A new root'Kid' on the block

In the past two weeks McAfee Avert Labs has been observing activity by a new parasitic worm named W32/Almanahe.a. Apart from its parasitic nature, this worm is particularly interesting because of the rootkit technique it implements to hide and protect itself.

Some background:

Rootkit techniques range from simple ‘user mode’ hooks to complex ‘kernel mode’ ones. Most of them insert some kind of hook into the normal execution path of a call or an API. A more detailed explanation of the various techniques can be found in the latest whitepaper by McAfee here.

As explained in the whitepaper, one widely adopted kernel mode hook technique is SSDT patching, as shown in Figure 1. Many freely available tools, along with traditional virus scanners, can detect such rootkit activity. An easy way to detect it is to perform a quick range check on the addresses held by the function entries listed in the SSDT: if an address lies outside the Ntoskrnl.exe address range, the SSDT may be hooked. For example, in Figure 1 Rootkit.sys lies outside the address range of Ntoskrnl.exe, so a query on the address pointed to by the hooked NtDeleteKey entry in the SSDT will raise an alarm, because that address falls within the range of Rootkit.sys.
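The range check described above, written out as an added example (this is not code from the original post or from McAfee). It works on a constructed snapshot of an SSDT and a constructed module list; the module names, base addresses and sizes, and the service addresses are sample values chosen for the example, not real measurements, and "Rootkit.sys" is the hypothetical driver named in the article. Each SSDT entry whose handler address falls outside the ntoskrnl.exe image is flagged, and the flagged address is resolved to the module that owns it so the alert names the suspect driver:

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* A loaded kernel module and the address range its image occupies.
 * All values below are constructed sample data for this example. */
typedef struct {
    const char *name;
    uint32_t base;
    uint32_t size;
} ModuleRange;

/* One SSDT slot: the system service name and the handler address it holds. */
typedef struct {
    const char *service;
    uint32_t target;
} SsdtEntry;

/* Constructed module list; ntoskrnl.exe must be the first entry. */
static const ModuleRange g_modules[] = {
    { "ntoskrnl.exe", 0x804D7000u, 0x001F8000u },  /* ends at 0x806CF000 */
    { "hal.dll",      0x806D0000u, 0x00020000u },
    { "Rootkit.sys",  0xF8A00000u, 0x00002000u },  /* hypothetical driver */
};
#define N_MODULES (sizeof g_modules / sizeof g_modules[0])

/* Constructed SSDT snapshot: two entries still point into the kernel image,
 * while NtDeleteKey has been redirected into Rootkit.sys. */
static const SsdtEntry g_ssdt[] = {
    { "NtCreateFile",  0x8056E8F2u },
    { "NtDeleteKey",   0xF8A00410u },
    { "NtOpenProcess", 0x805C9B3Cu },
};
#define N_SSDT (sizeof g_ssdt / sizeof g_ssdt[0])

/* True when addr lies inside the half-open range [base, base + size). */
static int in_range(const ModuleRange *m, uint32_t addr)
{
    return addr >= m->base && addr < m->base + m->size;
}

/* Name of the module whose range covers addr, or "<unknown>" if none does. */
const char *owner_of(uint32_t addr)
{
    for (size_t i = 0; i < N_MODULES; i++)
        if (in_range(&g_modules[i], addr))
            return g_modules[i].name;
    return "<unknown>";
}

/* The range check from the article: an SSDT entry is suspicious when its
 * handler address is outside the ntoskrnl.exe image. */
int ssdt_entry_suspicious(const SsdtEntry *e)
{
    return !in_range(&g_modules[0], e->target);
}

/* Scan the whole table, print an alert for each suspicious entry and
 * return how many were flagged. */
size_t scan_ssdt(void)
{
    size_t flagged = 0;
    for (size_t i = 0; i < N_SSDT; i++) {
        if (ssdt_entry_suspicious(&g_ssdt[i])) {
            flagged++;
            printf("ALERT %-14s -> 0x%08X (owner: %s)\n", g_ssdt[i].service,
                   (unsigned)g_ssdt[i].target, owner_of(g_ssdt[i].target));
        }
    }
    return flagged;
}

int main(void)
{
    size_t n = scan_ssdt();
    printf("%zu suspicious SSDT entr%s found\n", n, n == 1 ? "y" : "ies");
    return 0;
}
```

Two points worth keeping in mind when using a check like this: it only flags entries whose address leaves the kernel image, so it says nothing about an entry that has been redirected to a different location inside Ntoskrnl.exe, and any legitimate driver that registers an SSDT hook will be flagged in exactly the same way, so each alert still has to be triaged against the module that owns the address.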

(Read Original Article - Via McAfee Avert Labs.)