Friday, August 24, 2007

Windows system file patching by ecard rootkit

As we know, the (in)famous ecard worm drops a rootkit which hides the presence of its files. This rootkit comprises two files, spooldr.exe and spooldr.sys. The dropper, ecard.exe, patches genuine system files so that they load its driver.

One variant of the ecard worm patches the tcpip.sys file, adding code that loads spooldr.sys whenever tcpip.sys itself is loaded. Here's a screenshot which shows ecard.exe patching tcpip.sys:

Here's a screenshot showing a hex view of the patched tcpip.sys. A reference to the rootkit driver spooldr.sys can be seen in the patched region:

Instead of using the traditional approach to loading a driver (i.e. registering spooldr.sys as a driver and having Windows load it during startup), this rootkit makes a genuine Windows system file load it! However, the patched driver no longer carries a valid signature and can be detected with the sigverif tool; moreover, most AVs detect patched system drivers as malicious files.
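The two detection signals the paragraph relies on (the file no longer matches its known-good version, and it now references a driver name it should not) can be checked for a single file in a few lines. The Python below is an added example, not code from the original post: it compares a driver image against a known-good SHA-256 and lists every `*.sys` name embedded in the image, in both ASCII and UTF-16LE (the encoding Windows uses for kernel paths), so that a planted reference such as `spooldr.sys` stands out. The driver bytes are constructed stand-ins, not real tcpip.sys content, and the hash comparison only approximates what sigverif does with the Authenticode catalog signature.

```python
import hashlib
import re

# Driver file names as they appear inside a binary: either plain ASCII
# ("spooldr.sys") or UTF-16LE ("s\x00p\x00o\x00o\x00l\x00d\x00r\x00.\x00s\x00y\x00s\x00").
ASCII_SYS_RE = re.compile(rb"[A-Za-z0-9_\-]{1,64}\.sys", re.IGNORECASE)
UTF16_SYS_RE = re.compile(rb"(?:[A-Za-z0-9_\-]\x00){1,64}\.\x00[sS]\x00[yY]\x00[sS]\x00")


def find_driver_references(image: bytes):
    """Return sorted (offset, name) pairs for every *.sys file name embedded in image."""
    refs = []
    for m in ASCII_SYS_RE.finditer(image):
        refs.append((m.start(), m.group().decode("ascii").lower()))
    for m in UTF16_SYS_RE.finditer(image):
        refs.append((m.start(), m.group().decode("utf-16-le").lower()))
    return sorted(refs)


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def check_driver_image(image: bytes, known_good_sha256: str, expected_refs: set):
    """Flag an image whose hash differs from the known-good value or which references
    a driver name outside the allow-list of names the clean file is known to contain."""
    hash_matches = sha256(image) == known_good_sha256
    unexpected = [(off, name) for off, name in find_driver_references(image)
                  if name not in expected_refs]
    return {
        "hash_matches": hash_matches,
        "unexpected_references": unexpected,
        "suspicious": (not hash_matches) or bool(unexpected),
    }


# Constructed stand-in for a clean driver image (not real tcpip.sys bytes): a DOS/PE
# header fragment, some code filler and one legitimate self-reference stored as UTF-16LE.
CLEAN_IMAGE = (
    b"MZ" + b"\x00" * 62 + b"PE\x00\x00" + b"\x90" * 32
    + "\\SystemRoot\\System32\\drivers\\tcpip.sys".encode("utf-16-le") + b"\x00\x00"
    + b"\x90" * 32
)

# Constructed stand-in for the patched file: the same image with an appended patch region
# that carries a UTF-16LE path to the rootkit driver, as seen in the hex view of tcpip.sys.
PATCHED_IMAGE = (
    CLEAN_IMAGE
    + b"\xe8\x00\x00\x00\x00"  # filler standing in for the injected loader code
    + "\\??\\C:\\WINDOWS\\system32\\spooldr.sys".encode("utf-16-le") + b"\x00\x00"
)

# In practice the baseline comes from a clean reference copy or the vendor catalog;
# here it is derived from the constructed clean image.
KNOWN_GOOD_SHA256 = sha256(CLEAN_IMAGE)
EXPECTED_REFS = {"tcpip.sys"}

if __name__ == "__main__":
    for label, image in (("clean", CLEAN_IMAGE), ("patched", PATCHED_IMAGE)):
        result = check_driver_image(image, KNOWN_GOOD_SHA256, EXPECTED_REFS)
        print(label, "suspicious" if result["suspicious"] else "ok",
              result["unexpected_references"])
```

On a live system the same check would be run over the files in `System32\drivers` with baselines taken from a known-clean installation; the string scan is what makes the rootkit driver name visible even when the hash mismatch alone says nothing about what was changed.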
