- Rootkit detectors find hidden files, so Rustock.A uses an NTFS Alternate Data Stream (ADS) to hide its driver in the "\System32:18467" stream, a named stream attached to the System32 directory itself rather than to a file.
In addition, this ADS can't be enumerated by ADS-aware tools while the rootkit is resident, because the rootkit filters it out of the results.
- Some detectors check for the presence of system hooks by analyzing the native API
and scanning for hooked functions; however, Rustock.A does not directly hook any native API.
- Rootkit detectors also check the integrity of kernel structures such as the System Service Descriptor Table, but Rustock.A controls kernel functions by hooking the SYSENTER MSR (the system-call entry point) and the IRP dispatch routines of certain drivers, so those structures are left untouched. [2]
- Rootkit detectors try to detect hidden drivers, but Rustock.A removes its entries from many of the structures such tools walk, including the Service Control Manager database, the Object Manager namespace, and the kernel's loaded-module list, so that this enumeration fails.
- Last, but perhaps not least, the SYS driver is polymorphic: its code changes from sample to sample, which defeats signature-based detection of the driver image.
Moreover, the malware takes an active anti-detection stance: it scans the names of loaded programs for the following strings and changes its behavior when one is found, so that the tool never observes it:
- BlackLight
- Rootkitrevealer
- Rkdetector
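The directory-level ADS described above (a named stream hanging off \System32 rather than off a file) is the kind of thing a responder checks for by hand. The following is an added example, not code from the original page or from the Rustock samples: it lists every named stream on a set of directories and flags those whose first two bytes are the "MZ" signature of a PE image. The paths it inspects and the throw-away demo directory are assumptions; the stream name 18467 is taken from the page.

```powershell
# Added example (not the page's or the malware's code): enumerate named alternate
# data streams attached to directories and flag streams that start with a PE header.
# Assumptions: paths are Windows PowerShell 5.1 / PowerShell 7 defaults; the demo
# directory under $env:TEMP is constructed here and removed afterwards.

function Find-DirectoryStreams {
    param(
        [Parameter(Mandatory)][string[]]$Path
    )
    # Get-Content needs -Encoding Byte on Windows PowerShell and -AsByteStream on PowerShell 7.
    $byteArgs = if ($PSVersionTable.PSVersion.Major -ge 6) { @{ AsByteStream = $true } }
                else { @{ Encoding = 'Byte' } }

    foreach ($p in $Path) {
        if (-not (Test-Path -LiteralPath $p)) { continue }

        # -Stream * returns every stream on the item. A directory has no default
        # :$DATA stream, so anything listed here is a named ADS someone created.
        $streams = Get-Item -LiteralPath $p -Stream * -ErrorAction SilentlyContinue |
                   Where-Object { $_.Stream -ne ':$DATA' }

        foreach ($s in $streams) {
            # Peek at the first two bytes: 0x4D 0x5A ("MZ") is the DOS/PE header signature.
            $head = Get-Content -LiteralPath $p -Stream $s.Stream -TotalCount 2 `
                                -ErrorAction SilentlyContinue @byteArgs
            $looksLikePE = ($head.Count -eq 2 -and $head[0] -eq 0x4D -and $head[1] -eq 0x5A)

            [pscustomobject]@{
                Path        = $p
                Stream      = $s.Stream
                Length      = $s.Length
                LooksLikePE = $looksLikePE
            }
        }
    }
}

# Constructed demo: plant a stream named 18467 on a temporary directory (planting one on
# System32 would need admin rights and is not something to do on a production host).
$demo = Join-Path $env:TEMP ("ads-demo-" + [guid]::NewGuid())
New-Item -ItemType Directory -Path $demo | Out-Null
Set-Content -LiteralPath $demo -Stream '18467' -Value 'MZ-fake-driver-body' -NoNewline

# Inspect the demo directory alongside the real locations Rustock.A targets.
Find-DirectoryStreams -Path $demo, "$env:SystemRoot\System32", $env:SystemRoot |
    Format-Table -AutoSize

Remove-Item -LiteralPath $demo -Recurse -Force
```

On a clean host the demo row shows Stream 18467 with LooksLikePE set to True and the two real directories show nothing. The caveat is the one the page makes: with the rootkit resident, these calls go through the very code path it filters, so an empty result from the live system proves little. Run the same enumeration from an offline view (rescue media or the disk attached to a clean machine) and compare; `dir /r` in cmd.exe gives a second in-band listing that is cheap to cross-check against the PowerShell output.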