Rootkit Infects NTFS Loader

Friday, July 8, 2011 @ 02:07 PM gHale

A new piece of malware that loads malicious code to the NTFS boot loader is out there, said security researchers from Kaspersky Lab.

The threat, which Kaspersky detects as Cidox, features two rootkit drivers, one for 32-bit versions of Windows and one for 64-bit ones.


As part of its infection routine, Cidox determines the version of the operating system and copies the relevant driver to the empty sectors at the beginning of the drive.

It only infects NTFS partitions and determines the active partition by looking at the MBR code. It then proceeds to replace the Extended NTFS IPL (Initial Program Loader) code. It encrypts the original IPL and saves the encrypted copy at the end.

This is part of a technique that leverages Windows kernel features to load the malicious driver into the system.
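A defender-side integrity check for the two on-disk changes described above (occupied sectors in the gap before the first partition, and a modified NTFS IPL), as an added example that is not from the article or from Kaspersky; the 40-sector disk image, its layout and the baseline hash are all constructed here for illustration.

```python
import hashlib
import struct

SECTOR = 512

def active_partition(mbr: bytes):
    """Parse the 4-entry MBR partition table (offset 446) and return
    (type, start_lba, sector_count) for the entry flagged active (0x80)."""
    if mbr[510:512] != b"\x55\xaa":
        raise ValueError("missing MBR signature")
    for off in range(446, 510, 16):
        status, ptype = mbr[off], mbr[off + 4]
        start, count = struct.unpack_from("<II", mbr, off + 8)
        if status == 0x80:
            return ptype, start, count
    return None

def ntfs_ipl(disk: bytes, start_lba: int) -> bytes:
    """Return the 15 sectors of NTFS boot code following the VBR (the
    Extended IPL the article says is replaced), after checking the OEM id."""
    vbr = disk[start_lba * SECTOR:(start_lba + 1) * SECTOR]
    if vbr[3:11] != b"NTFS    ":
        raise ValueError("active partition is not NTFS")
    return disk[(start_lba + 1) * SECTOR:(start_lba + 16) * SECTOR]

def used_gap_sectors(disk: bytes, start_lba: int) -> list:
    """LBAs between the MBR and the first partition that are not all zero;
    a clean install normally leaves this gap empty."""
    return [lba for lba in range(1, start_lba)
            if any(disk[lba * SECTOR:(lba + 1) * SECTOR])]

def audit(disk: bytes, known_good_ipl_sha256: str) -> dict:
    """Compare the active partition's IPL with a trusted baseline hash and
    report any occupied gap sectors where a driver body could be parked."""
    ptype, start, _ = active_partition(disk[:SECTOR])
    ipl_hash = hashlib.sha256(ntfs_ipl(disk, start)).hexdigest()
    return {"ntfs_type": ptype == 0x07,
            "ipl_matches_baseline": ipl_hash == known_good_ipl_sha256,
            "used_gap_sectors": used_gap_sectors(disk, start)}

def build_image(infected: bool) -> bytearray:
    """Constructed 40-sector disk: MBR, 7-sector gap, NTFS partition at LBA 8."""
    disk = bytearray(40 * SECTOR)
    disk[446:462] = bytes([0x80, 0, 0, 0, 0x07, 0, 0, 0]) + struct.pack("<II", 8, 32)
    disk[510:512] = b"\x55\xaa"
    disk[8 * SECTOR:8 * SECTOR + 11] = b"\xeb\x52\x90NTFS    "
    disk[9 * SECTOR:24 * SECTOR] = bytes(range(256)) * 30  # stand-in for real IPL code
    if infected:
        disk[1 * SECTOR:4 * SECTOR] = b"\xcc" * (3 * SECTOR)  # payload parked in the gap
        disk[9 * SECTOR:10 * SECTOR] = b"\x90" * SECTOR       # first IPL sector replaced
    return disk

BASELINE = hashlib.sha256(ntfs_ipl(build_image(False), 8)).hexdigest()
```

On a real system the baseline hash would come from a known-clean image of the same Windows version, and the disk bytes from a raw read of the physical drive.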

The driver has the purpose of hooking into several processes including svchost.exe, iexplore.exe, firefox.exe, opera.exe and chrome.exe via a special DLL.

“This library modifies any browser output, substituting it with its own. As a result, the user sees a browser window displaying an offer to renew the browser due to some malicious programs allegedly detected on the system,” Kaspersky’s Vyacheslav Zakorzhevsky said.

This threat is effectively a form of scareware, as it asks the user to pay for the browser renewal by sending an SMS message to a premium rate number.

To appear more convincing, the malware shows a custom page for each browser that borrows design elements from the official pages displayed by that browser's developer.

This is one of the most sophisticated scareware threats currently in the wild, the researcher said. At the moment it only appears to target Russian-speaking users, but that could change.
