
Friday, March 31, 2006

F-Secure Discovers Hackers Serve Rootkits With Bagle Worms

Malicious hackers have fitted rootkit features into the newest variants of the Bagle worm, adding a stealthy new danger to an already virulent threat.

According to virus hunters at F-Secure, of Helsinki, Finland, the latest Bagle.GE variant loads a kernel-mode driver to hide the processes and registry keys of itself and other Bagle-related malware from security scanners.

The use of rootkits inside an established worm family signals an aggressive push by attackers to get around existing anti-virus software and maintain a persistent, undetected presence on infected machines.

Rootkits are typically used by attackers to conceal a backdoor into Windows systems, to hide the tools used to collect information on other systems on the network, and to mask the fact that the system is compromised at all.

In the case of the Bagle.GE rootkit, F-Secure researcher Jarkko Turkulainen said the rootkit hides processes, files and directories, and registry keys and values, and contains code that prevents certain security-related processes and kernel-mode modules from running.

It also contains commands to disable security software and delete security-related files whenever they are opened.
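The hiding described above, a hook that filters what the process-enumeration API returns, is exactly what cross-view diffing is meant to catch: an independent view the hook does not cover still sees the entry. The following is an added example written for this page, not F-Secure's analysis code or anything recovered from Bagle; the hooked API and the independent view are simulated over a constructed process table (all image names are made up), and the same idea is then applied for real on Linux by probing every PID with kill(pid, 0) and comparing against the /proc listing.

```python
"""Cross-view detection of hidden processes.

Added illustration, not F-Secure's tooling: a rootkit that hooks the
process-enumeration API hides entries from one view, but an independent
view the hook does not cover still sees them. Comparing the two views
exposes the hidden entries. The Windows-specific pieces (hooked API vs.
PID brute force) are simulated over a constructed process table so the
check runs anywhere; linux_cross_view() applies the idea for real on Linux.
"""
import os
from typing import Dict, Iterable, Set

# Constructed sample process table (pid -> image name); names are made up.
SAMPLE_TABLE: Dict[int, str] = {
    4: "System",
    528: "csrss.exe",
    612: "winlogon.exe",
    1044: "explorer.exe",
    1310: "svchost.exe",
    1780: "scanner.exe",      # hypothetical AV scanner
    2212: "rk_payload.exe",   # hypothetical rootkit-protected payload
}

HIDDEN_NAMES = {"rk_payload.exe"}  # what the simulated rootkit hides


def api_view(table: Dict[int, str]) -> Set[int]:
    """Simulated hooked enumeration API: hidden images are filtered out,
    which is all a scanner relying on that API would ever see."""
    return {pid for pid, name in table.items() if name.lower() not in HIDDEN_NAMES}


def raw_view(table: Dict[int, str]) -> Set[int]:
    """Simulated independent view the hook does not cover
    (e.g. probing every PID directly, or walking kernel structures)."""
    return set(table)


def cross_view_diff(api_pids: Iterable[int], raw_pids: Iterable[int]) -> Set[int]:
    """PIDs present in the independent view but missing from the API view."""
    return set(raw_pids) - set(api_pids)


def find_hidden(table: Dict[int, str]) -> Dict[int, str]:
    """Run both simulated views over the table and name the hidden PIDs."""
    hidden = cross_view_diff(api_view(table), raw_view(table))
    return {pid: table[pid] for pid in sorted(hidden)}


def linux_cross_view() -> Set[int]:
    """Real two-view check on Linux: PIDs that answer a kill(pid, 0) probe
    but are not listed in /proc. Thread IDs under /proc/<pid>/task count as
    listed, because kill() accepts a TID while /proc lists only leaders.
    A process created or exiting between the two passes can appear as a
    false positive, so re-run before acting on a hit."""
    listed: Set[int] = set()
    for entry in os.listdir("/proc"):
        if not entry.isdigit():
            continue
        listed.add(int(entry))
        try:
            listed.update(int(t) for t in os.listdir(f"/proc/{entry}/task") if t.isdigit())
        except OSError:
            pass  # process went away while we were looking
    with open("/proc/sys/kernel/pid_max") as f:
        pid_max = int(f.read())
    alive: Set[int] = set()
    for pid in range(1, pid_max + 1):
        try:
            os.kill(pid, 0)      # signal 0: existence check only, nothing delivered
        except ProcessLookupError:
            continue
        except PermissionError:
            pass                 # exists, owned by someone else
        alive.add(pid)
    return alive - listed


if __name__ == "__main__":
    print("hidden in simulated table:", find_hidden(SAMPLE_TABLE))
    if os.path.isdir("/proc"):
        print("unlisted live PIDs on this host:", sorted(linux_cross_view()))
```

The simulated half shows the logic in isolation; the Linux half shows why the independent view must be chosen carefully (thread IDs and race windows both produce noise that is not a rootkit). On Windows the equivalent pair would be a Toolhelp or NtQuerySystemInformation listing against a PID brute force with OpenProcess, and a kernel-mode rootkit that hooks the lower layer can defeat even that, which is why scanners also compare against raw kernel structures.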

F-Secure also found evidence of a rootkit in Gurong.A, a new worm that is based on the Mydoom code.

Both Mydoom and Bagle are considered "heavy hitters" in the world of malware research.


