Malware targets Windows File Protection
Friday September 8, 2006 at 5:30 am CST
Posted by Vinoo Thomas
Malware authors are continuously innovating with new techniques to render a Windows box defenseless. Given the massive install base of Microsoft Windows, exploiting a new vulnerability or subverting a built-in security feature of Windows is stunningly effective and proves very productive for cyber criminals.
Early trojans, upon infecting a system, modified the Windows registry to block the launching of programs like the Registry Editor, Task Manager and command prompt. This prevented knowledgeable users from manually killing the trojan and removing its associated registry entries.
Windows Update was the next target: the HOSTS file was often modified so that an infected machine could not reach the Microsoft site to get the latest Windows updates. Without the latest security updates the machine becomes a sitting duck on the Internet for worms and other malware.
System Restore was introduced with Windows Millennium as a feature that lets users return a computer to a previous state without losing data. It automatically creates easily identifiable restore points that allow users to roll the system back to an earlier time in case of a system crash or virus infection. Most virus families today turn off System Restore, and all restore points are deleted once the machine is restarted. So much for restoring a computer to a previous state!
The built-in firewall shipped with Windows XP onwards is a nice feature for shielding the machine on the Internet. Virus authors were quick to come up with a solution: either disable the firewall service on infection, or add an exception to the firewall rules that grants the malware network access. The more popular technique nowadays is for malware to inject itself into trusted processes like Internet Explorer, thus bypassing desktop firewall restrictions.
And the latest target in defeating built-in Windows security features is the Windows File Protection feature. Windows File Protection protects core system files from being overwritten by third-party application installations. If a system file is overwritten, Windows File Protection restores the correct version automatically. Malware now often patches SFC.DLL and SFC_OS.DLL, the components responsible for checking system file integrity, in order to disable file protection. Once SFC.DLL and SFC_OS.DLL are patched, core system files can be replaced without any alert, creating a hospitable environment for worms and other malware.
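The five tampering targets described above (registry restrictions, the HOSTS file, System Restore, the firewall and the Windows File Protection DLLs) all leave state on the machine that an administrator can inspect. The following read-only audit script is an added example, not code from the original post or from McAfee: it reports each of those indicators in one pass. The registry and service names are the documented XP-era locations (Vista-and-later equivalents are noted in comments); the list of update hostnames is illustrative rather than exhaustive.

```powershell
# Added example, not part of the original post: a read-only audit of the Windows
# features the post lists as malware targets. Run from an elevated PowerShell.
# Registry/service names are the documented XP-era locations; the hostname list
# is illustrative. The script reports, it does not change anything.

$findings = New-Object System.Collections.Generic.List[string]

# 1. Registry policies used to hide the Registry Editor, Task Manager and cmd.exe.
$policyChecks = @(
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'; Name = 'DisableRegistryTools' },
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'; Name = 'DisableTaskMgr' },
    @{ Path = 'HKCU:\Software\Policies\Microsoft\Windows\System';               Name = 'DisableCMD' }
)
foreach ($c in $policyChecks) {
    $v = (Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue).($c.Name)
    if ($v) { $findings.Add("Policy $($c.Name)=$v under $($c.Path)") }
}

# 2. HOSTS entries for Microsoft update hostnames. A clean HOSTS file contains none,
#    so any match deserves a look regardless of the address it points to.
$hostsPath   = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
$updateHosts = @('windowsupdate.microsoft.com', 'update.microsoft.com',
                 'download.windowsupdate.com', 'windowsupdate.com')
if (Test-Path $hostsPath) {
    foreach ($line in Get-Content $hostsPath) {
        $entry = ($line -split '#', 2)[0].Trim()        # drop trailing comments
        if (-not $entry) { continue }
        $fields = $entry -split '\s+'                   # address, then one or more names
        if ($fields.Count -lt 2) { continue }
        foreach ($name in $fields[1..($fields.Count - 1)]) {
            foreach ($u in $updateHosts) {
                if ($name -eq $u -or $name -like "*.$u") {
                    $findings.Add("HOSTS maps $name to $($fields[0])")
                    break
                }
            }
        }
    }
}

# 3. System Restore: the XP service (srservice) and the DisableSR policy value.
$sr = Get-Service -Name srservice -ErrorAction SilentlyContinue
if ($sr -and $sr.Status -ne 'Running') { $findings.Add("System Restore service is $($sr.Status)") }
$srPol = Get-ItemProperty 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore' -ErrorAction SilentlyContinue
if ($srPol.DisableSR) { $findings.Add('DisableSR policy is set') }

# 4. Windows Firewall: service state (MpsSvc on Vista+, SharedAccess on XP) and the
#    XP SP2 authorized-applications list. Vista+ stores rules under
#    ...\FirewallPolicy\FirewallRules instead, so the list below is simply empty there.
$fw = Get-Service -Name MpsSvc -ErrorAction SilentlyContinue
if (-not $fw) { $fw = Get-Service -Name SharedAccess -ErrorAction SilentlyContinue }
if ($fw -and $fw.Status -ne 'Running') { $findings.Add("Firewall service $($fw.Name) is $($fw.Status)") }
$fwKey  = 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List'
$fwItem = Get-Item $fwKey -ErrorAction SilentlyContinue
if ($fwItem) {
    foreach ($n in $fwItem.GetValueNames()) {
        $findings.Add("Firewall exception: $($fwItem.GetValue($n))")
    }
}

# 5. Windows File Protection: the two DLLs the post names. Check their signature and,
#    on XP/2003, compare the live copy against the one WFP itself keeps in dllcache.
foreach ($dll in 'sfc.dll', 'sfc_os.dll') {
    $live  = Join-Path $env:SystemRoot "System32\$dll"
    $cache = Join-Path $env:SystemRoot "System32\dllcache\$dll"
    if (-not (Test-Path $live)) { continue }
    $sig = Get-AuthenticodeSignature -FilePath $live
    if ($sig.Status -ne 'Valid') { $findings.Add("$dll signature status: $($sig.Status)") }
    if (Test-Path $cache) {
        $h1 = (Get-FileHash $live  -Algorithm SHA256).Hash
        $h2 = (Get-FileHash $cache -Algorithm SHA256).Hash
        if ($h1 -ne $h2) { $findings.Add("$dll differs from its dllcache copy") }
    }
}

if ($findings.Count -eq 0) { 'No findings.' } else { $findings }
```

Two caveats when reading the output. On older Windows and PowerShell versions, Get-AuthenticodeSignature reports catalog-signed OS binaries as NotSigned, so a NotSigned status on its own is not evidence of tampering; the hash comparison against dllcache, or against a known-good copy from installation media, is the stronger check. And once SFC.DLL or SFC_OS.DLL is suspected of being patched, the machine's own `sfc /scannow` is no longer a trustworthy verdict, because it relies on exactly those components.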
In the past two weeks, McAfee Avert Labs has already seen PWS-Satiloler and W32/Sdbot.worm families that modify SFC.DLL and SFC_OS.DLL to disable Windows File Protection. This functionality will most likely be incorporated into more malware families in the coming weeks, and we're bound to see a rise in such cases.
