Tuesday, July 10, 2007

An interesting MS Windows File Protection feature?

A short week out of the office put me, by coincidence, in front of an interesting piece of malware, W32/Crimea, which uses an undocumented feature of Windows File Protection.
Windows File Protection (WFP) is a feature of the Windows operating system that prevents other programs from modifying, replacing or deleting critical system files: when a protected file is changed, WFP puts a known-good copy back from the dllcache directory. SFC.dll and SFC_OS.dll are the files that contain the functions used to monitor system files.

Earlier malware used to patch these DLLs or modify the registry to disable the feature. We had earlier blogged about some of the techniques used by malware targeting Windows files. Patching SFC.dll and SFC_OS.dll rendered some of the system's defences useless, but anti-virus companies found a way to identify the patched DLLs and provided remedies to clean the user's computer of this malice.

Now malware authors have found an alternate method, with the help of undocumented functions in SFC_OS.dll itself. One of them (referred to in the public analyses of this trick as SfcFileException, exported by ordinal rather than by name) suspends WFP for a single named file for about one minute. That is all the time the malware needs to overwrite or infect the file. When the minute is up, WFP is back in force and SFC_OS.dll itself has never been touched, so the checks that looked for patched SFC DLLs find nothing, yet the system is already infected. Even though these techniques have been public for more than a year, we are still seeing them used by current malware. This second method is used by W32/Crimea to infect the system file imm32.dll.

Note that none of this is a privilege escalation: writing to the system32 directory already requires administrative rights, and WFP only reverts changes it notices; the exception call merely stops it from reverting this one. Microsoft presumably provides such APIs so that installers and patches can update system files, but they also provide an easy way for malware to infect the system. Nice feature, isn't it?
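Since this trick leaves SFC_OS.dll intact, the check that is worth running is on the protected files themselves. The script below is an added example (it is not from the original post and has nothing to do with any W32/Crimea sample): it compares each listed file in system32 with the copy WFP keeps in dllcache and reports its Authenticode status. The file list, the paths and the assumption of PowerShell 2.0 or later are mine; adjust them for the machine being checked.

```powershell
# Added example, not from the original post. Compares WFP-protected files in
# system32 against the copies WFP keeps in dllcache and reports their
# Authenticode status. File list and paths are assumptions; PowerShell 2.0+.
param(
    [string[]]$Files = @("imm32.dll", "sfc.dll", "sfc_os.dll", "user32.dll")
)

$system32 = Join-Path $env:SystemRoot "system32"
$dllcache = Join-Path $system32 "dllcache"

# SHA-256 of a file, as an upper-case hex string (works on old .NET too).
function Get-FileSha256 {
    param([string]$Path)
    $sha    = [System.Security.Cryptography.SHA256]::Create()
    $stream = [System.IO.File]::OpenRead($Path)
    try {
        $hash = $sha.ComputeHash($stream)
    } finally {
        $stream.Close()
    }
    return [System.BitConverter]::ToString($hash).Replace("-", "")
}

# Checks one protected file and returns a small report object.
function Test-ProtectedFile {
    param([string]$Name)
    $live   = Join-Path $system32 $Name
    $cached = Join-Path $dllcache $Name
    $result = New-Object PSObject -Property @{
        File       = $Name
        Signature  = "n/a"
        CacheMatch = "n/a"
        Verdict    = "ok"
    }
    if (-not (Test-Path $live)) {
        $result.Verdict = "MISSING"
        return $result
    }

    # Embedded Authenticode only. Many XP-era system DLLs are catalog-signed
    # and show up as NotSigned here, so only HashMismatch (a signature that
    # no longer matches the file contents) is treated as an alarm.
    $sig = Get-AuthenticodeSignature -FilePath $live
    $result.Signature = [string]$sig.Status
    if ($sig.Status -eq "HashMismatch") { $result.Verdict = "TAMPERED" }

    # A live file that differs from its dllcache copy is exactly what a
    # one-minute WFP exception leaves behind.
    if (Test-Path $cached) {
        if ((Get-FileSha256 $live) -eq (Get-FileSha256 $cached)) {
            $result.CacheMatch = "match"
        } else {
            $result.CacheMatch = "DIFFERS"
            $result.Verdict    = "TAMPERED"
        }
    }
    return $result
}

$Files |
    ForEach-Object { Test-ProtectedFile $_ } |
    Format-Table File, Signature, CacheMatch, Verdict -AutoSize
```

Run it from an administrative prompt, e.g. `.\Check-WfpFiles.ps1` or with `-Files imm32.dll,kernel32.dll` to pick other targets. A "match" is evidence, not proof: malware that knows about WFP can replace the dllcache copy as well, so for a suspect machine compare the hashes against a known-good system or run `sfc /scannow`, which re-verifies the files against the signed catalogs rather than against dllcache.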
Well... like I've told you before in one of these blogs, this is just the beginning of the new malware era. We'll definitely see more like these in the near future.