Rootkits are software code designed to hide from detection. So Kaspersky Lab's hunt for the elusive Rustock.C rootkit, rumored to exist for almost two years, reads like a detective plot.

Alexander Gostev, Kaspersky Lab's senior virus analyst, tells the tale in his blog Tuesday on Viruslist. According to Gostev, the Russian security firm Dr. Web in early May announced its experts had obtained a sample of Rustock.C in March but the sample it shared with the rest of the antivirus community lacked a 'dropper', the file designed to install the rootkit on the system.

"The sample of the rootkit's body distributed by Dr. Web was a 244,448-byte Windows driver," Gostev writes in his blog "Rustock and All That".

If the dropper had been provided, "this file could have significantly simplified the work carried out by other antivirus laboratories to analyze the rootkit and develop procedures to detect and treat Rustock.C. It might also have helped to clarify how the rootkit had originally spread."

The rootkit, the third variant in the Rustock series, hadn't been known to exist "in the wild," according to Kaspersky, so antivirus experts pondered the possibility that Rustock.C was nothing more than a "collector's item" and not widespread, which would have explained the time taken to find it.

Kaspersky Lab started in-depth analysis of the rootkit's encrypted code on May 12. After cracking the key, Kaspersky could view portions of the real code of Rostock.C on May 14.

By May 20, Kaspersky Lab had come up with its own methods for detection and treatment of the third Rustock. As part of the analysis, Kaspersky discovered it had 600 files that had been caught in its honeypots at different times after September 2007, and now believes that the rumors of Rustock.C as far back as 2006 "was created after a promotion of sorts in rootkit researcher circles -- possibly in response to the hysteria that accompanied the search for it," Gostev writes.

Kaspersky has identified four modifications of Rustock.C. The rootkit code works as a spambot, extracting the DLL from its body and executing it in the system memory of the target computer (it exists only in RAM and is never present on the hard drive in the form of a file), according to Kaspersky's analysis.