  #1  
Old 03-15-2011, 12:17 AM
Vicenarian
 
Join Date: Jan 2010
Posts: 1,946
Commonly Infected System Drivers

I have,

ACPI.SYS
ATAPI.SYS
DISK.SYS
IASTOR.SYS/IASTORV.SYS

Does anybody have any others to add, that they have seen infected by viruses?
__________________
2 Corinthians 5:21 "For God made Christ, who never sinned, to be the offering for our sin (by dying in our place), so that we could be made right with God through Christ."
  #2  
Old 03-16-2011, 02:21 AM
JCS_MN
 
Join Date: Nov 2010
Posts: 35

Ran into a rootkit the other day that infected the keyboard driver: kbdclass.sys
  #3  
Old 03-16-2011, 02:54 AM
Vicenarian
 
Join Date: Jan 2010
Posts: 1,946

Ouch... these stupid rootkits are infecting almost everything!
  #4  
Old 03-16-2011, 03:35 AM
othersteve
 
Join Date: Feb 2010
Posts: 517

A common MD5 checklist when a patched system file is suspected includes (not all drivers):

eventlog.dll
scecli.dll
netlogon.dll
cngaudit.dll
sceclt.dll
ntelogon.dll
logevent.dll
iaStor.sys
nvstor.sys
atapi.sys
beep.sys
IdeChnDr.sys
viasraid.sys
AGP440.sys
vaxscsi.sys
nvatabus.sys
viamraid.sys
nvata.sys
nvgts.sys
iastorv.sys
ViPrt.sys
eNetHook.dll
ahcix86.sys
KR10N.sys
nvstor32.sys
nvrd32.sys
explorer.exe
svchost.exe
userinit.exe
qmgr.dll
ws2_32.dll
proquota.exe
imm32.dll
kernel32.dll
ndis.sys
autochk.exe
spoolsv.exe
xmlprov.dll
ntmssvc.dll
mswsock.dll
ntfs.sys
termsrv.dll
sfcfiles.dll
st3shark.sys
ahcix86.sys
srsvc.dll
nvrd32.sys

These can't always be inspected from within the infected host OS. Hope this helps!
__________________
-Steve

Born a technician, though always willing to learn and improve. :)

Managing Editor, DigitalChumps.com
Senior Editor, Notebookcheck
Laptop Dude, PC Perspective
Owner/Sole Proprietor, Triple-S Computers
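An offline version of the hash-checklist approach Steve describes, as an added example that is not from the original thread: it hashes each listed file from a mounted, offline copy of system32 (boot media or a disk image, not the running infected OS) and compares the result with a baseline of known-good hashes. The checklist subset, the baseline and the demo file tree are constructed here; a real baseline has to come from a clean reference install of the same Windows build and patch level, and a mismatch can also just mean a legitimately updated file.

```python
import hashlib
import os
import tempfile

# Subset of the checklist from the post above; extend it with the rest of the list.
CHECKLIST = [
    "iaStor.sys", "atapi.sys", "beep.sys", "ndis.sys", "ntfs.sys",
    "kernel32.dll", "ws2_32.dll", "explorer.exe", "svchost.exe", "userinit.exe",
]


def file_digest(path, algo="md5"):
    """Hash a file in chunks; algo may be 'md5' (as in the post) or 'sha256'."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def check_drivers(system32_dir, baseline, algo="md5"):
    """Compare each checklist file under an offline system32_dir with known-good
    hashes keyed by lower-case name. Returns {name: ok|mismatch|missing|no-baseline}."""
    results = {}
    for name in CHECKLIST:
        path = os.path.join(system32_dir, name)
        good = baseline.get(name.lower())
        if not os.path.isfile(path):
            results[name] = "missing"          # deleted or renamed; investigate
        elif good is None:
            results[name] = "no-baseline"      # cannot judge without a reference hash
        elif file_digest(path, algo) == good:
            results[name] = "ok"
        else:
            results[name] = "mismatch"         # patched, or a legitimately updated file
    return results


def demo():
    """Constructed stand-in for an offline system32 tree: atapi.sys gets extra bytes, beep.sys is removed."""
    root = tempfile.mkdtemp()
    baseline = {}
    for name in CHECKLIST:
        clean = ("clean contents of " + name).encode()   # constructed file body
        with open(os.path.join(root, name), "wb") as f:
            f.write(clean)
        baseline[name.lower()] = hashlib.md5(clean).hexdigest()
    with open(os.path.join(root, "atapi.sys"), "ab") as f:
        f.write(b"appended-patch")            # any byte change flips the hash
    os.remove(os.path.join(root, "beep.sys"))
    return check_drivers(root, baseline)
```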
  #5  
Old 03-16-2011, 09:16 AM
MobileTechie
 
Join Date: Oct 2009
Location: UK
Posts: 4,333

Some of them create/infect a different random driver each time they are installed.
  #6  
Old 03-16-2011, 03:07 PM
Vicenarian
 
Join Date: Jan 2010
Posts: 1,946

Quote: Originally Posted by MobileTechie
Some of them create/infect a different random driver each time they are installed.

Ouch! Thanks for letting me know; this will help me a lot when targeting such rootkits.

PS: @othersteve Thanks for the informative list! I will keep those entries in mind.
  #7  
Old 03-16-2011, 03:13 PM
MobileTechie
 
Join Date: Oct 2009
Location: UK
Posts: 4,333

Quote: Originally Posted by Vicenarian
Ouch! Thanks for letting me know; this will help me a lot when targeting such rootkits.

PS: @othersteve Thanks for the informative list! I will keep those entries in mind.

Yeah, I had one from malwaredomainlist and I think Othersteve was messing with it too. Each time you infected the machine, a different driver was infected. It showed up with sigverif as I remember it.
  #8  
Old 03-17-2011, 03:18 AM
Vicenarian
 
Join Date: Jan 2010
Posts: 1,946

Now what I'm wondering is this... some rootkit drivers infect disk-level drivers (atapi, disk.sys, etc.) and use their low-level access to hide themselves. A rootkit that infects a keyboard driver, however, wouldn't be able to perform the same function... I think?
  #9  
Old 03-17-2011, 01:46 PM
othersteve
 
Join Date: Feb 2010
Posts: 517

Quote: Originally Posted by Vicenarian
Now what I'm wondering is this... some rootkit drivers infect disk-level drivers (atapi, disk.sys, etc.) and use their low-level access to hide themselves. A rootkit that infects a keyboard driver, however, wouldn't be able to perform the same function... I think?

Well, the whole idea is to nestle itself as early on in the boot process as possible, and as deeply within the OS as possible. Depending on how the driver is patched, it's actually entirely possible for it still to work properly after it's loaded (such as how TDL3 patches atapi.sys and many other drivers, for instance). Generally the rootkit just adds some code to redirect to the malware loader (encrypted or located in another file someplace else on the disk) and then terminate back in the regular driver again once it's done.

So any system-level driver will work really, it's just that some are loaded earlier and are more critical than others.
  #10  
Old 03-17-2011, 02:34 PM
MobileTechie
 
Join Date: Oct 2009
Location: UK
Posts: 4,333

Quote: Originally Posted by Vicenarian
Now what I'm wondering is this... some rootkit drivers infect disk-level drivers (atapi, disk.sys, etc.) and use their low-level access to hide themselves. A rootkit that infects a keyboard driver, however, wouldn't be able to perform the same function... I think?

I'm not sure at which level each Windows driver operates. I know you get kernel and user level drivers and in fact some span both camps. Both levels of access are enough to hide files and processes. Some rootkits have their own drivers that get installed.

I suspect that always attacking the same few drivers makes it harder to evade detection so in that respect it's better to vary the infection target.

This article is worth a read: http://www.securelist.com/en/analysis/204792131/TDSS#4