The new Peacomm infection techniques 

Aug 23, 2007 03:00 AM

The latest variants of Peacomm, detected as Trojan.Peacomm.C (or proactively, as the usual Trojan.Packed.13), have introduced some interesting changes in the way they infect a machine.

As was written in a previous blog entry, Peacomm spam entices users to visit a Web page containing a link to a file, applet.exe. This Web page also embeds an obfuscated JavaScript routine that tries to exploit a Windows Media Player vulnerability, in case the user decided – very wisely – not to download and run the so-called “Secure Login Applet”. If the vulnerability is exploited successfully, a small file will be downloaded onto the compromised machine, which will in turn download applet.exe. Both files are detected as Trojan.Packed.13.

When applet.exe runs, it first makes a copy of itself as spooldr.exe in the Windows folder, and drops an embedded kernel driver in the System folder, as spooldr.sys. It also tries to infect a Windows device driver named kbdclass.sys. This is the loadpoint used by Peacomm. During the next reboot, the infected driver is loaded by Windows, as it should be—its role is to load spooldr.sys.

Spooldr.sys has several functionalities, and uses smart tricks to achieve its goals. First, it acts as a loader for the real Trojan, spooldr.exe, located in the Windows folder. To do that, it injects a shellcode-like routine into explorer.exe, responsible for creating a spooldr.exe process. The loading scheme is very clever: first, the driver locates kernel32 in memory by resolving the address of CloseHandle, and checking for the MZ magic around this value. It then resolves two APIs, VirtualProtect and WinExec. It builds and injects a small payload into explorer.exe, and hooks the import entry for PeekMessageW, an API frequently used by windowed applications (like Explorer). The hook points to the payload, so that when Explorer calls PeekMessageW, the payload will be executed. The first thing the payload does is to unhook this import entry; it then creates the spooldr.exe process. The routine then jumps to the real PeekMessageW code to ensure normal application behavior – and to avoid crashing Explorer! This way, the threat does not have to create a remote thread in Explorer, a technique commonly used by middle-class malware and monitored by some security software.

It’s also responsible for hiding the newly created spooldr process, as well as any file beginning with spooldr (this is done by hooking the ZwQueryDirectoryFile system call). This way, the three files used by the Trojan – spooldr.exe, spooldr.sys and spooldr.ini, the peers list – will be hidden from the user’s eye.

The rootkit also protects the Trojan from third-party security software, such as firewalls or anti-virus. A kernel callback is set up, via PsSetLoadImageNotifyRoutine, to track process creation and, where found, kill malware-unfriendly ones. It also locks two files, ntoskrnl.exe (the Windows kernel) and kbdclass.sys (the infected Windows driver). It seems the purpose of these locks is to prevent rootkit detectors from working, by forbidding them to open critical system files – and check for differences against the ones loaded in memory, tampered with by the rootkit.

Though Peacomm functionalities haven’t changed, the mode of infection has been improved. The registry is now not used as a loading point, as Peacomm uses virus-like techniques to get its payload loaded by the system at startup.
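A host-side check for the artifacts described in the preceding paragraphs, added here as an example rather than Symantec's own tooling. It assumes the standard locations %WINDIR% for spooldr.exe and spooldr.ini and %WINDIR%\System32 (or System32\drivers) for the drivers, that the ZwQueryDirectoryFile hook hides names only from directory enumeration as the post describes, and an elevated PowerShell session on the suspect host.

```powershell
# Added example: look for the Peacomm.C artifacts described above (not Symantec's tooling).
# Assumptions: stock paths under $env:windir, run from an elevated session.
function Test-PeacommArtifacts {
    $win = $env:windir
    $findings = @()

    # 1. Dropped files. The rootkit hides names beginning with "spooldr" from
    #    directory enumeration (ZwQueryDirectoryFile hook), so do not rely on a
    #    listing: probe each expected name directly by path instead.
    $dropped = @("$win\spooldr.exe", "$win\spooldr.ini",
                 "$win\System32\spooldr.sys", "$win\System32\drivers\spooldr.sys")
    foreach ($p in $dropped) {
        if (Test-Path -LiteralPath $p) { $findings += "Dropped file present: $p" }
    }

    # 2. Cross-view check: a file that opens by name but is missing from the listing
    #    of its own folder is exactly the discrepancy the enumeration hook produces.
    $listed = Get-ChildItem -LiteralPath $win -Force -ErrorAction SilentlyContinue |
              Where-Object { $_.Name -like 'spooldr*' }
    if ((Test-Path -LiteralPath "$win\spooldr.exe") -and -not $listed) {
        $findings += "spooldr.exe opens by name but is hidden from enumeration"
    }

    # 3. Locked system files. The driver keeps ntoskrnl.exe and kbdclass.sys open so
    #    detectors cannot read them; a sharing violation on a read-only, share-all
    #    open of either file is therefore suspicious.
    foreach ($f in @("$win\System32\ntoskrnl.exe", "$win\System32\drivers\kbdclass.sys")) {
        try {
            $fs = [System.IO.File]::Open($f, 'Open', 'Read', 'ReadWrite')
            $fs.Close()
        } catch [System.IO.IOException] {
            $findings += "Cannot open for read (possibly locked by rootkit): $f"
        }
    }

    # 4. Infected loadpoint. kbdclass.sys ships signed by Microsoft; a non-Valid
    #    status here should be confirmed against a known-good copy, since older
    #    Windows releases report catalog-signed drivers as NotSigned.
    $sig = Get-AuthenticodeSignature -LiteralPath "$win\System32\drivers\kbdclass.sys"
    if ($sig.Status -ne 'Valid') {
        $findings += "kbdclass.sys signature status: $($sig.Status)"
    }

    return $findings
}

Test-PeacommArtifacts
```

An empty result means none of the described artifacts were observed, not that the host is clean; a modified kbdclass.sys should be replaced from a trusted copy and the machine rebooted before re-checking.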

Thankfully, all new Peacomm variants, as well as Peacomm-related malware (such as Trojan.Mespam), are generically caught by our heuristic detection Trojan.Packed.13.
