Myfip stealth worm prowls corporate networks
Aug 30, 2005:
Rootkit scanner by F-Secure stops threat that is unseen by conventional AV solutions
A growing wave of stealth worms and malware using rootkit functionality specifically created to steal intellectual property has put corporations on the alert. One worm in particular, Myfip.H, uses stealth kernel rootkit techniques to hide from the system administrator and conventional AV software. It is designed to infect computers and steal data. Stealth variants of common malware such as Mytob and Rbot are also a cause of growing concern for corporations.
An actively running stealth worm that uses rootkit technologies can remain undetected by ordinary AV software. This can happen if the system is already infected by a rootkit worm before the AV software is installed, or where a new worm has hidden its files and processes before the AV software update capable of detecting the worm has been installed. F-Secure has developed a new weapon to fight attacks that use rootkit technologies: the F-Secure BlackLight™ rootkit scanner. Test versions of the tool are available for free at http://www.f-secure.com/blacklight.
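The paragraph above describes the defender's problem (a rootkit that is already resident hides its files and processes from anything that asks the operating system the normal way) without saying how a rootkit scanner gets around it. The usual answer is a cross-view check: enumerate the same objects through two independent paths, one high-level API and one lower-level probe, and treat anything the lower-level path reports but the API path omits as hidden. The script below is an added illustration of that idea, not F-Secure's code, and it does not claim to be how BlackLight™ works internally (the release does not describe that). It uses Linux processes rather than Windows files because the two enumerators (a `/proc` listing and a signal-0 probe of every PID) are self-contained; the function names and the `65536` fallback PID ceiling are assumptions of this example.

```python
import os

def hidden_entries(api_view, lowlevel_view):
    """Identifiers that the lower-level view reports but the API-level view omits.
    Anything in this set is hidden from ordinary tools and deserves a closer look."""
    return set(lowlevel_view) - set(api_view)

def cross_view_check(api_enum, lowlevel_enum):
    """Run both enumerators and diff them. The API view is sampled before and
    after the slower low-level pass so that processes that start or exit while
    the probe runs are not misreported as hidden (a common false positive)."""
    before = set(api_enum())
    low = set(lowlevel_enum())
    after = set(api_enum())
    return hidden_entries(before | after, low)

def proc_listing():
    """API-level view on Linux: the PIDs visible as numeric entries under /proc."""
    return {int(name) for name in os.listdir("/proc") if name.isdigit()}

def signal_probe(max_pid=None):
    """Lower-level view on Linux: ask the kernel about every PID with signal 0.
    ProcessLookupError means there is no such process; PermissionError means the
    process exists but belongs to another user, so it still counts as alive."""
    if max_pid is None:
        try:
            with open("/proc/sys/kernel/pid_max") as f:
                max_pid = int(f.read())
        except (OSError, ValueError):
            max_pid = 65536  # assumed fallback ceiling for this example
    alive = set()
    for pid in range(1, max_pid + 1):
        try:
            os.kill(pid, 0)
        except ProcessLookupError:
            continue
        except PermissionError:
            pass
        alive.add(pid)
    return alive

if __name__ == "__main__":
    hidden = cross_view_check(proc_listing, signal_probe)
    print("PIDs hidden from the /proc listing:", sorted(hidden) or "none")
```

On a clean machine the two views agree and the script prints "none". A rootkit that filters the directory listing but cannot prevent the kernel from acknowledging the PID shows up as a non-empty set; the same diff shape applies to files when the second view comes from reading the volume directly instead of through the filesystem API.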
In its forthcoming F-Secure Internet Security 2006 security
suite due for release this autumn, BlackLight™ will be included as
an integrated scanning engine. The engine updates automatically
with anti-virus updates and then scans hidden rootkit files found
by BlackLight™ with anti-virus engines. BlackLight™ was first
introduced as a beta version at the CeBIT fair in Hannover, Germany
in March. Currently no other commercial AV solutions include
rootkit scanning technology.
The F-Secure rootkit scanner will find stealth worms such as Myfip. Myfip first raised the alert among corporations last year for its ability to steal key intellectual property. The original worm, which specifically targeted PDF files on infected computers, re-emerged as the variant Myfip.H in February 2005, using stealth kernel rootkit techniques to infect computers and hide from the system administrator and conventional AV software.
During 2005 the number of worms and bot-malware with rootkit functionality has risen rapidly. Stealth variants of common malware such as Mytob and Rbot have made rootkits a common class of malware.
Unlike worms such as the destructive Zotob worm, which hit CNN two weeks ago, Myfip.H is designed to attract as little attention as possible in order to carry out its mission, and it is not self-propagating. Transmission is via spam e-mail attachments. When the user clicks on the attachment, Myfip navigates through the local hard disk and the corporate network looking for predefined file types. It then sends the files it finds back to the attacker.
Mikko Hypponen, Chief Research Officer at F-Secure, said: “Myfip is a good example of the new kind of malware which is used to perform very specific tasks, usually criminally motivated. Kernel-mode rootkit worms are a clear and present threat for corporations with intellectual property rights to protect. After the rootkit is active in the memory, traditional anti-virus software has real problems detecting it. Fortunately, F-Secure, which released its proprietary BlackLight™ technology specifically for detecting rootkit techniques in March this year, has gone further than other AV vendors in its efforts to stop such threats in their tracks.”
About F-Secure Corporation
F-Secure Corporation is the fastest growing publicly listed company globally in the antivirus and intrusion prevention industry, with more than 50% revenue growth in 2004. F-Secure services and software protect individuals and businesses against computer viruses and other threats coming through the Internet or mobile networks. Our award-winning solutions include antivirus and desktop firewall with intrusion prevention, antispam and antispyware solutions. Our key strength is our proven speed of response to new threats. For businesses our solutions feature a centrally managed and well integrated suite of solutions for workstations and servers alike. Focused partners offer security as a service for those companies that do not wish to build security expertise in-house. Founded in 1988, F-Secure has been listed on the Helsinki Exchanges since 1999. We have our headquarters in Helsinki, Finland, and offices in the USA, France, Germany, Italy, Sweden, the United Kingdom and Japan. F-Secure is supported by a global ecosystem of service partners, value added resellers and distributors in over 50 countries. F-Secure protection is also available through mobile handset manufacturers such as Nokia and as a service through major Internet Service Providers, such as Deutsche Telekom, France Telecom and Charter Communications. The latest real-time virus threat news is available at the F-Secure Antivirus Research Team weblog at http://www.f-secure.com/weblog/
For more information, please contact:
F-Secure Corporation, Mikko Hypponen, Chief Research Officer
PL 24, 00181 Helsinki, Finland
GSM +358 (0)40 064 8180, Fax (09) 2520 5001