Symantec announced a few days ago the discovery of a new Trojan horse whose main purpose is to send spam. It uses Windows kernel libraries to accomplish its mission.
“It’s calling the kernel libraries it needs,” said Dave Cole of Symantec.
“Srizbi seems to move a step forward by working totally in kernel-mode without the need to inject anything into user-mode. To manipulate the network connection directly in kernel-mode, it attaches NDIS and TCP/IP drivers and gets all the Ndis* and Zw* functions that it needs. This technique also allows the Trojan to bypass firewall and sniffer tools, and to hide all its network activities,” wrote Kaoru Hayashi of Symantec in a blog entry. According to the Computerworld article, this means that only advanced security tools will be able to detect this new Trojan horse.