Infections from a nasty bit of malware, generally delivered by the Black Hole Exploit Kit, surged in November, hitting more than 83,000 machines.
Microsoft’s Malware Protection Center rates the Necurs rootkit threat as severe. Dubbed a rootkit by Kaspersky Lab, Necurs has many dimensions to it. Like most rootkits, it can hide its components from detection while also being capable of downloading additional malware, disabling a long list of security software and installing a backdoor. Attackers can maintain remote access to a machine this way in order to monitor activity, send spam or install scareware.
The key for Necurs is its ability to avoid detection and maintain a persistent presence on machines. It does so by using a command option system that obfuscates the means for determining which commands are valid, said Tim Liu in a write-up on the Microsoft Malware Protection Center blog.
“The author has a full Necurs command list and the attacker has the option to enable some of them or not,” Liu wrote. “Necurs doesn’t want its commands to be easily recognized by the antivirus researcher, so the command keys appear to be random numbers, garbage code or obfuscated code.”
The malware’s driver is regularly updated in order to remain hidden from antimalware detection. It is also capable eluding Windows’ built-in Kernel Patch Protection, which is supposed to prevent any modification of the kernel.
Kaspersky Lab first identified Necurs as a rootkit in May 2011; it said the 64-bit version of Necurs does not try to bypass Kernel Patch Protection, also known as PatchGuard, but instead uses a digital signature to skate past.
“The 64-bit driver is signed with something called a ‘testing digital signature’. If Windows – Vista and higher – were to be booted in ‘TESTSIGNING’ mode, the applications can launch the drivers signed with such a signature,” said Alexander Gostev, Chief Security Expert at Kaspersky Lab. “This is a special trap-door which Microsoft has left for driver developers so they can test their creations. Cybercriminals have also made use of this loophole which allows them to launch their drivers without a legitimate signature.”
Black Hole and its many variants is likely the most prevalent of the exploit kits in circulation. Commercial versions of the kit are available in underground forums. The downloaders live on compromised websites and install exploits that target any vulnerable functions or applications residing on the victim’s computer.
Black Hole Exploit Kit 2.0 was released in September and included among other enhancements, a random domain generation feature that dynamically moves attacks to new domains once an older compromised site is shut down. Also, exploits for vulnerabilities that have been patched were removed. Pricing for 2.0 also remained the same.