NEWS FROM THE LAB - Friday, February 24, 2006

Rootkit Pharming Posted by Mika @ 14:52 GMT

Image: Phish

Haxdoor is one of the most advanced rootkit malware out there. It is a kernel-mode rootkit, but most of its hooks are in user-mode. It actually injects its hooks to the user-mode from the kernel -- which is really unique and kind of bizarre.

So, why doesn't Haxdoor just hook system calls in the kernel? A recent Secure Science paper has a good explanation for this. Haxdoor is used for phishing and pharming attacks against online banks. Pharming, according to Anti-Phishing Working Group (APWG), is an attack that misdirects users to fraudulent sites or proxy servers, typically through DNS hijacking or poisoning.

We took a careful look at Backdoor.Win32.Haxdoor.gh (detection added 31 Jan, 2006). It hooks HTTP functionality, redirects traffic, steals private information, and transmits the stolen data to a web-server controlled by the attacker. Most (all?) online banks use SSL encrypted connections to protect transmissions. If Haxdoor would hook networking functionality in the kernel, it would have hard time phishing since the data would be encrypted. By hooking on a high-enough API level it is able to grab the data before it gets encrypted. Apparently Haxdoor is designed to steal data especially from IE users, and not all tricks it plays work against, for example, Firefox.

If you want to know more about the phishing threat, Anti-Phishing Working Group's latest trend report and this article by Brian Krebs should make an interesting read.