Friday, June 29, 2007 11:04 AM cmosby

Symantec Security Response Weblog: Spam from the Kernel: Full-Kernel Malware Installed by MPack


Spam from the Kernel: Full-Kernel Malware Installed by MPack

In the past few weeks, we have observed many Web sites that have been compromised to distribute browser exploits with the MPack kit. We've tracked many different MPack sources created with the intent of distributing different types of malicious code. So far we've seen the following malware samples installed while surfing sites compromised by MPack:

Trojan.Anserin - a Trojan that steals banking-related information
Trojan.Linkoptimizer.B - a dialer Trojan
Backdoor.IRC.Bot - an IRC bot
Infostealer.Ldpinch - a Trojan that steals account and password information
Trojan.Srizbi - a spam Trojan

These Trojans were already in our malware database, but one that we discovered recently, Trojan.Srizbi, is really interesting because of some unique features. The Trojan.Srizbi driver (windbg48.sys) has two main functions: it hides itself using a rootkit and it sends spam. What makes it really unique is that it's probably the first full-kernel malware spotted in the wild.

Once the Trojan is installed, it works without any user-mode payload and does everything from kernel mode, including sending spam. The rootkit code is not new: the malicious driver attaches itself to \FileSystem\Ntfs to hide files on the local disk and also patches the SDT (service descriptor table) to hide registry keys, in the same manner older rootkits did before. The Trojan also attempts to delete %System%\Minidump log files and seems to include a special routine to uninstall competitor rootkits, such as "wincom32.sys" and "ntio256.sys".

The most interesting code is in the spam routine. Using network functionality directly from kernel mode is much more complicated, and the many rootkit threats we have seen in the past (for example, Haxdoor, Rustock, and Peacomm) always carried a user-mode payload that was injected into some Windows process. Trojan.Srizbi moves a step forward by working entirely in kernel mode, without needing to inject anything into user mode. To manipulate the network connection directly from kernel mode, it attaches to the NDIS and TCP/IP drivers and obtains all the Ndis* and Zw* functions that it needs, which is unique to this threat. This technique also lets the Trojan bypass firewall and sniffer tools and hide all of its network activity.

We've seen the Trojan download a zip file from the srihopa.biz domain, which contains the following spam configuration files:
000_data2 (mail server domains)
001_ncommall (list of names)
002_senderna (list of possible sender names)
003_sendersu (list of possible sender surnames)
config (main spam configuration file)
message (HTML message to spam)
mlist (recipients mail addresses)
mxdata (MX record data)

[Screenshot: ss_edited.JPG]

We think this sample is still in a "beta" stage and not finished yet, but users can still find evidence of the infection by searching for the following registry entry (which is not hidden):

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RcpApi\"MachineNum" = "[SIX RANDOM DIGITS-SIX RANDOM DIGITS-TWO RANDOM DIGITS]"
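As an added example (not part of the original post or of any Symantec tooling), the following Python script shows how a responder could hunt for the two on-disk indicators the post names, the unhidden RcpApi service key with its "MachineNum" value and the windbg48.sys driver, in a registry export of the Services hive. It assumes the export was produced with the real `reg export HKLM\SYSTEM\CurrentControlSet\Services` command, and it embeds a constructed sample export so it runs offline; the digits in the sample MachineNum are made up for illustration and are not a real IoC.

```python
import re
from typing import Dict, List, Tuple

# Indicators from the post: the (unhidden) service key and value the Trojan
# leaves behind, and the file name of the rootkit driver.
SRIZBI_SERVICE_KEY = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RcpApi"
SRIZBI_DRIVER = "windbg48.sys"
# "[SIX RANDOM DIGITS-SIX RANDOM DIGITS-TWO RANDOM DIGITS]"
MACHINENUM_RE = re.compile(r"^\d{6}-\d{6}-\d{2}$")

# Constructed sample (not captured from a real host): the shape of a
# `reg export HKLM\SYSTEM\CurrentControlSet\Services` dump from an infected
# machine. .reg string values escape backslashes as "\\".
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Beep]
"Type"=dword:00000001
"Start"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RcpApi]
"MachineNum"="123456-654321-07"
"ImagePath"="\\??\\C:\\WINDOWS\\system32\\drivers\\windbg48.sys"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip]
"Start"=dword:00000001
"""

SECTION_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"([^"]+)"=(.*)$')


def parse_reg_export(text: str) -> Dict[str, Dict[str, str]]:
    """Parse the subset of the .reg format needed here: [key] sections holding
    "name"=value lines. Quoted string values are unescaped; other value types
    (dword:, hex:) are kept verbatim."""
    keys: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            keys[current] = {}
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            name, value = m.group(1), m.group(2)
            if value.startswith('"') and value.endswith('"'):
                # Undo .reg escaping: \\ -> \ and \" -> "
                value = re.sub(r'\\(["\\])', r"\1", value[1:-1])
            keys[current][name] = value
    return keys


def find_srizbi_indicators(reg: Dict[str, Dict[str, str]]) -> List[Tuple[str, str]]:
    """Return (key, reason) pairs for every service key matching an indicator."""
    findings: List[Tuple[str, str]] = []
    for key, values in reg.items():
        if key.lower() == SRIZBI_SERVICE_KEY.lower():
            num = values.get("MachineNum", "")
            if MACHINENUM_RE.match(num):
                findings.append((key, f"MachineNum {num!r} matches the Srizbi format"))
            else:
                findings.append((key, "RcpApi service key present"))
        image = values.get("ImagePath", "")
        if image.lower().endswith(SRIZBI_DRIVER):
            findings.append((key, f"ImagePath references {SRIZBI_DRIVER}"))
    return findings


if __name__ == "__main__":
    for key, reason in find_srizbi_indicators(parse_reg_export(SAMPLE_REG_EXPORT)):
        print(f"{key}: {reason}")
```

The post notes that this particular entry is not hidden, so a live `reg export` sees it; since the driver does hide other registry keys by patching the SDT, any key it chose to hide would only show up in an offline copy of the SYSTEM hive taken from clean-booted media, which the same parser can be pointed at once the hive is exported.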

We suspect that the author of Trojan.Srizbi could be the same as Rustock's, because the polymorphic code used in Trojan.Srizbi is very similar to the Backdoor.Rustock.B packer, but more advanced.

As my colleague Elia mentioned previously, we'll undoubtedly see new versions of this malware again.

Posted by Kaoru Hayashi on July 7, 2007 07:11 PM

Source: Symantec Security Response Weblog: Spam from the Kernel: Full-Kernel Malware Installed by MPack
