December 7, 2005
By Ryan Naraine
The sharp rise in rootkit detections on Windows machines is a direct result of adware/spyware vendors using sophisticated techniques to hide processes and prevent uninstallation, according to anti-virus vendor F-Secure Corp.
The Finnish company, which ships an anti-rootkit scanner in its security suite, has identified ContextPlus, Inc., makers of the Apropos and PeopleOnPage adware programs, as the company responsible for a large number of stealth rootkit infections.
F-Secure chief incident officer Mikko Hypponen said the company's BlackLight technology has discovered the use of "very advanced rootkit technologies" in Apropos, a spyware program that collects users' browsing habits and system information and reports back to the ContextPlus servers.
Like the typical spyware application, Apropos uses the data to serve targeted pop-up advertisements while the user is surfing the Web.
Unlike the average worm or bot that use rootkit technologies to avoid detection, Hypponen said the rootkit features built into Apropos aren't being used to hide the existence of the program on the machine.
"They're using a very sophisticated kernel-mode rootkit that allows the program to hide files, directories, registry keys and processes," Hypponen explained in an interview.
Rootkit detection coming to Windows AntiSpyware. Click here to read more.
The rootkit fitted into Apropos is implemented by a kernel-mode driver that starts automatically early in the boot process. When the files and registry keys have been hidden, no user-mode process is allowed to access them.
Hypponen said the rootkit removal statistics released by Microsoft Corp. were consistent with the response received from F-Secure customers using the anti-rootkit scanner.
"In the nine months since we released BlackLight, we're seeing the same things that Microsoft is reporting. We have definitely seen the FU rootkit being extremely widespread this year," he said. Hypponen noted that the open-source nature of FU and other rootkits has allowed spyware purveyors to add drivers from an existing rootkit and cut-and-paste the user-mode code for controlling the driver.
On the F-Secure Weblog, Hypponen described FU as "a very simple rootkit to cut-and-paste into worms and bots."
He said FU only hides processes, not files or registry keys.
"Currently worm and bot authors are mainly interested in hiding their processes from Task Manager. They are not that keen on hiding files since most Windows users do not know which files should be in their "System32" folder, anyways," Hypponen said.
Microsoft lists FU among the top-five pieces of malware deleted by its free Windows malicious software removal tool. Two other stealth rootkits—WinNT/Ispro and Win32/HackDef—are also high on the list of removed malware.
According to F-Secure's Hypponen, the appearance of Win32/HackDef, otherwise known as "Hacker Defender," is a dangerous sign.
Although it's not as prevalent as FU on infected machines, he said malware writers regularly use "Hacker Defender" in bots and backdoors to mask the presence of the malware.
In addition, he said "Hacker Defender" is regularly used by malicious hackers on compromised corporate servers. "Therefore, despite the infection numbers of HacDef are most likely much below those of FU, these infections are usually far more serious."
Security vendors clueless over rootkit invasion. Click here to read more.
"The FU rootkit is widespread and dangerous, but if I find HackDef or one of the other advanced rootkits like the one used in Apropos, I'd be much more concerned," Hypponen said.
He said the Apropos rootkit uses kernel-mode drivers that patch the Windows kernel "at a very deep level." It also modifies several important data structures and native API functions implemented by the kernel.
Hypponen said F-Secure researchers have also discovered a new tactic used by ContextPlus to wend its way around anti-spyware and other desktop security applications.
"The rootkit is not the only advanced trick they're using. We've seen ContextPlus using a polymorphic wrapper that constantly changes the appearance of the spyware file," he said.
"Every time you download the Apropos program from ContextPlus servers, it looks totally different. The download server is regenerating the program for every single download. That makes it a huge problem for traditional anti-spyware scanners," he said.
ContextPlus did not respond to numerous e-mail queries for comment.
Eric L. Howes, an anti-spyware researcher and consultant, said ContextPlus has been notoriously difficult to track down. Several domains associated with the company are registered anonymously or by registrants in France and Poland.
Click here to read about the chaotic world of defining spyware.
"I wouldn't be surprised to learn they were somewhere in the U.S.," Howes said in an e-mail exchange with Ziff Davis Internet News. "All in all, it's rather bizarre."
Howes said F-Secure's identification of ContextPlus and Apropos was rather significant. "Rootkits are commonly associated with out-and-out-malware created by black hats hacking servers and planting backdoors. Yet F-Secure is now saying the most common deployer of rootkits is a commercial adware firm."
On the ContextPlus Web site, the company is described as a "one-to-one desktop marketing" concern.
Check out eWEEK.com's Security Center for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at eWEEK.com Security Center Editor Larry Seltzer's Weblog.