One interesting piece of code we found this week was actually "backdooring" an existing Windows kernel driver. In the past we have seen malware patching Windows drivers to improve its own performance (for example by removing the TCP connection limit), but this time the driver is modified to execute code appended to it, using parasitic techniques. Windows File Protection does not trigger when the malware patches the driver, yet it is not disabled either: try to modify the driver yourself once it has been patched, and Windows complains.
The backdoored driver is TCPIP.SYS.
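A parasitic infection of a PE driver usually leaves two traces in the headers: the entry point (DriverEntry) is redirected into a section added at the end of the file, and that section is often marked both writable and executable. The following is an added example, not code from the original post, of a header-only heuristic that looks for exactly those traces. The two PE images it checks are constructed in the block purely for demonstration (the section names and addresses are made up and stand in for a clean and a patched TCPIP.SYS), and the parser reads only the fields the check needs.

```python
import struct

# Section characteristic flags from the PE specification.
IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000


def parse_pe(data):
    """Return (entry_rva, sections); sections is a list of
    (name, virtual_address, size, characteristics) in file order."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4                       # IMAGE_FILE_HEADER
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20                           # IMAGE_OPTIONAL_HEADER
    # AddressOfEntryPoint sits at offset 16 in both PE32 and PE32+.
    entry_rva = struct.unpack_from("<I", data, opt + 16)[0]
    table = opt + opt_size                    # IMAGE_SECTION_HEADER array
    sections = []
    for i in range(num_sections):
        f = struct.unpack_from("<8sIIIIIIHHI", data, table + 40 * i)
        name, vsize, va, rawsize, chars = f[0], f[1], f[2], f[3], f[9]
        sections.append((name.rstrip(b"\0").decode("latin-1"), va,
                         max(vsize, rawsize), chars))
    return entry_rva, sections


def check_parasitic(data):
    """Flag the usual traces of an appended infection: the entry point
    redirected into the last section, or into a writable+executable one."""
    entry_rva, sections = parse_pe(data)
    findings = []
    hit = None
    for idx, (name, va, size, chars) in enumerate(sections):
        if va <= entry_rva < va + size:
            hit = idx
            break
    if hit is None:
        entry_section = None
        findings.append("entry point %#x lies outside every section" % entry_rva)
    else:
        name, _, _, chars = sections[hit]
        entry_section = name
        if len(sections) > 1 and hit == len(sections) - 1:
            findings.append("entry point in last section %r" % name)
        if chars & IMAGE_SCN_MEM_WRITE and chars & IMAGE_SCN_MEM_EXECUTE:
            findings.append("entry section %r is writable and executable" % name)
        if not chars & (IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE):
            findings.append("entry section %r is not marked as code" % name)
    return {"entry_rva": entry_rva, "entry_section": entry_section,
            "findings": findings, "suspicious": bool(findings)}


def build_pe(sections, entry_rva):
    """Constructed minimal PE32 image (headers only, no section contents).
    Used solely to produce the demonstration samples below; not a real driver."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)     # e_lfanew
    opt_size = 224                             # sizeof(IMAGE_OPTIONAL_HEADER32)
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, opt_size, 0x2102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x10B)      # PE32 magic
    struct.pack_into("<I", opt, 16, entry_rva)
    table = b"".join(
        struct.pack("<8sIIIIIIHHI", name.encode().ljust(8, b"\0"),
                    size, va, size, 0, 0, 0, 0, 0, chars)
        for name, va, size, chars in sections)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + table


CODE = IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ
DATA = IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE

# Constructed samples: a clean layout, and the same layout with an appended
# section (hypothetical name ".added") that the entry point now points into.
CLEAN_SAMPLE = build_pe([(".text", 0x1000, 0x8000, CODE),
                         (".data", 0x9000, 0x2000, DATA)], entry_rva=0x1200)
INFECTED_SAMPLE = build_pe([(".text", 0x1000, 0x8000, CODE),
                            (".data", 0x9000, 0x2000, DATA),
                            (".added", 0xB000, 0x400, CODE | IMAGE_SCN_MEM_WRITE)],
                           entry_rva=0xB010)

if __name__ == "__main__":
    import sys
    for path in sys.argv[1:]:                  # optionally check real files
        with open(path, "rb") as fh:
            print(path, check_parasitic(fh.read()))
    print("clean   :", check_parasitic(CLEAN_SAMPLE))
    print("infected:", check_parasitic(INFECTED_SAMPLE))
```

This is a triage heuristic for a copy of the driver taken off the box, not a verdict: a legitimate driver can have its entry point in an unusual section, and an infector can keep the original entry point and hook elsewhere. On a live system the first check is still to compare the driver's hash against a known-good copy and to verify its signature, since a patched driver no longer matches its catalog.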