This week the Microsoft Malware Protection Center (MMPC) published a new threat report focused on rootkits. A rootkit is a suite of tools that attackers use to give malware stealth capabilities. The typical goal of a rootkit is to keep malware undetected on a system for as long as possible, in order to facilitate the theft of sensitive data, changes to computer settings, or the compromise of system resources.

I remember back in 2003 when I was the Technical Lead on the Product Support Services Security Incident Response team here at Microsoft, rootkits were considered by many as only theoretically possible. During the course of an investigation on a system that would “blue screen” periodically, a strange process was discovered running on the system during a live debug session. The process was hooking the list of running processes on the system and taking itself out of the list and then returning the new list to applications that were asking for it. The blue screen was the result of a bug in the driver that started the process. The bug only manifested once in a while at a random time, making it challenging to find and debug. A few of us on the Incident Response team, including Rob Hensing and Lee Yan, shared the results of the investigation with many people inside Microsoft in an effort to show people that rootkits were not only theoretically possible, but actively being used in the wild. Lee Yan worked tirelessly on tools that detected rootkits, with great success. In a short period, we began to see a variety of rootkits being used in the wild.
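The hiding trick described above, as an added example that is not part of the original post and not code from any Microsoft tool: a user-mode C mock of an enumeration buffer whose records are chained by a next-entry offset (a deliberately simplified stand-in for the structure a process-information query returns; the `proc_record` layout and field names are assumptions for illustration, not the real Windows layout), the single-field edit that unlinks one record from the chain so callers never see it, and the cross-view check that catches it by comparing the chained walk against an independent scan of the same bytes. The PIDs in `run_demo` are constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Mock enumeration record: an assumed layout for illustration, cut down to the
 * two fields the hiding trick touches (the real structure is far larger). */
typedef struct {
    uint32_t next_entry_offset;  /* bytes to the next record; 0 ends the list */
    uint32_t pid;
} proc_record;

/* Lay out n records back to back, chained by next_entry_offset.
 * Returns bytes used, or 0 if the buffer is too small. */
size_t build_list(uint8_t *buf, size_t cap, const uint32_t *pids, size_t n)
{
    if (n == 0 || n * sizeof(proc_record) > cap) return 0;
    for (size_t i = 0; i < n; i++) {
        proc_record rec = { (i + 1 < n) ? (uint32_t)sizeof(proc_record) : 0, pids[i] };
        memcpy(buf + i * sizeof rec, &rec, sizeof rec);
    }
    return n * sizeof(proc_record);
}

/* What an ordinary caller sees: follow the chain and collect PIDs.
 * Returns the chain length; at most cap PIDs are stored in out. */
size_t walk_list(const uint8_t *buf, uint32_t *out, size_t cap)
{
    proc_record rec = { 0, 0 };
    size_t count = 0;
    for (const uint8_t *p = buf;; p += rec.next_entry_offset) {
        memcpy(&rec, p, sizeof rec);
        if (count < cap) out[count] = rec.pid;
        count++;
        if (rec.next_entry_offset == 0) return count;
    }
}

/* The hook's edit: re-point the target's predecessor so the chain skips it.
 * The bytes stay in the buffer; only the offsets change. Returns 1 on success,
 * 0 if pid is absent or is the first record (no predecessor to re-point). */
int hide_pid(uint8_t *buf, uint32_t pid)
{
    proc_record rec = { 0, 0 }, prev_rec;
    uint8_t *prev = NULL;
    for (uint8_t *cur = buf;; prev = cur, cur += rec.next_entry_offset) {
        memcpy(&rec, cur, sizeof rec);
        if (rec.pid != pid && rec.next_entry_offset == 0) return 0;  /* end of chain, not found */
        if (rec.pid != pid) continue;
        if (prev == NULL) return 0;
        memcpy(&prev_rec, prev, sizeof prev_rec);
        /* jump over the hidden record, or end the list at prev if it was last */
        prev_rec.next_entry_offset = rec.next_entry_offset
            ? prev_rec.next_entry_offset + rec.next_entry_offset : 0;
        memcpy(prev, &prev_rec, sizeof prev_rec);
        return 1;
    }
}

/* An independent view: step through the buffer by record size, ignoring the
 * chain (stands in for a second source the hook did not touch, such as probing
 * every PID directly). Returns the record count. */
size_t scan_raw(const uint8_t *buf, size_t len, uint32_t *out, size_t cap)
{
    size_t n = len / sizeof(proc_record);
    for (size_t i = 0; i < n && i < cap; i++)
        memcpy(&out[i], buf + i * sizeof(proc_record) + offsetof(proc_record, pid), sizeof *out);
    return n;
}

/* Cross-view detection: PIDs present in the raw view but absent from the chained
 * view are hidden-process candidates. Returns how many were found. */
size_t cross_view_diff(const uint32_t *api, size_t n_api, const uint32_t *raw,
                       size_t n_raw, uint32_t *hidden, size_t cap)
{
    size_t found = 0;
    for (size_t i = 0; i < n_raw; i++) {
        size_t j = 0;
        while (j < n_api && api[j] != raw[i]) j++;
        if (j < n_api) continue;                 /* both views agree on this PID */
        if (found < cap) hidden[found] = raw[i];
        found++;
    }
    return found;
}

/* Constructed sample: five PIDs, then 1337 is unlinked the way the hook would.
 * Returns the hidden count the cross-view check reports and stores the first
 * hidden PID in *first_hidden when it is non-NULL. */
size_t run_demo(uint32_t *first_hidden)
{
    static const uint32_t pids[] = { 0, 4, 512, 1337, 2048 };
    uint8_t buf[8 * sizeof(proc_record)];
    uint32_t api[8], raw[8], hidden[8];
    size_t len = build_list(buf, sizeof buf, pids, 5);
    hide_pid(buf, 1337);
    size_t n_api = walk_list(buf, api, 8);      /* 4: the chain now skips 1337 */
    size_t n_raw = scan_raw(buf, len, raw, 8);  /* 5: the record itself is still there */
    size_t n_hidden = cross_view_diff(api, n_api, raw, n_raw, hidden, 8);
    if (first_hidden && n_hidden) *first_hidden = hidden[0];
    return n_hidden;
}
```

The detection side generalizes beyond this mock: any two views of the same set of objects that the rootkit did not hook consistently (an API enumeration against per-PID probing, a user-mode list against a kernel-side walk of the process structures) disagree on exactly the hidden entries, which is the principle cross-view rootkit detectors are built on.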

Fast forward a decade. Today several prevalent malware families employ rootkits; examples include Win32/Alureon, Win32/Rustock, Win32/Sinowal, and Win32/Cutwail.

The MMPC report explains how rootkits work and is recommended reading for anyone who wants to understand how malware families use rootkits to avoid detection and how to protect against this type of threat.

You can download the paper from here:

Tim Rains
Trustworthy Computing