Bkav says New Virus Protects Itself by Freezing the Hard Disk
Security researchers at the well-known Vietnamese security company Bkav have detected an unusual virus that shields itself from anti-virus (AV) software by "freezing" the hard disk.
Once it infects a machine, it effectively creates a restore point: every change the user makes, such as editing documents, copying files or downloading data from the Internet, is reverted, and recently copied files disappear.
The threat also changes the hard drive's icon.
It drops a number of executable modules, each serving a different purpose.
For example, the 'Wininite' module is designed to communicate with two command-and-control (C&C) servers, one located in China and the other in the United States of America.
Another module, 'DiskFlt', restores the hard disk to its original state every time the computer is restarted, whatever the reason for the restart.
HELP NET SECURITY published a statement on 18th September, 2013 quoting Tran Trung Nghia, a malware researcher, as saying: "DiskFlt generates a device attached to a Disk Device that controls the reading and writing of data on the disk, and it also generates a 'cache' data area. When the Internaut has data reading/writing operations on the disk, 'DiskFlt' will generate a copy of that data area and place it in the 'cache' area. Henceforth, each reading/writing operation will be forwarded to the 'cache' area, which makes the Internaut incapable of altering the data on the original disk."
'PassThru' is a network driver module that redirects or blocks certain websites, and Black.dll is the component that helps the virus spread.
So each time the computer is restarted, all changes made by the user, such as new or downloaded documents and newly installed software, are "wiped", and the malware is "regenerated" (if it had been removed at all).
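The copy-on-write redirection that the quoted description attributes to DiskFlt can be modelled in a few dozen lines. The following is an added example written for this article; it is not Bkav's analysis code and not the malware's driver. The sector size, the disk layout, the placement of a module named Black.dll in sector 3, the user document and the AV "clean" action are all constructed for the illustration, and the real driver operates inside the Windows storage stack rather than on a Python byte array.

```python
from __future__ import annotations

# Constructed for the example: a tiny sector size keeps the byte strings readable.
SECTOR = 16


class Disk:
    """The real block device: a flat array of fixed-size sectors."""

    def __init__(self, sectors: int) -> None:
        self.data = bytearray(sectors * SECTOR)

    def read(self, lba: int) -> bytes:
        off = lba * SECTOR
        return bytes(self.data[off:off + SECTOR])

    def write(self, lba: int, buf: bytes) -> None:
        if len(buf) != SECTOR:
            raise ValueError("one whole sector per write")
        off = lba * SECTOR
        self.data[off:off + SECTOR] = buf


class CowFilter:
    """Model of a filter device attached above the disk device.

    Writes never reach the disk. The first write to a sector copies that
    sector into a private, memory-only cache and applies the write there;
    later reads and writes of that sector are redirected to the cache.
    Because the cache is only memory, a restart (reboot()) discards it and
    the original disk contents reappear.
    """

    def __init__(self, disk: Disk) -> None:
        self.disk = disk
        self.cache: dict[int, bytearray] = {}

    def read(self, lba: int) -> bytes:
        if lba in self.cache:
            return bytes(self.cache[lba])
        return self.disk.read(lba)

    def write(self, lba: int, buf: bytes) -> None:
        if lba not in self.cache:
            # copy-on-write: snapshot the original sector before changing it
            self.cache[lba] = bytearray(self.disk.read(lba))
        self.cache[lba][:] = buf

    def reboot(self) -> None:
        """The cache lives only in RAM, so a restart throws every change away."""
        self.cache.clear()


def diverging_sectors(flt: CowFilter, disk: Disk) -> list[int]:
    """Sectors where the live (filtered) view differs from the raw disk.

    In the model this is what an offline read of the drive (booting from
    clean media) would reveal compared with the view the running OS gets.
    """
    total = len(disk.data) // SECTOR
    return [lba for lba in range(total) if flt.read(lba) != disk.read(lba)]


def scenario() -> dict[str, object]:
    """Walk through an infection, an AV 'clean' and a reboot. All constructed."""
    disk = Disk(8)
    dropped = b"MZ-Black.dll----"      # constructed: the dropped module body
    disk.write(3, dropped)             # already on the real disk before the filter loads
    flt = CowFilter(disk)

    flt.write(5, b"user-report.docx")  # the user saves a document
    flt.write(3, bytes(SECTOR))        # an AV product zeroes the module's sector

    seen_after_clean = flt.read(3)     # what the AV and the user now see
    raw_after_clean = disk.read(3)     # what is actually on the disk
    touched = diverging_sectors(flt, disk)
    flt.reboot()
    return {
        "seen_after_clean": seen_after_clean,
        "raw_after_clean": raw_after_clean,
        "touched_before_reboot": touched,
        "doc_after_reboot": flt.read(5),
        "module_after_reboot": flt.read(3),
    }


if __name__ == "__main__":
    for key, value in scenario().items():
        print(f"{key}: {value!r}")
```

The practical point for a responder is that nothing read through the running system can be trusted: the AV sees a zeroed sector and the user sees a saved document, while the raw disk holds the module and no document, and the reboot makes the live view match the disk again. Verification therefore has to happen offline, from clean boot media, which is what diverging_sectors models. The article does not say how DiskFlt registers its filter device, but on Windows a disk-level filter generally has to be loaded through the storage stack, so the UpperFilters and LowerFilters values under the disk class key (HKLM\SYSTEM\CurrentControlSet\Control\Class\{4d36e967-e325-11ce-bfc1-08002be10318}) are one place to compare against a known-good baseline when hunting for something like this.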
This virus can therefore be regarded as a rootkit, though one with a unique self-defense mechanism: instead of preventing changes to the virus's own modules, as a conventional rootkit does, this one prevents changes to the entire disk, Bkav concluded, as reported on security.bkav.com on September 17, 2013.
» SPAMfighter News - 27-09-2013