
Spyware and rootkits: concealed threat

The notion of a rootkit came from the world of UNIX operating systems. A rootkit is a toolkit that hackers use to conceal their activity on a compromised network, to maintain further access, and to carry out spying functions such as logging keyboard input. Spyware-like activity was therefore already found in some rootkits for UNIX/Linux/Solaris in the last century.

Today spyware producers are beginning to use rootkits to hide from both the user and the tools that detect and remove harmful programs. A rootkit can block access to files, folders, processes and registry keys so that it appears that no harmful programs are present.

Rootkits can modify Windows system files in such a way that, when an anti-spyware scanner or antivirus searches for suspicious components, the altered system functions hide the rootkit's presence. Nevertheless, there are means to find and remove rootkits, and anti-spyware producers are working out plans to integrate these means into their products.
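One of the detection means referred to above is the cross-view comparison used by tools such as RootkitRevealer (mentioned later in the article): the same file system and registry are enumerated once through the normal Windows API and once by reading the raw volume and hive, and any entry that appears in one view but not the other is flagged. The Python below is an added illustration of that principle, not code from the article or from any product it names. The file and key names, the `$hid$` prefix and the simulated hook are all constructed for the demo; a real scanner would obtain the raw view by parsing on-disk structures rather than from a list.

```python
"""Cross-view discrepancy detection: compare what a (possibly hooked) system
API reports with what a raw read of the volume / registry hive contains.
All paths, key names and the hook below are constructed for illustration."""

from dataclasses import dataclass

# Constructed "raw" views: what a direct parse of the volume and hive would
# return. A real scanner builds these from on-disk structures, not the API.
RAW_FILES = [
    r"C:\Windows\System32\drivers\ntfs.sys",
    r"C:\Windows\System32\drivers\$hid$svc.sys",   # constructed hidden driver
    r"C:\Windows\Temp\tmp1234.tmp",
]
RAW_REG_KEYS = [
    r"HKLM\SYSTEM\CurrentControlSet\Services\Ntfs",
    r"HKLM\SYSTEM\CurrentControlSet\Services\$hid$svc",  # constructed hidden key
]

HIDE_PREFIX = "$hid$"   # constructed marker the simulated hook filters on


def hooked_api_view(entries):
    """Simulates the filtered result a process sees when it enumerates through
    a patched system call: any entry whose last path component starts with
    HIDE_PREFIX is silently dropped from the listing."""
    return [e for e in entries
            if not e.rsplit("\\", 1)[-1].startswith(HIDE_PREFIX)]


@dataclass
class Discrepancy:
    kind: str     # "file" or "registry"
    path: str
    status: str   # "hidden from API" or "visible to API only"


def cross_view_diff(kind, api_view, raw_view, volatile_dirs=()):
    """Report entries present in one view but not the other.

    Entries under volatile_dirs (temp folders and the like) that are missing
    from the API view are ignored: files created or deleted between the two
    enumeration passes are the classic false-positive source for this
    technique, so a practitioner normally allow-lists such locations."""
    api, raw = set(api_view), set(raw_view)
    findings = []
    for path in sorted(raw - api):
        if any(path.lower().startswith(v.lower()) for v in volatile_dirs):
            continue
        findings.append(Discrepancy(kind, path, "hidden from API"))
    for path in sorted(api - raw):
        findings.append(Discrepancy(kind, path, "visible to API only"))
    return findings


def scan(raw_files=RAW_FILES, raw_keys=RAW_REG_KEYS):
    """Run both views over the constructed data and return all discrepancies.
    Here the API view is produced by the simulated hook; on a live system it
    would come from the ordinary directory and registry enumeration calls."""
    api_files = hooked_api_view(raw_files)
    api_keys = hooked_api_view(raw_keys)
    return (cross_view_diff("file", api_files, raw_files,
                            volatile_dirs=(r"C:\Windows\Temp",))
            + cross_view_diff("registry", api_keys, raw_keys))


if __name__ == "__main__":
    for d in scan():
        print(f"[{d.kind}] {d.status}: {d.path}")
```

The detector never needs to know how the hook works; it only needs a second vantage point the hook does not control. That is also why the technique is noisy on busy systems: anything that changes between the two passes looks like a discrepancy, which the `volatile_dirs` allow-list in the example accounts for.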

In most cases the combination of a rootkit and spyware serves only to hide the spy program from the user and from protective tools. But because rootkits are able to modify basic functions of the Windows kernel, they are a threat to stable system operation in their own right. Carelessly written rootkits often cause bugs, can lead to the «blue screen of death» and can be the reason for the loss of important data.

Attempting to counter this threat, some anti-spyware producers include anti-rootkit functions in their products. «Operations» now move into the operating system's kernel, an area that is practically inaccessible to the absolute majority of desktop applications, and accordingly to users without specific knowledge in this field. Undoubtedly, modern anti-spyware tools should protect a user from this threat, but their producers must be absolutely sure that their code is safe and will not introduce errors while operating at kernel level. For example, the Aluria company announced successful results for its anti-spyware/anti-rootkit products and stressed that it had received no complaints from users.

In most cases the combination of spyware and rootkits is the work of secretive companies like ContextPlus, which do business on the verge of illegality. One of the best-known cases was the scandal over the use of a spyware rootkit in a copy-protection mechanism used by SONY, one of the biggest corporations in the world.

In 2004 SONY BMG began distributing audio discs equipped with the XCP copy protection designed by the First 4 Internet company. This protection also became known as SONY DRM. A disc protected by this scheme could be listened to only with the Music Player (MediaJam) supplied on the CD.

The presence of the rootkit and its methods of gathering information about users were detected this autumn by Mark Russinovich, an engineer at the Sysinternals company and the creator of the RootkitRevealer program.

The data he gathered show that a rootkit is installed into the system which conceals its activity and intercepts access to the CD drive. The rootkit adds noise when audio tracks from the disc are played by a different player. It was not listed in «Add/Remove Programs» and had no uninstaller. Moreover, information about the discs played was secretly reported to a SONY server. None of these suspicious actions were specified in the SONY DRM license agreement.

Moreover, Mark Russinovich, an acknowledged expert, criticised the rootkit's creators because it contained a serious vulnerability. He also wrote a demo program that crashed a system with the SONY rootkit installed. Malware authors did not miss this fact, and soon a dangerous program called Backdoor.IRC.Snyd.A (Backdoor.Ryknos) appeared which attacked the vulnerability in the rootkit. Another unexpected consequence was that the rootkit's presence allowed players of the popular online game World of Warcraft to hide «cheats» from the game's built-in Warden spyware, giving them an advantage over other players.

Because of intensive media coverage of the problem with the SONY spyware rootkit, the company stopped using the rootkit. SONY and Amazon.com now offer users a refund for discs with the DRM (also known as XCP.Sony.Rootkit) or an exchange for equivalent discs without the dangerous components. By some estimates about 500 000 discs by popular performers were sold.

The secret activity intrinsic to rootkits is also found in CoolWebSearch, one of the most widespread and harmful spyware families.

The ContextPlus company already mentioned uses in its spyware programs, Apropos and EliteBar, techniques peculiar to rootkits: they intercept low-level system calls and use typical methods of automatic modification of the harmful code, making ContextPlus spyware difficult to detect and remove.

The FaceTime Security Lab company has recently discovered a worm that spreads through the AOL Instant Messaging service. This peculiar worm combines infection methods typical of worms with the harmful features and spying capabilities of rootkits, which conceal its activity. Specialists determined that the group of criminals controlling the worm (and also thousands of already infected computers) is located somewhere in the Middle East.

Ten years ago rootkits were considered an exotic instrument of elite hackers, but now, according to some experts, they are increasingly used in Internet marketing. Developers of protective programs are not willing to fall behind because of this threat and are constantly improving methods to detect and remove rootkits safely.

Article Source: http://www.iKnowProcess.com/
