
WFP hack redefined!!!

Thursday, July 5, 2007 at 2:40pm by Prashanth PR

Today, at McAfee Avert Labs, we came across an interesting piece of malware, W32/Crimea, that uses an undocumented feature of Windows File Protection.

Windows File Protection (WFP) is a feature of the Windows operating system that prevents other programs from modifying, replacing or deleting critical system files. SFC.dll and SFC_OS.dll contain the functions used to monitor system files. Earlier malware used to patch these DLLs or modify registry settings to disable the feature. We have blogged earlier about some of the techniques used by malware targeting Windows files.

Patching SFC.dll and SFC_OS.dll rendered some of the system's defenses useless, but anti-virus companies found a way to identify these patched DLLs and provided remedies to clean them from the user's computer. Now malware authors have found an alternate method, with the help of undocumented functions in SFC_OS.dll itself.

Those who went exploring hit the jackpot! The important functions worth mentioning here are:
1. Ordinal 2: SfcTerminateWatcherThread
2. Ordinal 5: SetSfcFileException

The ordinal 2 function, as its name implies, terminates the system file watcher thread, leaving the system open to any directory or file modification by the malware until the next reboot. Using this method requires the malware to inject code into winlogon.exe in order to call the function, since sfc_os.dll is loaded by the winlogon process to provide this protection.

The ordinal 5 function disables WFP for a particular file, normally for one minute. That is all the time the malware needs to do its work! Afterwards WFP is back in force, but the system is already infected. Even though these techniques have been known for more than a year, we are still seeing them used by malware today. W32/Crimea uses the second method to infect the system file imm32.dll.
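As an added example (not from the original post and not McAfee's tooling), here is a detection pass over constructed API-trace lines in an assumed `time pid image event detail` format. It flags the three indicators described above: a process resolving sfc_os.dll ordinal 2 or 5, a thread injected into winlogon.exe after resolving ordinal 2, and a write to a system file inside the one-minute window opened by ordinal 5.

```python
import re
from datetime import datetime, timedelta

# Constructed sample API-trace lines (not real telemetry). Assumed format:
# "<HH:MM:SS> <pid> <image> <event> <detail>"
SAMPLE_TRACE = """\
12:00:01 512 dropper.exe GetProcAddress sfc_os.dll#2
12:00:02 512 dropper.exe CreateRemoteThread winlogon.exe
12:00:05 1337 dropper.exe GetProcAddress sfc_os.dll#5
12:00:40 1337 dropper.exe WriteFile C:\\WINDOWS\\system32\\imm32.dll
12:00:50 2048 notepad.exe WriteFile C:\\Documents\\notes.txt
12:03:00 1337 dropper.exe WriteFile C:\\WINDOWS\\system32\\imm32.dll
"""

# The two undocumented sfc_os.dll exports discussed in the post, by ordinal.
SFC_ORDINALS = {2: "SfcTerminateWatcherThread", 5: "SetSfcFileException"}
LINE_RE = re.compile(r"^(\S+) (\d+) (\S+) (\S+) (.*)$")
WINDOW = timedelta(seconds=60)  # the one-minute exception granted by ordinal 5

def detect(trace):
    """Return (time, pid, image, reason) tuples for WFP-bypass indicators."""
    alerts, resolved = [], {}  # resolved[pid] = {ordinal: time it was looked up}
    for line in trace.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m[1], "%H:%M:%S")
        pid, image, event, detail = int(m[2]), m[3], m[4], m[5]
        if event == "GetProcAddress" and detail.lower().startswith("sfc_os.dll#"):
            # Rule 1: nothing but Windows setup/patching code should look these up.
            ordinal = int(detail.split("#")[1])
            if ordinal in SFC_ORDINALS:
                resolved.setdefault(pid, {})[ordinal] = ts
                alerts.append((ts, pid, image,
                               f"resolved sfc_os.dll ordinal {ordinal} ({SFC_ORDINALS[ordinal]})"))
        elif event == "CreateRemoteThread" and detail.lower() == "winlogon.exe":
            # Rule 2: ordinal 2 must run inside winlogon, so injection follows the lookup.
            if 2 in resolved.get(pid, {}):
                alerts.append((ts, pid, image,
                               "thread injected into winlogon.exe after resolving ordinal 2"))
        elif event == "WriteFile" and "\\system32\\" in detail.lower():
            # Rule 3: a system-file write inside the one-minute exception window.
            t5 = resolved.get(pid, {}).get(5)
            if t5 is not None and ts - t5 <= WINDOW:
                secs = int((ts - t5).total_seconds())
                alerts.append((ts, pid, image,
                               f"system file written {secs}s after SetSfcFileException: {detail}"))
    return alerts
```

Running `detect(SAMPLE_TRACE)` yields four alerts; the write at 12:03:00 falls outside the window and is left to WFP itself.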

One might wonder why in the world Microsoft should provide APIs in Windows that make the operating system vulnerable to so much malware. One reason could be to update system files and install patches. But these APIs do provide a way for malware to infect the system easily.

Ironically, Microsoft is providing a way to disable its own protection using its own APIs. So, is this API a feature, or is it a flaw?


Comments (3)

  • cac July 6, 2007 11:06AM

    With a single command, the whole Linux kernel is replaced with another one containing malware.

  • xrt-27 July 6, 2007 6:45AM

    “The secret to security is to have less code, not more and more and more layers of rubbish.”
    I also agree with the above statement… allow me to add,
    that code should also be re-checked/validated for possible flaws,
    again and again, at regular time intervals…
    Re-using in XP systems crappy .wmf code dated since… 1991,
    was certainly not the smartest idea… ;-)

    But then again, regarding Windows, oh well…
    we’re talking about the only OS out there, that even in 2007,
    it still uses NetBIOS as its main networking protocol…
    which was actually developed back in the… 1983(!), or so…
    Makes me wonder, hasn’t Microsoft ever heard at least of ssh…
    but then again, maybe it’s better this way…
    if a Microsoft ssh implementation ever existed,
    it would require the whole .NET Framework 3 to run, he-he…

    Keep up the good work, McAfee guys…

  • Darth Geoff July 5, 2007 7:19PM

    WFP was always an idiot idea. It goes back to the days when viruses would overwrite system files in Windows 95, so years later Microsoft finally developed a scheme to combat this, just as it was becoming a moot point, by basically storing a backup copy of every .dll and watching for changes. Duh. It would have been more secure to have a hard-coded list of filenames in the NTFS driver which simply refused any write requests to those files. (This would have broken some legacy installers, but – you know what? Bad luck!)
    It makes me shiver every time Microsoft attempts a “defence in depth” mechanism or when they try to make things “more secure” because (a) they always arrive years too late and require purchasing the next bloatware O/S and (b) they’re always incredibly hacky and inefficient. No wonder Vista needs dual-core CPUs and 2Gb RAM.
    The secret to security is to have less code, not more and more and more layers of rubbish. (Yes I’m looking at you Symantec)