
Thread: Malicious Device Drivers

  1. #11
    Greetings

    Well here you go :

    Rootkit detectors can detect hidden processes, but Rustock.A has no process. The malicious code runs inside the driver and in kernel threads.
    Everyone interested in Rootkits must read this :

    - Rootkit detectors find hidden files, so Rustock.A uses NTFS Alternate Data Stream to hide its driver into the "\System32:18467" ADS. In addition, this ADS can't be enumerated by ADS-aware tools since it is protected by the rootkit.
    - Some detectors check for the presence of system hooks by analyzing native API and scanning for hooked functions, however Rustock.A does not hook directly any native API.
    - Rootkit detectors also check for the integrity of some kernel structures like the Service Descriptor Table, but Rustock.A controls kernel functions by hooking MSR_SYSENTER and other special IRP functions. [2]
    - Rootkit detectors try to detect hidden drivers, but Rustock.A removes its entries from many kernel structures including the Services Control Manager, Object manager, and the loaded module list so that this enumeration fails.
    - Last, but perhaps not least, the SYS driver is polymorphic and changes its code from sample to sample.
    Moreover, the malware contains aggressive rootkit technologies because it scans for the following strings in loaded programs, and then changes its behavior to avoid any detection:
    - BlackLight
    - Rootkitrevealer
    - Rkdetector
    And best of all, it is Windows Vista compatible.
    All of the features that I have mentioned here make Backdoor.Rustock.A totally invisible on a compromised computer when installed. It even seems able to achieve all of its stealth functionality without any problems on a beta version of Microsoft Windows Vista (6.0.5270). We believe that Rustock.A is probably a Russian creature, and it contains the string "G:\bot-mailer\007spambot-01\driver\objfre", which leads us to believe that we'll undoubtedly see new versions of this malware. So, the bar is raised again.

    Here you go :

    http://www.symantec.com/enterprise/s...cka_advan.html
    Parth Maniar,
    CISSP, CISM, CISA, SSCP

    *Thank you GOD*

    Greater the Difficulty, SWEETER the Victory.

    Believe in yourself.

  2. #12
    Senior Member nihil's Avatar
    Join Date
    Jul 2003
    Location
    United Kingdom: Bridlington
    Posts
    17,188
    OK,

    Interesting post there Byte~ . I remember playing with the ADS vulnerability (?) some five or six years ago when it came out as a POC. I was kinda waiting for something like this.

    I still think that the driver issue is getting people to d/l it in the first instance? like if I have modern kit and it runs on Windows, then the PC supplier or device supplier will have a driver, if it is not in Windows driver files already?

    AFAIK this is an NTFS thing so will not affect any OS apart from Windows?

    So, it looks to me as something that might be aimed at Vista itself. Like I have old kit and update the OS and there is no driver, so I get a dodgy third party one?

    I really don't see it as a major potential vector at this time but it is certainly worth watching IMO.
  3. #13
    Senior Member
    Join Date
    May 2004
    Posts
    206
    The main problem I saw was that if a driver on something like a USB device, which installs automatically, was malicious.
    It is better to die on your feet than to live on your knees.

  4. #14
    Senior Member nihil's Avatar
    Join Date
    Jul 2003
    Location
    United Kingdom: Bridlington
    Posts
    17,188
    OK Jareds411

    The main problem I saw was that if a driver on something like a USB device, which installs automatically, was malicious.
    I see what you are saying, but all the USB stuff I have installed recently works with the native Windows XP drivers and all the CD has is drivers for legacy environments.

    There is also the question of how you would get the malware to actually ship with the hardware............. after all, hardware manufacturers don't like going out of business and malware authors are too insignificant to be major hardware manufacturers?

    I know that malware has been shipped with hardware in the past (Dell for example) but this has never been in significant quantities.

    I guess it is sort of "security through obscurity" but I would think that the diversity of hardware is such that it is not a very attractive vector to the malware boys?


  5. #15
    Master-Jedi-Pimps0r & Moderator thehorse13's Avatar
    Join Date
    Dec 2002
    Location
    Washington D.C. area
    Posts
    2,885
    All of the features that I have mentioned here make Backdoor.Rustock.A totally invisible on a compromised computer when installed.
    If Symantec knows about it, it sure as hell isn't invisible and my fear level of the threat goes waaaaay down.
    But seriously, it leaves footprints which are a dead giveaway that you're infected. This alone should tip you off that something is wrong:
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\pe386

    --TH13
    Our scars have the power to remind us that our past was real. -- Hannibal Lecter.
    Talent is God given. Be humble. Fame is man-given. Be grateful. Conceit is self-given. Be careful. -- John Wooden
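    The two footprints named in this thread (the "System32:18467" stream from the Symantec write-up in #11 and the pe386 service key in #15) can be checked offline with a small triage script. This is an added example, not code from the thread or from Symantec; it parses `dir /r` output and a list of service key names captured from a mounted image or recovery environment, since post #11 states the live rootkit hides the stream from ADS-aware tools. The `dir /r` line format and all sample data below are assumed/constructed.

```python
import re
from dataclasses import dataclass

# Named-stream line as printed by "dir /r" (format assumed: size, then name:stream:$DATA).
_STREAM_RE = re.compile(r"^\s*([\d,]+)\s+(.+?):([^:\\]+):\$DATA\s*$")

# Indicators quoted in the thread: the ADS from the Symantec write-up (#11)
# and the service key name from TH13's post (#15).
SUSPICIOUS_ADS = {("System32", "18467")}
SUSPICIOUS_SERVICES = {"pe386"}


@dataclass(frozen=True)
class Finding:
    kind: str
    detail: str


def find_named_streams(dir_r_output: str):
    """Return (host_name, stream_name, size) for every ADS line in `dir /r` text."""
    streams = []
    for line in dir_r_output.splitlines():
        m = _STREAM_RE.match(line)
        if m:
            size = int(m.group(1).replace(",", ""))
            streams.append((m.group(2), m.group(3), size))
    return streams


def assess(dir_r_output: str, service_names) -> list:
    """Flag the known Rustock.A stream, any other stream on System32, and the pe386 service."""
    findings = []
    for host, stream, size in find_named_streams(dir_r_output):
        if (host, stream) in SUSPICIOUS_ADS:
            findings.append(Finding("ads", f"{host}:{stream} ({size} bytes)"))
        elif host.lower() == "system32":
            findings.append(Finding("ads-unexpected", f"{host}:{stream}"))
    for svc in service_names:
        if svc.lower() in SUSPICIOUS_SERVICES:
            findings.append(Finding("service", svc))
    return findings


# Constructed sample of what "dir /r C:\Windows" and a service key listing
# could contain on an infected box; not real captured output.
SAMPLE_DIR_R = """\
 Directory of C:\\Windows

10/02/2006  09:12 AM    <DIR>          System32
                                18,944 System32:18467:$DATA
10/02/2006  09:12 AM            17,408 notepad.exe
"""
SAMPLE_SERVICES = ["Dhcp", "pe386", "Tcpip"]

if __name__ == "__main__":
    for f in assess(SAMPLE_DIR_R, SAMPLE_SERVICES):
        print(f.kind, f.detail)
```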
