Tuesday, February 19, 2008

Malware Employs a Memory Injection Technique Patented by Microsoft

Digging inside the internals of one little piece of malware introduced one interesting discovery.

It’s been a few months since the first Pushdo threat analysis reports appeared in the blogs of other researchers.

It started from a Sophos blog entry, followed by an excellent research by Joe Stewart from SecureWorks and some other interesting papers.

At first sight, the Pushdo intrigues with its HIPS-killer capability, mentioned in the earlier ThreatExpert blog post.

Next, Cutwail/Pandex component that Pushdo downloads and installs, grasps attention with quite unusual encryption key used to encrypt its communication with the server:

It’s a greeting message in Russian to malware analysts to “get lost” by using an offensive slang. Please note the decryption string below is a reverse of the same greeting message.

But let’s go a bit deeper and try to figure out how it starts and infects the legitimate Internet Explorer process.

As seen from the code, the mailbot constructs the full path filename of Internet Explorer, and then uses that name as a command line to start up a new process with the CreateProcess() API.

Have a look at its parameter #6 – it’s a creation flag. This value uses a value of 4, which is a constant CREATE_SUSPENDED.

MSDN documents this flag constant as:

“The primary thread of the new process is created in a suspended state, and does not run until the ResumeThread function is called”.

Soon after that, the trojan allocates memory inside Internet Explorer with VirtualAllocEx(), injects malicious code at its image base with WriteProcessMemory(), and finally, it launches a remote thread in the injected code with CreateRemoteThread() API:

Immediately after infecting Internet Explorer process, the trojan submits a control code to its kernel mode driver runtime.sys that instructs it to hide the newly created and infected Internet Explorer process.

This infection method is different from the one that is used by Pushdo’s competing botnet Storm.

Storm relies on a memory injection method that was firstly suggested by Mailbot/Rustock, that is, allocating space on a heap memory of a legitimate process services.exe, infecting and then starting remote thread in it.

Rustock’s method is different as it infects a process that is already running, taking advantage of the fact that the infected process is critical for the system – it cannot be terminated, and there is no reason to hide it as it’s a legitimate process. Also, a hidden process could be detected by an anti-rootkit, and thus, draw an unnecessary attention to the compromised system.

This makes Pushdo/Cutwail/Pandex memory injection method something new.

Did they invent it to beat the competing Storm gangsters?

The answer to this question is No. They did not invent it. Microsoft did.

United States Patent 6698016


Title: Method for injecting code into another process

Let’s read its description.

“The invention allows the module to be injected into the target process as soon as the target process starts. The module is injected before any target process instructions are executed.

The target process is then started, resulting in the execution of the inserted instructions.

One of the flags that can be set in this command is CREATE_SUSPENDED. When this flag is set, the process is created in a suspended state. This means that the process is loaded into memory, but does not run until the ResumeThread command is called.

Overwriting a target process starting instructions with replacement code is done by preparing a structure in memory which contains the code and its associated parameters. This structure is then copied into the target process memory at the starting address by running the WriteProcessMemory command. The target process is then allowed to resume execution with a call to ResumeThread.”

Pushdo’s deviation from the Microsoft patent is that it does not inject instructions that load an addition module – it rather directly injects the malicious instructions as it does not need to restore the original process execution.

We’ve seen before how Microsoft’s “hot-patching” techniques are similar to the inline hooks installed by the rootkits.

However, replicating a technique documented in a software patent must be something new for malware.

The danger of this situation is that while a software patent cannot be adopted by a legitimate business without proper licensing agreements in place, a malware must have no problem with that.

Thus, the basic questions are:

- what purpose does this software patent serve?

- whatever the benefit of this software patent is, does it actually outweigh the danger of its "infringement" by malware?