Security Researcher: Rootkits Common for Spyware

by Michael Hall

A security researcher says rootkits are finding the most use among spyware authors out to hide their programs from wary users.

The chief researcher at F-Secure says the most common rootkit his company's software is turning up serves to keep users from uninstalling obnoxious spyware.

In a weblog entry from yesterday, F-Secure's Chief Researcher, Mikko Hyppönen, said the most common rootkit his company's BlackLight technology has exposed is installed by Apropos spyware, which plagues users with popup windows.

"The reason for Apropos to use rootkit techniques is very different from your average worm or bot," Hyppönen noted. "Usually rootkit malware tries to avoid detection. Apropos, on the other hand, shows the user pop-ups 'ad nauseam'. Therefore, the motive of Apropos is not to use rootkits for hiding itself. The very advanced rootkit functionality in Apropos is designed to prevent uninstallation and removal."

Although rootkits can be far more subtle than this, Hyppönen said most malware authors are content merely to use rootkit technology to hide running processes from users, relying on the natural clutter of the "System32" folder to conceal files that don't belong on a Microsoft Windows system.

Hyppönen also noted that while Sony/BMG's recent snafu distributing DRM software on music CDs might have gained a lot of attention, its rootkit has not turned up in very many BlackLight reports.

"One might say that the Sony BMG DRM has to be the most common rootkit, because it was shipped on a huge number of music CDs. This would be a logical assumption, but we have not received that many reports of BlackLight finding this particular rootkit," he wrote.

This article was originally published on Friday Dec 9th 2005