Necurs rootkit – not new but spreading fast warns Microsoft

But its not new. Russian company Dr Web has been reporting Necurs as one of the most widely detected malware strains every month over the last few months; and in October it was the most frequent email-delivered trojan. It is, warns Microsoft, “mostly distributed by drive-by download. This means that you might be silently infected by Necurs when you visit websites that have been compromised by exploit kits such as Blackhole.” 

Back in October, Dr Web discussed an example attack – a scam email purporting to be from Amazon. “These messages,” explained, “prompt the recipient to download a license for Microsoft Windows; however, by clicking on the link, the user infects the system with two malicious programs simultaneously (Trojan.Necurs.97 and BackDoor.Andromeda.22).”

Once infected, the trojan spreads across the network by infecting removable drives and shared network resources. At a high level, warns Microsoft, “it enables further compromise by providing the functionality to download additional malware, hide its components, and stop security applications from functioning. In addition,” it adds, “Necurs contains backdoor functionality, allowing remote access and control of the infected computer. Necurs also monitors and filters network activity and has been observed to send spam and install rogue security software.”

Necurs includes a number of advanced features. For example, it contains its own troubleshooting/bug reporting module which reports back to the Necurs control server. “These records are used by the attacker to locate the buggy module efficiently and improve the malware code to make it more stable.” It also includes strong anti-security features. For example, “In order to bypass PatchGuard on 64-bit operating systems, a test-signing method is enabled for this purpose.” Furthermore, it is able to block a long list of AV products by a simple but efficient method: “modify the entry point of the executable image in memory and return an unsuccessful status.”

“To help mitigate such [rootkit] attacks, security professionals need to be turning their focus beyond traditional AV scanning – looking under the hood at the BIOS,” suggests Robert Thibadeau, chief scientist at Wave Systems. “NIST (National Institute of Standards and Technology) agrees, long espousing the need for measuring BIOS integrity for the early detection of such threats, pointing to the integral role that industry standard hardware plays.” Security, believes Wave, needs to be at the hardware level beneath the malware rather than just at the software level competing with the malware.

What’s Hot on Infosecurity Magazine?