
Suspicious component hides files from Windows and covers its tracks

Anti-virus company Trend Micro made a troubling discovery last week: an unnamed Enterprise Information Security (EIS) suite secretly installs a rootkit-like driver that hides itself from users and the rest of Windows:

“Upon executing the software, the component file SCS11HLP.SYS registers itself as a device driver and a service on the affected system. After which it hooks certain APIs by patching system code. It then searches for the existing processes winpop.exe, xhound.exe and xtsr.exe, which are all related to the EIS software itself. The mentioned processes are hidden, disabling the user from viewing them even through Process Explorer. Information gathered as the software monitors the system is logged in the directory C:\XLog, which is also hidden by the software.”

Does any of this sound familiar? It should.

Sony earned itself a serious black eye back in 2005, when Windows kernel hacker Mark Russinovich blogged about his experience with a previously unknown Sony-distributed DRM suite that had been unwittingly installed on his computer after he played a CD by the Van Zant brothers. Sony’s DRM kit – whose discovery summoned forth a hailstorm of lawsuits – installed a hidden system driver that automatically buried anything beginning with “$sys$” from file and directory listings, anti-virus software, and even Windows API calls. A bad situation turned worse when the internet underground discovered that the DRM hid anything beginning with $sys$ – including their own malware, or in at least one case, World of Warcraft bots.

According to Trend Micro, the unnamed EIS suite works in a similar fashion; the fact that C:\XLog is accessible and writable by the user – and any malware written well enough simply laughs at file permissions anyway – means that even the crappiest of malware writers and script kiddies have easy access to stealth mode: anything they drop into that directory is hidden along with the suite’s own logs.
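The standard way to catch this class of hiding, whatever the rule the driver uses, is a cross-view comparison: take a listing through the (possibly hooked) Windows API, take a second listing from a lower level (raw volume parsing or an offline image), and report what the second view has that the first lacks. The following is an added illustration, not code from Trend Micro, Sysinternals or the EIS vendor; both views and the two hiding rules (the C:\XLog directory hide described above and Sony’s $sys$ prefix rule) are constructed models, and the file names in the sample listing are made up.

```python
# Added illustration: cross-view detection of name-based file hiding,
# modelled on the two hiding rules the article describes (constructed, not vendor code).
from typing import Callable, Iterable, List

HideRule = Callable[[str], bool]

def hides_like_eis(path: str) -> bool:
    """Model of the EIS driver: C:\\XLog and everything beneath it vanish from listings."""
    p = path.lower()
    return p == "c:\\xlog" or p.startswith("c:\\xlog\\")

def hides_like_sony(path: str) -> bool:
    """Model of the 2005 Sony DRM driver: any file name beginning with $sys$ vanishes."""
    return path.rsplit("\\", 1)[-1].lower().startswith("$sys$")

def hooked_api_view(raw: Iterable[str], rule: HideRule) -> List[str]:
    """What a hooked directory-listing API returns: the real listing minus hidden names."""
    return [p for p in raw if not rule(p)]

def cross_view_diff(api_listing: Iterable[str], raw_listing: Iterable[str]) -> List[str]:
    """Entries the low-level view has but the API view lacks: candidate hidden files.
    On a real system the raw view would come from parsing the volume directly or from
    an offline image; here both views are constructed in memory."""
    visible = set(api_listing)
    return [p for p in raw_listing if p not in visible]

# Constructed sample of what is really on disk, including a file an intruder parked
# in C:\XLog because the driver hides that whole directory for them.
RAW_LISTING = [
    "C:\\Windows\\notepad.exe",
    "C:\\XLog",
    "C:\\XLog\\activity.log",
    "C:\\XLog\\intruder_tool.exe",
    "C:\\Users\\alice\\report.docx",
    "C:\\Users\\alice\\$sys$bot.exe",
]

def find_hidden(rule: HideRule, raw: Iterable[str] = RAW_LISTING) -> List[str]:
    """Run the cross-view check for one hiding rule and return what it conceals."""
    raw = list(raw)
    return cross_view_diff(hooked_api_view(raw, rule), raw)

if __name__ == "__main__":
    for name, rule in (("EIS driver", hides_like_eis), ("Sony DRM", hides_like_sony)):
        print(f"{name}: hidden from the API view -> {find_hidden(rule)}")
```

The point of the diff is that it does not need to know the hiding rule in advance; any discrepancy between the two views is worth a look, which is why the rule-agnostic check catches the intruder’s file in C:\XLog as readily as the suite’s own log.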

But that’s not all! Who are the lucky customers who bought/will buy the software that harbors this stealthy little stowaway? Enterprises. Big companies, who spend big bucks to develop and protect big secrets. It doesn’t take a genius to see the obvious conclusion here: hacker X now has an easy safe haven in which to store a real rootkit – the kind that really grants root/admin-level access, not this namby-pamby file-hiding stuff – on a compromised computer, and can do so armed only with the knowledge of which security software the company runs. Computers at many large companies are centrally managed, and their security software is usually one of the first things to be rolled out centrally and across the organization – even on public terminals. Especially public terminals.

What if Best Buy deployed this EIS suite to their store computers? Or Target? Or any other big box retailer? Do you realize how easy it is to find one of their sales stations left unattended?

The best part is that Trend Micro traced the developer to an unnamed Chinese company, who may or may not be offering the driver for sale as an OEM solution. Moreover, this same company may also be the publisher of a similar “feature” found lurking in Sony’s MicroVault USM-F fingerprint reader in 2007.

While Trend Micro will disclose neither the EIS suite’s nor the publisher’s names, it’s only a matter of time before someone uses the information that is available to fill in the blanks. When, and if, the software in question is unmasked – well, let’s just say that it will be an interesting day for the lucky network administrators whose companies bought this stuff.

In the meantime, Trend Micro’s antivirus software will detect the driver as HKTL_BRUDEVIC, under “hacking tools.”

Comments

Legal Ramifications
By mmntech on 12/3/2008 11:45:46 AM , Rating: 2
I thought it was illegal to install software onto a computer without the user/admin's consent. That's what got Sony into such hot water back in 2005. You're right though. Hackers must be having a field day, since we all know how easy it is for them to crack DRM. It just proves once again that DRM does more to harm legitimate users than it does to the criminals.




RE: Legal Ramifications
By Fritzr on 12/4/2008 2:12:16 AM , Rating: 2
The people who signed off on the purchase, as well as whoever was assigned to install this package, accepted the EULA or they wouldn't be allowed to install it...so of course they gave their permission for this package to install itself "securely" :P


RE: Legal Ramifications
By soloman02 on 12/4/2008 7:38:00 PM , Rating: 2
Yes, but if that tidbit was not explicitly explained in the EULA, then the lawyers will have a field day. Hopefully it is removed and said company goes out of business from lack of sales due to their illegal and potentially dangerous actions.

Copyright 2009 DailyTech LLC.