Cyber Security Institute

§ Current Worries

Top 3 Worries

  • Regulations
  • Old Firewall Configurations
  • Security Awareness

§ Listening

For the best information

  • The underground
  • Audible
  • Executive Excellence
  • Music (to keep me sane)

§ Watching

For early warnings

  • 150 Security Websites
  • AP Newsfeeds
  • Vendors

Wednesday, December 13, 2006

Rustock Trojan A Model For Future Threats

Among Rustock’s distinguishing characteristics are its heavy reliance on advanced rootkit technologies to hide from security software and its changeling-like ability to morph itself each time it infects a file.  That threat, dubbed “Rustock” by Symantec, is a family of backdoor Trojan horses that first appeared nearly a year ago, says Patrick Martin, a senior product manager with the Cupertino, Calif., company’s security response team.  The tactics used by a sophisticated threat of 2006 will become staples in exploits during the year to come, a security researcher.  “The techniques that [Rustock] is using will be the baseline for threats in the future,” Martin says.  “It’s using techniques that most rootkit detectors aren’t looking at or for yet,” says Martin.  The longer a Trojan can remain undetected the longer it can stay on a PC, and the more income it can generate for its owner.

Rustock, like other recent in-the-news exploits such as “Stration,” is designed to send spam from hijacked computers.

Rustock hooks into the Windows 32-bit kernel, and patches several APIs (Applications Programming Interfaces) to hide the new registry keys and files it installs.

Polymorphic exploits, which first appeared in 1990, are rarely seen today, Martin says, but Rustock has revived the practice as another defensive strategy against security software, which uses pattern detection and threat-specific signatures to sniff out malware.;jsessionid=3SBBS032AKJBOQSNDLRSKH0CJUNN2JVN?articleID=196603916

Posted on 12/13