64-Bit System Driver Infected and Signed After UAC Bypassed
- Wednesday, March 14, 2012, 15:00
- Threat Research
What was just a theory not so long ago is now being used in-the-wild by threats such as Backdoor.Hackersdoor and its newer variant Backdoor.Conpee.
Back in December we analyzed tdpipe.sys, an infected 64-bit Windows 7 system driver. The infection consisted of an extra import added to the driver’s import table:
The import named DiscPart from pipe.sys ensures that the malicious file pipe.sys is loaded at the same time as the system driver tdpipe.sys; the DiscPart function itself simply returns without doing anything.
This is a common method employed by malware authors to ensure the malware they create runs when the compromised computer starts. The advantages to this technique are that the malware does not create any detectable load points—either through registry or links—and it is difficult to spot due to minimal changes made to the file.
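As an added example (not code from the post or from the vendor), the Python checker below walks the import table of a 64-bit PE image and reports every module that is not in an assumed allow-list of what a clean build of the driver imports; this is the kind of baseline diff that catches the single extra import described above. The PE image it builds is constructed test data carrying the pipe.sys!DiscPart entry, not a real driver, and the allow-list is an assumption.

```python
import struct
def _rva_to_off(sections, rva):
    """Map an RVA to a file offset through the section table (entries: vsize, va, raw_size, raw_off)."""
    for vsz, va, rsz, raw in sections:
        if va <= rva < va + max(vsz, rsz):
            return rva - va + raw
    raise ValueError("RVA 0x%x is not backed by any section" % rva)
def _cstr(data, off): return data[off:data.index(b"\0", off)].decode("ascii")

def parse_imports(data):
    """Return {module: [function names]} from the import table of a PE32+ (64-bit) image."""
    pe = struct.unpack_from("<I", data, 0x3C)[0]                     # e_lfanew
    assert data[pe:pe + 4] == b"PE\0\0", "not a PE image"
    opt, nsec, opt_size = pe + 24, struct.unpack_from("<H", data, pe + 6)[0], struct.unpack_from("<H", data, pe + 20)[0]
    assert struct.unpack_from("<H", data, opt)[0] == 0x20B, "PE32+ only"
    imp_rva = struct.unpack_from("<I", data, opt + 120)[0]            # DataDirectory[1] = import table
    sections = [struct.unpack_from("<IIII", data, opt + opt_size + 40 * i + 8) for i in range(nsec)]
    result, off = {}, _rva_to_off(sections, imp_rva)
    while struct.unpack_from("<I", data, off + 12)[0]:                # Name RVA of 0 ends the descriptor array
        oft, _, _, name_rva, ft = struct.unpack_from("<IIIII", data, off)
        funcs, toff = [], _rva_to_off(sections, oft or ft)           # prefer the unbound (original) thunk array
        while (entry := struct.unpack_from("<Q", data, toff)[0]) != 0:   # 8-byte thunk entries, null-terminated
            funcs.append("#%d" % (entry & 0xFFFF) if entry >> 63       # import by ordinal
                         else _cstr(data, _rva_to_off(sections, entry & 0x7FFFFFFF) + 2))  # +2 skips the hint
            toff += 8
        result[_cstr(data, _rva_to_off(sections, name_rva)).lower()] = funcs
        off += 20
    return result

def unexpected_imports(data, baseline):
    """Modules the image imports that a known-good build of the driver does not (baseline is an assumed allow-list)."""
    return {m: f for m, f in parse_imports(data).items() if m not in baseline}

def build_sample_image(imports):
    """Constructed minimal PE32+ with a single .idata section: test data only, not a real driver."""
    sec_rva, sec_off, body, thunks = 0x1000, 0x200, bytearray(20 * (len(imports) + 1)), {}
    for mod, funcs in imports.items():                                # reserve a null-terminated thunk array per module
        thunks[mod] = len(body); body += bytes(8 * (len(funcs) + 1))
    descs = b""
    for mod, funcs in imports.items():
        name_rva = sec_rva + len(body); body += mod.encode() + b"\0"
        for i, f in enumerate(funcs):                                 # each thunk points at an IMAGE_IMPORT_BY_NAME (hint, name)
            struct.pack_into("<Q", body, thunks[mod] + 8 * i, sec_rva + len(body)); body += b"\0\0" + f.encode() + b"\0"
        descs += struct.pack("<IIIII", sec_rva + thunks[mod], 0, 0, name_rva, sec_rva + thunks[mod])
    body[:len(descs)] = descs
    hdr = bytearray(sec_off); hdr[:2] = b"MZ"; struct.pack_into("<I", hdr, 0x3C, 0x40); hdr[0x40:0x44] = b"PE\0\0"
    struct.pack_into("<HHIIIHH", hdr, 0x44, 0x8664, 1, 0, 0, 0, 240, 0x22)   # COFF header: x64, one section
    struct.pack_into("<H", hdr, 0x58, 0x20B); struct.pack_into("<II", hdr, 0x58 + 120, sec_rva, len(descs))
    struct.pack_into("<8sIIII", hdr, 0x58 + 240, b".idata", len(body), sec_rva, len(body), sec_off)
    return bytes(hdr + body)
```

For a driver on disk, pass the file's bytes as `data` together with the import list taken from a known-clean copy; the sample builder exists only so the check runs offline.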
What is unusual though is that the driver was signed after the infection:
Driver signing is enforced by default on any 64-bit Windows Vista or Windows 7 operating system, requiring malware authors either to bypass the signing process (mostly done through bootkits) or to have the infected system drivers re-signed after infection, as in this case.
The latter case is unusual as it requires a valid certificate—most likely stolen from its rightful