OSEC

From: Rouland, Chris (ISSAtlanta) (CRouland@ISS.NET)
Date: Sun Jan 26 2003 - 20:46:27 CST


    X-Force (Jon Larimer) did some analysis on Ali and IERK8243.SYS on a
    sample provided to us by AVERT. It gives a remote attacker a shell on
    the infected machine. Here is some information from Jon about how the
    driver works:

    IERK8243.SYS:
    -------------

    This is a driver that enables stealth functionality on the system. When
    this driver is installed and running, any application that knows how to
    interface with it can hide files, registry keys, and processes from any
    user application.

    Creates a device called "\DosDevices\mp437bba8e". That device name is
    used to access the driver. Applications will access the driver to hide
    themselves.

    The driver hooks into the service descriptor table to replace the
    following functions:
    NtOpenKey()
    NtCreateKey()
    NtEnumerateKey()
    NtCreateFile()
    NtOpenFile()
    NtDeviceIoControlFile()
    NtQueryDirectoryFile()
    NtOpenProcess()
    NtQuerySystemInformation()

    The driver checks those requests and makes sure nobody is looking for
    something in the "stealth list". For certain functions it also checks
    the data returned from those functions to clean out any references to
    keys/files/processes in the stealth list.

    An application makes an IOCTL call to this driver and the driver will
    add its information to the stealth list, so it won't show up in the
    registry, HD, or in memory.

    It also uses PsSetCreateProcessNotifyRoutine() so the driver will be
    alerted any time a process is created.

    "slanretnisys" - This string shows up in the driver binary but is not
    used... it's SysInternals backwards. The code was probably taken from
    SysInternals code. RegMon/FileMon/etc use the same method of hooking
    system calls.

    --------------------------------------------------------------
    Chris Rouland
    Director / X-Force
    Internet Security Systems, Inc.
    http://xforce.iss.net
    crouland@iss.net
     

    -----Original Message-----
    From: Barron Mertens [mailto:bmertens@UWO.CA]
    Sent: Sunday, January 26, 2003 5:30 PM
    To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
    Subject: Rogue Kernel Driver ierk8243.sys may be novel Trojan

    Approximately around Jan 10 2003 our main database cluster began
    experiencing random, unexplained "blue screen of death" crashes. The
    blue screen claimed that the component that had failed was called
    ierk8243.sys, and this was the cause on both machines (Win2K SP3 and
    SQL 2000 SP2). Inspection of those machines and even Google returned no
    matches for that file or anything close (other than someone's email
    address in Iceland, I think). I bit the bullet (credit card?) and called
    in Microsoft Premium Support Services after I ran out of ideas and had
    suffered through too many crashes. After a week of analyzing dump files
    we had a breakthrough when someone else showed up with the same problem;
    that person discovered that if you reboot into safe mode and search the
    registry, there is a kernel-level driver (like a hardware device driver)
    called ierk8243.sys installed, and you can also then find the file on
    the hard drive in the %systemroot%\system32\drivers folder. While the
    driver is running you cannot find it in the registry, on the file
    system, or in a list of running processes; booting into safe mode
    prevents the driver from loading. The file's properties read as a
    standard MS file belonging to the original OS install, including the
    timestamp info. To kill the driver, just change the startup value to 4
    (disabled) in the registry and rename the file. MS, NAI and Trend Micro
    are analyzing the file to see what it was doing, and hopefully they can
    figure out how it got in. The only info to come out of the analysis so
    far is that it might have been using port 961, and this MAY be a Trojan
    horse related to "Backdoor/Alley", which is quite obscure. We have found
    this code on four machines altogether, all administered by myself and
    all running SQL Server (not sure who is guilty); two machines were Win2k
    Advanced Server and two were XP Pro.

    Barron Mertens
    Senior System Engineer/Developer
    Faculty of Education
    The University of Western Ontario
    London, Ontario, Canada
    N6G 1G7
    Room 1095
    519-661-2111 x88662
    bmertens@uwo.ca

    oooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooo
    Delivery co-sponsored by TruSecure Corporation
    oooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooo
    TICSA - Anniversary Special - Limited Time

    Become TICSA certified for just $221.25 US when you register before
    3/31/03 with PROMO "TS0103" at www.2test.com. NO membership fees,
    certification good for 2 years. Price for international delivery just
    $296.25 US, with this offer. Offer cannot be combined with any other
    special and expires 3/31/03. Visit www.trusecure.com/ticsa for full
    details.

    oooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooo

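As an added illustration of the mechanism Jon's analysis describes above (this is editor-added example code, not code from either post, from ISS, or from the driver itself), the following C program simulates in user mode what a service-table hook of this kind does: one table slot is overwritten with a hook that calls through to the real service and then scrubs its results against a "stealth list" filled by an IOCTL-style call, and a cross-view check compares the application's (hooked) view with a view that bypasses the table to recover the hidden names. Every identifier in it (svc_table, stealth_add, install_hook, find_hidden, the constructed file list) is an assumption of the demo; the driver's real symbols and table layout are not known from the posts. The demo covers only the NtQueryDirectoryFile-style result filtering; the same pattern generalizes to the process and registry enumeration hooks in the list, which it does not implement.

```c
#include <stdio.h>
#include <string.h>

#define MAX_ENTRIES 16
#define STEALTH_MAX 8
#define NAME_LEN 64

/* Result of a directory query: the data NtQueryDirectoryFile hands back, reduced to names. */
typedef struct {
    char names[MAX_ENTRIES][NAME_LEN];
    int count;
} dir_listing;

/* Constructed sample contents of %systemroot%\system32\drivers (demo data, not real). */
static const char *sample_files[] = {
    "ntfs.sys", "ierk8243.sys", "tcpip.sys", "ntoskrnl.exe"
};

/* The genuine service: returns everything that is really on disk. */
static int real_query_directory(dir_listing *out) {
    out->count = 0;
    for (size_t i = 0; i < sizeof sample_files / sizeof *sample_files; i++) {
        strncpy(out->names[out->count], sample_files[i], NAME_LEN - 1);
        out->names[out->count][NAME_LEN - 1] = '\0';
        out->count++;
    }
    return 0;
}

/* One service-table slot, analogous to an SSDT entry; slot 0 stands in for
 * NtQueryDirectoryFile (assumed layout for this demo). */
typedef int (*query_directory_fn)(dir_listing *);
static query_directory_fn svc_table[1] = { real_query_directory };
static query_directory_fn original_query;   /* saved by install_hook() */

/* The driver's "stealth list", filled through its IOCTL interface. */
static char stealth_list[STEALTH_MAX][NAME_LEN];
static int stealth_count;
static int in_stealth_list(const char *name) {
    for (int i = 0; i < stealth_count; i++)
        if (strcmp(stealth_list[i], name) == 0) return 1;
    return 0;
}

/* The hook: let the real service run, then scrub its output ("check the data returned"). */
static int hooked_query_directory(dir_listing *out) {
    int rc = original_query(out);
    if (rc != 0) return rc;
    int kept = 0;
    for (int i = 0; i < out->count; i++) {
        if (in_stealth_list(out->names[i])) continue;   /* drop hidden entry */
        if (kept != i) memcpy(out->names[kept], out->names[i], NAME_LEN);
        kept++;
    }
    out->count = kept;
    return 0;
}

/* IOCTL handler equivalent: an application asks the driver to hide a name. */
int stealth_add(const char *name) {
    if (stealth_count >= STEALTH_MAX || strlen(name) >= NAME_LEN) return -1;
    strcpy(stealth_list[stealth_count++], name);
    return 0;
}

/* Overwrite the table slot, keeping the original pointer so the hook can call through. */
void install_hook(void) {
    if (svc_table[0] == hooked_query_directory) return;   /* already installed */
    original_query = svc_table[0];
    svc_table[0] = hooked_query_directory;
}

/* What a user application sees: every request goes through the table. */
int app_list_files(dir_listing *out) {
    return svc_table[0](out);
}

/* Cross-view detection: a name in the bypass view but not in the hooked view has been hidden. */
int find_hidden(char found[][NAME_LEN], int max) {
    dir_listing hooked, raw;
    app_list_files(&hooked);
    real_query_directory(&raw);
    int n = 0;
    for (int i = 0; i < raw.count && n < max; i++) {
        int seen = 0;
        for (int j = 0; j < hooked.count && !seen; j++)
            seen = strcmp(raw.names[i], hooked.names[j]) == 0;
        if (!seen) memcpy(found[n++], raw.names[i], NAME_LEN);
    }
    return n;
}

int main(void) {
    install_hook();
    stealth_add("ierk8243.sys");               /* the driver hides itself */
    char hidden[MAX_ENTRIES][NAME_LEN];
    int n = find_hidden(hidden, MAX_ENTRIES);
    for (int i = 0; i < n; i++)
        printf("hidden by hook: %s\n", hidden[i]);
    return 0;
}
```

The cross-view diff in find_hidden is the same idea Barron's report arrives at by rebooting into safe mode: the "raw" view is whatever you can obtain with the hook out of the path (safe mode, an offline disk image, or a parser that reads the file system structures directly), and every name that shows up there but not in the live view is a candidate for the stealth list. The demo only implements the post-call result scrubbing; the driver in the analysis also screens incoming requests (an NtOpenFile or NtOpenKey naming a stealth-listed object), which a faithful simulation would add as a pre-call check in the same hook.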