And here it comes again. You thought that turning the “auto-run” feature for removable drives off is sufficient and that no “Worm/Autorun” can harm you again. And I bet you are pretty sure about it. I’m sorry, you are wrong.
A few days ago, a very strange sample appeared here in our lab. In fact, it was so interesting that it deserved these lines. At the moment, both samples – two drivers which use rootkit technology to hide themselves – are detected by AVG. These are quite “standard” rootkits, except that one of them is signed with a valid certificate of Realtek Semiconductor Corp. In fact, the certificate is not valid right now, but it _was_, and that’s a bit scary, as this could confuse a lot of antivirus products. A valid certificate is still a kind of “quality mark”.
But while this is very unusual, the biggest surprise is the method of distribution. This malware uses a completely new technique and, unfortunately, a still open vulnerability in MS Windows in which the main role is played by the “.lnk” file – yes, the well-known Windows Shortcut File. In this particular case, the following files are placed on the infected USB Flash Drive:
Do you have Total Commander, or Windows Explorer? Or any other file manager which supports icons? You’ve got a problem – of course, only in case you plug in the infected flash drive and open it with one of those file managers. The process of infection starts immediately; two files are dropped onto your computer:
%system%\Drivers\mrxcls.sys
%system%\Drivers\mrxnet.sys
Two services are created to start them:
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MRxCls]
"Description"="MRXCLS"
"DisplayName"="MRXCLS"
"Group"="Network"
"ImagePath"="\\??\\C:\\WINDOWS\\system32\\Drivers\\mrxcls.sys"
"Start"=dword:00000001
"Type"=dword:00000001
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MRxNet]
"Description"="MRXNET"
"DisplayName"="MRXNET"
"Group"="Network"
"ImagePath"="\\??\\C:\\WINDOWS\\system32\\Drivers\\mrxnet.sys"
"Start"=dword:00000001
"Type"=dword:00000001
Finally, all the malware files (.lnk and .tmp) are hidden, so the victim probably won’t even notice there are some other files on the flash drive.
After this, common rootkit behavior follows, including “process injection”, “API hooking”, etc.
The driver injects the malware code into the following processes:
lsass.exe
svchost.exe
services.exe
Maybe this is the only threat that uses this vulnerability, but we can probably expect many others – until the vulnerability is closed. Microsoft knows about it and, hopefully, they’ll do something about it soon. Until that time, you should, once again, care about your Flash Drives and the source they came from (remember the good old times with all the infected floppy discs?). And, of course, you should stay protected.
Thanks to Peter Gramantik and Arek Kupka