Malware Trivia: Episode 2
1. "Rootkit infection" is a term that is often thrown around, but it seems like a catch-all term for many different serious threats. What exactly constitutes a rootkit infection? Are there specific attributes and files that malware has to affect in order to be a rootkit? Many rootkit infections seem to come back, even when removed with AV software, so why are they so difficult to get rid of? – Question asked by Aegaeon
Rootkit infections are caused by malware that comes bundled with a rootkit, which is usually a system driver that subverts the operating system. Once installed, it can alter critical features of the operating system, or even impair some antivirus solutions. Generally, malware that can install a user-mode or kernel-mode driver is labeled as a rootkit. There are also hypervisor-mode rootkits and bootkits, but they are pretty rare. Rootkit infections pose a particular danger because they are usually capable of fooling the very systems that should detect them, which is also why they often appear to come back after a removal attempt. However, antimalware solutions with anti-rootkit defense can successfully detect and eliminate these threats.
2. Can you give an overview on any specific botnet's command and control structure (e.g. Conficker, Waledac, Zeus)? Why is it so hard for authorities to take these down? What type of cryptographic mechanisms do they have to protect themselves? – Question asked by Aegaeon
These botnets are extremely complex and we’ll discuss them in detail in upcoming articles. Most of the time, authorities are unable to track and terminate them because of a lack of resources, a lack of cooperation between organizations (such as between law enforcement agencies and ISPs), or simply because monitoring the C&Cs requires breaking into the servers hosting them, which is illegal in most countries. More than that, today’s botnets are comprised of computers infected with sophisticated malware that uses multiple layers of protection to run undetected and to download updated versions of highly obfuscated bots.
3. Obfuscation is used frequently in today's malware. How do the bad guys obfuscate their code so that it still works and is not detected by AV engines? What do the engineers at BitDefender have to do so that their security software detects the malicious code within the obfuscated mess?
The most frequently encountered method of obfuscation is packing. Malware authors use a wide range of custom, non-commercial and very complex packers (also known as FUD – fully undetectable) to hide their malicious payloads. We have seen instances of malware that would change their packer 5 or 6 times per day in order to avoid detection. To fight obfuscation, BitDefender has complemented traditional string scanners with additional protection technologies, such as sandboxing, heuristics and behavioral analysis, which allow the antivirus to detect malicious code that has been highly obfuscated.
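As an added illustration of why packing defeats a plain string scanner and why heuristics are needed, here is one of the simplest such heuristics: a packed (compressed or encrypted) payload has near-maximal byte entropy, while code and text do not. This is example code written for this page, not BitDefender's engine or any of its heuristics; the sample "binary" is a constructed byte buffer, not a real executable.

```python
import math
import random
from collections import Counter


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for constant data, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def high_entropy_regions(data: bytes, window: int = 1024, threshold: float = 7.0):
    """Return (offset, entropy) for each fixed-size window at or above the threshold.
    Compressed or encrypted payloads, which a string scanner cannot match,
    sit close to 8 bits/byte; ordinary machine code and strings sit well below."""
    regions = []
    for off in range(0, len(data), window):
        ent = shannon_entropy(data[off:off + window])
        if ent >= threshold:
            regions.append((off, round(ent, 2)))
    return regions


def packed_verdict(data: bytes, window: int = 1024, threshold: float = 7.0) -> dict:
    """Flag a buffer as likely packed when a quarter or more of it is high-entropy."""
    hits = high_entropy_regions(data, window, threshold)
    hit_bytes = sum(min(window, len(data) - off) for off, _ in hits)
    fraction = hit_bytes / len(data) if data else 0.0
    return {"likely_packed": fraction >= 0.25,
            "high_entropy_fraction": round(fraction, 2),
            "regions": hits}


def build_sample() -> bytes:
    """Constructed stand-in for a packed executable (not a real binary):
    a repetitive low-entropy unpacking stub, a pseudo-random blob standing in
    for the compressed payload, and a zero-filled tail."""
    stub = b"\x55\x8b\xec\x83\xec\x10\x90\x90" * 256          # 2048 bytes, ~2.5 bits/byte
    rng = random.Random(20240101)                              # fixed seed keeps the run deterministic
    payload = bytes(rng.randrange(256) for _ in range(4096))   # ~7.8 bits/byte
    return stub + payload + bytes(1024)                        # tail: 0 bits/byte


if __name__ == "__main__":
    print(packed_verdict(build_sample()))
```

An entropy check alone is a heuristic, not a verdict: legitimately compressed resources and installers also score high, which is why it is combined with sandboxing and behavioral analysis rather than used on its own.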
4. Why do mobile phones need to be protected? – Question asked by Waran
A large part of the mobile phone market is currently made up of smartphones – high-end phones running a fully-fledged operating system and supporting the installation of third-party applications. Just like desktop PCs, laptops or netbooks, these smartphones can be successfully exploited by malware, either via vulnerabilities in the operating system or through the installation of an infected application such as a game or a rogue media player.
While some of these malicious applications harvest contact details and login credentials used in mobile browsing sessions, others can actually leave you in debt. One of the most important e-threats on the mobile market is the dialer Trojan, a piece of malware that had its heyday in the dial-up internet era and is now making a comeback on mobile handsets. These dialers can stealthily call premium-rate numbers and add the charges to your bill. Leaving your smartphone unprotected can be similar to writing a blank check to cyber-criminals.