Video Screencast Help
Symantec Appoints Michael A. Brown CEO. Learn more.
Security Response

Backdoor.Tranwos Abuses EFS to Prevent Forensic Analysis

Created: 07 Jun 2013 17:45:03 GMT • Updated: 23 Jan 2014 18:06:47 GMT • Translations available: 日本語
Kazumasa Itabashi's picture
+1 1 Vote
Login to vote

Recently, we discovered a threat that abuses the Encrypting File System (EFS), which Symantec detects as Backdoor.Tranwos. Not only is it trivial for program code to use EFS, it’s also very effective at preventing forensic analysis from accessing the contents of the file.

The threat creates the folder %Temp%\s[RANDOM ASCII CHARACTERS] and then calls the EncryptFileW API in order to encrypt the folder and all files and folders subsequently created in the encrypted folder will be encrypted automatically by Windows. The threat also copies itself as the file name wow.dll in the folder and then modifies the Characteristic attribute of the PE header in order to change to a DLL file.
 

backdoor tranwos 1 edit.png

Figure 1. Creates folder and encrypts it
 

In some cases, security researchers may use another operating system, such as a version of Linux bootable from a removable drive, in order to retrieve malicious files from a compromised computer. This method is useful when retrieving files from a computer compromised by a rootkit. However, it’s impossible to get the file wow.dll by this method because the DLL file is encrypted on the EFS.

A user account that executes this threat can see the contents of the file and change the status of the encryption. As this threat makes it impossible for researchers to use forensic tools, as we normally would, we have to manually execute the threat on a test computer to gather the contents of the file. The purpose of this threat using EFS is only to prevent forensic analysis from retrieving the contents of itself.
 

backdoor tranwos 2.png

Figure 2. wow.dll file path
 

After executing this threat, Explorer shows the folder and the file in green as it has been encrypted.

This threat has the functionality to vary command-and-control servers according to a command it may receive from the remote attacker through the back door it opens. It also has the functionality to download more malware onto the compromised computer. Symantec will continue to monitor this threat and report if anything new is discovered.

The best way to stay safe from this threat and others is to keep your antivirus definitions, IPS signatures, and firewall rules up to date.