July 15, 2006
'Invisible' Rootkit Heralds Trouble Ahead
'Invisible' Rootkit Heralds Trouble Ahead - CIO Tech Informer - Blog - CIO:

"According to researchers, other factors that help make Rustock invisible are that it has no process, instead running inside the driver and in kernel threads. It doesn’t hook into any native API, and controls kernel functions via special IRP functions. It removes its entries from kernel structures, and the SYS driver is polymorphic, changing its code from sample to sample."

I started reading the article and I got really worried. The rootkit doesn't hook anywhere, blah blah blah, so it's undetectable, so it's scary stuff... Anyhow, I get to the end of the article and they have a solution for it already. So this article would not exist if they couldn't detect the malware in the first place. This is a cat and mouse game yet again: the bad guys get better, the good guys are following behind. What I should worry about is how far behind we are. The further away, the more damage.
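One of the hiding tricks quoted above, "removes its entries from kernel structures", is what makes a rootkit invisible to any tool that simply asks the kernel for its list of loaded drivers. It is also why such rootkits are still catchable: the object is unlinked from the list, but it has not left memory. The added example below (my own code, not from the article or from any Rustock analysis) is a userland simulation in C of that unlinking and of the cross-view check that exposes it: one view walks the doubly linked list the way an API would, the other scans the backing memory for objects carrying a known tag, and anything present in the scan but absent from the list is hidden. The list layout, the `MAGIC` tag, the pool of eight objects and the names `ntoskrnl`, `hal` and `hidden.sys` are all constructed for the demonstration; the article does not say which detection method the researchers used.

```c
/* Cross-view detection of a list entry hidden by unlinking it from a
 * doubly linked list (a userland simulation of DKOM-style hiding).
 * Added example; not the article's code and not kernel code. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <stdio.h>

#define MAGIC     0x4D6F6452u  /* constructed tag every live object carries */
#define POOL_SIZE 8            /* constructed "memory" holding all objects */

typedef struct obj {
    uint32_t   magic;
    char       name[16];
    struct obj *flink;
    struct obj *blink;
} obj_t;

static obj_t pool[POOL_SIZE];  /* stands in for the kernel pool */
static obj_t head;             /* list head, like a LIST_ENTRY anchor */

static void list_init(void) {
    head.flink = head.blink = &head;
    memset(pool, 0, sizeof pool);
}

/* Allocate slot `slot` in the pool and append it to the list tail. */
static obj_t *list_add(int slot, const char *name) {
    obj_t *o = &pool[slot];
    o->magic = MAGIC;
    strncpy(o->name, name, sizeof o->name - 1);
    o->name[sizeof o->name - 1] = '\0';
    o->flink = &head;
    o->blink = head.blink;
    head.blink->flink = o;
    head.blink = o;
    return o;
}

/* DKOM-style hiding: route the neighbours around `o` but leave the
 * object itself, and its own pointers, untouched in memory. */
static void dkom_hide(obj_t *o) {
    o->blink->flink = o->flink;
    o->flink->blink = o->blink;
}

/* View 1: what an enumeration API that walks the list reports. */
static int view_list(const char **names, int max) {
    int n = 0;
    for (obj_t *p = head.flink; p != &head && n < max; p = p->flink)
        names[n++] = p->name;
    return n;
}

/* View 2: scan the backing memory for objects carrying the tag. */
static int view_scan(const char **names, int max) {
    int n = 0;
    for (int i = 0; i < POOL_SIZE && n < max; i++)
        if (pool[i].magic == MAGIC)
            names[n++] = pool[i].name;
    return n;
}

/* Cross-view: anything the scan sees that the list walk does not is
 * hidden. Returns the number of hidden objects and writes their names. */
static int find_hidden(const char **out, int max) {
    const char *lst[POOL_SIZE], *scn[POOL_SIZE];
    int nl = view_list(lst, POOL_SIZE);
    int ns = view_scan(scn, POOL_SIZE);
    int nh = 0;
    for (int i = 0; i < ns; i++) {
        int seen = 0;
        for (int j = 0; j < nl; j++)
            if (lst[j] == scn[i]) { seen = 1; break; }  /* same object */
        if (!seen && nh < max)
            out[nh++] = scn[i];
    }
    return nh;
}

int main(void) {
    const char *names[POOL_SIZE];
    list_init();
    list_add(0, "ntoskrnl");
    list_add(1, "hal");
    dkom_hide(list_add(2, "hidden.sys"));   /* constructed hidden driver */

    int n = view_list(names, POOL_SIZE);
    printf("list walk sees %d object(s)\n", n);      /* 2 */
    n = find_hidden(names, POOL_SIZE);
    for (int i = 0; i < n; i++)
        printf("hidden: %s\n", names[i]);            /* hidden.sys */
    return 0;
}
```

The same idea on a real system compares the kernel's loaded-module list against a scan of the pool for driver objects, or the process list against a scan for process objects. A polymorphic driver body, the other trick in the quote, defeats byte-signature scanning of the code but does nothing against this structural comparison, which is why "invisible" to a list walk is not the same as undetectable.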