Hi. After a while of advanced work on new things running on Vista and Longhorn, and reading different articles, something got my attention: a blog post by Fernando Cima from Microsoft Brazil's Security Center of Excellence about a Trojan that acts in kernel mode (http://blogs.technet.com/fcima/archive/2007/07/07/trojan-srizbi-o-primeiro-trojan-totalmente-em-modo-kernel.aspx; it is in Portuguese 🙂).
After a bit of investigation in this area, and of course reading the news on http://www.rootkit.com, I found several security reports about "Full-Kernel Malware Installed by MPack".
You might say: what, spam from the kernel?
Yes. The answer comes from the antivirus companies: the never-ending game of hide-and-seek between the antivirus industry and rootkits has begun a new chapter.
Recently a security lab discovered a new rootkit sample in the wild that is very unusual given the techniques it uses. It was named Backdoor.Rustock.A, and because of its special characteristics it can be considered the first born of the next generation of rootkits. Rustock.A mixes old techniques with new ideas that, when combined, make malware stealthy enough to remain undetected by many commonly used rootkit detectors (such as RootkitRevealer, BlackLight and IceSword). A lot of security people consider it an advanced example of "stealth by design" malicious code. Which brings us to the report itself:
Full-Kernel Malware Installed by MPack
In the past few weeks many Web sites have been compromised to distribute browser exploits with the MPack kit. The Symantec team has tracked many different MPack sources created with the intent of distributing different types of malicious code. So far they have seen the following malware samples installed while surfing sites compromised by MPack:
Trojan.Anserin – a Trojan that steals banking-related information
Trojan.Linkoptimizer.B – a dialer Trojan
Backdoor.IRC.Bot – an IRC bot
Infostealer.Ldpinch – a Trojan that steals account and password information
Trojan.Srizbi – a spam Trojan
These Trojans are already in malware databases, but one discovered recently, Trojan.Srizbi, is really interesting for some unique features. The Trojan.Srizbi driver (windbg48.sys) has two main functions: it hides itself with rootkit techniques and it sends spam. What makes it really unique is that it is probably the first full-kernel malware spotted in the wild.
Once installed, the Trojan works without any user-mode payload and does everything from kernel mode, including sending spam. The rootkit code itself is not new: the malicious driver attaches itself to \FileSystem\Ntfs as a filter, so it can hide files on the local disk, and it patches the system service table (the SSDT) to hide registry keys, the same way older rootkits did. The Trojan also attempts to delete the %System%\Minidump log files (the crash dumps Windows writes after a kernel crash) and includes a special routine to uninstall competitor rootkits such as "wincom32.sys" and "ntio256.sys".
The most interesting code is the spam routine. Using the network directly from kernel mode is much more complicated, and the rootkit threats seen in the past (for example Haxdoor, Rustock and Peacomm) always carried a user-mode payload that gets injected into some Windows process. Trojan.Srizbi moves a step forward by working totally in kernel mode, without needing to inject anything into user mode. To drive the network connection directly from kernel mode it attaches to the NDIS and TCP/IP drivers and resolves all the Ndis* and Zw* functions it needs, which is unique to this threat. Sitting that low in the stack also lets the Trojan bypass host-based firewall and sniffer tools and hide all of its network activity, so its traffic (outbound SMTP, since it is sending spam) is best looked for from outside the infected host, at an egress firewall or a span port.
The Symantec team reports that the Trojan downloads a zip file from the srihopa.biz domain containing the following configuration files for spam:
000_data2 (mail server domains)
001_ncommall (list of names)
002_senderna (list of possible sender names)
003_sendersu (list of possible sender surnames)
config (main spam configuration file)
message (HTML message to spam)
mlist (recipients mail addresses)
mxdata (MX record data)
This sample is still in a "beta" stage and is not finished yet, but users can still find evidence of the infection by searching for the following registry entry (which is not hidden):
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RcpApi\"MachineNum" = "[SIX RANDOM DIGITS-SIX RANDOM DIGITS-TWO RANDOM DIGITS]"
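To turn the indicators above into a quick host triage, here is an added example: my own script, not part of the original post or of the Symantec report. It assumes a current PowerShell on the suspect Windows host, and it takes the service name RcpApi, the MachineNum value layout and the three driver file names from the text above; the function and variable names are mine.

```powershell
# Added example (not from the original post or Symantec's report): triage a
# host for the Trojan.Srizbi indicators described above. The service name
# "RcpApi", the MachineNum layout NNNNNN-NNNNNN-NN and the driver file names
# come from the post; everything else here is an assumption of this script.
$ServiceKey  = 'HKLM:\SYSTEM\CurrentControlSet\Services\RcpApi'
$MachinePat  = '^\d{6}-\d{6}-\d{2}$'
$DriverNames = @('windbg48.sys', 'wincom32.sys', 'ntio256.sys')
$DriverDir   = Join-Path $env:SystemRoot 'System32\drivers'

function Test-SrizbiMachineNum {
    # The post says this value is NOT hidden by the rootkit, so it is the one
    # indicator that can be trusted while the driver is running.
    if (-not (Test-Path $ServiceKey)) { return $null }
    $props = Get-ItemProperty -Path $ServiceKey -ErrorAction SilentlyContinue
    if ($null -eq $props -or $null -eq $props.MachineNum) { return $null }
    [pscustomobject]@{
        Value   = $props.MachineNum
        Matches = [bool]($props.MachineNum -match $MachinePat)
    }
}

function Find-SrizbiDriverReferences {
    # Look for the Srizbi driver, and the competitor drivers it uninstalls, in
    # any service's ImagePath. The SSDT hook can hide registry keys, so an
    # empty result on a live system is not proof of absence.
    Get-ChildItem 'HKLM:\SYSTEM\CurrentControlSet\Services' -ErrorAction SilentlyContinue |
        ForEach-Object {
            $ip = (Get-ItemProperty $_.PSPath -Name ImagePath -ErrorAction SilentlyContinue).ImagePath
            if ($ip) {
                foreach ($name in $DriverNames) {
                    if ($ip -match [regex]::Escape($name)) {
                        [pscustomobject]@{ Service = $_.PSChildName; Driver = $name; ImagePath = $ip }
                    }
                }
            }
        }
}

function Find-SrizbiDriverFiles {
    # The NTFS filter hides the file on a live system. Point -Root at the
    # drivers directory of an offline disk (clean boot media) to trust a negative.
    param([string]$Root = $DriverDir)
    foreach ($name in $DriverNames) {
        $p = Join-Path $Root $name
        if (Test-Path -LiteralPath $p) { Get-Item -LiteralPath $p }
    }
}

$mn = Test-SrizbiMachineNum
if ($mn) {
    Write-Output ('RcpApi\MachineNum present: {0} (format matches: {1})' -f $mn.Value, $mn.Matches)
} else {
    Write-Output 'RcpApi\MachineNum not present'
}
Find-SrizbiDriverReferences | Format-Table -AutoSize
Find-SrizbiDriverFiles | Format-Table Name, Length, LastWriteTime -AutoSize
```

Read the results with the rootkit's own tricks in mind: the registry value is the only indicator the post says is visible on an infected, running system, while the file check and the service scan can both come back empty because of the NTFS filter and the SSDT hook. A negative from those two only means something when the script is run from a clean boot environment against the mounted disk (via -Root) or a registry hive loaded offline.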
So, be up to date and stay safe.