New Necurs Rootkit Detected, Says Microsoft
A new malicious program dubbed Necurs, which has recently been found infecting large numbers of computers, is spreading in the wild, state security researchers from the MMPC (Microsoft Malware Protection Center). It is reported that 83,427 distinct PCs were infected with Necurs during November 2012 alone.
Security company Kaspersky Lab identified the malware as a rootkit, which the MMPC rates as an extremely hostile threat with many capabilities. As is typical of a rootkit, Necurs hides itself from nearly all security software, downloads additional malicious programs and, notably, installs a backdoor. The backdoor lets the attackers keep remote access to the infected system, so that activity on the machine can be monitored, spam distributed, or scareware installed.
According to MMPC security researcher Tim Liu, the main capability of Necurs is to evade detection while remaining persistently on the target system. To do this it uses a command mechanism that defeats the tools used to recognize valid commands. Threatpost.com reported this on December 7, 2012.
Liu writes that Necurs' creator has a complete list of instructions for the malware, from which the attackers can choose which instruction(s) to activate. Because Necurs takes care not to let anti-virus software recognize the chosen instruction(s), it makes its command codes look like random numbers, obfuscated code or junk code.
Interestingly, the Necurs trigger component provides strong anti-security capabilities. The trigger element has one specific purpose: to prevent any of the rootkit's parts from being removed. Notably, monitoring of this threat shows that the trigger is updated routinely, and apparently other malware families such as Winwebsec have been employing it in addition to Necurs.
Meanwhile, the MMPC points out that the technique Necurs uses to disable whole ranges of anti-virus products is simple yet effective: the rootkit changes the entry point of the executable image in memory so that the program reports a failed condition.
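The entry-point tampering described above can be checked for from the defender's side by comparing the `AddressOfEntryPoint` field of a program's on-disk PE header with the same field in the image as it sits in memory. The following is an added example written for this page; it is not code from the MMPC, Microsoft or the article. It contains a minimal PE header parser and a comparison routine, and, so that it runs offline, it constructs a small fake PE header in place of a real file and a second, tampered copy in place of a memory snapshot. On a live Windows host one would read the file from disk and the mapped image from the running process instead; that plumbing is not shown here.

```python
import struct

# Offsets from the PE specification (assumed well known, not taken from the article):
#   e_lfanew            at 0x3C in the DOS header
#   COFF header         24 bytes after e_lfanew ("PE\0\0" + 20-byte file header)
#   AddressOfEntryPoint at offset 16 inside the optional header
DOS_E_LFANEW_OFFSET = 0x3C
COFF_HEADER_SIZE = 24
OPT_ENTRY_POINT_OFFSET = 16
PE32_MAGIC, PE32PLUS_MAGIC = 0x10B, 0x20B


def build_fake_pe_header(entry_point, e_lfanew=0x80):
    """Construct a minimal PE header (not a loadable binary) for testing.
    This is constructed sample data, used here in place of a real file."""
    buf = bytearray(e_lfanew + COFF_HEADER_SIZE + 96)
    buf[0:2] = b"MZ"
    struct.pack_into("<I", buf, DOS_E_LFANEW_OFFSET, e_lfanew)
    buf[e_lfanew:e_lfanew + 4] = b"PE\0\0"
    # Machine=i386, 1 section, timestamp/symbols zero, 96-byte optional header,
    # Characteristics = EXECUTABLE_IMAGE | 32BIT_MACHINE
    struct.pack_into("<HHIIIHH", buf, e_lfanew + 4, 0x14C, 1, 0, 0, 0, 96, 0x102)
    opt = e_lfanew + COFF_HEADER_SIZE
    struct.pack_into("<H", buf, opt, PE32_MAGIC)
    struct.pack_into("<I", buf, opt + OPT_ENTRY_POINT_OFFSET, entry_point)
    return bytes(buf)


def read_entry_point(image):
    """Return AddressOfEntryPoint (an RVA) from a PE image's headers.
    Raises ValueError when the bytes do not look like a PE header."""
    if image[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    (e_lfanew,) = struct.unpack_from("<I", image, DOS_E_LFANEW_OFFSET)
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    opt = e_lfanew + COFF_HEADER_SIZE
    (magic,) = struct.unpack_from("<H", image, opt)
    if magic not in (PE32_MAGIC, PE32PLUS_MAGIC):
        raise ValueError("unexpected optional header magic 0x%x" % magic)
    (entry,) = struct.unpack_from("<I", image, opt + OPT_ENTRY_POINT_OFFSET)
    return entry


def entry_point_tampered(on_disk_image, in_memory_image):
    """True when the in-memory header no longer agrees with the on-disk header.
    A mismatch is what the rootkit's entry-point patch would produce; a match
    does not prove a clean system, since other parts of the image could differ."""
    return read_entry_point(on_disk_image) != read_entry_point(in_memory_image)


# Constructed scenario: the on-disk file starts at RVA 0x1000; the "memory"
# copy has had its entry point redirected to RVA 0x2000.
DISK_HEADER = build_fake_pe_header(0x1000)
MEMORY_HEADER_CLEAN = build_fake_pe_header(0x1000)
MEMORY_HEADER_PATCHED = build_fake_pe_header(0x2000)

if __name__ == "__main__":
    print("clean:  ", entry_point_tampered(DISK_HEADER, MEMORY_HEADER_CLEAN))
    print("patched:", entry_point_tampered(DISK_HEADER, MEMORY_HEADER_PATCHED))
```

The check only covers one field; a fuller integrity comparison would hash the whole header and code sections of the mapped image against the file. Note also that legitimate loaders, packers and some security products relocate or hook code themselves, so a mismatch is an investigation lead rather than a verdict on its own.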
Further, the MMPC notes that users have been reporting problems with the real-time protection option of MSE (Microsoft Security Essentials), which was disabled soon after they started their PCs.
» SPAMfighter News - 14-12-2012