
64-Bit System Driver Infected and Signed After UAC Bypassed

Created: 14 Mar 2012 23:00:29 GMT • Updated: 23 Jan 2014 18:16:48 GMT • Translations available: 日本語
By Mircea Ciubotariu

What was just a theory not so long ago is now being used in-the-wild by threats such as Backdoor.Hackersdoor and its newer variant Backdoor.Conpee.

Back in December we analyzed tdpipe.sys, an infected 64-bit Windows 7 system driver. The infection consisted of an extra import added to the driver’s import table:

The import named DiscPart from pipe.sys ensures that the malicious file pipe.sys is loaded at the same time as the system driver tdpipe.sys, even though the imported function itself simply returns without doing anything.

This is a common method employed by malware authors to ensure the malware they create runs when the compromised computer starts. The advantages of this technique are that the malware does not create any detectable load points—either through the registry or through links—and that it is difficult to spot, because only minimal changes are made to the file.
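As an added example (not code from the original post), the following Python parser walks the import directory of a 64-bit PE image and flags any imported DLL that is not in a known-good baseline, which is how the extra pipe.sys import described above would surface during triage. The sample image, the `build_sample_pe` helper and the `ntoskrnl.exe` baseline are constructed here for illustration.

```python
import struct

def _rva_to_off(rva, sections):
    for vsize, va, raw_size, raw_ptr in sections:  # (VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData)
        if va <= rva < va + max(vsize, raw_size):
            return rva - va + raw_ptr
    raise ValueError("RVA 0x%x is not backed by any section" % rva)

_cstr = lambda data, off: data[off:data.index(b"\0", off)].decode("ascii", "replace")  # NUL-terminated string

def list_imports(data):
    """Walk the import directory of a PE32+ (64-bit) image and return {dll: [imported symbols]}."""
    pe = struct.unpack_from("<I", data, 0x3C)[0]                                         # e_lfanew
    assert data[pe:pe + 4] == b"PE\0\0" and struct.unpack_from("<H", data, pe + 24)[0] == 0x20B, "not PE32+"
    nsect, opt_size = struct.unpack_from("<H", data, pe + 6)[0], struct.unpack_from("<H", data, pe + 20)[0]
    sections = [struct.unpack_from("<IIII", data, pe + 24 + opt_size + 40 * i + 8) for i in range(nsect)]
    imports, desc = {}, _rva_to_off(struct.unpack_from("<I", data, pe + 24 + 112 + 8)[0], sections)
    while True:
        ilt, _, _, name_rva, iat = struct.unpack_from("<IIIII", data, desc)  # IMAGE_IMPORT_DESCRIPTOR
        if name_rva == 0:                                                    # all-zero descriptor ends the table
            return imports
        names, thunk = [], _rva_to_off(ilt or iat, sections)
        while (entry := struct.unpack_from("<Q", data, thunk)[0]):
            # Top bit set means import by ordinal; otherwise the entry is the RVA of a hint/name record.
            names.append("#%d" % (entry & 0xFFFF) if entry >> 63 else _cstr(data, _rva_to_off(entry & 0x7FFFFFFF, sections) + 2))
            thunk += 8
        imports[_cstr(data, _rva_to_off(name_rva, sections)).lower()] = names
        desc += 20

def unexpected_imports(data, baseline):
    """DLLs the image imports that are absent from a known-good baseline for this driver (case-insensitive)."""
    return sorted(set(list_imports(data)) - {b.lower() for b in baseline})

def build_sample_pe(dlls):
    """Constructed sample: a minimal PE32+ file whose single section holds the given import table."""
    sec, cursor, descs = bytearray(0x200), (20 * (len(dlls) + 1) + 7) & ~7, b""
    def put(blob):                                   # append blob to the section, return its RVA
        nonlocal cursor
        off, cursor = cursor, cursor + ((len(blob) + 7) & ~7)
        sec[off:off + len(blob)] = blob
        return 0x1000 + off
    for dll, funcs in dlls:
        ilt = [put(b"\0\0" + f.encode() + b"\0") for f in funcs]             # hint/name records
        ilt_rva = put(b"".join(struct.pack("<Q", r) for r in ilt) + bytes(8))  # import lookup table
        descs += struct.pack("<IIIII", ilt_rva, 0, 0, put(dll.encode() + b"\0"), ilt_rva)
    sec[:len(descs)] = descs
    hdr = bytearray(b"MZ" + bytes(0x3A) + struct.pack("<I", 0x80) + bytes(0x200 - 0x40))  # e_lfanew = 0x80
    struct.pack_into("<4sHHIIIHHH", hdr, 0x80, b"PE\0\0", 0x8664, 1, 0, 0, 0, 240, 0x2022, 0x20B)  # COFF + magic
    struct.pack_into("<II", hdr, 0x98 + 120, 0x1000, len(descs))                             # import directory
    struct.pack_into("<8sIIII", hdr, 0x98 + 240, b".idata", 0x200, 0x1000, 0x200, 0x200)      # section header
    return bytes(hdr + sec)

SAMPLE = build_sample_pe([("ntoskrnl.exe", ["IoCreateDevice"]), ("pipe.sys", ["DiscPart"])])  # constructed stand-in
```

Running `unexpected_imports(SAMPLE, ["ntoskrnl.exe", "hal.dll"])` on the constructed stand-in for an infected tdpipe.sys returns `["pipe.sys"]`; on a real system driver the baseline would be the import list of the known-good file from installation media.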

What is unusual though is that the driver was signed after the infection:

Driver signing is enforced by default on any 64-bit Windows Vista or Windows 7 operating system, requiring malware authors either to bypass the signing enforcement (mostly done through bootkits) or to have the infected system drivers re-signed after infection, as in this case.

The latter case is unusual as it requires a valid certificate—most likely stolen from its rightful owner—and results in certificate revocation when surreptitious use is discovered, limiting the time window these signed threats could remain undetected. Moreover, if the same certificate is used for several threats that are not yet being detected, all of them will be rendered useless when the certificate is revoked.

In this threat’s case, the certificate was revoked by the owner about nine days after it was used:

With that in mind, the time window available for the attackers to remain undetected would be a little greater, because operating systems rarely check the certificate revocation list (CRL), or do not check it at all.

While Symantec detects the infected driver as Backdoor.Hackersdr!inf and the malicious payload pipe.sys as Backdoor.Hackersdoor, we have not yet been able to find a dropper or file infector that produces the infected driver, so we cannot say with certainty whether the threat signed the infected driver itself or whether it was simply dropped onto the computer already signed.

Recently we discovered a newer variant of the threat, Backdoor.Conpee, which infects both 32-bit and 64-bit Windows operating systems. It does not infect drivers, only system DLLs, using the same added import technique. What is also interesting about this threat is that it does not require any privileges to run under Windows 7, as it uses a proof-of-concept exploit—publicly available and known since 2009—that can elevate the privileges of any restricted process to Administrator level without the user’s permission or interaction. The latest fully patched and updated version of Windows 7 is still vulnerable to this exploit. The authors did not even bother to remove the comments from the exploit .dll file:

It's worth noting the copyright notice amusingly reads, "… all rights reserved. You are expressly forbidden from using this for malicious purposes."

Given the small number of infections observed by Symantec in the wild, we might assume that the digital signing of the infected tdpipe.sys was only a test case for malware authors trying different approaches to compromising the more secure 64-bit Windows operating systems. Regardless, it proves, once again, the lengths malware creators will go to in order to achieve their goals.