IPL is now in news for different reasons. On the other side we see Initial Program Loader (IPL) – which is responsible for loading of Operating system is targeted by Trojan.Cidox.
Although bootkit technology isn’t new, it plays an important role nowadays in attack scenarios against the Microsoft Windows platform. More number of threats are relying on bootkit components to bypass OS Security mechanisms and load kernel-mode driver into the system by stealth.
Few years back infection of Master Boot Record (MBR) or Volume Boot Record (VBR) was in fashion. Malwares are modifying not only the MBR or VBR however they are also infecting the code of NTFS loader. We have recently received reports from customers about new malware, Trojan.Cidox. It infects the Initial Program Loader(IPL) code of the boot partition on the hard drive.
Trojan.Cidox has two driver rootkits – one targeting 32-bit platform, the other for 64-bit platform. Both the drivers are compressed using Aplib compression.
It makes the following modifications to the beginning of the hard drive:
When the Trojan is executed, it creates the following files:
So when next time the system is booted the malicious code in the loader area gets the control before the Operating System. It hooks BIOS interrupts responsible for disk I/O. Trojan.Cidox uses these hooks to bypass Windows Kernel Security features to load the malicious driver into the operating system. The loaded driver uses PsSetCreateProcessNotifyRoutine to control the launch of the following processes:
When any of the above processes is launched, Trojan.Cidox injects its component into address space of this process. This helps to run its code running in context of clean process. At times user could see that browser window is redirected to malicious web-sites.
Quickheal detects this variant as Trojan.Cidox and its bootkit component as Bootkit.Cidox.B.
Research and writeup is done by Preksha Saxena.
i think your advice is very insightful, and gives a lot of readers exactly what there looking for in a blog. your advice will help people not only in providing the useful information but also learn how to write and make a blog easier and better, while still being up to par and keeping it short and held together really well. thanks for helping others..Thanks Preksha for posting this useful information..I have really got the useful information from your blog and will wait for good one like this is future.
Thanks for Nice Information…
So, what should i do for protection against this Trojan.Cidox.B ??
Does quick heal protects my laptop from this Trojan even during the time of booting my system??
What are the steps for removing the Trojan in case if quick heal detects it ??
What are the signs of this Trojan in case if it infects my system??