Give Them an Inch and They’ll Try to Rule!

In a classic case of impudent opportunism, more and more malware is now using standard Microsoft Windows operating system files to do its bidding.

Last year there were examples of malware modifying WINLOGON.EXE, a critical system file, to load a malicious DLL. The entrypoint code is modified to call LoadLibraryA on the Trojan DLL and then execution is returned to the real WINLOGON.EXE entrypoint. These hijacked versions of WINLOGON.EXE are detected as variants of Troj/WLHack.

So far this year there has been one example of the Windows networking DLL WS2_32.DLL having a tailor-made import descriptor added to its import table. The effect of this brand new import descriptor is to load a specific export of a malicious DLL when WS2_32.DLL is loaded by the Windows loader. This sample is detected as Troj/WSPatch-A.
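The following is an added illustration, written for this post and not code from the original article or from SophosLabs, of the defensive check that follows from the WS2_32.DLL case: walk a PE file's import directory and report any DLL it names that a known-good baseline of that file does not. It goes slightly beyond the text in that the parser handles both PE32 and PE32+ images. Everything here is constructed for the demonstration: `build_sample_pe` fabricates a tiny PE whose only section is an import directory, the DLL name `unexpected.dll` and export `Start` are placeholders standing in for the malicious DLL, and the baseline set `{"kernel32.dll", "ntdll.dll"}` is an assumed list, not the real import list of WS2_32.DLL.

```python
import struct

IMAGE_DIRECTORY_ENTRY_IMPORT = 1  # index of the import table in the data directory


def _cstr(data, off):
    """Read a NUL-terminated ASCII string starting at file offset off."""
    return data[off:data.index(b"\0", off)].decode("ascii")


def parse_imports(data):
    """Walk the import directory of a PE image held in memory.

    Returns {dll_name_lowercase: [function_name_or_#ordinal, ...]}, one entry
    per IMAGE_IMPORT_DESCRIPTOR, in the order the loader would process them.
    """
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file")
    coff = e_lfanew + 4
    nsec = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20
    is_pe32plus = struct.unpack_from("<H", data, opt)[0] == 0x20B
    thunk_fmt = "<Q" if is_pe32plus else "<I"
    ordinal_flag = 1 << (63 if is_pe32plus else 31)
    dir_base = opt + (112 if is_pe32plus else 96)
    imp_rva = struct.unpack_from("<I", data, dir_base + 8 * IMAGE_DIRECTORY_ENTRY_IMPORT)[0]

    # Section table, needed to translate RVAs into file offsets.
    sections = []
    for i in range(nsec):
        hdr = opt + opt_size + 40 * i
        vsize, va, raw_size, raw_ptr = struct.unpack_from("<IIII", data, hdr + 8)
        sections.append((va, max(vsize, raw_size), raw_ptr))

    def rva_to_off(rva):
        for va, size, raw_ptr in sections:
            if va <= rva < va + size:
                return rva - va + raw_ptr
        raise ValueError("RVA 0x%x not inside any section" % rva)

    imports = {}
    if imp_rva == 0:
        return imports
    desc = rva_to_off(imp_rva)
    while True:  # descriptor array ends with an all-zero entry
        oft, _, _, name_rva, ft = struct.unpack_from("<IIIII", data, desc)
        if name_rva == 0:
            break
        funcs = []
        thunk = rva_to_off(oft or ft)  # prefer the unbound (original) thunk array
        while True:
            entry = struct.unpack_from(thunk_fmt, data, thunk)[0]
            if entry == 0:
                break
            if entry & ordinal_flag:
                funcs.append("#%d" % (entry & 0xFFFF))
            else:
                funcs.append(_cstr(data, rva_to_off(entry) + 2))  # skip the 2-byte hint
            thunk += struct.calcsize(thunk_fmt)
        imports[_cstr(data, rva_to_off(name_rva)).lower()] = funcs
        desc += 20
    return imports


def unexpected_imports(data, baseline_dlls):
    """DLL names in the import table that the known-good baseline does not list."""
    return set(parse_imports(data)) - {d.lower() for d in baseline_dlls}


def build_sample_pe(imports):
    """Constructed test input: a minimal PE32 whose single section holds an
    import directory naming the given (dll, function) pairs. Not a real file."""
    sec_rva, sec_off = 0x1000, 0x200
    desc_size = 20 * (len(imports) + 1)
    tail, descs = bytearray(), b""
    for dll, func in imports:
        ibn_rva = sec_rva + desc_size + len(tail)          # IMAGE_IMPORT_BY_NAME
        tail += struct.pack("<H", 0) + func.encode() + b"\0"
        tail += b"\0" * (-len(tail) % 4)
        thunk_rva = sec_rva + desc_size + len(tail)        # NUL-terminated thunk array
        tail += struct.pack("<II", ibn_rva, 0)
        name_rva = sec_rva + desc_size + len(tail)         # DLL name string
        tail += dll.encode() + b"\0"
        tail += b"\0" * (-len(tail) % 4)
        descs += struct.pack("<IIIII", thunk_rva, 0, 0, name_rva, thunk_rva)
    idata = descs + b"\0" * 20 + bytes(tail)

    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)   # e_lfanew at offset 0x3C
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x2102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                 # PE32 magic
    struct.pack_into("<II", opt, 32, 0x1000, 0x200)       # Section/FileAlignment
    struct.pack_into("<I", opt, 92, 16)                   # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 96 + 8 * IMAGE_DIRECTORY_ENTRY_IMPORT, sec_rva, desc_size)
    sec = struct.pack("<8sIIIIIIHHI", b".idata", len(idata), sec_rva, 0x200,
                      sec_off, 0, 0, 0, 0, 0xC0000040)
    hdr = dos + b"PE\0\0" + coff + bytes(opt) + sec
    return hdr.ljust(sec_off, b"\0") + idata.ljust(0x200, b"\0")


if __name__ == "__main__":
    # "unexpected.dll"/"Start" are placeholders for the appended descriptor.
    sample = build_sample_pe([("KERNEL32.dll", "GetProcAddress"), ("unexpected.dll", "Start")])
    print(parse_imports(sample))
    print("not in baseline:", unexpected_imports(sample, {"kernel32.dll", "ntdll.dll"}))
```

The baseline comparison is the point: a descriptor appended to a system DLL's import table shows up as a DLL name (and a single export) that the file has never imported before, and it can be found on disk without running anything, because the loader only consults this table. In practice the baseline would come from a known-clean copy of the same file version, and the check complements, rather than replaces, verifying the file's hash against the vendor's signed catalogue.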

Patching system files can make detection slightly less straightforward. However, the real complications arise when cleaning up the malware and restoring the system files to a clean, but still functioning, state. Whilst the files are loaded and running in memory, their on-disk images are locked and cannot be modified. Attempting to release the locks on the files whilst they are running, in order to disinfect them, can cause OS instability to such an extent that Windows will force an immediate reboot. One then has to resort to complicated and delicate custom-written cleanup, perhaps scheduled to run at a system reboot, to recover the situation.

Malware authors are constantly attempting to make it difficult for anti-virus software to both detect and remove their malevolent creations. Of course, prevention is better than cure, hence we at SophosLabs are constantly striving to build on our proactive detection capabilities to keep you protected. Rest assured that even if there were malware running on your computer, we at SophosLabs would endeavour to arrest and remove it, thus returning your computer to you safe and sound.