A new generation of spyware is borrowing techniques from rootkits, it has been revealed. Increasingly sophisticated spyware now employs rootkit-like features that let its authors hide their program files on Windows systems. Recent versions of Cool Web Search are a clear example: using stealth tactics, the software hides its configuration settings in the Windows registry and disguises its presence by storing its files in NTFS alternate data streams, where they do not appear in an ordinary directory listing.
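The alternate data stream (ADS) trick mentioned above is easy to check for from an administrator's console. The following PowerShell script is an added example, not code from the article, CA or Webroot: it walks a directory tree, lists every named stream other than the primary ":$DATA" stream, and demonstrates the technique on a constructed file in a temporary directory. It assumes PowerShell 3.0 or later and an NTFS volume (the stream cmdlets do not work on FAT or exFAT); the file and stream names in the demonstration are made up.

```powershell
# Added example: enumerate NTFS alternate data streams, the hiding place the
# article attributes to recent Cool Web Search samples. Requires PowerShell 3.0+
# and an NTFS volume. Names below are constructed for the demonstration.

function Find-AlternateDataStreams {
    param(
        [Parameter(Mandatory)] [string] $Path,
        # Zone.Identifier is the benign "downloaded from the Internet" marker that
        # browsers attach to files; it is noisy, so it is skipped by default.
        [string[]] $IgnoreStreams = @('Zone.Identifier')
    )
    Get-ChildItem -LiteralPath $Path -Recurse -File -Force -ErrorAction SilentlyContinue |
        ForEach-Object {
            # -Stream * returns every stream on the file; ':$DATA' is the normal content.
            Get-Item -LiteralPath $_.FullName -Stream * -ErrorAction SilentlyContinue |
                Where-Object { $_.Stream -ne ':$DATA' -and $_.Stream -notin $IgnoreStreams } |
                Select-Object FileName, Stream, Length
        }
}

# Constructed demonstration: plant a fake payload in an ADS on an innocuous file,
# show that a normal listing reports only the primary stream, then find it.
$demoDir = Join-Path $env:TEMP ('ads-demo-' + [guid]::NewGuid())
New-Item -ItemType Directory -Path $demoDir | Out-Null
$carrier = Join-Path $demoDir 'innocent.txt'
Set-Content -LiteralPath $carrier -Value 'nothing to see here'
Set-Content -LiteralPath $carrier -Stream 'payload.dll' -Value 'MZ... constructed fake payload ...'

# Get-ChildItem (and dir) only report the size of the primary stream.
Get-ChildItem -LiteralPath $carrier | Select-Object Name, Length

# The hidden stream is reported here, with its own length.
Find-AlternateDataStreams -Path $demoDir | Format-Table -AutoSize

# Clean-up: a stream can be removed on its own, leaving the carrier file intact.
Remove-Item -LiteralPath $carrier -Stream 'payload.dll'
Remove-Item -LiteralPath $demoDir -Recurse -Force
```

Run it against a user profile or the Windows directory rather than the temp folder to perform a real sweep, and expect a handful of legitimate hits (Zone.Identifier is filtered, but some installers and backup tools also use named streams). Sysinternals' streams.exe and "dir /r" in cmd.exe give the same information without scripting; none of these see streams on a volume that a kernel-level rootkit is actively filtering, which is the distinction the next paragraph draws.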
CA has retrieved samples of Cool Web Search from the Internet with the rootkit features built in, but says the features are not as sophisticated as those found in so-called kernel rootkits, which replace parts of the Windows kernel with their own code, allowing the rootkit to be almost completely invisible to users and to many detection tools, Thompson said.
"The stuff I've seen is probably homegrown, but most of this [rootkit] stuff is open source, so it's easy to borrow a bit from here and a bit from there," he said. Cool Web Search is a ubiquitous piece of malicious code and the most prevalent breed of spyware on the Internet, according to Webroot.