Sana Security Inc. is warning of a highly evasive kernel-level rootkit paired with a data-stealing Trojan that survives a reboot and does not run as a separate process. The malware also harvests passwords already present on a machine, such as those saved in browsers, not just those entered after the PC is infected.
The Trojan and rootkit, which remain hidden from the operating system's task manager and evade antivirus detection, were discovered by the San Mateo, Calif.-based enterprise security software provider's Sana Labs team during an investigation into the new Alcra worm. As of Tuesday afternoon, only a handful of security companies had a way to detect the worm, the company reported.
"There are quite a few infection vectors for this rootkit," said Jeremy Pickett, security practices manager for Sana Security, in an e-mail exchange. "The rootkit currently is only being installed by malicious Web sites, though. Most of the websites that are installing this rootkit are Cracks/Warez/stolen software Web sites. (Some people may say people are getting what they deserve.)"
Because of the low detection rate, and because the rootkit-serving sites stay online until they are shut down, almost 40,000 usernames and passwords have been stolen since last Thursday, when the worm is believed to have been released. Forty percent of the stolen credentials were for social networking Web sites; another 10% were for travel sites, 9% for auction Web sites and 8% for banking sites. The remainder involve sundry sites from a wide variety of categories.
"This kernel-level rootkit was designed to stealth a Trojan that has frightening capabilities," according to Sana Security's advisory issued Tuesday. It also issued a warning on its blog earlier in the day.
The Alcra worm contacts various Web sites that, when visited, download the rootkit and Trojan. That malware then communicates with an unprotected Russian server that acts as a repository for stolen usernames and passwords. Sana's Pickett said the company's still not sure how the poorly coded worm propagates, but it's most likely through e-mail or network shares.
The malicious sites attempt to download spyware and adware in addition to the rootkit, which consists of two pieces: a device driver named zopenssld.sys and a 17KB DLL named zopenssl.dll packed with a variant of UPX. The rootkit code appears to hide both files wherever they reside, which typically is the System32 folder.
"Because zopenssl.dll registers itself as a Winlogon.exe extension and does not run as a process," the advisory states, "most users would never see it, and it can survive even in safe mode."
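A check a practitioner would want after reading the two paragraphs above, written for this page and not taken from Sana's advisory or tools: a PowerShell script that enumerates the Winlogon notification packages the advisory's "Winlogon.exe extension" refers to (the Winlogon\Notify key on XP/2003-era Windows; later versions dropped that mechanism), flags the two file names the advisory gives, and cross-checks each registered DLL and each driver service's image path against what the file-system API reports. The registry paths, the DLLName and ImagePath value names, and the loading of bare DLL names from System32 are standard Windows behaviour; the file names are the advisory's; the function name and the output shape are the example's own.

```powershell
# Added example, not Sana Security's code. Indicators are the two file names
# the advisory reports; everything else is standard Windows registry layout.
$iocNames  = @('zopenssl.dll', 'zopenssld.sys')
$notifyKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify'
$svcKey    = 'HKLM:\SYSTEM\CurrentControlSet\Services'

# Turn a registry image path into something Test-Path understands:
# strip the NT object-manager prefix, expand \SystemRoot\, and resolve
# bare or relative names from %SystemRoot% (System32 for Notify DLLs).
function Resolve-ImagePath([string]$p, [string]$base = $env:SystemRoot) {
    $p = $p -replace '^\\\?\?\\', ''
    $p = $p -replace '^\\SystemRoot\\', "$env:SystemRoot\"
    if (-not [System.IO.Path]::IsPathRooted($p)) { $p = Join-Path $base $p }
    return $p
}

$findings = @()

# 1. Winlogon notification packages: winlogon.exe loads every DLL named
#    here at boot, in normal and safe mode alike, so nothing shows up as a
#    separate process. A DLL that is registered but not visible on disk is
#    being hidden from user mode, whatever its name.
if (Test-Path $notifyKey) {
    foreach ($sub in Get-ChildItem $notifyKey) {
        $dll = (Get-ItemProperty $sub.PSPath).DLLName
        if (-not $dll) { continue }
        $path    = Resolve-ImagePath $dll (Join-Path $env:SystemRoot 'System32')
        $visible = Test-Path $path
        $known   = $iocNames -contains [System.IO.Path]::GetFileName($dll)
        if ($known -or -not $visible) {
            $findings += [pscustomobject]@{
                Source = "Winlogon\Notify\$($sub.PSChildName)"
                Image  = $path; VisibleOnDisk = $visible; KnownIOC = $known
            }
        }
    }
}

# 2. Kernel driver: a driver service keeps its ImagePath in the registry
#    even when its .sys file is hidden from directory listings.
foreach ($svc in Get-ChildItem $svcKey) {
    $img = (Get-ItemProperty $svc.PSPath -ErrorAction SilentlyContinue).ImagePath
    if (-not $img) { continue }
    if ($iocNames -contains [System.IO.Path]::GetFileName($img)) {
        $path = Resolve-ImagePath $img
        $findings += [pscustomobject]@{
            Source = "Services\$($svc.PSChildName)"
            Image  = $path; VisibleOnDisk = (Test-Path $path); KnownIOC = $true
        }
    }
}

if ($findings.Count -eq 0) {
    Write-Output 'No registered Winlogon DLL or driver matched the indicators.'
} else {
    $findings | Format-Table -AutoSize
}
```

Run it from an elevated prompt. A kernel-level rootkit can hide registry keys as well as files, so an empty result is not proof of a clean machine; a registered DLL or driver whose image is not visible on disk is the more telling signal, and it should be confirmed from offline media, where the rootkit's driver is not loaded.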
The rootkit and Trojan report to the Russian server whenever a user browses a Web site that requires authentication. The company noted that the foreign-based server is not secured, so anyone can view the stolen information. Its log files include bank account numbers, e-mail logins, insurance information, airline logins and passwords stored in browsers.
"The best way to avoid this type of threat is layered security--virtually none of the major signature companies can respond fast enough to these types of threats," Pickett said. "It is these types of threats that really illustrate the need for non-signature based, behavior based security software (and don't surf illegal websites, of course)."
Other mitigation suggestions include installing a proactive desktop product that can detect and remove malware in real time. For those interested, Sana offers a 30-day trial download of its latest client product, which it says should remove this malware.
Sana Security said it's contacted authorities, companies whose users it knows have been victimized, and the unidentified company hosting the collection site with a request to shut the site down.