Security researchers at Sana Security Inc. are warning of a new type of malicious software designed to steal usernames and passwords from Web surfers. The malware, dubbed "rootkit.hearse," uses rootkit cloaking techniques, making it extremely difficult to detect. In order to steal information, however, the software must first be downloaded onto a user's system. This can be done by tricking the user into downloading the malicious code, or by infecting a computer with some other form of malware. Once installed, it sends the sensitive information to a server in Russia that appears to have been in operation since March 16, Sana said.

The software has two components: a Trojan horse application that communicates with the Russian server, and rootkit software that cloaks the malicious software from system tools and antivirus programs. Sana has observed the software being downloaded in conjunction with the Win32.Alcra worm. Rootkit.hearse uses the same kind of cloaking techniques made infamous by Sony BMG Music Entertainment's XCP (Extended Copy Protection) rootkit software, according to Sana Chief Technology Officer Vlad Gorelik.

This Trojan and rootkit was found during the investigation of an in-the-wild worm, named Win32.Alcra. This worm, if not stopped, attempted to contact various websites and download additional payloads. On one of these websites was the installer for this rootkit and Trojan. Once these components were silently installed on a machine, the Trojan invisibly starts communicating to yet another web server located in Russia. This web server acts as the repository for the stolen usernames and passwords.

One of the sites is still actively infecting machines. It attempts to download several pieces of Spyware, Adware, and Trojans, in addition to the rootkit. The rootkit has two pieces: the first piece is a device driver named 'zopenssld.sys', and a DLL named 'zopenssl.dll'. The device driver appears to cloak any file named 'zopenssld.sys' or 'zopenssl.dll' regardless of where they reside, though the malicious versions are located in the System32 folder.

While the DLL was invisible on the file system, it is visible as an injected DLL in many running processes. Since zopenssl.dll registers itself as a Winlogon.exe extension and does not run as a process, most users would never see it, and it can survive even in safe mode.

The Trojan appears not to be active at all times, but it does wake up and start communicating when it sees a user browsing to a website that requires authentication. To view it in action, a virtual machine was infected with the rootkit and Trojan, and then the user browsed to http://bankofamerica.com, and entered a fake username and password. All of the network traffic was recorded, and after ending the web browser session, the Trojan communication became apparent.