The Win32/Alureon family of malware is a complex set of components which perform various functions. These include the modification of DNS settings, search hijacking, and click fraud. Alureon has existed for several years and has undergone a number of evolutionary changes. The ability to “infect” the miniport driver associated with the hard disk of the operating system is a recent notable change. This functionality first appeared around August 2009. For the most common system configuration (for machines using ATA hard disk drives) , the ATA miniport driver ‘atapi.sys’ is the file which is targeted.
While the concept of modifying Windows system files as part of an installation method is not new, it is not a common approach. The file modification performed by Alureon overwrites the data in the target driver’s resource section with its own code. The entry point of the driver is modified to point to this code. By doing so, the malicious code is executed when the driver is loaded by the operating system. (Note that this infection method is mitigated on the 64-bit versions of Windows from XP SP1 onwards because of a technology called Kernel Patch Protection (“PatchGuard”)).
In order to invoke a given Windows API, the virtual address (VA) must first be determined. This determination is generally taken care of by the operating system when an executable is loaded. The information required to perform this operation is stored within the PE file itself.
However, malware (and other software) often employ other methods to achieve this. In this case, rather than manipulate the structures required by the operating system, Alureon resolves the addresses it requires “manually”. These are then stored as relative virtual addresses (RVA) within the body of the modified driver.
The figure below illustrates the code responsible for saving the RVA of the API “ExAllocatePool” at an offset relative +0x14 to the start of the resource section:
The figure below is the start of the resource section of an infected driver. The stored RVA is 0x38d66:
Inspecting the VA, which is calculated by adding the RVA to the image base of the kernel, we observe the start of the API, “ExAllocatePool”:
As part of the February security updates, an update (MS10-015) resolving a vulnerability in Windows Kernel was released. This update included a new operating system kernel. Inspecting the updated kernel at the same VA, we observe that this address no longer corresponds to the start of the “ExAllocatePool” API.
In the updated kernel, the VA of “ExAllocatePool” has changed. Therefore, after applying MS10-015, Alureon will now be attempting to make an invalid call. The result of this attempted call is a blue screen or potential startup hang on 32-bit Windows systems but reports have predominately been on Windows XP.
The author(s) of Alureon have since updated the driver infection routine. The latest version of Alureon (detected as Trojan:WinNT/Alureon.G) no longer relies on the use of hard-coded RVAs.
Restart issues can be resolved by replacing an infected driver with the original. This can be performed from the recovery console.
The top ten filenames reported in the wild:
For example: ‘atapi.sys’ resides at the following location: