Unreal Playground  

News Radio All the news that Radio sees fit to print!!!

03-30-2006, 06:05 PM   #1
radio667

Hackers Inject Rootkits into Latest Bagle Mutants

from .......... Malicious hackers have fitted rootkit features into the newest mutants of the Bagle worm, adding a stealthy new danger to an already virulent threat.

According to virus hunters at F-Secure, of Helsinki, Finland, the latest Bagle.GE variant loads a kernel-mode driver to hide the processes and registry keys of itself and other Bagle-related malware from security scanners.

The use of offensive rootkits in existing virus threats signals an aggressive push by attackers to get around existing anti-virus software and maintain a persistent and undetectable presence on infected machines.

Rootkits are typically used by attackers to open a backdoor into Windows systems, collect information on other systems on the network and mask the fact that the system is compromised.

In the case of the Bagle.GE rootkit, F-Secure researcher Jarkko Turkulainen said the rootkit successfully hides processes, files and directories, registry keys and values and contains code that will prevent certain security related processes and kernel-mode modules from running.

It also contains commands to disable security software and delete security-related files whenever they are opened. The Bagle threat started as a simple e-mail executable in 2004 but has grown and evolved over the years to become one of the most active threats against PC users. Security researchers estimate that the numerous Bagle variants have infected more computers than any other virus group.

The Bagle authors have used the worm to seed and control botnets for use in spam runs and distributed denial-of-service attacks.

The different variants maintain a complex network of infected machines and are typically used to help newer versions spread and avoid detection.

Panda Software, an Internet security company with headquarters in Spain, said it has discovered at least three new Bagle worm variants with rootkit functions and warned that it is "highly probably" that new specimens will emerge in the near future.

Luis Corrons, director of the company's PandaLabs research unit, said rootkit features are easy to fit into existing worm and virus code.

"Generating and selling rootkits have become a real business model. Due to their capacity to slip past traditional security solutions and their versatility to hide on the system and carry out all types of malicious actions, rootkits have become an opportune tool for cyber-criminals looking to earn them high profits," Corrons said.

F-Secure also found evidence of a rootkit in Gurong.A, a new worm that is based on the Mydoom code.

Both Mydoom and Bagle are considered "heavy hitters" in the world of malware research. Like the Bagle rootkit, Gurong.A hides processes, files and launch points whenever the worm is active. It is also able to modify kernel-mode process structures to hide any process it specifies.

Gurong.A uses a range of social engineering tricks to propagate via e-mail and also spreads through shared folders in the Kazaa peer-to-peer application.

According to statistics from Microsoft's anti-malware engineering team, more than 20 percent of all malicious code removed from Windows XP SP2 (Service Pack 2) systems is stealth rootkits.

The rootkits found by Microsoft's malicious software removal tool include FU, an open-source rootkit popular among spyware writers.

In addition to FU, the WinNT/Ispro family of kernel-mode rootkits has been found and removed from Windows machines.
03-30-2006, 06:15 PM   #2
Spiffness

lol..

I read 'Hackers inject rootkits into latest bagel mutants'

Holy crap! Bagel mutants! NO WAY!

*sigh*
03-30-2006, 06:21 PM   #3
archibald649

XP Service pack 2 fries your computer anyway. Adding more malware to it just adds more spices.
03-30-2006, 06:41 PM   #4
n3m35i5

Quote:
Originally Posted by Spiffness
lol..

I read 'Hackers inject rootkits into latest bagel mutants'

Holy crap! Bagel mutants! NO WAY!

*sigh*
I thought it was "beagle mutants," like some kind of hacking Underdog. "hey, there's a way to beat that electric collar!"
03-30-2006, 10:03 PM   #5
Lunarbunny

Quote:
Originally Posted by Spiffness
lol..

I read 'Hackers inject rootkits into latest bagel mutants'

Holy crap! Bagel mutants! NO WAY!

*sigh*
I'm sure you'll have a lot of fun removing this stuff.