Saturday, May 22, 2010

Mebroot Variant Behaves Like TDSS - News

The TDSS malware family in itself is already a big threat to users. Known for its rootkit capabilities, TDSS constantly evolves to include more sophisticated means in order to hide its presence in an affected system. The Mebroot malware family, on the other hand, is noted for inflicting master boot record (MBR) infections.

TrendLabs engineers recently came across a Mebroot sample, detected as TROJ_MEBROOT.SMC, that installs itself in the following new but familiar way:

1. The main executable drops a file in the %User Temp% directory.
2. It executes regsvr32 /s on the dropped file, scheduling the call through the timeSetEvent multimedia timer function.
3. It copies the file into the Print Processor directory as %System%\spool\PRTPROCS\W32X86\{random number}.tmp.
4. It calls the AddPrintProcessorA API, which makes the print spooler service (SPOOLSV.EXE) load the file as a print processor DLL, so the code runs inside the spooler's process.
5. It unloads the file with DeletePrintProcessorA and then deletes it from disk.
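The install chain above leaves a distinctive trace: a non-DLL file written under the PRTPROCS directory, the same path loaded by spoolsv.exe moments later, and a forced immediate reboot. The following is an added detection example, not code from the original article or from Trend Micro; the events are constructed here in a Sysmon-like shape (FileCreate = 11, ImageLoad = 7, ProcessCreate = 1) and the file and process names are hypothetical.

```python
"""Correlate print-processor loading with a forced reboot (Mebroot/TDSS-style).

Added example; the events below are constructed and the paths are hypothetical.
Field names follow Sysmon's FileCreate (11), ImageLoad (7) and ProcessCreate (1).
"""
import re

# Anything written to or loaded from the spooler's print processor directory.
PRTPROCS_RE = re.compile(r"\\spool\\PRTPROCS\\[^\\]+\\([^\\]+)$", re.IGNORECASE)
# "shutdown -r -f -t 0" in any switch order: reboot, force, zero delay.
FORCED_REBOOT_RE = re.compile(
    r"shutdown(?:\.exe)?\s+(?=.*-r\b)(?=.*-f\b)(?=.*-t\s*0\b)", re.IGNORECASE)

# Constructed sample telemetry (not real logs). Benign events are mixed in.
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Windows\System32\regsvr32.exe",
     "CommandLine": r'regsvr32 /s "C:\Users\victim\AppData\Local\Temp\abc.tmp"',
     "ParentImage": r"C:\Users\victim\AppData\Local\Temp\setup.exe"},
    {"EventID": 11, "Image": r"C:\Users\victim\AppData\Local\Temp\setup.exe",
     "TargetFilename": r"C:\Windows\System32\spool\PRTPROCS\W32X86\184751.tmp"},
    {"EventID": 7, "Image": r"C:\Windows\System32\spoolsv.exe",
     "ImageLoaded": r"C:\Windows\System32\spool\PRTPROCS\W32X86\184751.tmp"},
    {"EventID": 7, "Image": r"C:\Windows\System32\spoolsv.exe",
     "ImageLoaded": r"C:\Windows\System32\spool\PRTPROCS\W32X86\winprint.dll"},
    {"EventID": 11, "Image": r"C:\Windows\explorer.exe",
     "TargetFilename": r"C:\Users\victim\AppData\Local\Temp\~DF1234.tmp"},
    {"EventID": 1, "Image": r"C:\Windows\System32\shutdown.exe",
     "CommandLine": "shutdown -r -f -t 0",
     "ParentImage": r"C:\Users\victim\AppData\Local\Temp\setup.exe"},
    {"EventID": 1, "Image": r"C:\Windows\System32\shutdown.exe",
     "CommandLine": "shutdown /s /t 60", "ParentImage": r"C:\Windows\System32\cmd.exe"},
]


def _prtprocs_name(path):
    """Return the file name if path lies in a PRTPROCS\\<arch>\\ directory."""
    m = PRTPROCS_RE.search(path)
    return m.group(1) if m else None


def _odd_print_processor(name):
    """Real print processors are DLLs; the sample drops {random number}.tmp."""
    stem, _, ext = name.rpartition(".")
    return ext.lower() != "dll" or stem.isdigit()


def analyze(events):
    """Return (finding, subject, actor) tuples for the events given."""
    dropped, loaded, reboots = {}, {}, []
    for ev in events:
        eid = ev.get("EventID")
        if eid == 11:
            name = _prtprocs_name(ev["TargetFilename"])
            if name and _odd_print_processor(name):
                dropped[ev["TargetFilename"].lower()] = ev["Image"]
        elif eid == 7:
            name = _prtprocs_name(ev["ImageLoaded"])
            if (name and _odd_print_processor(name)
                    and ev["Image"].lower().endswith("\\spoolsv.exe")):
                loaded[ev["ImageLoaded"].lower()] = ev["Image"]
        elif eid == 1:
            if FORCED_REBOOT_RE.search(ev.get("CommandLine", "")):
                reboots.append((ev.get("ParentImage", "?"), ev["CommandLine"]))

    findings = []
    for path, creator in dropped.items():
        # Drop plus load by the spooler is the full AddPrintProcessor chain.
        kind = "print_processor_chain" if path in loaded else "suspicious_prtprocs_file"
        findings.append((kind, path, creator))
    for path, loader in loaded.items():
        if path not in dropped:
            findings.append(("spoolsv_loaded_odd_module", path, loader))
    for parent, cmd in reboots:
        findings.append(("forced_reboot", cmd, parent))
    return findings


if __name__ == "__main__":
    for finding in analyze(SAMPLE_EVENTS):
        print(finding)
```

The correlation key is the lower-cased file path, since the same path appears in the FileCreate and ImageLoad events; the legitimate winprint.dll load and the scheduled `shutdown /s` do not fire.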

The routine is indeed familiar, since this is how TDSS installs other components onto users' systems. The final payload modifies the MBR, writing thousands of bytes of code along with the malware's image file, and then restarts the affected system by executing the command shutdown -r -f -t 0.

By modifying the MBR, the malware automatically executes once the affected system is restarted. Its image file then sets off its other routines such as connecting and sending information to a randomly generated URL even if the user is not logged in to Windows.
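Because the payload lives in the MBR rather than in a file, the practical check is to read the first sector, parse it, and compare the bootstrap code against a known-good baseline. The following is an added example, not code from the original article; the two 512-byte sectors it analyzes are constructed in the block (the "clean" and "infected" boot code are synthetic byte patterns, not real Mebroot code), and the `read_physical_mbr` helper is an untested convenience for reading the real sector on Windows, which requires administrator rights.

```python
"""Parse a 512-byte MBR and flag bootstrap changes or an invalid partition table.

Added example with constructed sample sectors; not the article's own code.
"""
import hashlib
import struct

MBR_SIZE = 512
BOOTSTRAP_LEN = 440      # x86 boot code precedes the 4-byte disk signature
PART_TABLE_OFF = 446
PART_ENTRY_LEN = 16
BOOT_SIG = b"\x55\xaa"


def parse_mbr(mbr):
    """Split an MBR into bootstrap hash, disk signature and partition entries."""
    if len(mbr) != MBR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    parts = []
    for i in range(4):
        off = PART_TABLE_OFF + i * PART_ENTRY_LEN
        boot, _chs0, ptype, _chs1, lba, size = struct.unpack_from("<B3sB3sII", mbr, off)
        parts.append({"boot": boot, "type": ptype, "lba": lba, "size": size})
    return {
        "bootstrap_sha256": hashlib.sha256(mbr[:BOOTSTRAP_LEN]).hexdigest(),
        "disk_signature": struct.unpack_from("<I", mbr, BOOTSTRAP_LEN)[0],
        "partitions": parts,
        "valid_signature": mbr[510:512] == BOOT_SIG,
    }


def check_mbr(mbr, baseline_bootstrap_sha256):
    """Return a list of human-readable issues; an empty list means clean."""
    info = parse_mbr(mbr)
    issues = []
    if not info["valid_signature"]:
        issues.append("missing 0x55AA boot signature")
    if info["bootstrap_sha256"] != baseline_bootstrap_sha256:
        # Any bootkit that hooks the boot path must change these 440 bytes.
        issues.append("bootstrap code differs from baseline")
    for i, p in enumerate(info["partitions"]):
        if p["boot"] not in (0x00, 0x80):
            issues.append(f"partition {i}: invalid boot indicator {p['boot']:#x}")
        if p["type"] == 0 and (p["lba"] or p["size"]):
            issues.append(f"partition {i}: empty type but non-zero extent")
    return issues


def read_physical_mbr(device=r"\\.\PhysicalDrive0"):
    """Read the real first sector on Windows (needs admin; not run here)."""
    with open(device, "rb") as disk:
        return disk.read(MBR_SIZE)


# --- constructed sample sectors -------------------------------------------
def _build_bootstrap(seed):
    """Deterministic stand-in for boot code; not a real loader."""
    return bytes((seed + i * 7) & 0xFF for i in range(BOOTSTRAP_LEN))


def _build_mbr(bootstrap):
    """One bootable NTFS-type partition at LBA 2048 plus a valid signature."""
    entry = struct.pack("<B3sB3sII", 0x80, b"\x20\x21\x00", 0x07,
                        b"\xfe\xff\xff", 2048, 1_000_000)
    disk_sig = struct.pack("<I", 0xDEADBEEF) + b"\x00\x00"
    return bootstrap + disk_sig + entry + b"\x00" * 48 + BOOT_SIG


CLEAN_MBR = _build_mbr(_build_bootstrap(0x33))
BASELINE = parse_mbr(CLEAN_MBR)["bootstrap_sha256"]
# Simulates the malware overwriting the boot code while keeping the table intact.
INFECTED_MBR = _build_mbr(_build_bootstrap(0x90))

if __name__ == "__main__":
    print("clean:", check_mbr(CLEAN_MBR, BASELINE))
    print("infected:", check_mbr(INFECTED_MBR, BASELINE))
```

The baseline hash should be captured from a known-clean machine (or after a fresh `fixmbr`), stored off-host, and compared from a trusted boot environment: a rootkit that is already running can return a clean sector to a read issued through the infected kernel.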

Upon restart, the malware will first connect to microsoft.com, time.windows.com, and yahoo.com. Once successful, it then attempts to .....................

