Malware Uses White List for Protection

Friday, October 7, 2011 @ 03:10 PM gHale

Whitelisting is one of the stronger ways to improve any security profile, but a growing number of rootkits are mimicking anti-virus programs, adopting self-protection features and application whitelists of their own to maintain control over the systems they infect.

Self-protection features have become common in leading rootkit families such as TDSS and TDL4, said Rachit Mathur, a research scientist at McAfee, speaking at the annual Virus Bulletin Conference.

Application whitelists allow only approved applications to run, which blocks hostile programs. Newer rootkits, however, now carry built-in monitoring features of their own that shut down anti-malware programs and prevent critical malware components from being disabled.

Mathur said McAfee researchers are increasingly finding evidence of attempts to kill anti-virus and anti-rootkit drivers using attacks at the kernel level of an infected system.

While malware attempts to shut down anti-virus programs from user mode have been around for some time, kernel-mode attacks to snuff out anti-virus programs are a newer development, and much harder to thwart, Mathur said.

Self-protection features are just a few of the techniques malware authors are using to make their software harder to detect and, once detected, impossible to remove. Techniques like file forging — in which rootkit authors hide malicious code within existing, legitimate system files — have become common in malware families like TDSS and BlackEnergy, Mathur said. File forging can make it difficult for rootkit detection programs to spot the malicious code. Malware authors are also experimenting with memory forging — directly altering the infected system's kernel memory to throw off scanners.

Easy access to the Windows kernel is one reason for the continued effectiveness of evasion techniques, said Mathur, who co-authored a paper on the subject. “Once the rootkits enter the kernel they seem invincible and they can easily circumvent any and every protection that is in place,” the paper said.

In contrast, most malware detection is still reactive, relying on a known malware "signature" or on observed behaviors to betray the malware after it has already infected a system. The paper calls for proactive detection tools that can catch the rootkit outright, or that provide a trusted view of the infected system that would reveal the presence of a rootkit, Trojan horse or other malicious program.

Rootkit programs are general-purpose toolkits that give remote attackers total control over a host system. They have evolved rapidly since they first appeared in the late 1990s and early 2000s, Mathur said. In recent years, rootkits like TDSS have developed new features to help them spread between infected systems on a network and then evade detection.
