- Mythbuster busts his own tale
- 10 open source companies to watch
- Sony recalls 73,000 Vaio laptops
- Tool to evade China's Web censorship
- Chrome and Firefox and add-ons
Newsletters | Podcasts | Chats | Opinions | RSS Feeds | This Week In Print | IT Careers | Community | Reports | Downloads | Slideshows | New Data Center
Partner Sites:App Performance | On Demand Security | Networking Solution | SOA | Value of WDS
Rootkits are software code designed to hide from detection. So Kaspersky Lab's hunt for the elusive Rustock.C rootkit, rumored to exist for almost two years, reads like a detective plot.
Alexander Gostev, Kaspersky Lab's senior virus analyst, tells the tale in his blog Tuesday on Viruslist. According to Gostev, the Russian security firm Dr. Web in early May announced its experts had obtained a sample of Rustock.C in March but the sample it shared with the rest of the antivirus community lacked a 'dropper', the file designed to install the rootkit on the system.
"The sample of the rootkit's body distributed by Dr. Web was a 244,448-byte Windows driver," Gostev writes in his blog "Rustock and All That".
If the dropper had been provided, "this file could have significantly simplified the work carried out by other antivirus laboratories to analyze the rootkit and develop procedures to detect and treat Rustock.C. It might also have helped to clarify how the rootkit had originally spread."
The rootkit, the third variant in the Rustock series, hadn't been known to exist "in the wild," according to Kaspersky, so antivirus experts pondered the possibility that Rustock.C was nothing more than a "collector's item" and not widespread, which would have explained the time taken to find it.
Kaspersky Lab started in-depth analysis of the rootkit's encrypted code on May 12. After cracking the key, Kaspersky could view portions of the real code of Rostock.C on May 14.
By May 20, Kaspersky Lab had come up with its own methods for detection and treatment of the third Rustock. As part of the analysis, Kaspersky discovered it had 600 files that had been caught in its honeypots at different times after September 2007, and now believes that the rumors of Rustock.C as far back as 2006 "was created after a promotion of sorts in rootkit researcher circles -- possibly in response to the hysteria that accompanied the search for it," Gostev writes.
Kaspersky has identified four modifications of Rustock.C. The rootkit code works as a spambot, extracting the DLL from its body and executing it in the system memory of the target computer (it exists only in RAM and is never present on the hard drive in the form of a file), according to Kaspersky's analysis.
Rss FeedRss Feed
Gartner summarizes its view on Application Delivery Controllers, evaluates strengths and weaknesses...
Vulnerability Management For DummiesDownload this concise book "Vulnerability Management for Dummies," to learn about the simple steps...
The ROI and TCO Benefits of Data Deduplication for Data Protection in the EnterpriseThis paper examines and quantifies the costs and benefits of backup with deduplication storage as...
Life on the edge of your WAN has changed dramatically. With the need to deliver advanced services,...
PoE Plus: Impact on the PoE MarketThe standard for Power over Ethernet (PoE), IEEE Std. 802.3af(tm)-2003, advanced networking,...
Harnessing the power of communications to increase workplace performanceDue to the convergence of IT and telecommunications technologies, the business workplace has been...
We have so many holes punched in our firewalls today that many industry insiders question the value...
The self-managed networkWe aren't there yet, but advances in network and systems management tools are making it possible to...
| NetworkWorld, Inc. | About Network World, Inc. | Advertise | Careers | Contact us | Terms of Service/Privacy | Reprints and links | Partnerships | Press room | Subscribe to NW |
| IDG, Inc. | CIO | Computerworld | CSO | Demo | GamePro | Games.net | IDGconnect.com | IDG World Expo | Infoworld | JavaWorld.com | LinuxWorld.com | MacUser | Macworld | PC World | Playlistmag.com | The Industry Standard | IDG List Services | IDG TechNetwork |
 |
Copyright © 1994-2008 Network World, Inc. All rights reserved. |
Partner Content
Brilliantly simple security and control solutions for email, web and endpoint
www.sophos.com
Stopping data leakage
Learn how to exploit your current security investment to control the information that flows into, through and out of your network.
Download the white paper.
Why detection rates aren't enough
Evaluating endpoint security products is a time-consuming and daunting task. Learn the six critical questions you need to ask prospective vendors to get the right endpoint solution.
Download the white paper.
Applications: taking back control
Employees installing unauthorized applications is a growing threat to business security and productivity. Cost-effectively reduce this threat by integrating control into your malware protection.
Learn more today.
Comment