Rustock Trojan Prepares For Future Threats

Malware threats taking the form of hybrid attacks will become most pronounced in hacking activities in the coming years. The 'Rustock Trojan virus' crafted specifically to counter heuristic security systems will become commonplace for most skilled attackers. The tactics of this year's most sophisticated threat will become the essential part of exploits in the future.

Patrick Martin, a senior product manager of Symantec security response team remarks -" Rustock is a family of backdoor Trojan horses that first emerged a year ago". The techniques that Rustock is using will be the basis for all future threats. Attackers are therefore searching what techniques would be compatible with the Trojan. These new techniques will be threats of the future.

Rustock functions by a combination of old and new techniques, which create a malware that remains hidden and therefore undetected by many rootkit detectors such as Rootkit BlackLight, Revealer, and IceSword.

To locate a rootkit on a PC, it requires counting the number of running processes from two different angles. First the anti-virus software counts the processes from a high level, similar to a Windows Task Manager. Then the software comes down to a much lower level to count the processes again. If the number is same, the situation is acceptable. But if the number is different, it means there is a problem.

Rustock avoids this standard detection method by taking the processes within the driver and kernel threads. Since the process count does not change, the normal anti-virus software will bypass it totally.

Rustock uses some classic surreptitious techniques to evade detection. It can recognize active virus detection software so that it changes its behavior to avoid that software. It conceals its driver in ADS (alternate data stream), and then moves away from the list of hidden drivers. The Trojan virus does not hold onto any APIs. The virus being polymorphic in nature keeps changes its code automatically.

Polymorphic exploits first came in light in the 1990s, but today such attacks rarely appears, says Martin. Rustock has brought back the practice as a defense against security software that use pattern detection and threat signatures to track malware.

Related article: Rustock Become The World’s Largest Spam Botnet

» SPAMfighter News - 12/18/2006