It's somewhat ironic to write this post right after the last blog post, where we talked about the real danger of current threats as compared with theoretical proofs of concept like SMM rootkits.
Today I've spent some time reversing a malware sample that has been reported to our research lab by many users and that was heuristically intercepted by Prevx Edge.
The infection is already known on the web as Trojan.Neprodoor, but searching the internet I haven't been able to find any useful technical description of this trojan, so I decided to have an in-depth look at it.
Once I started the analysis, it was immediately obvious that this infection is not trivial and that it is able to evade most current security products.
The infection starts with a dropper, called reader_s.exe. However, this file is only the first of a long chain of installers.
This dropper is encrypted with its own packer, so after startup it unpacks itself and is ready to start with its payload.
It creates a copy of itself under %windir%\system32 and under the user's profile folder, then adds the corresponding autostart entries under the HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run and HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run registry keys, both with the value name [reader_s] and the path to the executable as data.
This can be defined as the pre-loader. After the installation process is finished, the dropper spawns a new svchost.exe process, injects a DLL into it and then starts a new thread inside that svchost process.
Control is now passed to the real loader, which handles the real payload and installs all the remaining components of the infection. It pings back to one of its control servers and communicates with them using a private encrypted protocol. All the traffic goes through TCP port 80, but web filters can't inspect it because of the encryption.
The loader is able to steal information from the PC, act as a proxy server, and download and install other components of the infection.
Now the most interesting part starts. The loader can download another component, which turns out to be a rootkit installer. Moreover, we have observed it downloading a spambot component.
After the loader has downloaded the other two components into memory, it injects them into two more svchost.exe processes. Everything runs in memory; nothing is actually written to disk.
While the spambot is a classic spambot component, the rootkit installer is far more interesting. It infects the ndis.sys driver by reading the original code, encrypting it and embedding that code inside its own body. The new ndis.sys then overwrites the original one, and a copy of the new ndis.sys is placed into the dllcache system folder. At this point the original ndis.sys driver exists only as an encrypted blob embedded inside the rootkit code.
By doing so, the rootkit doesn't need to add any Windows registry key to start the service and it can survive hidden in memory.
After the ndis service is reloaded, the rootkit code allocates a chunk of kernel memory into which it copies its malicious code; only then is the old ndis.sys loaded.
The rootkit code, which is now just an untraceable piece of executable code inside Windows kernel memory, sets up a process notify routine to intercept the loading of the services.exe process.
When that happens, the rootkit injects the same loader I talked about before into services.exe. The whole cycle can now start again, with the spambot being downloaded and injected into an svchost.exe process.
Moreover, to stay invisible on disk, the rootkit hooks the IofCallDriver kernel function by changing the function's pointer address and redirecting it to its own hook function.
This is another way to filter disk reads, by intercepting driver calls. If any software tries to read the ndis.sys driver, the original clean copy is shown, and any attempt to modify the file is denied.
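Two of the artifacts described above (the [reader_s] Run values and the replaced ndis.sys in system32 and dllcache) can be checked from outside the infected OS. The script below is an added example written for this post, not code from Prevx or from the malware analysis itself; it assumes the Windows volume has been mounted from boot media under some directory, and it uses a known-good SHA-256 of ndis.sys that the analyst supplies from clean install media (a placeholder here). The sample volume and the registry export it checks are constructed in the script. Because the IofCallDriver hook serves the clean copy to any reader on the live system, running this on the infected machine itself would report nothing.

```python
"""Offline triage for the Neprodoor artifacts described in the post.

Run against a Windows volume mounted from boot media (e.g. a Linux live USB),
not from inside the infected OS: the IofCallDriver hook described above hands
a clean ndis.sys to any reader running on the live system.  The sample volume
and the .reg export below are constructed fixtures, not real infected data.
"""
import hashlib
import re
import tempfile
from pathlib import Path

# Matches the section header of a Run key inside a `reg export` text file.
RUN_KEY_RE = re.compile(r"^\[(HKEY_[^\]]*\\CurrentVersion\\Run)\]\s*$", re.IGNORECASE)
# Matches a string value line: "name"="data" (backslashes are doubled in .reg files).
VALUE_RE = re.compile(r'^"([^"]+)"="(.*)"\s*$')


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def check_ndis(volume_root, known_good_sha256=None):
    """Compare system32\\ndis.sys with the dllcache copy and, if given, with a
    known-good hash.  Returns a list of findings (empty = nothing suspicious).

    Caveat: the installer replaces the dllcache copy as well, so the two copies
    agreeing proves nothing; the known-good hash is the check that matters.
    The WINDOWS/system32 path is assumed; adjust case for the mounted volume.
    """
    sys32 = Path(volume_root) / "WINDOWS" / "system32"
    copies = {"system32": sys32 / "ndis.sys", "dllcache": sys32 / "dllcache" / "ndis.sys"}
    findings, digests = [], {}
    for label, path in copies.items():
        if not path.is_file():
            findings.append(f"{label} copy missing: {path}")
            continue
        digests[label] = (path.stat().st_size, sha256_file(path))
    if len(digests) == 2 and digests["system32"][1] != digests["dllcache"][1]:
        findings.append("system32 and dllcache copies of ndis.sys differ")
    if known_good_sha256:
        for label, (size, digest) in digests.items():
            if digest != known_good_sha256.lower():
                findings.append(f"{label} ndis.sys does not match known-good hash (size {size} bytes)")
    return findings


def suspicious_run_entries(reg_export_text, value_name="reader_s"):
    """Scan a .reg export for Run values named like the dropper's autostart
    entry.  Returns (key, value name, data) tuples with backslashes un-doubled."""
    hits, current_key = [], None
    for line in reg_export_text.splitlines():
        m = RUN_KEY_RE.match(line)
        if m:
            current_key = m.group(1)
            continue
        if line.startswith("["):        # any other key ends the Run section
            current_key = None
            continue
        if current_key:
            v = VALUE_RE.match(line)
            if v and v.group(1).lower() == value_name.lower():
                hits.append((current_key, v.group(1), v.group(2).replace("\\\\", "\\")))
    return hits


def build_fixture(clean=True):
    """Constructed sample volume; returns (root, sha256 of the clean file)."""
    root = Path(tempfile.mkdtemp())
    sys32 = root / "WINDOWS" / "system32"
    (sys32 / "dllcache").mkdir(parents=True)
    clean_bytes = b"MZ" + b"\x00" * 64 + b"constructed clean ndis.sys stand-in"
    tampered = b"MZ" + b"\x00" * 64 + b"constructed rootkit body + encrypted original"
    content = clean_bytes if clean else tampered
    (sys32 / "ndis.sys").write_bytes(content)
    (sys32 / "dllcache" / "ndis.sys").write_bytes(content)  # installer replaces both
    return root, hashlib.sha256(clean_bytes).hexdigest()


# Constructed .reg export with one benign value and the two [reader_s] entries.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SampleBenign"="C:\\Program Files\\Sample\\benign.exe"
"reader_s"="C:\\WINDOWS\\system32\\reader_s.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"reader_s"="C:\\Documents and Settings\\user\\reader_s.exe"
'''

if __name__ == "__main__":
    root, known_good = build_fixture(clean=False)
    for finding in check_ndis(root, known_good):
        print("ndis.sys:", finding)
    for hit in suspicious_run_entries(SAMPLE_REG):
        print("autostart:", hit)
```

On a real volume, replace `build_fixture` with the mount point and obtain the known-good hash from install media or a trusted machine with the same service pack; a `reg export` of the two Run keys taken from the offline hive via a registry tool gives the text for `suspicious_run_entries`.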
This malware was clearly not developed by a bored teenager; the whole concept behind the infection suggests the work of someone skilled, and the mechanism is not trivial.
In fact, the rootkit component stays invisible to most current antirootkit technologies, and the modular structure of the infection would let the malware writer(s) update the malicious code easily.
We have heuristically found many clients infected by this malware. Prevx Edge and Prevx CSI are able to clean the infection.
While you investigate your PC for infections caused by possible SMM rootkits, please also check whether a banal, trivial, kernel-mode rootkit like this one is subverting your operating system.
6 comments so far
- jtx00 on Mar 31 2:23, 2009
- Naylor on May 27 1:28, 2009
- Attila on Jul 6 9:12, 2009
- Khortoom on Sep 23 20:45, 2009
Very good article. I'm surprised that both Trend and Symantec conclude that this is a low risk virus. It's a hell of an infection to us. By the way, I don't know why your article doesn't mention userinit.exe being infected; or is it a different virus?
My computer was infected by this nasty virus. Spyware and virus checkers did not detect ndis.sys being infected. userinit.exe was detected but could not be removed, for the obvious reason that both files are part of the XP kernel. After cleaning, one persistent symptom of ndis.sys infection is it creates an entry of agprotect in Registry.
I haven't tried PrevxCSI yet but I've done the following to fix userinit.exe and ndis.sys (in case it's of any help to novices like me).
- I copied a clean copy of userinit.exe over the infected file in \windows\system32
- I copied a clean copy of ndis.sys over the infected file in \windows\system32\dllcache
- I booted from USB Linux and copied a clean copy of ndis.sys over the infected file in \windows\system32 (I don't know whether this works with a DOS boot diskette)
The interesting thing is by renaming the infected ndis.sys file to a different name e.g. blah, the virus checker can detect it right away.
I'm keeping my fingers crossed at the moment. I curse myself for stupidly opening a dodgy exe file with an attractive title downloaded from the net. A lesson forever learnt.
Hi.
This is the most consistent analysis that I found on the internet about this ndis.sys problem. My doubt is how could you copy the clean version of this file from another computer. My other and uninfected computer didn't allow me to do that, because it's a system file.
Thanks!
I have the same virus.
2 more things:
- it infects other executable files, it can be measured by comparing its size to a clean one, infected files are 22-21 Kbyte bigger. For example explorer was 242 Kb, infected became 266 Kb
- I tried avast and superantispyware, none of them could detect these infected exe files
the investigation above was very good, and indeed useful. However, it was focusing on the mechanism of infecting from pc to pc, and then what it does really. There is also html infection by adding an invisible iframe that points to [URL Removed] or similar, hidden with escape sequences
it also changes the hosts file, the very first line would point to 127.0.0.1 - I suppose it would be changed to an outside location with an external command
I would focus on removal of all the infected exe files, and finally get a clean pc. Otherwise I will have to format and reinstall everything...
Attila
Hello Marco, very nice article there:)
Is this the same as the virus called "win32/virut.NBP" by ESET or "virut.CF" by Symantec? The description totally fits that: reader_s, infection of ndis.sys, the mechanism of infection, the PE component and the IRC bot, etc... With total cleaning and disinfection, I managed to limit it to 1 infection source, the modified ndis.sys, which could not be cleaned or deleted due to being an OS file, and the spread of infection started again :(
I was wondering if you could provide any of the IP addresses that "neprodoor" calls out to on port 80? I would like to check my network logs for any external connections to those IPs if possible.