- 2003 – Haxdoor (aka A-311 Death and Nuclear Grabber, a modified variant of the same program). This is already more than a tool – it is a backdoor that uses rootkit techniques to conceal its presence in the system. It works primarily in user mode.
- 2004 – FU – a tool to conceal processes. This tool introduced a new technique: instead of intercepting access to the system (hooking the calls that enumerate processes), it modifies the kernel's own data structures directly, unlinking a process from the list the system uses to enumerate running processes. It works in kernel mode.
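The difference between the two approaches in the list above (hooking access versus editing the kernel's structures) is easiest to see in code. The following is an added example written for this page, not FU's own code: a user-mode simulation in which a doubly-linked "active process" list and a PID table stand in for the kernel objects, `dkom_hide()` splices one record out of the list the way FU did, and `cross_view_detect()` shows the check that later anti-rootkit tools relied on, comparing the list walk against a brute-force PID probe. The PID space (`MAX_PIDS`), the process names and the structure layout are assumptions of the simulation, not kernel values.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_PIDS 64  /* assumed small PID space for the simulation */

/* Stand-in for the kernel's per-process record and the doubly-linked
 * list entry that chains every active process together. */
typedef struct proc {
    unsigned pid;
    char name[16];
    struct proc *flink;   /* next process in the active list */
    struct proc *blink;   /* previous process in the active list */
} proc_t;

static proc_t head = { 0, "<head>", &head, &head };  /* circular list head */
static proc_t *pid_table[MAX_PIDS];  /* stand-in for the PID/handle table */

static void reset_state(void) {
    for (unsigned pid = 0; pid < MAX_PIDS; pid++) {
        free(pid_table[pid]);
        pid_table[pid] = NULL;
    }
    head.flink = head.blink = &head;
}

static proc_t *create_process(unsigned pid, const char *name) {
    if (pid >= MAX_PIDS || pid_table[pid]) return NULL;
    proc_t *p = calloc(1, sizeof *p);
    if (!p) return NULL;
    p->pid = pid;
    strncpy(p->name, name, sizeof p->name - 1);
    p->blink = head.blink;              /* append at the tail of the list */
    p->flink = &head;
    head.blink->flink = p;
    head.blink = p;
    pid_table[pid] = p;
    return p;
}

static proc_t *find_process(unsigned pid) {
    return pid < MAX_PIDS ? pid_table[pid] : NULL;
}

/* The FU-style trick (direct kernel object manipulation): splice the record
 * out of the list that process enumeration walks. The object itself and its
 * PID slot are untouched, so the process keeps running; only the list no
 * longer mentions it. No call is hooked anywhere. */
static void dkom_hide(proc_t *p) {
    p->blink->flink = p->flink;
    p->flink->blink = p->blink;
    p->flink = p->blink = p;  /* self-link so a walk starting at p stays valid */
}

/* View 1: a task-manager style enumeration that walks the active list. */
static int enumerate_by_list(unsigned *out, int max) {
    int n = 0;
    for (proc_t *p = head.flink; p != &head && n < max; p = p->flink)
        out[n++] = p->pid;
    return n;
}

/* View 2: probe every PID, as an anti-rootkit tool does by trying to open
 * each one. The hidden process still answers because its object exists. */
static int enumerate_by_pid_probe(unsigned *out, int max) {
    int n = 0;
    for (unsigned pid = 0; pid < MAX_PIDS && n < max; pid++)
        if (pid_table[pid]) out[n++] = pid;
    return n;
}

/* Cross-view detection: any PID present in view 2 but absent from view 1
 * has been unlinked. Fills hidden[] and returns how many were found. */
static int cross_view_detect(unsigned *hidden, int max) {
    unsigned a[MAX_PIDS], b[MAX_PIDS];
    int na = enumerate_by_list(a, MAX_PIDS);
    int nb = enumerate_by_pid_probe(b, MAX_PIDS);
    int n = 0;
    for (int i = 0; i < nb && n < max; i++) {
        int seen = 0;
        for (int j = 0; j < na; j++)
            if (a[j] == b[i]) { seen = 1; break; }
        if (!seen) hidden[n++] = b[i];
    }
    return n;
}

/* Scenario with three constructed processes, one unlinked by DKOM. Returns
 * the PID that cross-view detection flags, or -1 if it finds none or several. */
static int run_scenario(void) {
    unsigned hidden[MAX_PIDS];
    reset_state();
    create_process(4, "System");
    create_process(42, "backdoor");
    create_process(33, "explorer");
    dkom_hide(find_process(42));
    int n = cross_view_detect(hidden, MAX_PIDS);
    return n == 1 ? (int)hidden[0] : -1;
}

int main(void) {
    int pid = run_scenario();
    if (pid >= 0)
        printf("hidden process: pid %d (%s)\n", pid, find_process((unsigned)pid)->name);
    else
        printf("no hidden process found\n");
    reset_state();
    return 0;
}
```

The point of the simulation is the asymmetry: a hooking rootkit has to filter every path by which a process can be observed, whereas a DKOM rootkit edits one structure and every list walker is fooled at once. Conversely, a detector only needs one view the rootkit forgot to doctor; in the real kernel that second view was typically the handle table, the thread scheduler's lists, or a PID brute force, exactly what the anti-rootkit tools of the period compared against the process list.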
Rootkits – mass production
As rootkits evolved, they were also being embedded in malicious programs. In those days it was difficult to create stealth technologies independently, because little was written about this field: as a result, the small number of malicious rootkits could be divided into three categories:
- Trojans which used ready-made tools and libraries to hide themselves. The overwhelming majority of these Trojans used Hacker Defender and FU.
- Ready-made malicious rootkits which could be downloaded or purchased and which could be modified by the user. Haxdoor is one example. Like HacDef, Haxdoor was very popular in the fall of 2005; Kaspersky Lab was adding around ten new signatures daily to protect against new variants of Haxdoor.
- Custom rootkits developed for targeted attacks. AV vendors usually learned about these rootkits directly from customers, mostly large enterprises. Typically, virus analysts conducted on-site manual forensic investigations after network administrators couldn't identify the cause of the problem. This group of rootkits was extremely small, but the samples showed a high level of technical sophistication.
By 2006 we saw rootkit technologies being built into common email worms such as Bagle; Trojan-Spy programs such as Goldun; and Mailbot programs, such as Rustock. This development proved to be a serious challenge for AV vendors. However, by the time using rootkit technologies in Trojans became standard there were a number of anti-rootkit tools, both standalone and in products. The balance of power was restored.
Rootkits and scandal
By 2005 the use of rootkit technologies in malware was so widespread that it fell under the gaze of the mass media and, naturally, security vendors. Microsoft representatives brought up the topic at RSA. The numerous scandals related to rootkit-like technologies found in various software and hardware products in 2006 clearly demonstrate how rootkits had become a public issue.