We've been quite busy over the last few days after isolating a new variant of an MBR rootkit which is able to bypass virtually every security solution. While analyzing it, I've had time to reminisce about how rootkit infections have become more and more widespread.
The Gromozon rootkit immediately came to mind, most likely because I was deeply involved in that case thanks to a personal attack on Prevx and myself by the author of the rootkit. After three years, the Gromozon infection has gone from "cutting edge" to rudimentary, and it is now very easy to detect if you compare it to current rootkit infections. It was a "simple" but armored user-mode rootkit that hid itself by abusing some Windows features and using inline hooks. Indeed, it was very smart for its time.
Every basic rootkit scanner should now be able to detect a rootkit like Gromozon. However, it took some months before most antivirus companies started to detect the infection, leaving the malware free to do its dirty job for a long time and infecting over 250,000 users at its peak.
This gap could have been understandable three years ago, because rootkit threats were not really widespread and the trend of hidden malware was only just starting to rise. Has the situation changed since then? Not at all.
Phide_ex is a classic example of an advanced proof-of-concept rootkit which is able to hide its process from security software. It has been public for a while, its technology is well known, and malicious software like phide_ex could easily be written. Still, many commercial antirootkit solutions are not able to detect phide_ex while it is active in memory. Yes, they can detect it by signature when the dropper is executed, but that is not a solution.
The next paradigm shift came from the Rustock family of rootkits, showing that malware authors can be economical in their use of rootkits and repackage variants quickly to evade detection. Today, some antirootkit engines are still not able to detect the .B variant of this rootkit, and almost all security software is blind to the .C variant. Meanwhile, Rustock has been used to build up a huge botnet.
And now we've encountered the newest variation in the threat landscape: a new MBR rootkit. First discovered in January 2008 (some samples were caught during late 2007), this fancy rootkit has infected thousands of PCs around the world. We were among the first to release a detection and cleanup routine able to handle this rootkit; with the engines behind Prevx CSI and Edge, we have been able to remove this nasty infection for more than a year without ever updating the code. Other companies have had to frequently update their removal tools to detect all of the variants of this rootkit.
This was the situation until this month, when the MBR rootkit authors retooled and began to use more advanced means to infect. The Master Boot Record is still the main target, but this time the infection uses much more interesting rootkit techniques to evade security products. IRP hooks are still used, but they are not as visible as the old ones. Moreover, Direct Kernel Object Manipulation (DKOM) has been implemented in the rootkit, making it smarter and even harder to find. Every security solution has been bypassed.
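To make the process-hiding trick behind phide_ex and the DKOM step of the new MBR rootkit concrete, here is an added example (not Prevx's code, and not the rootkit's) that simulates the technique in user mode: a process object is unlinked from the active-process list while it stays allocated and reachable through a pid-indexed table, and a cross-view check compares the two enumerations to find what the list walk no longer sees. The `struct proc`, `list_head` and `pid_table` names are assumed stand-ins for the Windows EPROCESS list and PID table; the sample process table is constructed for the demo.

```c
/* Added example, not code from Prevx or from the rootkit discussed above.
 * User-mode simulation of DKOM process hiding plus a cross-view detector.
 * struct proc / list_head / pid_table are assumed stand-ins for the kernel's
 * EPROCESS list and PID handle table. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define MAX_PID 64

/* Minimal stand-in for a kernel process object on a doubly linked list. */
struct proc {
    unsigned pid;
    const char *name;
    struct proc *flink;
    struct proc *blink;
};

/* Two independent views of which processes exist:
 *  - the active-process list (what a naive list walker sees)
 *  - a pid-indexed table (stands in for the PID handle table) */
static struct proc list_head = { 0, "head", &list_head, &list_head };
static struct proc *pid_table[MAX_PID];

static void insert_process(struct proc *p)
{
    p->flink = &list_head;
    p->blink = list_head.blink;
    list_head.blink->flink = p;
    list_head.blink = p;
    pid_table[p->pid] = p;
}

/* DKOM-style hiding: unlink the object from the list but leave it allocated
 * and still registered by pid, so it keeps running yet no longer shows up. */
static void dkom_unlink(struct proc *p)
{
    p->blink->flink = p->flink;
    p->flink->blink = p->blink;
    p->flink = p->blink = p;   /* self-link so the object still looks sane */
}

/* View 1: walk the linked list the way a list-based enumeration does. */
static size_t enumerate_list(unsigned *out, size_t max)
{
    size_t n = 0;
    for (struct proc *p = list_head.flink; p != &list_head && n < max; p = p->flink)
        out[n++] = p->pid;
    return n;
}

/* View 2: brute-force the pid space through the table. */
static size_t enumerate_table(unsigned *out, size_t max)
{
    size_t n = 0;
    for (unsigned pid = 1; pid < MAX_PID && n < max; pid++)
        if (pid_table[pid])
            out[n++] = pid;
    return n;
}

/* Cross-view detection: any pid present in view 2 but absent from view 1
 * is hidden. Returns the number of hidden pids written to out. */
static size_t find_hidden(unsigned *out, size_t max)
{
    unsigned via_list[MAX_PID], via_table[MAX_PID];
    size_t nl = enumerate_list(via_list, MAX_PID);
    size_t nt = enumerate_table(via_table, MAX_PID);
    size_t hidden = 0;
    for (size_t i = 0; i < nt && hidden < max; i++) {
        int seen = 0;
        for (size_t j = 0; j < nl; j++)
            if (via_list[j] == via_table[i]) { seen = 1; break; }
        if (!seen)
            out[hidden++] = via_table[i];
    }
    return hidden;
}

/* Constructed sample process table; pid 37 plays the rootkit's process. */
static struct proc procs[] = {
    { 4,  "System",       NULL, NULL },
    { 8,  "services.exe", NULL, NULL },
    { 12, "explorer.exe", NULL, NULL },
    { 37, "rootkit.exe",  NULL, NULL },
};

/* Builds the sample table, hides pid 37 by DKOM, and returns the single
 * hidden pid reported by the cross-view check (0 if nothing was found). */
static unsigned demo(void)
{
    unsigned hidden[MAX_PID];
    memset(pid_table, 0, sizeof pid_table);
    list_head.flink = list_head.blink = &list_head;
    for (size_t i = 0; i < sizeof procs / sizeof procs[0]; i++)
        insert_process(&procs[i]);
    dkom_unlink(&procs[3]);
    return find_hidden(hidden, MAX_PID) == 1 ? hidden[0] : 0;
}

static size_t list_count(void)  { unsigned p[MAX_PID]; return enumerate_list(p, MAX_PID); }
static size_t table_count(void) { unsigned p[MAX_PID]; return enumerate_table(p, MAX_PID); }

int main(void)
{
    printf("hidden pid reported by cross-view: %u\n", demo());
    printf("list walk sees %zu processes, pid table sees %zu\n",
           list_count(), table_count());
    return 0;
}
```

The point of the simulation is the asymmetry: after `dkom_unlink`, the list walk reports three processes while the pid table still reports four, which is exactly the kind of discrepancy a scanner that relies on a single enumeration path never gets to see. A real rootkit can of course hook the second view as well, which is why the new MBR variant, combining IRP hooks with DKOM, is harder to catch than either technique alone.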
Here at Prevx we are very aware of the importance of 0-day threat prevention, but we also know that detection and cleanup are as important as prevention. Users looking for help after their current security software has failed are quickly running out of options as threats embed themselves deeper into the operating system.
On a side note, it's time to spend a few words on us and our work here at Prevx. It is always nice to know something about the person behind the keyboard.
I've been working for Prevx since 2006. My main role is analyzing malware and developing prototype technologies. I could say I act as a bridge between Prevx Research Labs and the Prevx developers, analyzing complex threats and developing new technologies to cure and heuristically prevent them. My main research focuses on rootkits and heuristic engine development.
As I've written in a previous blog post, we can learn a lot from every old infection. It's up to every security vendor to learn from past threats and develop new, effective technologies that counteract them generically, so as to prevent new threats in the future. Here at Prevx we think we're on the right path. The battle will never be over, but we are very encouraged when we receive personal threats from malware authors like the ones behind Gromozon, because it lets us know we're doing something right!
If you would like to discuss any of the above points further please see me at RSA (San Francisco) booth number 2732.
5 comments so far
- jerry lord on Apr 10 20:40, 2009
- MJ on Apr 11 23:28, 2009
"This was the situation until this month, when MBR rootkit authors retooled and have now begun to use more advanced means to infect."
Does Prevx detect this new rootkit method?
Nicely done, it is the only free cleaner for this updated version of Mebroot.
We did 3 days of testing and CSI was the only tool available free or paid that had the ability to clean up this infection properly.
Well done Marco. :)
Wish I could make the RSA conference.
Anyhow, nice summary. It's certainly true that most "anti-rootkit" technology built into AVs is lacking. Does CSI detect Rustock.C?