Monday, June 12, 2006

Malware update: Rootkit that uses NTFS ADS

Wow, two of my favorite subjects, in one bit of malware...neat! Rustock (a la Symantec's nomenclature) was discovered on 1 June (the Symantec page was updated on 9 June), and reportedly uses rootkit techniques to hide the files and Registry keys it creates.

Section 2 of the technical report says that this malware uses "hidden data streams". Interesting use of terminology, as by default, NTFS alternate data streams are hidden. Take a look at chapter 3 of my book, specifically page 83, for more info on ADSs...but the short version is that since MS does not provide any native tools for Windows for viewing or locating arbitrary ADSs, they are essentially "hidden".

I've located other references to this malware, but they all point back to the Symantec page...
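The paragraph above says Windows ships no native tool for listing arbitrary ADSs, which was true of XP-era Windows; later versions added `dir /R` in cmd.exe and the `-Stream` parameter on PowerShell's item cmdlets. The script below is an added example (not code from the original post, and not Symantec's or the author's) showing how a responder would sweep a directory tree for named streams with those cmdlets. It assumes PowerShell 3.0 or later on an NTFS volume; the lab directory, the file name `notes.txt` and the stream name `hidden` are constructed fixtures, not anything from the Rustock report.

```powershell
# Added example: list NTFS alternate data streams under a directory as a detection check.
# Assumes PowerShell 3.0+ on an NTFS volume. The fixture paths and stream name below are constructed.

function Find-AlternateDataStreams {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $Path,
        # Zone.Identifier is written by browsers and Explorer to mark downloaded files;
        # it is noisy, so it is skipped unless explicitly requested.
        [switch] $IncludeZoneIdentifier
    )

    Get-ChildItem -LiteralPath $Path -File -Recurse -Force -ErrorAction SilentlyContinue |
        ForEach-Object {
            $file = $_
            # '-Stream *' returns every stream on the file; ':$DATA' is the unnamed
            # stream that holds the file's ordinary content, so it is filtered out.
            Get-Item -LiteralPath $file.FullName -Stream * -ErrorAction SilentlyContinue |
                Where-Object { $_.Stream -ne ':$DATA' } |
                Where-Object { $IncludeZoneIdentifier -or $_.Stream -ne 'Zone.Identifier' } |
                ForEach-Object {
                    [pscustomobject]@{
                        File   = $file.FullName
                        Stream = $_.Stream
                        Length = $_.Length
                    }
                }
        }
}

# --- constructed fixture so the script demonstrates itself ---
$lab = Join-Path $env:TEMP 'ads-lab'
New-Item -ItemType Directory -Path $lab -Force | Out-Null
$carrier = Join-Path $lab 'notes.txt'
Set-Content -LiteralPath $carrier -Value 'ordinary content'
# Constructed named stream standing in for whatever a sample might stash here.
Set-Content -LiteralPath $carrier -Stream 'hidden' -Value 'constructed sample stream'

# Expected: one row for notes.txt with Stream = hidden.
Find-AlternateDataStreams -Path $lab | Format-Table -AutoSize

Remove-Item -LiteralPath $lab -Recurse -Force
```

Two caveats when using this on a live box. First, `Get-Item -Stream` goes through the same user-mode file APIs the rootkit is reported to hook, so a machine where Rustock is resident may simply not show the streams; the sweep is most trustworthy against a mounted image or from a clean boot environment. Second, Zone.Identifier streams on every downloaded file are normal, which is why the function hides them by default; pass `-IncludeZoneIdentifier` if you want a complete inventory.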

4 comments:

Anonymous said...

Try to google "System32:18467"
This new RK is really advanced...not only for the NTFS streams

EF

H. Carvey said...

EF,

I took a look at some of the stuff posted...not sure I see how this one is "really advanced"...but I could be missing something.

Care to elaborate?

Thanks.

Anonymous said...

See also ...
http://www.f-secure.com/weblog/archives/archive-062006.html#00000907

Axel

Anonymous said...

Take a look at:
• pe386
• msguard
• lzx32

John