IPL is now in news for different reasons. On the other side we see Initial Program Loader (IPL) – which is responsible for loading of Operating system is targeted by Trojan.Cidox.
Although bootkit technology isn’t new, it plays an important role nowadays in attack scenarios against the Microsoft Windows platform. More number of threats are relying on bootkit components to bypass OS Security mechanisms and load kernel-mode driver into the system by stealth.
Few years back infection of Master Boot Record (MBR) or Volume Boot Record (VBR) was in fashion. Malwares are modifying not only the MBR or VBR however they are also infecting the code of NTFS loader. We have recently received reports from customers about new malware, Trojan.Cidox. It infects the Initial Program Loader(IPL) code of the boot partition on the hard drive.
Trojan.Cidox has two driver rootkits – one targeting 32-bit platform, the other for 64-bit platform. Both the drivers are compressed using Aplib compression.
It makes the following modifications to the beginning of the hard drive:
- It saves the relevant driver to the unpartitioned space of the hard drive so as it is not part of Windows file system and hence not detected by Security products.
- It chooses the section marked as the active boot partition in the MBR partition table for infection. It is important to note that it only infects partitions with the NTFS file system.
- Then it writes malicious code over IPL and keeps the clean code after malicious code in compressed format using Aplib compression.
When the Trojan is executed, it creates the following files:
- %CurrentFolder%[RANDOM NUMERIC CHARACTERS].bat
- %Temp%[RANDOM ALPHANUMERIC CHARACTERS].tmp
So when next time the system is booted the malicious code in the loader area gets the control before the Operating System. It hooks BIOS interrupts responsible for disk I/O. Trojan.Cidox uses these hooks to bypass Windows Kernel Security features to load the malicious driver into the operating system. The loaded driver uses PsSetCreateProcessNotifyRoutine to control the launch of the following processes:
- svchost.exe
- iexplore.exe
- firefox.exe
- opera.exe
- chrome.exe
When any of the above processes is launched, Trojan.Cidox injects its component into address space of this process. This helps to run its code running in context of clean process. At times user could see that browser window is redirected to malicious web-sites.
Quickheal detects this variant as Trojan.Cidox and its bootkit component as Bootkit.Cidox.B.
Research and writeup is done by Preksha Saxena.