Hi malware fighters
Cybercriminals have come up with a new trick to prevent AV scanners from updating on infected systems,
by using a commercial firewall. Most malware makes changes to the HOSTS file,
so that AV programs can no longer be updated. Altered HOSTS files are easily detected and removed, because the file is always to be found in the same location. Once the tampered HOSTS file has been deleted or cleaned, the computer can connect again to the websites that were blocked.
To prevent this from happening, attackers now use parts of the Windows Packet Filter Kit (WinpkFilter),
a commercial product with which developers can create small network filter applications.
Here the malcreant uses this tool to block access to various AV vendors' sites.
To do so, the malware puts files like ndisrd_xp.sys, ndisrd.sys and ndisapi.dll in the Windows drivers folder,
while the firewall itself runs as Netfilter.exe.
Individual users pay 95 dollars for a Windows Packet Filter Kit license,
while the full version, including source code, costs 3,500 dollars.
Interesting software package…
“WinpkFilter is an interesting package for the malcreants (virus authors) to use.
It is not widely known, and has lots of functionality for its users.
In this case the driver is looking for packets that have specific domain names and will block
connections”, according to Webroot’s Andrew Brandt.
Users only notice that the AV scanner can no longer install updates,
while all other websites keep working as before.
This trick is mainly used with the fake AV scanner Antivirus 2010.
Users who have a hunch what's going on can look in Task Manager for
a process named Netfilter.exe. If it is present they can end it,
then update their AV solution.
Link:
http://blog.webroot.com/2009/10/16/trojan-uses-commercial-firewall-to-block-av-updates/
polonus
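The two checks from the post above, the classic HOSTS file tampering and the WinpkFilter/Netfilter.exe indicators, put together in one small triage script. This is an added example, not code from the post or from Webroot; the vendor domain list, the System32\drivers path and the use of tasklist to enumerate processes are assumptions made here for illustration. Note that WinpkFilter is a legitimate commercial product, so the driver files alone are a lead to corroborate with the failing updates, not proof of infection.

```python
"""Triage helper for the AV-update blocking techniques described in the post.

Added example (not the post's or Webroot's code). It checks three things:
  1. HOSTS file entries that pin security-vendor domains (the classic trick),
  2. the WinpkFilter driver/DLL names the post lists in the drivers folder,
  3. a running Netfilter.exe process.
The vendor domain list and the System32\\drivers path are assumptions.
"""
import csv
import io
import os
import subprocess
import sys

# File and process names taken from the post / Webroot write-up.
WINPKFILTER_FILES = {"ndisrd_xp.sys", "ndisrd.sys", "ndisapi.dll"}
SUSPECT_PROCESSES = {"netfilter.exe"}

# Assumed list of vendor domains worth watching (not from the post; extend as needed).
AV_UPDATE_DOMAINS = (
    "webroot.com", "avast.com", "avg.com", "kaspersky.com", "mcafee.com",
    "symantec.com", "microsoft.com", "windowsupdate.com",
)


def parse_hosts(text):
    """Yield (ip, hostname) pairs from HOSTS file text, skipping comments and blanks."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        ip, *names = line.split()
        for name in names:
            yield ip, name.lower()


def is_vendor_domain(hostname):
    """True if hostname is one of the vendor domains or a subdomain of one."""
    return any(hostname == d or hostname.endswith("." + d) for d in AV_UPDATE_DOMAINS)


def suspicious_hosts_entries(text):
    """Any vendor-domain entry in HOSTS is suspicious: pinning to 127.0.0.1 blocks
    updates, pinning to any other address redirects them, so report both."""
    return [(ip, name) for ip, name in parse_hosts(text) if is_vendor_domain(name)]


def winpkfilter_indicators(driver_files, process_names):
    """Match a drivers-folder listing and a process list against the named indicators."""
    return {
        "drivers": sorted(f for f in driver_files if f.lower() in WINPKFILTER_FILES),
        "processes": sorted(p for p in process_names if p.lower() in SUSPECT_PROCESSES),
    }


def triage(hosts_text, driver_files, process_names):
    """Combine the checks into one report. 'likely_blocked' is a lead, not proof:
    WinpkFilter is a legitimate product that other software may also install."""
    hosts_hits = suspicious_hosts_entries(hosts_text)
    ioc = winpkfilter_indicators(driver_files, process_names)
    return {
        "hosts_entries": hosts_hits,
        "winpkfilter_drivers": ioc["drivers"],
        "netfilter_running": bool(ioc["processes"]),
        "likely_blocked": bool(hosts_hits or ioc["processes"] or ioc["drivers"]),
    }


def live_windows_state():
    """Collect the real inputs on a Windows host with stdlib only (assumed paths)."""
    root = os.environ.get("SystemRoot", r"C:\Windows")
    drivers_dir = os.path.join(root, "System32", "drivers")
    with open(os.path.join(drivers_dir, "etc", "hosts"), encoding="utf-8", errors="replace") as fh:
        hosts_text = fh.read()
    out = subprocess.run(["tasklist", "/fo", "csv", "/nh"],
                         capture_output=True, text=True, check=True).stdout
    procs = [row[0] for row in csv.reader(io.StringIO(out)) if row]
    return hosts_text, os.listdir(drivers_dir), procs


# Constructed sample data standing in for an infected machine (not real captures).
SAMPLE_HOSTS = """# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
127.0.0.1 www.webroot.com update.webroot.com   # added by malware (constructed)
127.0.0.1 www.avast.com
"""
SAMPLE_DRIVERS = ["ntfs.sys", "ndisrd.sys", "NDISAPI.DLL", "tcpip.sys"]
SAMPLE_PROCESSES = ["explorer.exe", "Netfilter.exe", "svchost.exe"]

if __name__ == "__main__":
    if sys.platform == "win32":
        report = triage(*live_windows_state())
    else:
        report = triage(SAMPLE_HOSTS, SAMPLE_DRIVERS, SAMPLE_PROCESSES)
    for key, value in report.items():
        print(f"{key}: {value}")
```

On a Windows box the script reads the real HOSTS file, lists System32\drivers and the process table, and prints the same report; if Netfilter.exe shows up, end it from Task Manager as the post suggests, remove the vendor entries from HOSTS, and only then retry the AV update.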