
Sound Fake? Finding a Malicious Driver – McAfee Avert Labs Blog


Thursday March 26, 2009 at 9:52 am CST
Posted by Di Tian


You already know that malware adds or changes registry keys so that its code is loaded automatically when the system boots, a user logs on, or an application starts. The keys we most often see used for this purpose include:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\[Legit_program]\Debugger
HKEY_CLASSES_ROOT\CLSID\[CLSID]\InprocServer32

Recently, we noticed that the Lando Trojan uses a different registry key to load its malicious code into Internet Explorer. It drops a fake sound driver named wdmaud.sys into the %system32% folder and adds the value aux2 = "%system32%\wdmaud.sys" under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32. Drivers32 lists the user-mode multimedia drivers that winmm.dll and its companion components load into any process that initializes the Windows multimedia API, so despite the .sys name the dropped file is an ordinary DLL, not a kernel driver. When the user launches Internet Explorer and iexplore.exe loads winmm.dll, the malicious code is pulled into the process, and from there the attacker hijacks Google searches.

How can you distinguish the real sound driver from the fake? The legitimate wdmaud.sys is the kernel-mode part of Microsoft's WDM Audio Compatibility driver (its user-mode counterpart, wdmaud.drv, is what Drivers32 legitimately references). You'll find it in the %system32%\drivers\ folder. It is about 84KB and includes complete version information.

The malicious wdmaud.sys, by contrast, sits directly in the %system32% folder rather than in %system32%\drivers\. It is only about 22KB and has no version information.

By comparing their file properties, you can easily tell the difference. Size and version information are only quick indicators, though: the exact size of the legitimate driver varies with the Windows version and service pack, so confirm with the file's digital signature or a known-good hash before acting. And, as always, be careful when deleting the malicious wdmaud.sys or other suspicious files: you don't want to trash the legitimate driver in %system32%\drivers\. Remove the aux2 value from Drivers32 as well, or the entry stays behind pointing at a file that no longer exists.
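As an added example (not code from the McAfee post), the following PowerShell script applies the checks described above to every Drivers32 entry on a live system: where the referenced file lives, its size, whether it carries version information, and whether it is signed. The flag rules it uses (a legitimate entry is a bare file name resolved from System32, uses a .drv/.dll/.acm extension rather than .sys, has version information, and has a valid Microsoft signature) are this example's own heuristics, not something the post states, and the function name is the example's own.

```powershell
# Added example, not code from the McAfee post: enumerate the Drivers32
# multimedia-driver lists that the Lando Trojan abuses and apply the checks
# from the post (location, size, version information) plus a signature check.
# The flag rules below are this example's own assumptions about what a
# legitimate Drivers32 entry looks like.

function Get-Drivers32Triage {
    $keys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32',
        # 32-bit processes (such as 32-bit iexplore.exe on x64) read this copy.
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Drivers32'
    )
    $sys32 = Join-Path $env:SystemRoot 'System32'

    foreach ($key in $keys) {
        if (-not (Test-Path -Path $key)) { continue }
        $regKey = Get-Item -Path $key

        foreach ($name in $regKey.GetValueNames()) {
            $data = [string]$regKey.GetValue($name)
            if ([string]::IsNullOrEmpty($data)) { continue }
            $flags = @()

            # Legitimate entries are bare file names (wdmaud.drv, msacm32.drv, ...)
            # that Windows resolves from System32; an explicit path is already odd.
            if ($data -match '[\\:]') {
                $flags += 'explicit path instead of bare file name'
                $path = [Environment]::ExpandEnvironmentVariables($data)
            } else {
                $path = Join-Path $sys32 $data
            }

            # Drivers32 entries are user-mode DLLs (.drv/.dll/.acm). A .sys name
            # here is cosmetic, and it is exactly what the fake wdmaud.sys used.
            if ([IO.Path]::GetExtension($path) -ieq '.sys') {
                $flags += 'kernel-driver extension in a user-mode driver list'
            }

            $sizeKB = $null; $version = $null; $sigStatus = 'n/a'
            if (-not (Test-Path -LiteralPath $path)) {
                $flags += 'file not found'
            } else {
                $item    = Get-Item -LiteralPath $path
                $sizeKB  = [math]::Round($item.Length / 1KB, 1)
                $version = $item.VersionInfo.FileVersion
                if ([string]::IsNullOrWhiteSpace($version)) {
                    $flags += 'no version information'
                }
                # Heuristic: a real multimedia driver is Microsoft-signed.
                $sig       = Get-AuthenticodeSignature -FilePath $path
                $sigStatus = $sig.Status
                if ($sigStatus -ne 'Valid' -or $sig.SignerCertificate.Subject -notmatch 'Microsoft') {
                    $flags += "signature check: $sigStatus"
                }
            }

            [PSCustomObject]@{
                View    = if ($key -match 'WOW6432Node') { '32-bit' } else { 'native' }
                Value   = $name
                Data    = $data
                Path    = $path
                SizeKB  = $sizeKB
                Version = $version
                Signer  = $sigStatus
                Flags   = ($flags -join '; ')
            }
        }
    }
}

# Flagged entries first; anything with a non-empty Flags column deserves a look.
Get-Drivers32Triage | Sort-Object Flags -Descending | Format-Table -AutoSize -Wrap
```

Run it from an elevated prompt. Treat the signature column as a hint rather than a verdict: many Windows system files are catalog-signed rather than embedded-signed, and older PowerShell versions report those as NotSigned, so confirm a suspicious entry with sigverif or a hash lookup before deleting anything.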
