NEWS FROM THE LAB - Wednesday, December 7, 2005

So, how common are these rootkits? Posted by Mika @ 09:35 GMT

Since F-Secure is the first vendor to have a built-in rootkit scanner in its security suite, we are very often asked how many rootkit variants exist. This question is not easy to answer with precise numbers, as very little malware is named "Rootkit.Win32.Something". Most malware that uses rootkit techniques is called "Backdoor.Win32.Something", "Worm.Win32.Something", "Virtool.Win32.Something", etc. However, since our BlackLight rootkit scanner (generic rootkit detection) has now been available for 9 months, we have a pretty good feel for what the rootkit menace currently is all about.

F-Secure BlackLight Technology

In a recent eWeek article, Microsoft says that more than 20 percent of all malware it has removed from its Windows XP SP2 customers are rootkits. "The open-source FU rootkit ranks high on the list of malicious software", the article states.

We definitely agree that FU has been extremely widespread during 2005. There is a simple explanation for this: FU is a very simple rootkit to cut-and-paste into worms and bots. It should be noted that FU only hides processes -- not files or registry keys. Currently, worm and bot authors are mainly interested in hiding their processes from Task Manager. They are not that keen on hiding files, since most Windows users do not know which files should be in their "System32" folder anyway.

In our view, Hacker Defender (Backdoor.Win32.HacDef) is not as common as FU. However, various bots and backdoors use the HacDef rootkit to do their hiding. In addition, we regularly see this rootkit being used by hackers on compromised corporate servers. Therefore, although HacDef infection numbers are most likely far below those of FU, these infections are usually far more serious.

One might say that the Sony BMG DRM has to be the most common rootkit, because it was shipped on a huge number of music CDs. This would be a logical assumption, but we have not received that many reports of BlackLight finding this particular rootkit. BTW, Sony has finally released a stand-alone uninstaller for its DRM software.

We believe that since October 2005 the most common rootkit out there has clearly been the Apropos spyware. The reason Apropos uses rootkit techniques is very different from that of your average worm or bot. Usually, rootkit malware tries to avoid detection. Apropos, on the other hand, shows the user pop-ups 'ad nauseam'. Apropos's motive for using rootkit techniques is therefore not to hide itself: the very advanced rootkit functionality in Apropos is designed to prevent uninstallation and removal.