F-Secure reported on the Mailbot family, whose members use hidden streams to hide themselves. Let’s take Mailbot.AZ (aka Rustock.A) as an example. Mailbot.AZ is a kernel-mode rootkit that modifies the kernel to hide its presence on the compromised system. It contains an encrypted payload that will be executed in the context of a process named “services.exe”. The payload is