A banking Trojan named KINS recently made headlines due to its similarities to past Trojans such as Zeus. However, RSA noted that it's the first commercially available bootkit, as opposed to the typical rootkit. What's the difference, and will that change have an effect on the evolution of malware and malware defense?
Ask the Expert
Have questions about enterprise threats for expert Nick Lewis? Send them via email today! (All questions are anonymous)
The KINS malware is a professional-grade banking Trojan that is quite similar to rootkits such as Zeus, SpyEye and Citadel. It has functionality for a modular architecture, requires minimal technical skill, spreads with exploit packs and infects the most current versions of Windows.
KINS has adopted many of the valuable traits of other malware to make itself more effective and capable of filling the spot of other popular malware that is not currently under active development or support. However, as RSA noted, KINS differs from these other malware attacks because it is a bootkit, not a rootkit. This means that the malware infects a system's volume boot record, which allows it to burrow further into a system than the standard malware that infects the master boot record.
In comparing the two, a rootkit is a collection of tools or programs that grant administrator-level access to a computer or computer network. A bootkit extends the functionality of a rootkit to infect the master boot record so that it can survive reboots and therefore become more difficult to remove. Many times antimalware tools just delete or quarantine a malicious file, but a malicious master boot record cannot just be deleted or moved without damaging the computer.
While KINS is significantly more sophisticated than other types of malware in that it includes almost all of the functionality needed for criminal attacks, it doesn't change the malware defenses needed to protect an organization from it. The mitigation tools for Zeus, SpyEye and Citadel -- such as desktop antimalware, network based antimalware and whitelisting -- should already be in place to defend against such malware, and they will also be effective against KINS.
This was first published in January 2014