Are Internet cafes and bars in danger?
Friday July 11, 2008 at 7:36 am CST
Posted by Xing Su
Recently, a piece of malware named MachineDog has attracted attention within the Chinese security community. The malware itself appears to be a small, well-designed rootkit, and is quite different from other malware. Its special characteristic is that it is designed to penetrate both the hard disk protection (restore) software and the security software installed in most internet bars and cafes. This means it can infect most machines in many internet bars and cafes, in some cases with very little resistance.
The malware is composed of a user-mode application part and a kernel driver part. The application part does limited work: it extracts the driver, installs it as a service, and then communicates with the driver through I/O control codes. Earlier versions of the application part did the infection work themselves, sending IRPs to the lower disk driver device (\Device\Harddisk\DR0) to locate userinit.exe and write to it on the hard disk directly. In later versions the infection logic was improved and moved into the driver itself, leaving the application part tiny and simple.
The driver does the most important work: the infection that earlier versions implemented in the application part. Its infection method is unusual and interesting, and lets it bypass many hard disk protection products and some security software. First it reads the atapi.sys driver file from the hard disk and searches the driver's body for the dispatch routine addresses, so that it can bypass any dispatch routine that has been inline-hooked in memory. Why atapi.sys? Because the device created by atapi.sys is the lowest device in every storage device stack the IRP passes through; it is where the IRP ends. Sending IRPs straight to this device avoids all the filter devices and inline hooks in any upper device that security or protection software installs. The malware then sends IRPs to the partition device dispatch routines in the atapi driver to read and write sectors on the hard disk directly. It first reads data to locate the sectors where userinit.exe resides, so it knows where to infect. It then writes the injected code to those sectors the same way, modifying userinit.exe at that point. Finally, it keeps removing any inline hooks on the atapi device's dispatch routines, if they have been hooked, until it receives the close command from the application part.
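The step that makes this work, comparing a dispatch routine as it sits in memory against the clean copy in the driver file on disk, is the same check an anti-rootkit tool runs in the other direction. The program below is an added illustration written for this post; it is not MachineDog's code and not McAfee's. It works on a few bytes of a routine's prologue: it reports whether the in-memory bytes differ from the on-disk bytes, decodes the two most common 32-bit x86 trampolines (jmp rel32, and push imm32 / ret) to recover where the hook goes, and puts the clean bytes back. The byte arrays, the routine address 0xF83B1234 and the hook target 0xF9A00000 are constructed for the example. A real implementation would first map the on-disk image by section and apply relocations, since atapi.sys is rarely loaded at its preferred base, and would also check the DriverObject's MajorFunction table, which a hook can replace outright instead of patching code.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Report for one dispatch routine: does its in-memory prologue match the
 * clean copy taken from the driver image on disk, and if not, where does
 * the patch send execution? */
typedef struct {
    int      hooked;       /* 1 if any byte differs from the clean copy */
    size_t   first_diff;   /* offset of the first differing byte */
    uint32_t hook_target;  /* decoded jump target, or 0 if the patch is not a recognised trampoline */
} hook_report;

static uint32_t read_le32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Compare the first n bytes of a routine as found in memory (mem) with the
 * same bytes taken from the driver file on disk (disk).  routine_va is the
 * virtual address the routine is loaded at; it is needed to resolve a
 * relative jmp.  Two 32-bit x86 trampolines are decoded:
 *   E9 rel32          jmp rel32
 *   68 imm32 C3       push imm32 ; ret
 * Any other difference is still reported as a hook, just without a target. */
hook_report detect_inline_hook(const uint8_t *mem, const uint8_t *disk,
                               size_t n, uint32_t routine_va)
{
    hook_report r = {0, 0, 0};
    size_t i;
    for (i = 0; i < n; i++) {
        if (mem[i] != disk[i]) {
            r.hooked = 1;
            r.first_diff = i;
            break;
        }
    }
    if (!r.hooked)
        return r;

    if (n >= 5 && mem[0] == 0xE9) {
        /* target = address of the next instruction + signed displacement */
        int32_t rel = (int32_t)read_le32(mem + 1);
        r.hook_target = routine_va + 5 + (uint32_t)rel;
    } else if (n >= 6 && mem[0] == 0x68 && mem[5] == 0xC3) {
        r.hook_target = read_le32(mem + 1);
    }
    return r;
}

/* Put the clean bytes back.  Returns how many bytes were changed.  This is
 * the unhooking step: the rootkit applies it to the security product's
 * hooks, an anti-rootkit tool applies it to the rootkit's. */
size_t restore_prologue(uint8_t *mem, const uint8_t *disk, size_t n)
{
    size_t changed = 0, i;
    for (i = 0; i < n; i++) {
        if (mem[i] != disk[i]) {
            mem[i] = disk[i];
            changed++;
        }
    }
    return changed;
}

/* Constructed sample data (not taken from a real atapi.sys):
 * a typical MSVC prologue  mov edi,edi ; push ebp ; mov ebp,esp ; sub esp,10h
 * and two patched copies of it. */
#define PROLOGUE_LEN 8
#define ROUTINE_VA   0xF83B1234u   /* hypothetical load address of the routine */
static const uint8_t kClean[PROLOGUE_LEN]   = {0x8B,0xFF,0x55,0x8B,0xEC,0x83,0xEC,0x10};
/* jmp to 0xF9A00000: rel32 = 0xF9A00000 - (ROUTINE_VA + 5) = 0x0164EDC7 */
static const uint8_t kJmpHook[PROLOGUE_LEN] = {0xE9,0xC7,0xED,0x64,0x01,0x83,0xEC,0x10};
/* push 0xF9A00000 ; ret */
static const uint8_t kPushRet[PROLOGUE_LEN] = {0x68,0x00,0x00,0xA0,0xF9,0xC3,0xEC,0x10};

int main(void)
{
    uint8_t live[PROLOGUE_LEN];
    hook_report r = detect_inline_hook(kJmpHook, kClean, PROLOGUE_LEN, ROUTINE_VA);
    printf("jmp hook: hooked=%d first_diff=%zu target=0x%08X\n",
           r.hooked, r.first_diff, r.hook_target);
    r = detect_inline_hook(kPushRet, kClean, PROLOGUE_LEN, ROUTINE_VA);
    printf("push/ret hook: hooked=%d target=0x%08X\n", r.hooked, r.hook_target);

    memcpy(live, kJmpHook, PROLOGUE_LEN);
    printf("restored %zu bytes, clean now: %d\n",
           restore_prologue(live, kClean, PROLOGUE_LEN),
           memcmp(live, kClean, PROLOGUE_LEN) == 0);
    return 0;
}
```

Note the asymmetry the post describes: a security product that only inline-hooks the upper devices never sees a write that bypasses them, while a check like this one, run against atapi.sys itself, would catch the rootkit restoring the clean prologue and then sending its own IRPs.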
Most internet bars and cafes rely excessively on hard disk protection software, and mistakenly believe this type of software can replace security software. Once their machines are infected, the administrator simply restores from the snapshot kept by the protection software. This malware takes advantage of exactly that neglect: because it writes to the disk beneath the protection software's filter devices, the modification is invisible to that software. The attack is so dangerous that once the driver is successfully loaded into the kernel, most hard disk protection software is nothing but an empty shell, and the administrator has no idea.
McAfee customers are protected from the threat by DAT 5337.
Reference:
http://article.pchome.net/content-515951.html
http://tech.ccidnet.com/art/1099/20080709/1501723_1.html
http://www.xj.xinhuanet.com/2008-06/20/content_13599327.htm

July 11th, 2008 at 07:54
Lots of MachineDog variants.
Already submitted it to Avert Labs!
July 13th, 2008 at 02:11
[...] just read a blog post at McAfee Avert Labs Blog about a special type of malware that can infect computers in Internet cafes and I started thinking [...]