Posted by admin on Sep 29, 2011
In an attack on a scale similar to Code Red and Nimda, hackers created a worm dubbed Lovsan, or Blaster, which took advantage of the recent Microsoft RPC/DCOM buffer overflow [SecurityFocus02]. Lovsan is reported to have infected more than 250,000 computers in a matter of days.
Posted by admin on Sep 25, 2011
Vanquish and HE4Hook are older and more widely known precompiled kernel-mode rootkits. Newer development and open discussions have been taking place online to improve these and other kernel-mode rootkits. A basic kernel-mode rootkit is available in source code and has been steadily improved by a talented group of contributors.
Posted by admin on Sep 21, 2011
Hacker Defender is one of the more successful and widely available second-generation rootkits. Kernel-mode rootkits are the third generation of rootkits, and as their name indicates, they operate in kernel mode. These rootkits take the library rootkit approach one deadly step further.
Posted by admin on Sep 17, 2011
The first generation of Windows rootkits are called file system rootkits. These original rootkits were essentially Trojan replacements for applications such as "netstat" and "dir." By replacing "dir," a hacker could control the "dir" application's output (for example, setting it to not display certain files).
Posted by admin on Sep 13, 2011
Earlier, less-stealthy versions of rootkits have been used over the past several years to compromise systems. Worms such as the TK Worm have even been found to install rootkits as part of their infection. This type of worm allows the infected system to be used in DoS attacks and to host warez servers.
Posted by admin on Sep 9, 2011
The war between computer users and hackers has been constant. As most computer forensics investigators know, even the most secure facility can be compromised. Firewalls, intrusion detection, and other perimeter security solutions rely on known signatures and clipping levels to detect malicious code, but it is easy for hackers to alter and recompile their exploits to get past these defenses.