Today, malware authors are making use of increasingly complex rootkits, which makes their malware harder for AV scanners to detect. A programmer known as tibbar claims to have developed a kernel-mode IRC bot using the kernel-mode socket library recently released by Valerino.
I have used this library to create what I believe is the world’s first kernel mode ircbot. It’s extremely basic in its current form and will just join a channel plus respond to its name. But it is a framework that can be built upon and you could in theory write an extremely complex ircbot in this fashion.
This is a heads-up: we may see this kind of malware in the near future. We recently saw the authors of Bagle incorporate a rootkit into their malware, and now IRC bots may be going kernel mode as well. The team will be on the lookout for malware that uses the technique described above. For now, just keep your pattern files up to date. =)
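One thing a kernel-mode bot cannot hide is its traffic: it may evade a host-based scanner, but it still has to speak IRC on the wire. As an added illustration (this is not tibbar's bot or Valerino's library, and it is user-mode Python rather than kernel code), the block below parses IRC lines from a reassembled TCP stream and flags the two behaviours the post describes, a client joining a channel and then answering whenever it is addressed by its own nick. The traffic, the nick `kbot2817`, the channel `#ctrl` and the server name are all constructed for the example.

```python
"""Added example, not code from the original post: flag IRC-bot-like
behaviour (join a channel, answer when addressed by nick) in a
direction-tagged, reassembled TCP stream.  All traffic is constructed."""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple

# Constructed sample: ("C", ...) is client->server, ("S", ...) is server->client.
SAMPLE_STREAM = [
    ("C", "NICK kbot2817"),
    ("C", "USER kbot 0 * :kbot"),
    ("S", ":irc.example.net 001 kbot2817 :Welcome"),
    ("C", "JOIN #ctrl"),
    ("S", ":kbot2817!kbot@10.0.0.5 JOIN :#ctrl"),
    ("S", ":op!op@host PRIVMSG #ctrl :kbot2817 status"),
    ("C", "PRIVMSG #ctrl :kbot2817 here"),
    ("S", "PING :irc.example.net"),
    ("C", "PONG :irc.example.net"),
]

# RFC 1459 message shape: [":" prefix SPACE] command [SPACE params]
IRC_MSG = re.compile(r"^(?::(?P<prefix>\S+) )?(?P<cmd>\S+)(?: (?P<params>.*))?$")


def parse_irc(line: str):
    """Split one IRC line into (prefix, COMMAND, middle args, trailing arg)."""
    m = IRC_MSG.match(line.rstrip("\r\n"))
    if not m:
        return None
    params = m.group("params") or ""
    if params.startswith(":"):            # only a trailing argument
        args, trailing = [], params[1:]
    elif " :" in params:                  # middle args then a trailing argument
        head, trailing = params.split(" :", 1)
        args = head.split()
    else:                                 # middle args only
        args, trailing = params.split(), None
    return m.group("prefix"), m.group("cmd").upper(), args, trailing


@dataclass
class BotTracker:
    """Tracks one client connection and records bot-like behaviour."""
    nick: Optional[str] = None
    channels: Set[str] = field(default_factory=set)
    addressed_in: Optional[str] = None    # channel where the nick was just mentioned
    findings: List[str] = field(default_factory=list)

    def feed(self, direction: str, line: str) -> None:
        parsed = parse_irc(line)
        if parsed is None:
            return
        _prefix, cmd, args, trailing = parsed
        if direction == "C":
            if cmd == "NICK" and args:
                self.nick = args[0]
            elif cmd == "JOIN" and args:
                for chan in args[0].split(","):
                    self.channels.add(chan)
                    self.findings.append(f"client joined {chan}")
            elif cmd == "PRIVMSG" and args and args[0] == self.addressed_in:
                # The client spoke in the channel right after being named there.
                self.findings.append(
                    f"client answered when addressed as {self.nick} in {args[0]}")
                self.addressed_in = None
        else:  # server -> client: does a channel message name our nick?
            if (cmd == "PRIVMSG" and args and args[0] in self.channels
                    and self.nick and trailing
                    and re.search(rf"\b{re.escape(self.nick)}\b", trailing)):
                self.addressed_in = args[0]


def analyze(stream: List[Tuple[str, str]]) -> List[str]:
    """Run the tracker over a direction-tagged stream and return its findings."""
    tracker = BotTracker()
    for direction, line in stream:
        tracker.feed(direction, line)
    return tracker.findings


if __name__ == "__main__":
    for finding in analyze(SAMPLE_STREAM):
        print(finding)
```

The parser handles the RFC 1459 prefix/command/params layout including trailing arguments, so it also copes with PING/PONG and the server's echoed JOIN without misfiring. The two findings are deliberately narrow heuristics; on real traffic you would feed it per-connection streams from a flow reassembler and combine them with other signals, since legitimate IRC clients join channels too.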