Microsoft: Stealth Rootkits Are Bombarding XP SP2 Boxes

Posted by bink on December 7 2005, 10:53 PM. Posted in Windows Defender.

More than 20 percent of all malware removed from Windows XP SP2 (Service Pack 2) systems are stealth rootkits, according to senior official in Microsoft Corp.'s security unit.

Jason Garms, architect and group program manager in Microsoft's Anti-Malware Technology Team, said the open-source FU rootkit ranks high on the list of malicious software programs deleted by the free Windows worm zapping utility.

"I can tell you that FU is the fifth most removed piece of malware. We're finding the FU rootkit in many different versions of Rbot," Garms said, referring to the IRC controlled backdoor used to illegally infect Windows PCs with spyware.

In addition to the FU rootkit, Garms said the WinNT/Ispro family of kernel mode rootkits features in the top-five list every month.

WinNT/Ispro, like FU, is often bundled with illegally installed spyware to allow an attacker to modify certain files and registry keys to avoid detection on an infected machine.

"Hacker Defender," another rootkit program that is available for sale on the Internet, has also been detected and deleted regularly.

Garms shared statistics culled from the worm cleansing tool in an interview with Ziff Davis Internet News and warned that the high rate of rootkit infections confirm fears that virus writers are using the most sophisticated techniques to hide malicious programs.

Continue At Source