How common are these rootkits?


Since F-Secure is the first vendor to have a built-in rootkit scanner in its security suite, we are very often asked how many rootkit variants exist. This question is not that easy to answer with precise numbers, as very few malware families are named "Rootkit.Win32.Something". Most malware that uses rootkit techniques is called "Backdoor.Win32.Something", "Worm.Win32.Something", "Virtool.Win32.Something", etc. However, since our BlackLight rootkit scanner (generic rootkit detection) has now been available for 9 months, we have a pretty good feel for what the rootkit menace is currently about. In a recent eWeek article Microsoft says that more than 20 percent of all malware it has removed from its Windows XP SP2 customers are rootkits. "The open-source FU rootkit ranks high on the list of malicious software", the article states.

We definitely can agree that FU has been extremely widespread during 2005. There is a simple explanation for this. FU is a very simple rootkit to cut-and-paste into worms and bots. It should be noted that FU only hides processes -- not files or registry keys. Currently worm and bot authors are mainly interested in hiding their processes from Task Manager. They are not that keen on hiding files, since most Windows users do not know which files should be in their "System32" folder anyway.
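As an added illustration (not code from FU, and not BlackLight's implementation): FU hides a process by unlinking its EPROCESS entry from the kernel's active-process list, a technique known as DKOM. The process keeps running because the scheduler works from threads, not from that list, but anything that enumerates processes by walking the list (Task Manager included) no longer sees it. That is also why a generic scanner can catch it: it compares two views of the same system, one from the list walk and one from sweeping every PID, and anything present in the second view but missing from the first is hidden. The C program below simulates both sides in user space with toy structures; `proc`, `pid_table`, `dkom_hide`, `list_view`, `pid_view` and `find_hidden` are names this example invents, the list walk stands in for the enumeration API Task Manager uses, and the PID sweep stands in for brute-forcing OpenProcess() over every possible PID.

```c
/* User-space simulation of DKOM process hiding and cross-view detection.
 * Added example; the structs are toy models, not real Windows kernel objects. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_PID 64

/* Toy stand-in for EPROCESS, doubly linked through prev/next
 * (the ActiveProcessLinks equivalent). */
struct proc {
    int pid;
    char name[16];
    struct proc *prev, *next;
};

/* Toy kernel state: the active-process list head, plus a PID table that
 * handle lookups still consult even after an entry is unlinked. */
static struct proc list_head = { -1, "", &list_head, &list_head };
static struct proc *pid_table[MAX_PID];

static struct proc *create_proc(int pid, const char *name) {
    if (pid < 0 || pid >= MAX_PID) return NULL;
    struct proc *p = calloc(1, sizeof *p);
    if (!p) return NULL;
    p->pid = pid;
    strncpy(p->name, name, sizeof p->name - 1);
    /* link at the list tail */
    p->prev = list_head.prev;
    p->next = &list_head;
    list_head.prev->next = p;
    list_head.prev = p;
    pid_table[pid] = p;
    return p;
}

/* What FU does: unlink the entry so list walkers never see it. The process
 * itself is untouched; only this one view of the system loses it. */
static void dkom_hide(struct proc *p) {
    p->prev->next = p->next;
    p->next->prev = p->prev;
    p->next = p->prev = p;   /* self-linked so a second unlink is harmless */
}

/* View 1: walk the linked list, as a process-enumeration API would. */
static int list_view(int *out, int max) {
    int n = 0;
    for (struct proc *p = list_head.next; p != &list_head && n < max; p = p->next)
        out[n++] = p->pid;
    return n;
}

/* View 2: sweep every PID, as a scanner does by trying OpenProcess() on each. */
static int pid_view(int *out, int max) {
    int n = 0;
    for (int pid = 0; pid < MAX_PID && n < max; pid++)
        if (pid_table[pid]) out[n++] = pid;
    return n;
}

/* Cross-view diff: PIDs in the sweep view but absent from the list view are
 * hidden processes. Writes them to `hidden` and returns how many were found. */
static int find_hidden(int *hidden, int max) {
    int a[MAX_PID], b[MAX_PID];
    int na = list_view(a, MAX_PID), nb = pid_view(b, MAX_PID);
    int n = 0;
    for (int i = 0; i < nb && n < max; i++) {
        int seen = 0;
        for (int j = 0; j < na; j++)
            if (a[j] == b[i]) { seen = 1; break; }
        if (!seen) hidden[n++] = b[i];
    }
    return n;
}

/* Demo: constructed process table with one bot that hides itself FU-style.
 * Returns the number of hidden processes the cross-view check detects. */
int demo(void) {
    create_proc(4, "System");
    create_proc(12, "explorer");
    struct proc *bot = create_proc(33, "bot");
    create_proc(40, "notepad");
    dkom_hide(bot);

    int hidden[MAX_PID];
    int n = find_hidden(hidden, MAX_PID);
    for (int i = 0; i < n; i++)
        printf("hidden process: pid %d (%s)\n", hidden[i], pid_table[hidden[i]]->name);
    return n;
}

int main(void) { return demo() == 1 ? 0 : 1; }
```

The caveat the simulation makes visible: the detection only works because the second view comes from a data structure the rootkit did not touch. A rootkit that also hooks the PID lookup path, or hides files and registry keys as well, defeats this particular diff, which is why a generic scanner compares several independent views rather than one.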

Linked by shanmuga Wednesday, 7th December 2005 7:29AM