When we recently got hold of a new “trick” to load a driver while bypassing HIPS and security programs that block SYS drivers as they are loaded, we thought we’d give it a go…
While there is a bit of discussion whether this is actually a new mutation or the famous rustock.b rootkit, it looks more like a zlob variant.
Whatever the nomenclature, this piece of malware is very sophisticated in the way it infects your system and also in the way it works.
First of all, it bypasses HIPS and other security programs by using a little-known trick that exploits loose security settings on a system-wide cache of internal Windows objects (KnownDlls). This enables the driver to be installed silently.
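As an added defender-side check (example script, not part of the original post or of TrustDefender’s product), the following PowerShell enumerates the DLL names Windows uses to populate its KnownDLLs cache from the Session Manager registry key, resolves each against the System32 directory named by that key, and flags entries that are missing, duplicated, or fail Authenticode signature validation. The registry path and the `Get-AuthenticodeSignature` cmdlet are real; the report format and the assumption that every cached DLL should be a validly signed file in System32 are this example’s own.

```powershell
# Added example: audit the KnownDLLs list that feeds the system-wide object cache.
# Assumption: on a healthy system every entry resolves to a validly signed DLL in System32.

$keyPath = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\KnownDLLs'
$key     = Get-ItemProperty -Path $keyPath

# DllDirectory holds the folder the loader takes known DLLs from (normally %SystemRoot%\System32).
$dllDir = [Environment]::ExpandEnvironmentVariables($key.DllDirectory)

# Every other value in the key is "<name> = <file.dll>".
$entries = $key.PSObject.Properties |
    Where-Object { $_.Name -notin @('DllDirectory','PSPath','PSParentPath','PSChildName','PSDrive','PSProvider') }

$seen     = @{}
$findings = foreach ($entry in $entries) {
    $file = Join-Path $dllDir $entry.Value
    $status = 'OK'

    if ($seen.ContainsKey($entry.Value.ToLower())) {
        $status = 'DUPLICATE'          # two registry names pointing at the same DLL is unusual
    }
    $seen[$entry.Value.ToLower()] = $true

    if (-not (Test-Path -LiteralPath $file)) {
        $status = 'MISSING'            # cache entry with no backing file in System32
    }
    else {
        $sig = Get-AuthenticodeSignature -FilePath $file
        if ($sig.Status -ne 'Valid') {
            $status = "UNSIGNED($($sig.Status))"   # replaced or tampered DLL
        }
    }

    [pscustomobject]@{
        Name   = $entry.Name
        Dll    = $entry.Value
        Path   = $file
        Status = $status
    }
}

# Print everything, then summarise what needs attention.
$findings | Sort-Object Status, Dll | Format-Table -AutoSize
$bad = $findings | Where-Object { $_.Status -ne 'OK' }
if ($bad) {
    Write-Warning ("{0} KnownDLLs entr(y/ies) need review" -f $bad.Count)
} else {
    Write-Host "All KnownDLLs entries resolve to validly signed files in $dllDir"
}
```

Note that this audits the registry-backed list, not the live `\KnownDlls` object directory itself; comparing the two (for instance with WinObj or a native-API enumeration) is the complementary check when a loader-redirection trick like the one described here is suspected.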
Secondly, this rootkit resides solely in kernel space and has no user-mode component at all. It hooks into your Google search and, while you think you are getting the search results, this rootkit controls the session and gives you content that you definitely don’t want to see… Pretty scary stuff, as nobody would realize that the Google search page is infected!!!
But see for yourself… Simply click on the screenshot below or click here to start the video.
P.S. you’ll also see how TrustDefender’s Kernel Forensics Engine will pick this up and how financial institutions can protect their customers _before_ anything bad happens…
Good post.