Next Gen Rootkits Arriving

The security arms race takes another leap this week with new, harder-to-detect rootkits appearing with malware.

 

Traditionally, rootkits were a Unix thing, and their purpose was to hide the fact that a system had been compromised from a vigilant administrator using regular tools such as ps or ls. Obviously, the potential for monetary gain for the perpetrators is higher if rootkits are used to compromise Windows systems. With specific rootkit detection tools becoming commonplace in the system administrator's armory, and all the major anti-spyware players checking for such activity, rootkits have evolved to do more than change a few binaries and cloak themselves out of process lists.

 

The latest generation of rootkits is using, amongst other things, some very advanced filesystem tricks to prevent detection. Most rootkits hook into system APIs so that they can make themselves invisible to standard process viewers like Task Manager. However, such API hooks can be detected by more sophisticated tools, so the new rootkits further avoid detection by leaving the APIs alone. This is backed up by more traditional techniques that further cloak the already hidden rootkit: multiple levels of invisibility - cunning! Worryingly, it is still rare to find just the one rootkit; there's usually none or a whole nest of them.

 

This new rootkit technology hails from Russia and is apparently available to anybody with a few hundred dollars to spare. It will result in more rootkits going undetected for longer, let alone fixed. Leading to more zombie (botnet) PCs, this could be bad news for all of us.

 

See more on Techworld.



    Copyright © 2005-2006 Altravision Teachology Inc. All rights reserved.