An Analysis of Rootkit Technologies: Part 4

QVOD

The QVod malware is a worm which spreads through local, network and portable drives. It possesses worm-like and Trojan dropper properties. It infects executable PE-EXE files and counteracts antivirus protection tools. Figure 1 illustrates a list of processes the malicious program kills.

Figure 1. The fragment of the malware memory dump

To spread via LAN, the Trojan tries to find passwords to access shared folders. Figure 2 presents a list of logins and passwords the malware looks through when connecting to the network resources.

Figure 2. The fragment of the malware memory dump

The main malware module is a dynamic-link library (DLL) where the malware replaces system libraries, in this case an appmgmts.dll library. The module is loaded to the address space of the svchost.exe process.

From its body, the malware extracts a rootkit driver that hides registry keys responsible for starting  the main malware module each time Windows boots.

The rootkit opens a registry key using the ZwOpenKey function. It then gets a pointer to the key object and a KeyControlBlock field value. From the KeyControlBlock structure, it gets a KeyHive field value which points to the HHIVE structure where the rootkit replaces a pointer by the HHIVE::GetCellRoutine function (Figure 3, 4).

Figure 3. The replaced pointer to the HHIVE::GetCellRoutine function

Figure 4. The original pointer to the HHIVE::GetCellRoutine function

The GMER anti-rootkit can detect if a system is infected by the QVOD rootkit (Figure 5, 6).

Figure 5. Diagnosing the QVOD rootkit infection by the GMER anti-rootkit

Figure 6. The hidden malware service

The QVOD worm is a multifunctional malware where the rootkit plays a major role in allowing it to remain hidden thus avoiding detection which has been a major contributing factor in the worm’s proliferation.

Conclusion

Modern rootkits use various methods to hide malware activity and deploy sophisticated technologies to achieve it. The article provided an overview of rootkit techniques which are almost impossible to detect using standard detection methods.

A rootkit’s presence within a system risks serious problems such as personal or bank data leakage, spam relay and the ability for an intruder to remotely control a computer system without the user’s knowledge. Rootkits affect both end-users and large companies. Advanced technology industrial espionage always happens using the elements of rootkit technologies, Stuxnet being a good example of malware that is capable of collecting information within industrial systems.

Despite the difficulty facing antivirus companies in detecting and removing rootkits, the article shows that any user can detect a rootkit using effective and proven methods using publicly available tools such as GMER anti-rootkit.

  • Back to articles


  • Share this post:    Twitter Facebook