Saturday, June 09, 2007

Keep those rootkits out

The St Petersburg iframers have a new rootkit. None of the scanners that I have access to can put a name to it so far, and none of the generic cross-viewers that I have can see it, with the exception of GMER, and GMER isn't sure about it.

That these guys would have something new and difficult is not really surprising: they were using Rustock variants for a long time, which gave most anti-virus/anti-spyware products a hard time by storing themselves in an NTFS Alternate Data Stream (ADS) and then hiding that stream, but lots of av/as products can now see into ADSes. It's reasonable to assume they'd move on to something newer.
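As an added example (not code from the original post), here is the kind of check a practitioner wants after reading the paragraph above: enumerate NTFS Alternate Data Streams under a path, since that is the hiding spot the post attributes to Rustock. It assumes Windows PowerShell 3.0 or later (the `-Stream` parameter and `-File` switch arrived then) and an NTFS volume; the function name and the demo file name are my own.

```powershell
# Added example, not code from the original post. Lists NTFS Alternate Data
# Streams (the hiding spot the post attributes to Rustock) under a path.
# Assumes Windows PowerShell 3.0+ and an NTFS volume.

function Get-AlternateStreams {
    param([Parameter(Mandatory)][string]$Path)

    # Every NTFS file has one unnamed data stream, reported as ':$DATA'.
    # Anything else is an ADS and deserves a look.
    Get-ChildItem -LiteralPath $Path -Recurse -Force -File -ErrorAction SilentlyContinue |
        ForEach-Object { Get-Item -LiteralPath $_.FullName -Stream * -ErrorAction SilentlyContinue } |
        Where-Object { $_.Stream -ne ':$DATA' } |
        Select-Object FileName, Stream, Length
}

# Self-check on a throwaway file: plant a stream, confirm it is found, clean up.
$demo = Join-Path $env:TEMP 'ads-demo.txt'
Set-Content -LiteralPath $demo -Value 'visible body'
Set-Content -LiteralPath $demo -Stream 'payload' -Value 'hidden in an ADS'
Get-AlternateStreams -Path $env:TEMP | Where-Object { $_.FileName -eq $demo }
Remove-Item -LiteralPath $demo -Force

# The real run: the system directory is where a driver would want to live.
Get-AlternateStreams -Path "$env:SystemRoot\System32" | Format-Table -AutoSize
```

Two caveats. Expect benign hits: files saved by a browser carry a `Zone.Identifier` stream, so filter on stream name and size rather than treating every ADS as hostile. More importantly, this is a user-mode view of the file system; a kernel-mode rootkit that filters directory and stream enumeration (which is exactly what the post says Rustock did) hides from this listing just as it hides from a scanner. Run the same check from boot media or against the disk mounted offline on a clean machine if you want to trust the answer. The cmd.exe equivalent is `dir /r`.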

Somewhat amusingly, they're still using the same exploits to plant it, so if you're patched and/or running LinkScanner, you have nothing to fear, but if you're not ... you don't want to get this one on your system.

Trust me ... it's better to keep them out than to try to remove them once they're in!
