Patching system files: Part II

In the first part, I described how Troj/WLDrop-A and Troj/WLHack-A patched the winlogon.exe file to load malware on startup. This post is about a similar technique used by the more recent ecard.exe Trojans that are being spammed out at the moment.


When I got in on Tuesday morning, Peter from the Australian lab handed over a new Mal/Dorf-A sample that he’d done quite a bit of analysis on, but hadn’t finished writing an identity for. He’d found that, unlike the previous Dorfs (often called Storm, Tibs or Nuwar by other vendors), this one loaded its rootkit by patching tcpip.sys, the Windows driver associated with the TCP/IP protocol stack.

Most people know of Mal/Dorf-A as the ecard.exe executable spammed out in the “You’ve received an Ecard!” emails. Dorf drops a rootkit which it needs to load somehow, and although registering it as a driver and having Windows load it would be the easy option, it’s one that’s quite simple to spot with anti-rootkit tools or even a manual check of the registry. By patching tcpip.sys to load itself, it leaves fewer obvious clues as to what’s going on, particularly since, once loaded, the rootkit partially stealths tcpip.sys so that it shows up in directory listings but can’t be read from or written to. It also makes removing it quite a bit harder.

Here’s the code from the infected tcpip.sys that loads the rootkit driver:

[Screenshot: spooldr.sys loader code]

The Trojan code patched into tcpip.sys needs to import the ZwSetSystemInformation and KeServiceDescriptorTable addresses dynamically, because when tcpip.sys is loaded the only imports that are resolved by Windows are those of the normal tcpip.sys. It has some code to find the base address of ntoskrnl.exe and search its exports manually for the things it wants to import.

The function it uses to load spooldr.sys (the rootkit) isn’t one it can import so simply, however, and it has to search through the code of the service function behind ZwSetSystemInformation to find its address. Once done, it can load the rootkit driver and simply call its entry point from the same kernel context in which tcpip.sys itself was loaded.

Both the rootkit itself (dropped as spooldr.sys) and the infected tcpip.sys are detected by Sophos as Troj/Dorf-M. We also disinfect the patched tcpip.sys that Mal/Dorf-A creates and return it to as close to its original state as possible.

It will be interesting to see if more malware starts using this technique as tech-savvy users and admins continue checking their registry every now and then for unusual startup entries. While many users know when a run key in the registry looks suspicious, there aren’t many that can tell if their drivers have been tampered with.
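One way to do the driver check the last paragraph calls for, added here as an example (not code from the original post): a PowerShell script that validates the Authenticode/catalog signature of every driver in System32\drivers and reports the ones that fail or cannot be read. It assumes a Windows system with PowerShell 4.0 or later; the directory path is a parameter so it can be pointed at an offline copy of a suspect system drive.

```powershell
# Added example (not from the original post): flag kernel drivers whose
# Microsoft signature no longer validates. A tcpip.sys patched in the way
# described above would no longer match its signature, and while the
# rootkit is active the file may not even be readable, so read errors are
# reported as well rather than silently skipped.
param(
    # Default to the running system; point at e.g. E:\Windows\System32\drivers
    # when scanning an offline drive from clean boot media.
    [string]$DriverDir = (Join-Path $env:SystemRoot 'System32\drivers')
)

$results = Get-ChildItem -Path $DriverDir -Filter '*.sys' -File -ErrorAction SilentlyContinue |
    ForEach-Object {
        $file = $_
        try {
            $sig  = Get-AuthenticodeSignature -FilePath $file.FullName -ErrorAction Stop
            $hash = (Get-FileHash -Path $file.FullName -Algorithm SHA256 -ErrorAction Stop).Hash
            [PSCustomObject]@{
                Name   = $file.Name
                Status = $sig.Status          # Valid, NotSigned, HashMismatch, NotTrusted, ...
                Signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
                SHA256 = $hash
            }
        }
        catch {
            # "Shows in the listing but can't be read" is itself a symptom worth surfacing.
            [PSCustomObject]@{
                Name   = $file.Name
                Status = 'ReadError'
                Signer = $_.Exception.Message
                SHA256 = ''
            }
        }
    }

# Anything other than 'Valid' deserves a closer look; compare the SHA256 of a
# suspect file against a known-good copy from install media or a clean machine.
$results | Where-Object { $_.Status -ne 'Valid' } | Sort-Object Name | Format-Table -AutoSize
```

When scanning an offline drive, catalog-signed files from another Windows installation can show as NotSigned because the catalog lookup uses the running system's catalog store; in that case treat the SHA256 column, compared against a known-good copy, as the authoritative check.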