Trojan.Cidox targets IPL( i mean Initial Program Loader )

IPL is now in news for different reasons. On the other side we see Initial Program Loader (IPL) – which is responsible for loading of Operating system is targeted by Trojan.Cidox.

Although bootkit technology isn’t new, it plays an important role nowadays in attack scenarios against the Microsoft Windows platform. More number of threats are relying on bootkit components to bypass OS Security mechanisms and load kernel-mode driver into the system by stealth.

Few years back infection of Master Boot Record (MBR) or Volume Boot Record (VBR) was in fashion. Malwares are modifying not only the MBR or VBR however they are also infecting the code of NTFS loader. We have recently received reports from customers about new malware, Trojan.Cidox. It infects the Initial Program Loader(IPL) code of the boot partition on the hard drive.
Trojan.Cidox has two driver rootkits – one targeting 32-bit platform, the other for 64-bit platform. Both the drivers are compressed using Aplib compression.

It makes the following modifications to the beginning of the hard drive:

  •  It saves the relevant driver to the unpartitioned space of the hard drive so as it is not part of Windows file system and hence not detected by Security products.
  •  It chooses the section marked as the active boot partition in the MBR partition table for infection. It is important to note that it only infects partitions with the NTFS file system.
  •  Then it writes malicious code over IPL and keeps the clean code after malicious code in compressed format using Aplib compression.

When the Trojan is executed, it creates the following files:

  • %CurrentFolder%[RANDOM NUMERIC CHARACTERS].bat
  • %Temp%[RANDOM ALPHANUMERIC CHARACTERS].tmp

So when next time the system is booted the malicious code in the loader area gets the control before the Operating System. It hooks BIOS interrupts responsible for disk I/O. Trojan.Cidox uses these hooks to bypass Windows Kernel Security features to load the malicious driver into the operating system. The loaded driver uses PsSetCreateProcessNotifyRoutine to control the launch of the following processes:

  • svchost.exe
  • iexplore.exe
  • firefox.exe
  • opera.exe
  • chrome.exe

When any of the above processes is launched, Trojan.Cidox injects its component into address space of this process. This helps to run its code running in context of clean process. At times user could see that browser window is redirected to malicious web-sites.

Quickheal detects this variant as Trojan.Cidox and its bootkit component as Bootkit.Cidox.B.

Research and writeup is done by Preksha Saxena.

Rajesh Nikam

Rajesh Nikam


3 Comments

Your email address will not be published.

CAPTCHA Image

  1. Avatar Chandra Mohan Singhal(A)May 25, 2013 at 2:57 AM

    i think your advice is very insightful, and gives a lot of readers exactly what there looking for in a blog. your advice will help people not only in providing the useful information but also learn how to write and make a blog easier and better, while still being up to par and keeping it short and held together really well. thanks for helping others..Thanks Preksha for posting this useful information..I have really got the useful information from your blog and will wait for good one like this is future.

    Reply
  2. Thanks for Nice Information…

    Reply
  3. Avatar Aditya KrishnakumarJune 1, 2013 at 11:41 AM

    So, what should i do for protection against this Trojan.Cidox.B ??

    Does quick heal protects my laptop from this Trojan even during the time of booting my system??

    What are the steps for removing the Trojan in case if quick heal detects it ??

    What are the signs of this Trojan in case if it infects my system??

    Reply