Wow, two of my favorite subjects, in one bit of malware...neat! Rustock (a la Symantec's nomenclature) was discovered on 1 June (the Symantec page was updated on 9 June), and reportedly uses rootkit techniques to hide the files and Registry keys it creates.
Section 2 of the technical report says that this malware uses "hidden data streams". Interesting choice of terminology, as NTFS alternate data streams are hidden by default: Explorer and dir don't list them, and the file size they report covers only the unnamed ($DATA) stream. Take a look at chapter 3 of my book, specifically page 83, for more info on ADSs...but the short version is that since MS does not provide any native Windows tool for viewing or locating arbitrary ADSs, they are essentially "hidden" without the malware author having to do anything special to conceal them.
I've located other references to this malware, but they all point back to the Symantec page...
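To make the "hidden by default" point concrete, here is an added example that is not part of the original post or of Symantec's write-up. When the post was written, XP shipped nothing that listed streams; Vista later added dir /R and PowerShell 3.0 added the -Stream parameter, so the same demonstration can now be done with native tools. The snippet writes a named stream to a file and, going one step beyond the file case, to a directory (a directory stream has no file entry at all), shows that the ordinary listing misses both, and then enumerates them. It assumes an NTFS volume and PowerShell 3.0 or later; the ads-demo directory, innocent.txt, the stream names and the Find-NamedStreams helper are names I made up for the demo.

```powershell
# Added example, not from the original post. Shows that a named NTFS stream is
# invisible to an ordinary listing, then finds it with tooling that now ships
# with Windows. Assumes an NTFS volume and PowerShell 3.0 or later; the
# ads-demo directory, innocent.txt and the stream names are constructed.

$root = Join-Path $env:TEMP 'ads-demo'
$sub  = Join-Path $root 'stash'
New-Item -ItemType Directory -Path $sub -Force | Out-Null
$file = Join-Path $root 'innocent.txt'

# Unnamed ($DATA) stream: the content that dir, Explorer and Get-Content report.
Set-Content -LiteralPath $file -Value 'nothing to see here'

# Named stream on the same file. The payload is a placeholder string; a real
# sample would park a binary or configuration blob here.
Set-Content -LiteralPath $file -Stream 'hidden' -Value 'payload that dir never shows'

# Streams attach to directories as well. --% hands the rest to cmd verbatim,
# and cmd's redirect is the simplest way to write a directory stream.
cmd /c --% echo constructed payload> "%TEMP%\ads-demo\stash:dirstream"

# The normal listing: innocent.txt and stash, sizes from the unnamed streams only.
Get-ChildItem -LiteralPath $root

# Enumerate the file's streams; ':$DATA' is the unnamed one.
Get-Item -LiteralPath $file -Stream * | Select-Object FileName, Stream, Length

# Read a named stream back.
Get-Content -LiteralPath $file -Stream 'hidden'

# cmd.exe (Vista and later): dir /R lists streams on files and directories,
# so stash:dirstream:$DATA appears under the stash entry. Plain dir does not.
cmd /c dir /R $root

# Sweep a tree for files carrying any named stream, skipping the
# Zone.Identifier mark that browsers put on downloads.
function Find-NamedStreams {
    param([string]$Path)
    Get-ChildItem -LiteralPath $Path -Recurse -File -Force |
        ForEach-Object { Get-Item -LiteralPath $_.FullName -Stream * -ErrorAction SilentlyContinue } |
        Where-Object { $_.Stream -ne ':$DATA' -and $_.Stream -ne 'Zone.Identifier' } |
        Select-Object FileName, Stream, Length
}
Find-NamedStreams -Path $root

# Clean up: remove the named stream, then the whole demo tree.
Remove-Item -LiteralPath $file -Stream 'hidden'
Remove-Item -LiteralPath $root -Recurse -Force
```

Two things worth noticing when you run it: Get-ChildItem reports innocent.txt at the size of its unnamed stream alone, so a stream-resident payload adds nothing to the number an analyst would eyeball, and the sweep only covers files, since directory streams still have to be found with dir /R on the parent.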
4 comments:
Try to google "System32:18467"
This new RK is really advanced...and not only because of the NTFS streams
EF
EF,
I took a look at some of the stuff posted...not sure I see how this one is "really advanced"...but I could be missing something.
Care to elaborate?
Thanks.
See also ...
http://www.f-secure.com/weblog/archives/archive-062006.html#00000907
Axel
Take a look at:
• pe386
• msguard
• lzx32
John