Apart from Rootkits modifying and hiding; files, registries, processes.. from detection software, some often typically modify memory. Anti-rootkit tools inspect memory areas in attempts to identify modifications and flag.
A particular rootkit also modifies a memory location to prevent actual disk access by detection software. This technique is not new, however it is the first found in the Wild and being adopted by Malware authors.
“.. a new rootkit appeared that at first glance seemed more similar to initial variants of TDL3 than to the updated TDL4 variants we have seen this year. Like TDL3, it also parasitically infected a driver by inserting code in the resource directory of the PE file. In this case the name of the file it infected was hard-coded to volsnap.sys. Also similar to the early variants of TDL3, this rootkit also hooked some pointers in the dispatch table (IRP hook) of the driver below disk on the device stack of the hard disk.
But it was very interesting to see some of the anti-rootkit tools not showing the dispatch table hooks that are usually pretty straightforward to identify. Also this malware would not allow an external debugger (WinDbg) to break.
The reason for hooks not being reported was that the memory being read by the tools was not the actual memory ..”
“Memory Forging Attempt by a Rootkit”
Rachit Mathur, McAfee Blog Center, 21 April 2011
http://blogs.mcafee.com/mcafee-labs/memory-forging-attempt-by-a-rootkit – last access 8 June 2011 – ( Full Article )
Interesting publication of a paper at the IEEE Symposium on Security and Privacy 2011 (California). The research (involving 15 authors) investigated purchasing spam products and amongst other things, focused on tracing the payments.
” .. The paper performs holistic analysis that quantifies the full set of resources employed to monetize spam email—including naming, hosting, payment and fulfillment—using extensive measurements of three months of diverse spam data, broad crawling of naming and hosting infrastructures, and over 100 purchases from spam-advertised sites. We relate these resources to the organizations who administer them and then use this data to characterize the relative prospects for defensive interventions at each link in the spam value chain. In particular, we provide the first strong evidence of payment bottlenecks in the spam value chain; 95% of spam-advertised pharmaceutical, replica and software products are monetized using merchant services from just a handful of banks ..
the so-called “spam value chain” involves; botnets, domain registration, name server provisioning, hosting services, and proxy services ..
spammers must also process orders, which requires “payment processing, merchant bank accounts, customer service, and fulfillment.” ..
95% of spam-advertised pharmaceutical, replica, and software products are monetized using merchant services from just a handful of banks ..
13 banks handling 95% of the 76 orders for which they received transaction information .. just three banks handled the majority of transactions: Azerigazbank in Azerbaijan, DnB NOR in Latvia (although the bank is headquartered in Norway), and St. Kitts-Nevis-Anguilla National Bank in the Caribbean ..
all software orders and 85% of pharmaceutical orders used the correct Visa “Merchant Category Code,” which identifies what’s been sold. “A key reason for this may be the substantial fines imposed by Visa on acquirers when miscoded merchant accounts are discovered ‘laundering’ high-risk goods,” ..
orders were fulfilled from 13 suppliers in four countries: the United States–Massachusetts, Utah, and Washington, all for herbal purchases, as well as West Virginia for pharmaceuticals–plus India, China, and New Zealand. Most pharmaceuticals came from India, while most herbal products came from the United States, likely due to weak regulations ..”
“3 Banks Service Majority Of Spam-Driven Sales”
Mathew J. Schwartz, InformationWeek 25 May 2011
http://www.informationweek.com/news/security/client/229625599 – last access 8 June 2011 – ( Full Article )
“Click Trajectories: End-to-End Analysis of the Spam Value Chain”
Kirill Levchenko et al., IEEE Symposium on Security and Privacy 2011, Oakland, California, 24 May 2011
http://cseweb.ucsd.edu/~savage/papers/Oakland11.pdf – last access 8 June 2011 – ( Full Journal )