During the last 7 months we've been able to gather some really interesting statistics thanks to Panda Anti-Rootkit on which rootkits are most actively infecting users as well as new emerging rootkit techniques being used in the wild.
Out of the tens of thousands of machines cleaned so far, the most prevalent rootkits in-the-wild are by far Beagle.FU and Adware/NaviPromo. Together they account for almost 64% of all rootkit detections. The different variants of Rustock come in third place with 16% of the infections, followed by Flush.K, Zlob.A and Peacomm.B.
The simplest technique used by rootkits to hide files, processes and registry entries are based on hooking the IAT/EAT functions of the processes. Rootkits can then intercept and hide the information sent from the system to the querying process. These hooks are done in user-mode and only affect the processes whose IAT/EAT has been hooked.
Kernel-mode rootkits on the other hand use a driver that normally modifies the Service Description Table (SDT) or the Interrupt Description Table (IDT) as well as more advanced techniques which modify the kernel data structure (DKOM), the registry MSR_SYSENTER and the IRP, effectively filtering calls to the drivers. In the following table we can see which technique each of the Top5 rootkits use.
Advanced rootkit techniques
Lately rootkits are using news techniques to evade detection by anti-rootkit utilities. To achieve this they install themselves into an NTFS ADS, which makes detection, and specially disinfection, much more difficult. Some good examples of these are Oddysee.B which installs itself in an ADS of NTOSKRNL.EXE, Rustock.A which installs in an ADS of the C:\Windows\System32 directory and the atypical Unreal which installs in an ADS of the system drive.
One of the most common strategies for detecting objects hidden by rootkits are based on cross-view comparison algorithms. To detect that a file is hidden the anti-rootkit first parses the files using system API functions that have been hooked by the rootkit. The hidden file will not show on the results of this search. The anti-rootkit then performs a second search using more advanced low level access which is not intercepted by the rootkit and then compares both results. Thanks to this cross-view anti-rootkits can enumerate files which are hidden. However many of these cross-view techniques do not enumerate in low level the different system ADS and therefore these advanced rootkits go undetected.
Rustock is worth mentioning again when we're talking about ADS rootkits. It is probably the most dangerous rootkit in the wild, not only because it's the third most prevalent rootkit but also because of the advanced techniques it uses and malicious actions it performs:
- Hides in an ADS of the C:\Windows\System32 directory.
- Hides its execution by injecting itself in kernel threads and avoids being detected as a hidden process.
- Gets rid of its own kernel structure entries typically searched for by anti-rootkits to detect hidden drivers.
- Searches for certain security products to further evade detection.
- Installs a hidden proxy to send spam.
Because of this Rustock is definately the most difficult rootkit to detect and specially to disinfect. Therefore it receives our "Most Interesting Rootkit" award.