New Chinese bootkit opens the door to multiple infections
Posted on 06.04.2011
A new bootkit - a kernel-mode rootkit variant that infects the master boot record - has recently been spotted by Kaspersky Lab researchers, and it looks like it is currently targeting only Chinese users.

It is being distributed by a downloader Trojan, which is picked up by users when they try to download a video from a bogus Chinese adult site.

The bootkit saves the old master boot record (MBR) to the third sector and replaces it with its own. It also installs an encrypted driver and the rest of the code from the fourth sector onwards.

Once the computer boots, the malicious code executes itself and restores the original MBR in order for Windows to be loaded without revealing the existence of the bootkit.
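One way a forensic examiner could check a raw disk image for the MBR relocation described above, as an added example (not code from the article or from Kaspersky Lab). It assumes 512-byte sectors and reads "third sector" as LBA 2, but scans the whole pre-partition gap so the exact offset is not relied on; it therefore generalizes to any bootkit that parks the original MBR in that gap and stores an encrypted payload after it. The sample image it builds is constructed test data, not a real sample.

```python
import math

SECTOR = 512
PT_OFF, PT_LEN, SIG_OFF = 446, 64, 510   # partition table and 0x55AA boot-signature offsets

def sector(img: bytes, lba: int) -> bytes:
    return img[lba * SECTOR:(lba + 1) * SECTOR]

def entropy(data: bytes) -> float:
    """Shannon entropy in bits/byte: ~0 for a zero-filled gap, ~8 for encrypted data."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)

def find_relocated_mbr(img: bytes, gap_sectors: int = 63) -> list:
    """LBAs in the pre-partition gap holding what looks like the displaced original
    MBR: 0x55AA signature, same partition table as LBA 0, but different boot code.
    A clean disk (or an identical backup copy) returns []."""
    mbr = sector(img, 0)
    hits = []
    for lba in range(1, gap_sectors):
        sec = sector(img, lba)
        if (sec[SIG_OFF:SIG_OFF + 2] == b"\x55\xaa"
                and sec[PT_OFF:PT_OFF + PT_LEN] == mbr[PT_OFF:PT_OFF + PT_LEN]
                and sec[:PT_OFF] != mbr[:PT_OFF]):
            hits.append(lba)
    return hits

def trailing_entropy(img: bytes, start_lba: int, count: int = 8) -> float:
    """Entropy of the sectors after a relocated MBR; the article's bootkit keeps an
    encrypted driver there, so a high value corroborates the finding."""
    return entropy(img[start_lba * SECTOR:(start_lba + count) * SECTOR])

def build_sample_image(infected: bool) -> bytes:
    """Constructed 64-sector image laid out as the article describes: original MBR
    moved to the third sector (LBA 2), high-entropy payload from LBA 3 onwards,
    replacement MBR at LBA 0 keeping the same partition table so Windows still boots."""
    pt = bytes([0x80, 1, 1, 0, 0x07, 0xfe, 0xff, 0xff, 0x3f, 0, 0, 0, 0, 0, 0x10, 0]) + bytes(48)
    original = b"\xfa\x33\xc0\x8e\xd0".ljust(PT_OFF, b"\x00") + pt + b"\x55\xaa"  # placeholder boot code
    replacement = b"\xeb\xfe".ljust(PT_OFF, b"\x00") + pt + b"\x55\xaa"            # different boot code
    payload = bytes(range(256)) * 8   # deterministic stand-in for four encrypted sectors
    sectors = [original] + [bytes(SECTOR)] * 63
    if infected:
        sectors[0], sectors[2] = replacement, original
        sectors[3:7] = [payload[i:i + SECTOR] for i in range(0, len(payload), SECTOR)]
    return b"".join(sectors)
```

Running `find_relocated_mbr(build_sample_image(True))` reports LBA 2, and `trailing_entropy(img, 3, 4)` on the same image returns 8.0 against 0.0 for untouched gap sectors.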

"Once a specific part of the system has been booted, the bootkit intercepts the function ExVerifySuite. The installed hook replaces the system driver fips.sys with the malicious driver which was written to the start of the hard drive in an encrypted format," explains Kaspersky Lab expert Vyacheslav Zakorzhevsky. "It should be noted that the driver fips.sys is not required for the operating system to run correctly, so the system won't crash when it is replaced."

This driver detects a number of AV solutions and prevents them from working as they should. Among them are solutions from Trend Micro, BitDefender, AVG, Symantec, Kaspersky Lab, ESET and half a dozen Chinese ones.

Having done that, the driver compromises the explorer.exe process and injects into the machine a variant of the bootkit that is also a downloader. "The malicious program sends a request to the server in which it communicates information about the victim computer's operating system, IP address, MAC address, etc," says Zakorzhevsky.

Among other things, this variant of the rootkit proceeds to download a keylogger and a Trojan that steals account data for the online game LineAge2.