In 2008, we wrote about Backdoor.Win32.Sinowal, a malicious program we believed to pose a serious threat, as it employed the most advanced, at the time, virus technologies. These included:
- Customized infection of visitors to compromised sites, achieved by exploiting a large number of varied vulnerabilities, including some zero-day vulnerabilities.
- The use of cutting edge rootkit technologies and boot virus methods in order to infect the MBR. Infecting the boot sector of disks was very popular when malicious programs first started appearing; old technologies are now enjoying a renaissance but are being taken to new heights. The problem is exacerbated by the fact that many recent antivirus solutions are simply not able to scan the MBR as it was believed that this infection routine was no longer a threat.
- The use of constantly migrating C&C and infection servers (the IP addresses and domain names are constantly modified.) Infected computers used a dedicated algorithm to create domain names in order to search for their C&C centers. The same technology was subsequently implemented in malicious programs belonging to the Kido (Conficker) family.
In the course of a year, the approaches and technologies detailed above have become “classic” and they are now implemented in a wide range of malicious programs. However, the creators of the bootkit have not been resting on their laurels and have continued to develop and implement these technologies in more sophisticated form.
As a result, the bootkit is the most sophisticated contemporary malicious program. It hides itself from security solutions and the vast majority of today’s antivirus programs are unable to detect it.
At the end of March 2009, Kaspersky Lab analysts detected that a new modification of the bootkit was being spread on the Internet. This article presents an analysis of how the bootkit functions and spreads.
The most significant changes to the bootkit are detailed below:
At the moment, the bootkit spreads via compromised sites, porn resources and pirate software sites. Nearly all the servers which are part of the infection process have a marked Russian stamp: they are part of so-called partner programs, where site owners work with the authors of malicious programs. Such “partner programs” are extremely popular in the Russian and Ukrainian cybercriminal worlds.
The mechanism used to create domain names for the site which hosts exploits can also be classed as a relatively new technology.
When the user visits an infected site, a specially crafted script will start to run on his/ her computer. This script uses the current date on the computer to generate the name of a site which the user will be redirected to in order to get his/ her customized exploit.
Part of the script (decrypted) used to generate the domain name for the site hosting exploits
This technology makes it almost impossible to use classic black-listing methods to block access to sites hosting exploits. However, having analysed the algorithm used to generate domain names, researchers are able to find out which of the domain names will be used and block them.
In addition to creating domain names by using the current date, the script placed on infected web pages also creates cookies with a validity of 7 days. This is done in order to prevent the page with Neosploit being opened again in the browser if the user repeatedly visits an infected web page. The script checks for cookies and if they are present and if the cookie is still valid, it will not create a domain name, and the user will not be redirected to Neosploit.
- Rootkit technologies
The bootkit still uses a method based on infecting the MBR in order to load its driver before the operating system starts. The driver is used in order to prevent detection and disinfection of the infected boot record. The first versions intercepted the IRP procedure Driver/ Disk; however, technologies for combating malicious programs are evolving and virus writers have had to substantially modify this technique. In comparison with previous variants, this version of the rootkit uses a more advanced technology in order to hide its presence in the system. None of the other rootkits currently known use the methods described below.
When starting, the malicious driver checks for the presence of an active debugger. If this is present, the rootkit will not hide the infected MBR and will not reveal its presence in the system in any way.
In order to become essentially invisible, the rootkit replaces a device pointer for one of its own; in this case, a specific structure in which the malicious driver replaces the pointer to a function (ParseProcedure).
If the physical disk is opened for low-level access by an antivirus program, the hooked function will be called. The driver IRP procedure will then be hooked at a lower level than DriverDisk and functions which are called when a previously open disk is closed. As soon as the disk is closed, all the hooks return to their original state.
The driver code has also undergone significant modifications and deserves separate attention. The majority of key functions, which install hooks for operating system system functions or which are hooks themselves, have been morphed, which significantly complicate analysis of the malicious code.
Example of encrypted hook functions
In spite of the fact that a number of antivirus companies also identified this variant of the bootkit and implemented some detection methods for it, Kaspersky Lab is, to date, the only company which provides users with effective protection from the bootkit at every stage.
When an infected site is visited, Kaspersky Internet Security blocks:
- Access to the site hosting exploits:
- Scripts which create and download exploits:
- The most dangerous and recent exploits:
Most importantly, Kaspersky Internet Security is able to detect the active bootkit and disinfect the infected computer.
The first version of Sinowal appeared at the beginning of 2008, but even by October that year, detection and disinfection had been implemented in only 4 of the 15 most popular antivirus solutions.
Unfortunately, the 2009 variant of the bootkit is a serious a threat as its predecessors. Protection has been implemented in Kaspersky Internet Security:
Once the threat has been identified, the antivirus is able to circumvent all hooks installed by the rootkit and disinfect the infected MBR:
It’s extremely important that an antivirus solution is able to provide protection at every stage – from the user visiting an infected site to disinfecting an active infection. If the threat is not identified at any stage in the infection process, protection mechanisms can be evaded to infect the computer, and as a result the malicious program will remain invisible for a long time.
Detection data from the products of other companies shows that each time the authors of the bootkit modify the algorithm used to create domain names (that has been done four times so far this year), none of the popular antivirus programs apart from Kaspersky can prevent the bootkit from penetrating the computer and then disinfect the infected system.
|DrWeb SS 5.0||NIS 2009||McAfee TP 2009||KIS 2009|
(malicious domains with Neosploit)
|Exploits (Neospoit Toolkit)||–||+||–||+|
| Active infection
Table 1: Detecting and blocking the bootkit at different stages of the infection routine
(“+” – detected; “-” – not detected; compiled using Antimalware.ru test data
available at the time of writing)
The bootkit still poses a serious threat and is still the most rapidly evolving malicious program. The most interesting virus writing technologies and propagation routines stem from the bootkit.
Antivirus companies must track all modifications of the bootkit and the implementation of new technologies as these will be widely used by many other virus writers within a short space of time.
Even more essential is improving current antivirus products and technologies which are able to effectively combat not only attempts to infect computers, but to detect complex threats which operate at an unprecedentedly low level within the operating system.