A rootkit named "Necurs" infected 83,427 unique machines during the month of November 2012. It is a multi-purpose rootkit capable of posing a threat to both 32-bit and 64-bit Windows systems. It is distributed via drive-by download on websites that host the BlackHole exploit kit.
Like other rootkits, it is able to hide itself from detection and is also capable of downloading additional malware from outside. Attackers can maintain remote access to a machine this way in order to monitor activity, send spam or install scareware.

The rootkit also stops security applications from functioning, which prevents detection. Microsoft lists this as Trojan:Win32/Necurs.

Trojan:Win32/Necurs is a family of malware that work together to download additional malware and enable backdoor access and control of your computer. The malware can be installed on its own or alongside rogue security software, such as Rogue:Win32/Winwebsec.

The malware downloads itself into the folder "%windir%\Installer\", where is a unique number that identifies your computer, for example "%windir%\Installer\{df3d9e18-342c-8c07-8dab-13e76d8b4322}".

Moreover, some variants of Trojan:Win32/Necurs can inject code into all running processes. The injected code is known as a "dead byte"; certain system processes will cause your computer to restart if they are injected with this code.

Strong anti-security features are provided by the Necurs driver. The driver has a very clear goal: protecting every Necurs component from being removed.

This example shows that malicious software is growing more sophisticated and is starting to include various components that serve individual purposes. These threats may target various versions of operating systems or even different software platforms.
