Hackers Serving Rootkits with Bagles

Iran Contra writes "Security researchers at F-Secure in Finland have discovered a rootkit component in the Bagle worm that loads a kernel-mode driver to hide the processes and registry keys of itself and other Bagle-related malware from security scanners. Bagle started out as a simple e-mail borne executable, and the addition of rootkit capabilities shows how far ahead of the cat-and-mouse game the attackers are."
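The hiding described in the summary is what cross-view detection is built to catch: enumerate the same objects through two independent paths and flag anything that only the low-level path reports. The following is an added example, not code from the article or from F-Secure; the comparison is exercised on constructed process and registry views standing in for a Windows host, and the live scan implements the same idea on a POSIX machine (the /proc listing versus probing every PID with signal 0).

```python
import os

def cross_view_diff(high_level, low_level):
    """Compare two enumerations of the same objects.
    Returns (hidden, extra): 'hidden' are objects seen only through the
    low-level path, the classic signature of a rootkit filtering the API
    view; 'extra' are objects seen only in the high-level view, normally
    just things that exited between the two snapshots."""
    high, low = set(high_level), set(low_level)
    return sorted(low - high), sorted(high - low)

# Constructed sample views (not data from the article): the API view is what
# Task Manager or RegEnumKeyEx would report, the raw view is what a direct
# walk of kernel objects would report.
API_PROCESSES = ["explorer.exe:1204", "svchost.exe:880", "outlook.exe:2316"]
RAW_PROCESSES = API_PROCESSES + ["sample_hidden.exe:3320"]
RUN_KEY = r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run"
API_KEYS = [RUN_KEY + r"\ctfmon", RUN_KEY + r"\avupdate"]
RAW_KEYS = API_KEYS + [RUN_KEY + r"\sample_hidden"]

def proc_listing():
    """High-level view on a POSIX host: the /proc listing that ps relies on."""
    return {int(d) for d in os.listdir("/proc") if d.isdigit()}

def pid_probe(max_pid):
    """Low-level view: probe every PID with signal 0. EPERM still proves the
    process exists; only ESRCH means it does not."""
    alive = set()
    for pid in range(1, max_pid + 1):
        try:
            os.kill(pid, 0)
        except ProcessLookupError:
            continue
        except PermissionError:
            pass
        alive.add(pid)
    return alive

def scan_live_host(max_pid=None):
    """Flag PIDs the probe sees but /proc never listed. Snapshotting /proc
    before and after the probe reduces false positives from processes that
    start or exit during the scan: a PID must be absent from both snapshots."""
    if max_pid is None:
        with open("/proc/sys/kernel/pid_max") as f:
            max_pid = int(f.read())
    before = proc_listing()
    probed = pid_probe(max_pid)
    after = proc_listing()
    hidden, _ = cross_view_diff(before | after, probed)
    return hidden

if __name__ == "__main__":
    print("constructed process diff:", cross_view_diff(API_PROCESSES, RAW_PROCESSES))
    print("constructed registry diff:", cross_view_diff(API_KEYS, RAW_KEYS))
    print("live host, hidden PIDs:", scan_live_host())
```

A driver that filters both paths defeats this, which is why real tools add further views (raw disk or hive parsing, offline boots); the diff logic stays the same.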
  • Am I wrong (Score:5, Insightful)

    by 3.5 stripes ( 578410 ) on Friday March 31, 2006 @06:12AM (#15032717)
    Or is it just me who's been reading about rootkits and keyloggers now becoming standard payloads in worms/virus/web exploits?

    In the end, they're just another piece of cut and paste code for script kiddies.
  • by clevershark ( 130296 ) on Friday March 31, 2006 @07:44AM (#15032893) Homepage
    No matter how nasty worms get a user still has to execute them for his/her PC to become infected -- and even then with a decent setup there's still the possibility/probability of a correctly-setup anti-virus prog checking the message between the user's click(s) and the execution of the malware.

    So, malware makers are not so much "ahead of the game" as "still reliant on the problem that exists between the keyboard and the chair."
  • by Illserve ( 56215 ) on Friday March 31, 2006 @08:03AM (#15032921)
    It's hard to see why genetic algorithms are an inherently good way to design computer virii. The fitness landscape is not well suited to GAs, it's too rugged. GAs need a particular structure of problem to function well, one in which every change produces an incremental benefit or impairment.

    Changing which registry key a worm modifies, or what files a virus affects, will cause wildly varying effects, 99.9999% of which will cause either no discernible effect, or blue screen the system. This is not a good setup for the GA to figure out what works best.

    So despite the similarity in name and function with biological viruses, computer virii (and worms, trojans etc) are not really evolvable, but need to be engineered.

  • by billcopc ( 196330 ) <vrillco@yahoo.com> on Friday March 31, 2006 @11:20AM (#15033992) Homepage
    Years.. no, decades ago, everyone was scared shitless of boot sector viruses. Today it's rootkits. This isn't rocket science, it's about friggin time these things hit the mainstream. It's obvious that today's software relies on many layers of abstraction provided by the OS. Infiltrate one of those layers and you've fooled the entire system. It's no different than the men with wires going to their ears saying "You didn't see anything, move along", except your software's too dumb to see that the man is lying. There is no ultimate solution to this, software is software and no matter how well you try to secure the OS, all it takes is a little patch to disable all your security. The closest thing to a secure OS would be some sort of read-only boot device, and I really mean READ-ONLY, not just "mount -o ro". Boot off the DVD-Rom.. even then, just one glitch in the programming could open up the whole system to in-memory patching.

    What we CAN do to relieve this plague is take away the motivation behind viruses. They don't exist just for fun, they serve a purpose.. DDoS is a lucrative racket. If we can somehow make an infected PC less valuable to the attacker, to the point where it's not even worth infecting, the virus threat will slow down to a crawl. Why don't we have more Linux viruses ? Because it's a high-risk, low-potential target. If Microsoft could accomplish the same level of security with the average Windows PC, virus authors would have to go out and get real friggin jobs for once.
