- Microsoft will float cloud OS this month
- Top 16 Chinese iPhoneys
- Pimp your ride: Cool car technology
- Laptop stolen from McCain campaign
- Cisco, Microsoft roll out server, networking appliance
Newsletters | Podcasts | Chats | Opinions | RSS Feeds | This Week In Print | IT Careers | Community | Reports | Downloads | Slideshows | New Data Center
Partner Sites:Application Performance Solutions | App Performance | Networking Solution | SafeGuard Enterprise Solution Center | SOA | Value of WDS
Rootkits are software code designed to hide from detection. So Kaspersky Lab's hunt for the elusive Rustock.C rootkit, rumored to exist for almost two years, reads like a detective plot.
Alexander Gostev, Kaspersky Lab's senior virus analyst, tells the tale in his blog Tuesday on Viruslist. According to Gostev, the Russian security firm Dr. Web in early May announced its experts had obtained a sample of Rustock.C in March but the sample it shared with the rest of the antivirus community lacked a 'dropper', the file designed to install the rootkit on the system.
"The sample of the rootkit's body distributed by Dr. Web was a 244,448-byte Windows driver," Gostev writes in his blog "Rustock and All That".
If the dropper had been provided, "this file could have significantly simplified the work carried out by other antivirus laboratories to analyze the rootkit and develop procedures to detect and treat Rustock.C. It might also have helped to clarify how the rootkit had originally spread."
The rootkit, the third variant in the Rustock series, hadn't been known to exist "in the wild," according to Kaspersky, so antivirus experts pondered the possibility that Rustock.C was nothing more than a "collector's item" and not widespread, which would have explained the time taken to find it.
Kaspersky Lab started in-depth analysis of the rootkit's encrypted code on May 12. After cracking the key, Kaspersky could view portions of the real code of Rostock.C on May 14.
By May 20, Kaspersky Lab had come up with its own methods for detection and treatment of the third Rustock. As part of the analysis, Kaspersky discovered it had 600 files that had been caught in its honeypots at different times after September 2007, and now believes that the rumors of Rustock.C as far back as 2006 "was created after a promotion of sorts in rootkit researcher circles -- possibly in response to the hysteria that accompanied the search for it," Gostev writes.
Kaspersky has identified four modifications of Rustock.C. The rootkit code works as a spambot, extracting the DLL from its body and executing it in the system memory of the target computer (it exists only in RAM and is never present on the hard drive in the form of a file), according to Kaspersky's analysis.
Rss FeedRss Feed
The Vista era of Windows is here. Yet most organizations will retain Windows XP alongside new Vista...
Vulnerability Management For DummiesDownload this concise book "Vulnerability Management for Dummies," to learn about the simple steps...
Security Considerations When Deploying Remote Access SolutionsEffective network security is most successful when you use a layered approach, with multiple...
The Vista era of Windows is here. Yet most organizations will retain Windows XP alongside new Vista...
Turning information into a Competitive AdvantageCompanies today are realizing that competitive advantage is harder to sustain when based solely on...
PoE Plus: Impact on the PoE MarketThe standard for Power over Ethernet (PoE), IEEE Std. 802.3af(tm)-2003, advanced networking,...
Discover why Unified Threat Management Firewalls are ready for the enterprise today. High...
The Evolution of Network SecurityWe have so many holes punched in our firewalls today that many industry insiders question the value...
The self-managed networkWe aren't there yet, but advances in network and systems management tools are making it possible to...
| NetworkWorld, Inc. | About Network World, Inc. | Advertise | Careers | Contact us | Terms of Service/Privacy | Reprints and links | Partnerships | Press room | Subscribe to NW |
| IDG, Inc. | CIO | Computerworld | CSO | Demo | GamePro | Games.net | IDGconnect.com | IDG World Expo | Infoworld | JavaWorld.com | LinuxWorld.com | MacUser | Macworld | PC World | Playlistmag.com | The Industry Standard | IDG List Services | IDG TechNetwork |
 |
Copyright © 1994-2008 Network World, Inc. All rights reserved. |
Partner Content
Brilliantly simple security and control solutions for email, web and endpoint
www.sophos.com
Stopping data leakage
Learn how to exploit your current security investment to control the information that flows into, through and out of your network.
Download the white paper.
Why detection rates aren't enough
Evaluating endpoint security products is a time-consuming and daunting task. Learn the six critical questions you need to ask prospective vendors to get the right endpoint solution.
Download the white paper.
Applications: taking back control
Employees installing unauthorized applications is a growing threat to business security and productivity. Cost-effectively reduce this threat by integrating control into your malware protection.
Learn more today.
Comment