Researchers from Vietnamese security firm Bkav have recently spotted and analyzed a new piece of malware that uses an unexpected self-protection mechanism: it “freezes” the hard disk of the infected machine.
The malware is pretty stealthy, and the only obvious thing that might make the affected user suspicious of his machine being infected is the fact that it changes the icon of the hard disK.
But in the background, it creates several executable modules that are tasked with carrying out its main functions.
Black takes care of spreading the malware further. PassThru is a module network driver that blocks or redirects websites (and this is likely the main goal of the malware). Wininite contacts and receives commands from two C&C servers (one located in China and the other in the US).
Finally, DiskFit is the module that restores the computer’s hard disk to the status it had when it was first infected, and it does this every time the computer is restarted for whatever reason.
“DiskFlt creates a device attached to Disk Device to control the reading and writing of data on the disk. DiskFlt also creates a cache data area. When user has data reading/writing operations on disk, DiskFlt will create a copy of that data area and put it on the cache area. After this point, every reading/writing operation will be redirected to the cache area, which makes the user unable to change the data of the original disk,” malware researcher Tran Trung Nghia explains.
So each time the computer is restarted, all the changes the user made – making or downloading of new documents, the installation of new software, etc. – are “wiped”, and the malware is “regenerated” (if it was removed in the first place).
Personally, I can’t help but think that while the malware’s authors have achieved persistency, they have also made it too obvious that something is wrong with the computer and likely that the users will notice and look into it.
Maybe they are banking on the fact that many users don’t know much about computers? Or maybe on the fact that many don’t shut down or restart it for weeks or even months?
Whatever their expectations are, users who notice this kind of behavior from their computer can download the company’s BkavRootFreezeRemover tool and remove the malware permanently.