Today, at McAfee Avert Labs we came across an interesting piece of malware, W32/Crimea, that uses an undocumented feature of Windows File Protection.
Windows File Protection (WFP) is a feature of the Windows operating system that prevents other programs from modifying, replacing or deleting critical system files. SFC.dll and SFC_OS.dll contain the functions used to monitor those system files. Earlier malware used to patch these DLLs or modify the registry to disable the feature. We had earlier blogged about some of the techniques used by malware targeting Windows files.
Patching SFC.dll and SFC_OS.dll rendered some of the system's defenses useless, but anti-virus companies found a way to identify these patched DLLs and provided remedies to clean the user's computer. Now malware authors have found an alternate method, using undocumented functions exported by SFC_OS.dll itself.
Those who took an interest explored it, and voilà, they hit the jackpot! The functions worth mentioning here are:
1. Ordinal 2: SfcTerminateWatcherThread
2. Ordinal 5: SetSfcFileException
The Ordinal 2 function terminates the System File watcher thread, as the name implies, leaving the system open to any directory or file modification by malware until the next reboot. This method requires the malware to inject code into winlogon.exe in order to call the function, since sfc_os.dll is loaded by the winlogon process to provide this protection.
The Ordinal 5 function normally disables WFP for a particular file for one minute. That is all the time the malware needs to do its work! Protection then resumes, but the system is already infected. Even though these techniques have been public for more than a year, we are still seeing them used by malware today. The second method is the one W32/Crimea uses to infect the system file imm32.dll.
One might start wondering why in the world Microsoft would provide APIs in Windows that leave the operating system open to so much malware. One reason could be to update system files and install patches. But it also gives malware an easy way to infect the system.
Ironically, it seems, Microsoft is providing a way to disable its own protection using its own APIs. So, is this API a feature? Or is it a flaw?
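A defender-side check for the static form of this technique, added here as example code (not from the post or from McAfee): it walks a 32-bit PE import table and flags imports of sfc_os.dll ordinals 2 and 5, the two functions named above. The sample image bytes are constructed for the demonstration; the parser assumes a flat, memory-dump-style layout (RVA == offset, so no section-table translation) and catches only static imports, not runtime GetProcAddress-by-ordinal lookups.

```python
import struct

# Ordinals named in the post: 2 = SfcTerminateWatcherThread, 5 = SetSfcFileException.
SFC_WATCH_ORDINALS = {2: "SfcTerminateWatcherThread", 5: "SetSfcFileException"}

def read_cstring(image, offset):
    end = image.index(b"\x00", offset)
    return image[offset:end].decode("ascii", errors="replace")

def parse_imports(image, import_dir_rva):
    """Walk a 32-bit PE import directory. Assumes a flat image (RVA == offset,
    as in a memory dump), so no section-table translation is done."""
    found = []  # (dll_name, ordinal_or_None, func_name_or_None)
    desc = import_dir_rva
    while True:
        oft, _ts, _fwd, name_rva, ft = struct.unpack_from("<5I", image, desc)
        if oft == 0 and name_rva == 0 and ft == 0:
            break  # all-zero IMAGE_IMPORT_DESCRIPTOR terminates the array
        dll = read_cstring(image, name_rva).lower()
        thunk = oft or ft  # prefer the INT; fall back to the IAT if OFT is 0
        while True:
            (entry,) = struct.unpack_from("<I", image, thunk)
            if entry == 0:
                break
            if entry & 0x80000000:  # IMAGE_ORDINAL_FLAG32: import by ordinal
                found.append((dll, entry & 0xFFFF, None))
            else:  # RVA of IMAGE_IMPORT_BY_NAME: 2-byte hint, then the name
                found.append((dll, None, read_cstring(image, entry + 2)))
            thunk += 4
        desc += 20
    return found

def flag_sfc_ordinals(imports):
    """Return the sfc_os.dll ordinal imports matching the two WFP-disabling functions."""
    return [(dll, ordn, SFC_WATCH_ORDINALS[ordn]) for dll, ordn, _ in imports
            if dll == "sfc_os.dll" and ordn in SFC_WATCH_ORDINALS]

def build_sample_image():
    """Constructed flat image (not a real binary): kernel32.dll!LoadLibraryA by
    name plus sfc_os.dll ordinals 2 and 5, import directory at RVA 0x100."""
    img = bytearray(0x400)
    img[0x200:0x20D] = b"kernel32.dll\x00"
    img[0x210:0x21B] = b"sfc_os.dll\x00"
    img[0x220:0x22F] = b"\x00\x00LoadLibraryA\x00"                  # hint + name
    struct.pack_into("<2I", img, 0x300, 0x220, 0)                     # kernel32 thunks
    struct.pack_into("<3I", img, 0x310, 0x80000002, 0x80000005, 0)    # sfc_os thunks
    struct.pack_into("<5I", img, 0x100, 0x300, 0, 0, 0x200, 0x300)    # descriptor 0
    struct.pack_into("<5I", img, 0x114, 0x310, 0, 0, 0x210, 0x310)    # descriptor 1
    return bytes(img)

SAMPLE_IMAGE, IMPORT_DIR_RVA = build_sample_image(), 0x100
```

Running `flag_sfc_ordinals(parse_imports(SAMPLE_IMAGE, IMPORT_DIR_RVA))` on the constructed image reports both watched ordinals; on a real file the same walk needs an RVA-to-file-offset step over the section table first.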

July 5th, 2007 at 7:19 pm
WFP was always an idiotic idea. It goes back to the days when viruses would overwrite system files in Windows 95, so years later Microsoft finally developed a scheme to combat this, just as it was becoming a moot point, by basically storing a backup copy of every .dll and watching for changes. Duh. It would have been more secure to have a hard-coded list of filenames in the NTFS driver which simply refused any write requests to those files. (This would have broken some legacy installers, but - you know what? Bad luck!)
It makes me shiver every time Microsoft attempts a “defence in depth” mechanism or when they try to make things “more secure” because (a) they always arrive years too late and require purchasing the next bloatware O/S and (b) they’re always incredibly hacky and inefficient. No wonder Vista needs dual-core CPUs and 2Gb RAM.
The secret to security is to have less code, not more and more and more layers of rubbish. (Yes I’m looking at you Symantec)
July 6th, 2007 at 6:45 am
“The secret to security is to have less code, not more and more and more layers of rubbish.”
I also agree with the above statement… allow me to add that code should also be re-checked/validated for possible flaws, again and again, at regular time intervals… Re-using in XP systems crappy .wmf code dated since… 1991 was certainly not the smartest idea… But then again, regarding Windows, oh well… we’re talking about the only OS out there that even in 2007 still uses NetBIOS as its main networking protocol… which was actually developed back in… 1983 (!), or so… Makes me wonder, hasn’t Microsoft ever heard at least of ssh… but then again, maybe it’s better this way… if a Microsoft ssh implementation ever existed, it would require the whole .NET Framework 3 to run, he-he…
Keep up the good work, McAfee guys…
July 6th, 2007 at 11:06 am
With a single command, the whole Linux kernel is replaced with another one containing malware.