IPL is in the news for different reasons these days. On the other side we see the Initial Program Loader (IPL), which is responsible for loading the operating system, being targeted by Trojan.Cidox.
Although bootkit technology isn't new, it plays an important role nowadays in attack scenarios against the Microsoft Windows platform. A growing number of threats rely on bootkit components to bypass OS security mechanisms and load a kernel-mode driver into the system by stealth.
A few years back, infection of the Master Boot Record (MBR) or Volume Boot Record (VBR) was in fashion. Malware now modifies not only the MBR or VBR but also infects the code of the NTFS loader. We have recently received reports from customers about a new malware, Trojan.Cidox. It infects the Initial Program Loader (IPL) code of the boot partition on the hard drive.
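Because the infection lives in the IPL sectors rather than in a file, a defender's check is to read the first 16 sectors of the boot partition and compare the IPL area against a hash taken from a known-clean system. The script below is an added example written for this post, not Quick Heal's tooling; it assumes an NTFS volume whose VBR is followed by 15 IPL sectors, and the sample region it checks is constructed in code.

```python
import hashlib
import struct

SECTOR = 512
IPL_SECTORS = 15  # the NTFS VBR bootstrap loads the 15 sectors that follow it (assumption used here)

def parse_ntfs_vbr(vbr: bytes) -> dict:
    """Extract the VBR fields worth sanity-checking before trusting the boot code."""
    bytes_per_sector, sectors_per_cluster = struct.unpack_from("<HB", vbr, 0x0B)
    return {
        "is_ntfs": vbr[3:11] == b"NTFS    ",              # OEM ID at offset 3
        "bytes_per_sector": bytes_per_sector,              # BPB fields at 0x0B / 0x0D
        "sectors_per_cluster": sectors_per_cluster,
        "signature_ok": vbr[0x1FE:0x200] == b"\x55\xAA",  # boot sector signature
    }

def ipl_digest(boot_region: bytes) -> str:
    """SHA-256 over the IPL area: sectors 1..15 of the boot partition."""
    return hashlib.sha256(boot_region[SECTOR:SECTOR * (1 + IPL_SECTORS)]).hexdigest()

def check_boot_region(boot_region: bytes, baseline_digest: str) -> list:
    """Return findings for the first 16 sectors; an empty list means no deviation."""
    info = parse_ntfs_vbr(boot_region)
    findings = []
    if not info["is_ntfs"]:
        findings.append("VBR OEM ID is not 'NTFS    '")
    if not info["signature_ok"]:
        findings.append("VBR boot signature 0x55AA missing")
    if ipl_digest(boot_region) != baseline_digest:
        findings.append("IPL sectors differ from known-good baseline")
    return findings

def make_sample_region(ipl_patch: bytes = b"") -> bytes:
    """Constructed sample: a minimal NTFS-style VBR plus 15 IPL sectors of filler."""
    vbr = bytearray(SECTOR)
    vbr[0:3] = b"\xEB\x52\x90"                  # jump over the BPB, as a real NTFS VBR does
    vbr[3:11] = b"NTFS    "
    struct.pack_into("<HB", vbr, 0x0B, 512, 8)  # 512 bytes/sector, 8 sectors/cluster
    vbr[0x1FE:0x200] = b"\x55\xAA"
    ipl = bytearray(b"\x90" * (SECTOR * IPL_SECTORS))  # stand-in for the real loader code
    ipl[:len(ipl_patch)] = ipl_patch            # overwrite the start to simulate tampering
    return bytes(vbr + ipl)

if __name__ == "__main__":
    clean = make_sample_region()
    baseline = ipl_digest(clean)                # in practice recorded from a known-clean image
    tampered = make_sample_region(b"\xE9\x00\x10")  # constructed: altered loader bytes
    print(check_boot_region(clean, baseline))       # []
    print(check_boot_region(tampered, baseline))    # ['IPL sectors differ from known-good baseline']
```

On a live system the 16 sectors would be read from the partition device and the baseline kept off-host, since a bootkit that hooks disk I/O can hide the real sectors from the running OS; reading the disk offline sidesteps that.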
Trojan.Cidox has two rootkit drivers: one targeting the 32-bit platform, the other the 64-bit platform. Both drivers are compressed using aPLib compression.
It makes the following modifications to the beginning of the hard drive:
When the Trojan is executed, it creates the following files:
So the next time the system is booted, the malicious code in the loader area gets control before the operating system. It hooks the BIOS interrupts responsible for disk I/O. Trojan.Cidox uses these hooks to bypass Windows kernel security features and load the malicious driver into the operating system. The loaded driver uses PsSetCreateProcessNotifyRoutine to control the launch of the following processes:
When any of the above processes is launched, Trojan.Cidox injects its component into the address space of that process. This lets its code run in the context of a clean process. At times the user may see the browser window redirected to malicious websites.
Quick Heal detects this variant as Trojan.Cidox and its bootkit component as Bootkit.Cidox.B.
Research and writeup is done by Preksha Saxena.