Greeting's

Well here you go :

Rootkit detectors can detect hidden processes, but Rustock.A has no process. The malicious code runs inside the driver and in kernel threads.
Everyone interested in Rootkits must read this :

- Rootkit detectors find hidden files, so Rustock.A uses NTFS Alternate Data Stream
to hide its driver into the "\System32:18467" ADS. In addition, this ADS can't be enumerated by ADS-aware tools since it is protected by the rootkit.
- Some detectors check for the presence of system hooks by analyzing native API
and scanning for hooked functions, however Rustock.A does not hook directly any native API.
- Rootkit detectors also check for the integrity of some kernel structures like the Service Descriptor Table, but Rustock.A controls kernel functions by hooking MSR_SYSENTER and other special IRP functions. [2]
- Rootkit detectors try to detect hidden drivers, but Rustock.A removes its entries from many kernel structures including the Services Control Manager, Object manager, and the loaded module list so that this enumeration fails.
- Last, but perhaps not least, the SYS driver is polymorphic and changes its code from sample to sample.
Moreover, the malware contains aggressive rootkit technologies because it scans for the following strings in loaded programs, and then changes its behavior to avoid any detection:
- BlackLight
- Rootkitrevealer
- Rkdetector
And best of all its Its Windows Vista compitable
All of the features that I have mentioned here make Backdoor.Rustock.A totally invisible on a compromised computer when installed. It even seems able to achieve all of its stealth functionality without any problems on a beta version of Microsoft Windows Vista (6.0.5270). We believe that Rustock.A is probably a Russian creature, and it contains the string "G:\bot-mailer\007spambot-01\driver\objfre", which leads us to believe that we'll undoubtedly see new versions of this malware. So, the bar is raised again.

Here you go :

http://www.symantec.com/enterprise/s...cka_advan.html