A new bootkit (a kernel-mode rootkit variant that infects the master boot record) has recently been spotted by Kaspersky Lab researchers, and it currently appears to target only Chinese users.
It is being distributed by a downloader Trojan, which users pick up when they try to download a video from a bogus Chinese adult site.
The bootkit saves the original master boot record (MBR) to the disk's third sector and overwrites the MBR with its own code. An encrypted driver and the rest of the bootkit's code are written to the disk from the fourth sector onwards.
When the computer boots, the malicious MBR code runs first; it then loads the saved original MBR and hands control to it, so Windows starts normally and nothing in the boot process reveals the presence of the bootkit.
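The layout just described (clean MBR stashed in a spare sector of the boot track, bootkit code in the MBR and the sectors after the stash) is something a responder can look for in a disk image. The following is an added example written for this page, not Kaspersky's tooling or anything from the sample itself: it parses sector 0, then scans the gap before the first partition for a second sector that is itself a well-formed MBR, and reports whether that copy's boot code differs from sector 0 while the partition table matches (a bootkit normally keeps the original partition table so the disk still works). The 63-sector gap, the sample disk contents and the sector offsets used to build them are assumptions of the example.

```python
import struct

SECTOR = 512
# Classic MBR disks leave sectors 1..62 unused before the first partition;
# that gap is where bootkits stash data. The value is an assumption for this example.
GAP_SECTORS = 63
BOOT_SIG = b"\x55\xaa"


def parse_partition_table(sector: bytes):
    """Return the four 16-byte MBR partition entries, or None if the 0x55AA signature is missing."""
    if len(sector) != SECTOR or sector[510:512] != BOOT_SIG:
        return None
    entries = []
    for i in range(4):
        e = sector[446 + 16 * i: 446 + 16 * (i + 1)]
        lba, size = struct.unpack_from("<II", e, 8)
        entries.append({"status": e[0], "type": e[4], "lba_start": lba, "sectors": size})
    return entries


def looks_like_mbr(sector: bytes) -> bool:
    """Heuristic: signature present and at least one entry with a sane status byte, a type and a length."""
    table = parse_partition_table(sector)
    if table is None:
        return False
    return any(e["status"] in (0x00, 0x80) and e["type"] != 0 and e["sectors"] > 0 for e in table)


def scan_for_stashed_mbr(image: bytes) -> dict:
    """Scan the boot-track gap of a raw disk image for a backup copy of the MBR."""
    sector0 = image[:SECTOR]
    findings = {
        "mbr_signature_ok": parse_partition_table(sector0) is not None,
        "stashed_mbr_sectors": [],      # gap sectors that parse as a complete MBR
        "boot_code_differs": False,     # stashed copy's first 446 bytes != sector 0's
        "partition_table_copied": False # stashed copy's partition table == sector 0's
    }
    for n in range(1, min(GAP_SECTORS, len(image) // SECTOR)):
        sec = image[n * SECTOR:(n + 1) * SECTOR]
        if looks_like_mbr(sec):
            findings["stashed_mbr_sectors"].append(n)
            if sec[:446] != sector0[:446]:
                findings["boot_code_differs"] = True
            if sec[446:510] == sector0[446:510]:
                findings["partition_table_copied"] = True
    return findings


def is_suspicious(findings: dict) -> bool:
    """A second MBR in the gap whose boot code differs from sector 0 is the bootkit pattern."""
    return bool(findings["stashed_mbr_sectors"]) and findings["boot_code_differs"]


def build_sample_disk(infected: bool) -> bytes:
    """Constructed 63-sector test image (not a real capture): clean, or laid out like the bootkit."""
    boot_code = b"\xfa\x33\xc0\x8e\xd0\xbc\x00\x7c" + b"\x90" * (446 - 8)  # typical prologue, then NOPs
    entry = bytes([0x80, 0, 0, 0, 0x07, 0, 0, 0]) + struct.pack("<II", 63, 2048 * 1000)  # bootable NTFS
    table = entry + bytes(48)
    original_mbr = boot_code + table + BOOT_SIG
    disk = bytearray(original_mbr + bytes(SECTOR * (GAP_SECTORS - 1)))
    if infected:
        # Sector 0: bootkit loader with the original partition table kept intact.
        disk[0:SECTOR] = (b"\xcc" * 446) + table + BOOT_SIG
        # Third sector (index 2): the saved original MBR the loader chains to at boot.
        disk[2 * SECTOR:3 * SECTOR] = original_mbr
        # Fourth sector onwards: opaque "encrypted driver" bytes.
        for k in range(3, 11):
            disk[k * SECTOR:(k + 1) * SECTOR] = bytes((i * 73 + k) & 0xFF for i in range(SECTOR))
    return bytes(disk)


if __name__ == "__main__":
    for label, image in (("clean", build_sample_disk(False)), ("infected", build_sample_disk(True))):
        f = scan_for_stashed_mbr(image)
        print(label, f, "SUSPICIOUS" if is_suspicious(f) else "ok")
```

Run it against an image taken from a powered-off disk, or from a system booted off trusted media: a bootkit's kernel driver can also filter raw disk reads and hand back the clean MBR, so a scan performed from inside the infected Windows installation may see nothing wrong. Comparing partition tables alone would miss this family for the same reason it keeps the disk bootable; the signal is a second valid MBR whose boot code does not match sector 0.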
“Once a specific part of the system has been booted, the bootkit intercepts the function ExVerifySuite. The installed hook replaces the system driver fips.sys with the malicious driver which was written to the start of the hard drive in an encrypted format,” explains Kaspersky Lab expert Vyacheslav Zakorzhevsky. “It should be noted that the driver fips.sys is not required for the operating system to run correctly, so the system won’t crash when it is replaced.”
This driver detects a number of AV solutions and prevents them from working as they should. Among them are solutions from Trend Micro, BitDefender, AVG, Symantec, Kaspersky Lab, ESET and half a dozen Chinese ones.
Having done that, the driver compromises the explorer.exe process and injects into it another component of the bootkit that also acts as a downloader. “The malicious program sends a request to the server in which it communicates information about the victim computer’s operating system, IP address, MAC address, etc,” says Zakorzhevsky.
Among other things, this component then downloads a keylogger and a Trojan that steals account data for the online game LineAge2.