Slashdot Mirror


Windows Rootkit Wars Escalate

An anonymous reader writes "The rootkit wars have started to escalate with a rootkit named Rustock which is able to remain hidden from all the popular anti-rootkit tools. It uses some new techniques including not only putting itself in an ADS (NTFS alternate data stream), which isn't seen by normal file system enumeration tools, but even blocks ADS-aware tools from seeing the stream. Works in Vista, too! Analysis in both Symantec and F-Secure blogs."
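The submission mentions that ordinary directory listings never show NTFS alternate data streams. The following is an added example, not code from the Slashdot post or from the Symantec/F-Secure analyses, showing the baseline check a defender runs: enumerate every stream on every file under a directory and report anything other than the default unnamed `:$DATA` stream. It assumes PowerShell 3.0 or later on Windows (the `-Stream` parameter of `Get-Item`) and an elevated prompt; the `$Root` directory is an assumed starting point.

```powershell
# Added example (not from the post or the vendor write-ups): list NTFS
# alternate data streams under $Root so that any named stream stands out.
param(
    [string]$Root = 'C:\Windows\System32'   # assumed starting directory
)

Get-ChildItem -Path $Root -File -Recurse -Force -ErrorAction SilentlyContinue |
    ForEach-Object {
        # -Stream * returns one object per stream on the file,
        # including the unnamed default stream ':$DATA'
        Get-Item -LiteralPath $_.FullName -Stream * -ErrorAction SilentlyContinue
    } |
    # Anything that is not the default stream is worth a second look
    Where-Object { $_.Stream -ne ':$DATA' } |
    Select-Object FileName, Stream, Length |
    Sort-Object Length -Descending |
    Format-Table -AutoSize
```

The caveat follows directly from the submission: Rustock hides the stream even from ADS-aware tools, so an empty result on a live system is not evidence of a clean system. The listing is only trustworthy when produced from outside the suspect kernel, for example by mounting the volume from boot media and comparing that enumeration against the one taken while the installed OS was running.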

1 of 342 comments

  1. Re:Vista compatible? by Short+Circuit · Score: 5, Interesting
    It doesn't hook any public APIs, but it does hook some internal ones. Quoth the Symantec link:
    Rootkit detectors also check for the integrity of some kernel structures like the Service Descriptor Table, but Rustock.A controls kernel functions by hooking MSR_SYSENTER and other special IRP functions. [2]


    If that's not functionality that should require Windows binaries to be signed, I don't know what is.