Friday, August 24, 2007 8:39 AM
cmosby
Symantec Security Response Weblog: The new Peacomm infection techniques
The latest variants of Peacomm, detected as Trojan.Peacomm.C (or proactively, as the usual Trojan.Packed.13), have introduced some interesting changes in the way they infect a machine.
As was written in a previous blog entry, Peacomm spam entices users to visit a Web page containing a link to a file named applet.exe. This Web page also embeds an obfuscated JavaScript routine that tries to exploit a Windows Media Player vulnerability, in case the user decided – very wisely – not to download and run the so-called “Secure Login Applet”. If the vulnerability is exploited successfully, a small file is downloaded to the compromised machine, which in turn downloads applet.exe. Both files are detected as Trojan.Packed.13.
When applet.exe runs, it first makes a copy of itself as spooldr.exe in the Windows folder, and drops an embedded kernel driver in the System folder as spooldr.sys. It also tries to infect a Windows device driver named kbdclass.sys; this infected driver is the load point used by Peacomm. During the next reboot, Windows loads the infected driver as it normally would, and the driver's added role is to load spooldr.sys.
Spooldr.sys has several functions, and uses smart tricks to achieve its goals. First, it acts as a loader for the real Trojan, spooldr.exe, located in the Windows folder. To do that, it injects a shellcode-like routine into explorer.exe, responsible for creating a spooldr.exe process. The loading scheme is very clever: first, the driver locates kernel32 in memory by resolving the address of CloseHandle and checking for the MZ magic around this value. It then resolves two APIs, VirtualProtect and WinExec. It builds and injects a small payload into explorer.exe, and hooks the import entry for PeekMessageW, an API frequently called by windowed applications (like Explorer). The hook points to the payload, so that when Explorer calls PeekMessageW, the payload is executed. The first thing the payload does is unhook this import entry; it then creates the spooldr.exe process. The routine then jumps to the real PeekMessageW code to ensure normal application behavior – and to avoid crashing Explorer! This way, the threat does not have to create a remote thread in Explorer, a technique commonly used by middle-class malware and monitored by some security software.
It is also responsible for hiding the newly created spooldr process, as well as any file whose name begins with spooldr (this is done by hooking the ZwQueryDirectoryFile system call). This way, the three files used by the Trojan – spooldr.exe, spooldr.sys and spooldr.ini (the peer list) – are hidden from the user's eye.
The rootkit also protects the Trojan from third-party security software, such as firewalls or anti-virus. A kernel callback is set up, via PsSetLoadImageNotifyRoutine, to track process creation and eventually kill malware-unfriendly ones. It also locks two files, ntoskrnl.exe (the Windows kernel) and kbdclass.sys (the infected Windows driver). The purpose of these locks appears to be to stop rootkit detectors from working, by preventing them from opening critical system files and comparing them with the copies loaded in memory, which the rootkit has tampered with.
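The three rootkit behaviours described in the preceding paragraphs (the redirected PeekMessageW import entry in explorer.exe, the ZwQueryDirectoryFile hook that hides spooldr* names, and the locks on ntoskrnl.exe and kbdclass.sys) each leave an observable discrepancy. The following detection logic is an added example written for this page, not Symantec's code or part of Peacomm itself; it assumes a live collector on the Windows host supplies the inputs (a process IAT snapshot with module ranges, an API-based and a raw on-disk directory listing, and the results of trying to open the watched files), and the sample inputs below are constructed with hypothetical addresses and paths.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Module:
    """Loaded DLL image range as a live collector would record it."""
    name: str
    base: int
    size: int

    def contains(self, addr: int) -> bool:
        return self.base <= addr < self.base + self.size

def find_iat_hooks(iat, modules):
    """Flag import entries whose resolved address lies outside the DLL that
    exports them. Peacomm redirects explorer.exe's PeekMessageW entry to an
    injected payload, so that slot no longer points into user32.dll.
    iat: {(dll, api): address}; modules: {dll: Module}."""
    return [(dll, api, addr) for (dll, api), addr in iat.items()
            if dll.lower() not in modules or not modules[dll.lower()].contains(addr)]

def find_hidden_files(api_view, raw_view):
    """Cross-view diff: names present in a raw on-disk enumeration but absent
    from the (hookable) ZwQueryDirectoryFile-based listing are being hidden."""
    return sorted(set(raw_view) - set(api_view))

def find_locked_system_files(open_results):
    """Watched system files that could not be opened for reading; Peacomm locks
    ntoskrnl.exe and kbdclass.sys. open_results: {path: opened_ok}."""
    watched = {"ntoskrnl.exe", "kbdclass.sys"}
    return sorted(p for p, ok in open_results.items()
                  if not ok and p.lower().rsplit("\\", 1)[-1] in watched)

# Constructed sample inputs (hypothetical addresses and paths, not real captures).
MODULES = {"user32.dll": Module("user32.dll", 0x7E410000, 0x91000),
           "kernel32.dll": Module("kernel32.dll", 0x7C800000, 0xF6000)}
IAT_SNAPSHOT = {("user32.dll", "PeekMessageW"): 0x00A30120,  # inside injected payload
                ("user32.dll", "GetMessageW"): 0x7E41A000,
                ("kernel32.dll", "CloseHandle"): 0x7C809B77}
API_LISTING = ["explorer.exe", "notepad.exe"]
RAW_LISTING = ["explorer.exe", "notepad.exe", "spooldr.exe", "spooldr.ini"]
OPEN_RESULTS = {r"C:\WINDOWS\system32\ntoskrnl.exe": False,
                r"C:\WINDOWS\system32\drivers\kbdclass.sys": False,
                r"C:\WINDOWS\system32\hal.dll": True}

def run_checks():
    """Return all findings; any non-empty entry is a Peacomm-style indicator."""
    return {"iat_hooks": find_iat_hooks(IAT_SNAPSHOT, MODULES),
            "hidden_files": find_hidden_files(API_LISTING, RAW_LISTING),
            "locked_files": find_locked_system_files(OPEN_RESULTS)}
```

On a real host the IAT snapshot and module ranges would be read from explorer.exe's memory, the raw listing would come from parsing the NTFS volume directly rather than the directory-enumeration API, and the open results from attempting a read-only open of each watched file.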
Though Peacomm's functionality hasn't changed, the mode of infection has been improved. The registry is no longer used as a load point; instead, Peacomm uses virus-like techniques to get its payload loaded by the system at startup.
Thankfully, all new Peacomm variants, as well as Peacomm-related malware (such as Trojan.Mespam), are generically caught by our heuristic detection Trojan.Packed.13.
Posted by Nicolas Falliere on August 23, 2007 10:00 AM