The sharp rise in rootkits–sneaky software used to conceal malicious code from security programs–is due to spyware and adware purveyors trying to prevent their wares from being easily uninstalled, security experts said Thursday.
Finland-based F-Secure, which has integrated its BlackLight rootkit scanner into its security suite, claimed that since October, the most common rootkit in the wild is the one used by the Apropos spyware program.
Apropos uses a silent installer to disguise its planting on the hard drive, and a kernel-mode rootkit to hide from detection, said F-Secure. The rootkit starts automatically early in the boot process–to avoid detection by security software, which typically loads later in the boot-up procedure–and can hide files, directories, registry keys, and Windows processes.
Once on the drive, Apropos collects system information and data on the user’s browsing habits, then sends the data to servers at ContextPlus, which uses it to deliver targeted pop-up ads to the PC. “Usually rootkit malware tries to avoid detection,” wrote Mikko Hypponen, F-Secure’s chief incident officer, in the alert. “Apropos, on the other hand, shows the user pop-ups ad nauseam. Therefore, the motive of Apropos is not to use rootkits for hiding itself [but] is designed to prevent uninstallation and removal.”
Richard Stiennon, director of threat research for Boulder, Colo.-based anti-spyware vendor Webroot, agreed that rootkits are being used by spyware and adware vendors.
“In the first half of the year, all we really saw was proof-of-concept code rootkits in spyware,” said Stiennon. “Once they got that to work, though, since May really, we’ve seen several different rootkits in use.”
There are dozens of simple ways to hide from the Windows file system, some enough to defeat elementary defenses, noted Stiennon, but the more sophisticated spyware suppliers have turned to rootkits. “It’s still a minority of the spyware and adware that’s using rootkits,” he said. “But it’s the cutting edge for them. All the new stuff we’re seeing uses rootkit techniques.
“It’s more important to hide if you rely on revenue-generating software that most people want to uninstall,” he added.
The battle between rootkit-using spyware and adware makers and developers of security software, specifically anti-spyware programs, has been upped a notch or two in the last half of the year.
“In October, we updated Spy Sweeper to version 4.5, and added a generic rootkit detector,” said Stiennon. The new component lies at the same kernel level as rootkits so that it can monitor the disk drive without relying on Windows; it’s thus able to sniff out symptoms that reveal a rootkit is in place.
“Rootkits definitely make it harder to delete spyware and adware,” Stiennon said. “For example, some rootkits are replacing production .dll files in Windows with their own code. You can’t just remove those .dll files. Instead, you have to repair them.”
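The two defensive ideas in the preceding paragraphs, a detector that compares what Windows reports against an independent low-level view, and repairing rather than deleting tampered system DLLs, can be sketched in a few lines. The following is an added illustration written for this page; it is not code from Webroot, F-Secure, Spy Sweeper or BlackLight. Both "views" and the module bytes are constructed sample data: a real cross-view detector would build its raw view by parsing on-disk structures itself rather than through the Windows API, and a real integrity check would use vendor-published hashes of the original files.

```python
"""Cross-view rootkit symptom detection and DLL integrity checking.

Added example, not from the article or any vendor it mentions. All inputs
are constructed: the 'api_view' stands in for what a Windows API listing
returns, the 'raw_view' for what an independent parse of the disk finds.
"""
import hashlib


def cross_view_diff(api_view, raw_view):
    """Compare a high-level (API) listing with a low-level (raw) listing.

    A rootkit that filters API results shows up as entries present in the
    raw view but missing from the API view. Returns both directions so an
    analyst can also see phantom entries the API reports but the disk lacks.
    """
    api = set(api_view)
    raw = set(raw_view)
    return {
        "hidden": sorted(raw - api),   # on disk, filtered out of the API view
        "phantom": sorted(api - raw),  # reported by the API, absent on disk
    }


def check_module_integrity(modules, manifest):
    """Classify each module as 'ok', 'modified' or 'unknown'.

    modules:  mapping of file name -> file bytes (constructed here)
    manifest: mapping of file name -> known-good SHA-256 hex digest
    A 'modified' system DLL should be restored from a trusted copy, not
    simply deleted, since Windows depends on it.
    """
    results = {}
    for name, data in modules.items():
        digest = hashlib.sha256(data).hexdigest()
        expected = manifest.get(name)
        if expected is None:
            results[name] = "unknown"
        elif digest == expected:
            results[name] = "ok"
        else:
            results[name] = "modified"
    return results


# ---- constructed sample data (placeholder names, not real indicators) ----
API_VIEW = ["kernel32.dll", "user32.dll", "svchost.exe"]
RAW_VIEW = ["kernel32.dll", "user32.dll", "svchost.exe", "hidden_sample.sys"]

ORIGINAL_KERNEL32 = b"constructed-original-kernel32-bytes"
ORIGINAL_USER32 = b"constructed-original-user32-bytes"
TAMPERED_USER32 = b"constructed-tampered-user32-bytes"

# Known-good hashes, as a vendor manifest would provide them
MANIFEST = {
    "kernel32.dll": hashlib.sha256(ORIGINAL_KERNEL32).hexdigest(),
    "user32.dll": hashlib.sha256(ORIGINAL_USER32).hexdigest(),
}

# What the scanner actually finds on disk in this constructed scenario
MODULES = {
    "kernel32.dll": ORIGINAL_KERNEL32,
    "user32.dll": TAMPERED_USER32,
    "extra.dll": b"constructed-unlisted-module",
}

if __name__ == "__main__":
    print(cross_view_diff(API_VIEW, RAW_VIEW))
    print(check_module_integrity(MODULES, MANIFEST))
```

The cross-view function is the core of the "symptom" approach the article attributes to generic rootkit detectors: it does not need to recognise a particular rootkit, only to notice that two supposedly equivalent views of the same disk disagree. The integrity check makes the same point about repair: a DLL whose hash no longer matches the manifest is flagged for restoration from a trusted source rather than removal.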
Rootkits gained notoriety when a security researcher in early November discovered that Sony BMG Music was using one to hide copy protection software on millions of its audio CDs. Since then, Sony has pulled the CDs from shelves, offered to exchange purchased discs, and provided an uninstaller.