With current tools such as Sysinternals Autoruns letting users and sysadmins see at a glance which files are set to run when a computer starts up, and Sophos's endpoint product automatically cleaning up registry entries associated with detected malware, it is becoming increasingly hard for malware authors to hide the fact that their programs are being loaded on startup.
Some recent pieces of malware have returned to techniques more usually associated with traditional viruses in order to solve this problem. Instead of leaving traces of their automatic startup in the registry, they’ve infected certain Windows files that are loaded on startup in order to hitch a ride along with them.
Troj/WLHack-A (shortly followed by Troj/WLHack-C) is the name we use for copies of winlogon.exe that have been patched by the Troj/WLDrop-A dropper. Because winlogon.exe is loaded every time Windows starts up, the Trojan is loaded on startup too, even before any user has logged on to the computer. The infection code is stored in slack space (unused areas inside executable files that exist to meet alignment requirements imposed by the OS: a section's data is padded out to the file alignment, so the padding beyond its real size is stored on disk and mapped into memory but never used by the program) and the Trojan code gains control via a six-byte patch at the winlogon.exe entry point. Because the new code sits in padding that was already there, neither the file size nor the section table changes; the infection only shows up when the file's contents are compared against a known-good copy or its signature is verified. Here are both the clean and infected winlogon.exe entry points: can you spot which is which?
The slack space in winlogon.exe isn't big enough to contain any really complicated malware, so Troj/WLHack-A just loads an extra DLL inside the winlogon process. If the filesystem is NTFS, this DLL will be stored in an Alternate Data Stream attached to another valid system file, ws2_32.dll, which keeps it out of ordinary directory listings.
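To make the slack-space and entry-point description above concrete, here is an added example (my own illustration, not Sophos code and not taken from the Trojan) that parses a PE32 image, lists each section's slack (the bytes between VirtualSize and SizeOfRawData), and flags an entry point whose first instruction transfers control into that slack. It works on a constructed minimal PE held in memory so that it runs offline; the fixture's layout, the `push imm32; ret` encoding used for the six-byte patch, and the single-section image are all assumptions for the demonstration, not details of winlogon.exe or of Troj/WLHack-A.

```python
import struct

# Constructed fixture and analyser (added example, not Sophos code). Assumes a
# PE32 image; the fixture has a single .text section, real winlogon.exe has more.

SECTION_HEADER_SIZE = 40


def parse_pe(pe):
    """Return (entry_rva, image_base, sections) for a PE32 image in memory."""
    if pe[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    nt = struct.unpack_from("<I", pe, 0x3C)[0]            # e_lfanew
    if pe[nt:nt + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    num_sections = struct.unpack_from("<H", pe, nt + 6)[0]
    opt_size = struct.unpack_from("<H", pe, nt + 20)[0]
    opt = nt + 24                                        # optional header
    if struct.unpack_from("<H", pe, opt)[0] != 0x10B:
        raise ValueError("only PE32 is handled here")
    entry_rva = struct.unpack_from("<I", pe, opt + 16)[0]
    image_base = struct.unpack_from("<I", pe, opt + 28)[0]
    sections = []
    for i in range(num_sections):
        off = opt + opt_size + i * SECTION_HEADER_SIZE
        name, vsize, vaddr, rawsize, rawptr = struct.unpack_from("<8sIIII", pe, off)
        sections.append(dict(name=name.rstrip(b"\0").decode(), vsize=vsize,
                             vaddr=vaddr, rawsize=rawsize, rawptr=rawptr))
    return entry_rva, image_base, sections


def rva_to_offset(sections, rva):
    """Map an RVA to a file offset. The range uses SizeOfRawData, not VirtualSize,
    because the loader copies the whole raw block, slack included."""
    for s in sections:
        if s["vaddr"] <= rva < s["vaddr"] + max(s["vsize"], s["rawsize"]):
            return s["rawptr"] + (rva - s["vaddr"])
    return None


def slack_regions(pe, sections):
    """Per section with SizeOfRawData > VirtualSize: (name, start_rva, end_rva,
    count of non-zero bytes). Linker padding is normally zero-filled, so any
    non-zero byte in this range deserves a look."""
    out = []
    for s in sections:
        if s["rawsize"] > s["vsize"]:
            blob = pe[s["rawptr"] + s["vsize"]:s["rawptr"] + s["rawsize"]]
            out.append((s["name"], s["vaddr"] + s["vsize"],
                        s["vaddr"] + s["rawsize"], sum(1 for b in blob if b)))
    return out


def entry_point_target(pe):
    """If the entry point begins with a 5- or 6-byte control transfer, return the
    RVA it goes to, else None. Handles jmp rel32 (E9), push imm32 / ret (68 .. C3)
    and jmp [disp32] (FF 25, reported as the RVA of the pointer slot it reads)."""
    entry_rva, image_base, sections = parse_pe(pe)
    code = pe[rva_to_offset(sections, entry_rva):][:6]
    if code[0] == 0xE9:
        return (entry_rva + 5 + struct.unpack_from("<i", code, 1)[0]) & 0xFFFFFFFF
    if code[0] == 0x68 and code[5] == 0xC3:
        return struct.unpack_from("<I", code, 1)[0] - image_base
    if code[:2] == b"\xFF\x25":
        return struct.unpack_from("<I", code, 2)[0] - image_base
    return None


def entry_point_in_slack(pe):
    """True when the entry point immediately transfers control into section slack."""
    target = entry_point_target(pe)
    if target is None:
        return False
    sections = parse_pe(pe)[2]
    return any(lo <= target < hi for _, lo, hi, _ in slack_regions(pe, sections))


def build_fixture(patched):
    """Constructed minimal PE32: one .text section with VirtualSize 0x30 but
    SizeOfRawData 0x200, i.e. 0x1D0 bytes of slack. With patched=True the first six
    entry-point bytes become 'push <slack VA>; ret', the displaced bytes are parked
    in the slack and followed by a push/ret back to entry+6. No payload, just the shape."""
    image_base, text_rva, raw_size = 0x400000, 0x1000, 0x200
    code = bytes.fromhex("558BEC83EC1033C08BE55DC3").ljust(0x30, b"\x90")
    dos = bytearray(0x40); dos[:2] = b"MZ"; struct.pack_into("<I", dos, 0x3C, 0x40)
    coff = struct.pack("<4sHHIIIHH", b"PE\0\0", 0x14C, 1, 0, 0, 0, 0xE0, 0x102)
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)                # PE32 magic
    struct.pack_into("<I", opt, 16, text_rva)            # AddressOfEntryPoint
    struct.pack_into("<III", opt, 28, image_base, 0x1000, raw_size)  # base, section/file align
    sec = struct.pack("<8sIIIIIIHHI", b".text", len(code), text_rva, raw_size,
                      raw_size, 0, 0, 0, 0, 0x60000020)
    headers = (dos + coff + opt + sec).ljust(raw_size, b"\0")
    text = bytearray(code.ljust(raw_size, b"\0"))
    if patched:
        hook = 0x40                                      # inside the slack (>= 0x30)
        text[hook:hook + 6] = code[:6]                   # displaced: push ebp; mov ebp,esp; sub esp,10h
        text[hook + 6:hook + 12] = b"\x68" + struct.pack("<I", image_base + text_rva + 6) + b"\xC3"
        text[:6] = b"\x68" + struct.pack("<I", image_base + text_rva + hook) + b"\xC3"
    return bytes(headers + text)


if __name__ == "__main__":
    for label, pe in (("clean", build_fixture(False)), ("patched", build_fixture(True))):
        secs = parse_pe(pe)[2]
        print(label, "slack:", slack_regions(pe, secs), "EP target:",
              entry_point_target(pe), "in slack:", entry_point_in_slack(pe))
```

Run against a real file by replacing the fixture with `open(path, "rb").read()`; a clean build shows zero-filled slack and an entry point that starts with ordinary code, while the patched fixture reports a `push`/`ret` transfer into the `.text` slack. The DLL half of the infection needs a different check, since Alternate Data Streams are invisible to a normal directory listing: on Windows, `Get-Item C:\Windows\System32\ws2_32.dll -Stream *` in PowerShell lists every stream on the file, and anything besides the default `:$DATA` stream on a system DLL is worth investigating.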
Sophos provides disinfection for the patched winlogon.exe. This was quite tricky for us to achieve, as it is impossible to write to the file while winlogon is running, and terminating the process causes problems for the user: either the computer reboots as soon as winlogon is terminated, or it remains in a state in which the user can't log off or reboot at all.
In the next part, I’ll go into detail on a very recent piece of malware that uses this technique: the Dorf family of Trojans that are being spammed out via email as ecard.exe.