Forging memory, a new development in Malware Rootkits

Apart from Rootkits modifying and hiding; files, registries, processes.. from detection software, some often typically modify memory. Anti-rootkit tools inspect memory areas in attempts to identify modifications and flag.

A particular rootkit also modifies a memory location to prevent actual disk access by detection software. This technique is not new, however it is the first found in the Wild and being adopted by Malware authors.

“.. a new rootkit appeared that at first glance seemed more similar to initial variants of TDL3 than to the updated TDL4 variants we have seen this year. Like TDL3, it also parasitically infected a driver by inserting code in the resource directory of the PE file. In this case the name of the file it infected was hard-coded to volsnap.sys. Also similar to the early variants of TDL3, this rootkit also hooked some pointers in the dispatch table (IRP hook) of the driver below disk on the device stack of the hard disk.

But it was very interesting to see some of the anti-rootkit tools not showing the dispatch table hooks that are usually pretty straightforward to identify. Also this malware would not allow an external debugger (WinDbg) to break.

The reason for hooks not being reported was that the memory being read by the tools was not the actual memory ..”

“Memory Forging Attempt by a Rootkit”
Rachit Mathur, McAfee Blog Center, 21 April 2011
http://blogs.mcafee.com/mcafee-labs/memory-forging-attempt-by-a-rootkit – last access 8 June 2011 – ( Full Article )

/cobramark3

June 8, 2011 | Categories: Analysis, Malware, Rootkits | Tags: Computer Forensics, Digital Forensics, Dispatch Table Hook, DKOM, DRX Register Settings, Google Redirect Virus, Hardware Breakpoints, IRP hook, Malware, Rachit Mathur, Rootkit, TDL3, TDL4 | Comments Off on Forging memory, a new development in Malware Rootkits