Commonly Infected System Drivers

[Vicenarian]

I have,

ACPI.SYS
ATAPI.SYS
DISK.SYS
IASTOR.SYS/IASTORV.SYS

Does anybody have any others to add, that they have seen infected by viruses?

[JCS_MN]

Ran into a rootkit the other day that infected keyboard driver: kbdclass.sys

[Vicenarian]

ouch...these stupid rootkits are infecting almost everything!

[othersteve]

A common MD5 checklist when a patched system file is suspected includes (not all drivers):

eventlog.dll
scecli.dll
netlogon.dll
cngaudit.dll
sceclt.dll
ntelogon.dll
logevent.dll
iaStor.sys
nvstor.sys
atapi.sys
beep.sys
IdeChnDr.sys
viasraid.sys
AGP440.sys
vaxscsi.sys
nvatabus.sys
viamraid.sys
nvata.sys
nvgts.sys
iastorv.sys
ViPrt.sys
eNetHook.dll
ahcix86.sys
KR10N.sys
nvstor32.sys
nvrd32.sys
explorer.exe
svchost.exe
userinit.exe
qmgr.dll
ws2_32.dll
proquota.exe
imm32.dll
kernel32.dll
ndis.sys
autochk.exe
spoolsv.exe
xmlprov.dll
ntmssvc.dll
mswsock.dll
ntfs.sys
termsrv.dll
sfcfiles.dll
st3shark.sys
ahcix86.sys
srsvc.dll
nvrd32.sys

These can't always be inspected from within the infected host OS. Hope this helps!

[MobileTechie]

Some of then create/infect a different random driver each time they are installed.

[Vicenarian]

Quote:

Originally Posted by MobileTechie

Some of then create/infect a different random driver each time they are installed.

Ouch! thanks for letting me know, this will help me a lot when targeting such rootkits.

PS: @othersteve Thanks for the informative list! I will keep those entries in mind.

[MobileTechie]

Quote:

Originally Posted by Vicenarian

Ouch! thanks for letting me know, this will help me a lot when targeting such rootkits.

PS: @othersteve Thanks for the informative list! I will keep those entries in mind.

Yeah I had one from malwaredomainlist and I think Othersteve was messing with it too. Each time you infected the machine a different driver was infected. It showed up with sigverif as I remember it.

[Vicenarian]

Now what I'm wondering is this...some rootkit drivers infect disk level drivers (atapi, disk.sys, etc.), and use their low-level access to hide themselves. A rootkit that infects a keyboard driver however, wouldn't be able to perform the same function though...I think?

[othersteve]

Quote:

Originally Posted by Vicenarian

Now what I'm wondering is this...some rootkit drivers infect disk level drivers (atapi, disk.sys, etc.), and use their low-level access to hide themselves. A rootkit that infects a keyboard driver however, wouldn't be able to perform the same function though...I think?

Well, the whole idea is to nestle itself as early on in the boot process as possible, and as deeply within the OS as possible. Depending on how the driver is patched, it's actually entirely possible for it still to work properly after it's loaded (such as how TDL3 patches atapi.sys and many other drivers, for instance). Generally the rootkit just adds some code to redirect to the malware loader (encrypted or located in another file someplace else on the disk) and then terminate back in the regular driver again once it's done.

So any system-level driver will work really, it's just that some are loaded earlier and are more critical than others.

[MobileTechie]

Quote:

Originally Posted by Vicenarian

Now what I'm wondering is this...some rootkit drivers infect disk level drivers (atapi, disk.sys, etc.), and use their low-level access to hide themselves. A rootkit that infects a keyboard driver however, wouldn't be able to perform the same function though...I think?

I'm not sure at which level each Windows driver operates. I know you get kernel and user level drivers and in fact some span both camps. Both levels of access are enough to hide files and processes. Some rootkits have their own drivers that get installed.

I suspect that always attacking the same few drivers makes it harder to evade detection so in that respect it's better to vary the infection target.

This article is worth a read: http://www.securelist.com/en/analysis/204792131/TDSS#4