Friday, September 08, 2006

Trojan uses Microsoft EFS to hide itself

McAfee's Avert Labs has word of a new trojan-hiding technique that uses Microsoft's Encrypting File System (EFS). EFS, present in all versions of Windows since 2000, allows a user to protect a folder using strong encryption based upon the user's login-name and password.

Avert reports that the newly spotted trojan uses EFS to avoid detection while executing with administrative rights. It employs obfuscated DLL and PE files to drop a couple of components into EFS-protected folders: a dialer and a downloader/dropper. When it executes, the trojan begins by creating a randomly named administrator account. It then creates a randomly named Windows service that executes under the just-created admin's credentials.

Once the service runs, the downloader can check for updated versions of itself and bring them down as needed. According to Avert, some variants of the trojan use our old IE friend -- Browser Helper Objects (BHOs) -- and the classic NTFS file-hiding technique called Alternate Data Streams.

All in all, this sounds like a doozy of a trojan that leverages nearly every vulnerable aspect of Windows to propagate its bad self.

Avert Labs: Protecting against EFS based attacks

No comments: