BARCELONA — Rootkit programs are increasingly mimicking anti-virus programs, adopting self-protection features and even application whitelists to maintain control over the systems they infect, according to a presentation at the annual Virus Bulletin Conference.
Rachit Mathur, a research scientist at McAfee, told an audience of anti-virus researchers here that self-protection features have become common in many leading rootkit families, such as TDSS and TDL4. Application whitelists that allow only programs approved by the rootkit authors to run are used to block software hostile to the rootkit, while built-in monitoring features that shut down anti-malware programs and prevent critical malware components from being disabled have also been observed in newer-generation rootkits.
Mathur said McAfee researchers are increasingly finding evidence of attempts to kill anti-virus and anti-rootkit drivers using attacks at the kernel level of an infected system. While malware attempts to shut down anti-virus programs from user mode have been well documented, kernel-mode attacks to snuff out AV programs are a newer development and much harder to thwart, Mathur said.
Self-protection is just one of the techniques malware authors are using to make their software harder to detect and, once detected, impossible to remove. Mathur said that techniques like file forging – in which rootkit authors hide malicious code within existing, legitimate system files – have become common in malware families like TDSS and BlackEnergy. File forging can make it difficult for rootkit detection programs to spot the malicious code. Malware authors are also experimenting with memory forging – directly altering the infected system’s kernel memory to throw off scanners.
Easy access to the Windows kernel is one reason for the continued effectiveness of evasion techniques, said Mathur, who co-authored the paper with fellow McAfee researcher Aditya Kapoor. “Once the rootkits enter the kernel they seem invincible and they can easily circumvent any and every protection that is in place,” the authors wrote.
In contrast, most malware detection is still reactive, relying on a known malware “signature” or on behaviors that betray the malware after it has already infected a system. The authors call for proactive detection tools that can catch the rootkit as it installs, or that provide a trusted view of the infected system that would reveal the presence of a rootkit, Trojan horse or other malicious program.
Rootkit programs are general-purpose toolkits that give remote attackers total control over a host system. They have evolved rapidly since they first appeared in the late 1990s and the early years of the new millennium, Mathur said. In recent years, rootkits like TDSS have developed new features to help them spread between systems on a network and then evade detection.