not entirely surprising, considering that they are written in a high-level language nowadays. If you look at the recent crop, there is everything from Delphi to VB used to write them, with some EXE compression applied at the end to get the size down to a reasonable value.
  • by True ChAoS ( 157946 ) on Friday March 31, 2006 @06:26AM (#15032752) Homepage
    This has been written about before on the F-Secure security blog [f-secure.com]. There's also a nice pic of what all the different parts of Bagle look like [f-secure.com] and how they interact.
  • by Futurepower(R) ( 558542 ) on Friday March 31, 2006 @07:08AM (#15032822) Homepage
    SysInternals' free program RootkitRevealer [sysinternals.com] is the best way I know to reveal the presence of rootkits.

    In general, any program SysInternals provides is the best in its field, I've found.

    Try the just updated (March 7, 2006) version of Autoruns [sysinternals.com] to find nasty stuff running under Windows.

  • Re:Am I wrong, by jayloden ( 806185 ) on Friday March 31, 2006 @10:45AM (#15033731)
    No, it's definitely not just you. I work with [removing] IM-based viruses as a hobby project, and there has been a clear shift from simple executable file viruses to full rootkits. Along the way I've seen everything from loading via the Shell or Userinit values under Winlogon to bogus kernel drivers.

    It's my personal (and professional) opinion that this is likely to become the norm. I give it another year or two before the majority of malware is rootkit-based. It's far too easy to incorporate rootkit technology, and far too difficult to remove. It seems only a natural step in malware evolution.

    I recommend Rootkits: Subverting the Windows Kernel [amazon.com] for further reading on the subject. The first two chapters were enough to convince me that rootkits are a more than viable path for malware to take. Perhaps more importantly, no matter what the security companies put into their software, once the system has been compromised there is no way to trust the running system, period. The only way to verifiably clean a rootkit-infected system is to take it offline and scan it from a known clean (read-only) medium.
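The two Sysinternals tools named earlier in the thread (RootkitRevealer's cross-view comparison and Autoruns' listing of the Winlogon Shell/Userinit values) and the persistence locations this comment lists can both be illustrated offline. The Python below is an added example, not code from the page, from Sysinternals or from F-Secure: it runs a cross-view diff and a Winlogon autorun check over constructed sample data. Every process name, registry key and path in it is hypothetical, and the "raw view" is simulated rather than read from kernel structures or an offline hive.

```python
"""Cross-view rootkit detection and Winlogon autorun checks (added example).

Two checks the thread refers to, reduced to their logic:

  1. RootkitRevealer-style cross-view diff: anything present in a raw
     (low-level) enumeration but missing from the Windows-API view is
     probably being hidden by a hook.
  2. Autoruns-style inspection of the Winlogon Shell/Userinit values: an
     appended extra command means something is loaded alongside the
     legitimate program.

All inputs are constructed sample data, not captured from a real host.
"""

from dataclasses import dataclass


@dataclass(frozen=True)
class Discrepancy:
    kind: str      # "process", "registry" or "winlogon"
    item: str
    detail: str


# --- 1. cross-view diff --------------------------------------------------

# Constructed "API view": what a scanner sees via EnumProcesses / RegEnumKeyEx.
API_VIEW_PROCESSES = {
    4: "System", 544: "winlogon.exe", 1204: "explorer.exe", 1320: "svchost.exe",
}
# Constructed "raw view": the same table obtained without asking the OS
# (walking kernel structures, or parsing a hive/file system offline).
RAW_VIEW_PROCESSES = dict(API_VIEW_PROCESSES)
RAW_VIEW_PROCESSES[1876] = "hidden_sample.exe"   # hypothetical hidden process

API_VIEW_KEYS = {
    r"HKLM\SYSTEM\CurrentControlSet\Services\Tcpip",
    r"HKLM\SYSTEM\CurrentControlSet\Services\Dhcp",
}
RAW_VIEW_KEYS = API_VIEW_KEYS | {
    r"HKLM\SYSTEM\CurrentControlSet\Services\hiddensvc",  # hypothetical hidden key
}


def cross_view_diff(api_procs, raw_procs, api_keys, raw_keys):
    """Report entries on which the API view and the raw view disagree.

    A raw-only entry is the classic rootkit signature. An API-only entry is
    reported too: it usually means the two snapshots raced, but a hook that
    fabricates results would show up the same way.
    """
    findings = []
    for pid in sorted(set(raw_procs) - set(api_procs)):
        findings.append(Discrepancy("process", f"{pid} {raw_procs[pid]}", "hidden from API view"))
    for pid in sorted(set(api_procs) - set(raw_procs)):
        findings.append(Discrepancy("process", f"{pid} {api_procs[pid]}", "visible to API only"))
    for key in sorted(raw_keys - api_keys):
        findings.append(Discrepancy("registry", key, "hidden from API view"))
    for key in sorted(api_keys - raw_keys):
        findings.append(Discrepancy("registry", key, "visible to API only"))
    return findings


# --- 2. Winlogon autorun values ------------------------------------------

# Documented defaults on Windows 2000/XP, the systems this 2006 thread is about.
WINLOGON_DEFAULTS = {
    "Shell": {"explorer.exe"},
    "Userinit": {r"c:\windows\system32\userinit.exe"},
}


def split_winlogon_value(value):
    """Shell and Userinit hold comma-separated command lists; trailing commas are normal."""
    return [part.strip() for part in value.split(",") if part.strip()]


def check_winlogon(values):
    """Flag every command in Shell/Userinit beyond the documented default."""
    findings = []
    for name, default in WINLOGON_DEFAULTS.items():
        if name not in values:
            continue
        for entry in split_winlogon_value(values[name]):
            if entry.lower() not in default:
                findings.append(Discrepancy("winlogon", f"{name}={entry}", "extra autorun entry"))
    return findings


# Constructed registry snapshot: Userinit has a second command appended.
SAMPLE_WINLOGON = {
    "Shell": "explorer.exe",
    "Userinit": r"C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\extra_sample.exe,",  # hypothetical
}


def scan():
    """Run both checks over the constructed data and return all findings."""
    return (cross_view_diff(API_VIEW_PROCESSES, RAW_VIEW_PROCESSES, API_VIEW_KEYS, RAW_VIEW_KEYS)
            + check_winlogon(SAMPLE_WINLOGON))


if __name__ == "__main__":
    for f in scan():
        print(f"[{f.kind}] {f.item}: {f.detail}")
```

The cross-view logic is only as good as the raw view: if the same hooked API produced both snapshots, the diff is empty, which is exactly why the comment above insists on scanning from known-clean, read-only media once a rootkit is suspected.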
  • by wantedman ( 577548 ) on Friday March 31, 2006 @12:26PM (#15034516) Homepage Journal
    The trick to malware writing in DOS is to hide from DOS. We do that by placing the malware in some unclaimed memory and rapidly changing it to keep malware scanners from pattern-matching it.

    Windows changed that. Malware needs to be recognized by Windows in some form, or else it's not going to get its messages and it's not going to be able to access the wonderful WinAPI, which gives it more power and makes it smaller. There's no point in a spy changing their clothing to disguise themselves if they always have to wear a nametag.

    Rootkits are the obvious solution to this problem, because they allow a program to be recognized by Windows while hiding from programs that use Windows to try to recognize it. We're only seeing rootkits now because it's getting harder to disguise malware by giving it a nondescript name.
