A new sophisticated version of a malicious bootkit, Backdoor.Win32.Sinowal, poses a serious threat to computer users as it employs the most advanced virus technologies to date.
According to Kaspersky Lab analysts, the bootkit was detected at the end of March 2009 and hides itself from security solutions, and the vast majority of today's anti-virus programs are unable to detect it. Currently, the bootkit spreads via compromised sites, porn resources and pirate software sites.
Nearly all the servers involved in the infection process bear a distinctly Russian signature. They belong to so-called partner programmes, in which site owners cooperate with the authors of malicious programs. Such 'partner programmes' are extremely popular in the Russian and Ukrainian cyber-criminal worlds.
The mechanism used to create domain names for the site that hosts the exploits can also be classed as a relatively new technology. When the user visits an infected site, a specially crafted script runs on the visitor's computer. This script uses the computer's current date to generate the name of a site to which the user is then redirected in order to receive a customised exploit.
This technique makes it almost impossible to block access to exploit-hosting sites using classic blacklisting methods. However, having analysed the algorithm used to generate the domain names, researchers can determine in advance which domain names will be used and block them.
In addition to creating domain names from the current date, the script placed on infected Web pages also sets a cookie with a validity of seven days. This is done to prevent the Neosploit page (http://www.viruslist.com/en/analysis?pubid=204792044) from being opened again in the browser if the user repeatedly visits an infected Web page. The script checks for the cookie; if it is present and still valid, the script does not generate a domain name and the user is not redirected to Neosploit.
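The predict-and-block approach described above, as an added example that is not part of the original article: the generator below is a hypothetical stand-in (Sinowal's real date-to-domain algorithm is not disclosed here), the window start date and the DNS log lines are constructed, and the point is that a purely date-driven generator lets a defender precompute tomorrow's blocklist today.

```python
import hashlib
from datetime import date, timedelta

# Hypothetical stand-in for a date-seeded domain generator. The article does
# not disclose Sinowal's real algorithm; this toy derives one hostname per
# calendar day from SHA-256 of the ISO date, keeping only the property that
# matters for defence: the name depends on nothing but the current date.
TLDS = (".com", ".net", ".biz")

def domain_for_date(day: date) -> str:
    digest = hashlib.sha256(day.isoformat().encode("ascii")).hexdigest()
    # 12 lowercase letters from the first 24 hex digits, TLD from the next byte
    label = "".join(chr(ord("a") + int(digest[i:i + 2], 16) % 26)
                    for i in range(0, 24, 2))
    return label + TLDS[int(digest[24:26], 16) % len(TLDS)]

def predicted_blocklist(start: date, days: int) -> set:
    """Precompute every domain the generator will emit over a window of dates,
    so the names can be pushed to a DNS/proxy blocklist before they go live."""
    return {domain_for_date(start + timedelta(days=n)) for n in range(days)}

def flag_queries(log_lines, blocklist):
    """Return (timestamp, client, qname) for each DNS log line whose queried
    name is on the predicted blocklist."""
    hits = []
    for line in log_lines:
        ts, client, qname = line.split()
        qname = qname.rstrip(".").lower()
        if qname in blocklist:
            hits.append((ts, client, qname))
    return hits

# Constructed window start (the article only says "end of March 2009").
WINDOW_START = date(2009, 3, 30)
BLOCKLIST = predicted_blocklist(WINDOW_START, 14)

# Constructed DNS query log ("<time> <client> <qname>"); the second entry uses
# whatever the toy generator yields for 2009-04-02 so the sample is consistent.
SAMPLE_LOG = [
    "2009-04-02T10:15:01 10.0.0.12 www.example.com.",
    "2009-04-02T10:15:03 10.0.0.12 " + domain_for_date(date(2009, 4, 2)) + ".",
    "2009-04-02T10:16:40 10.0.0.31 mail.example.org.",
]

if __name__ == "__main__":
    for hit in flag_queries(SAMPLE_LOG, BLOCKLIST):
        print("blocked DGA lookup:", *hit)
```

Because the seven-day cookie suppresses repeat redirects, a single flagged lookup per client is already significant and should not be discounted as noise.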
Rootkit technologies
The bootkit still uses a method based on infecting the master boot record (MBR) in order to load its driver before the operating system starts. The driver is used in order to prevent detection and disinfection of the infected boot record.
The first versions intercepted the IRP procedure of Driver/Disk; however, anti-malware technologies are evolving and the virus writers have had to modify this technique substantially. Compared with previous variants, this version of the rootkit uses a more advanced technique to hide its presence in the system. None of the other rootkits currently known use the methods described below.
When it starts, the malicious driver checks for the presence of an active debugger. If one is present, the rootkit does not hide the infected MBR and does not reveal its presence in the system in any way. To become essentially invisible, the rootkit replaces a device pointer with one of its own; specifically, it targets a structure in which the malicious driver replaces the pointer to a function (ParseProcedure).
If an anti-virus program opens the physical disk for low-level access, the hooked function is called. It then hooks the driver's IRP procedure at a lower level than driver\disk, together with the functions that are called when a previously opened disk is closed. As soon as the disk is closed, all the hooks are restored to their original state.
The driver code has also undergone significant modifications and deserves separate attention. The majority of the key functions, which install hooks for operating system functions or are hooks themselves, have been morphed, which significantly complicates analysis of the malicious code.
Protection
Although a number of anti-virus companies have also identified this variant of the bootkit and implemented some detection methods for it, Kaspersky Lab is, to date, the only company that provides users with effective protection from the bootkit at every stage.
When an infected site is visited, Kaspersky Internet Security blocks access to the site hosting exploits and scripts which create and download exploits. Most importantly, Kaspersky Internet Security is able to detect the active bootkit and disinfect the infected computer.
The first version of Sinowal appeared at the beginning of 2008, but even by October that year, detection and disinfection had been implemented in only four of the 15 most popular anti-virus solutions.
Unfortunately, the 2009 variant of the bootkit is as serious a threat as its predecessors. Protection has been implemented in Kaspersky Internet Security. Once the threat has been identified, the anti-virus is able to circumvent all the hooks installed by the rootkit and disinfect the infected MBR.
It's extremely important that an anti-virus solution is able to provide protection at every stage - from the user visiting an infected site to disinfecting an active infection. If the threat is not identified at some stage of the infection process, the protection mechanisms can be evaded and the computer infected, with the result that the malicious program remains invisible for a long time.
Detection data from the products of other companies shows that each time the authors of the bootkit modify the algorithm used to create domain names (which has happened four times so far this year), none of the popular anti-virus programs, apart from Kaspersky, can prevent the bootkit from penetrating the computer and then disinfect the infected system.
Conclusion
The bootkit still poses a serious threat and remains the most rapidly evolving malicious program. The most interesting virus-writing technologies and propagation routines stem from it.
Anti-virus companies must track all modifications of the bootkit and the implementation of new technologies, as these will be widely used by many other virus writers within a short space of time.
Even more essential is improving current anti-virus products and technologies so that they can effectively combat not only attempts to infect computers but also detect complex threats operating at an unprecedentedly low level within the operating system.