Trojan Uses Commercial Firewall to Block AV Updates

The latest malware threats from across the security forums

Moderators: Admin Team, Moderators

User avatar
Posts: 1856
Joined: Mon Jul 20, 2009 4:35 am
Area Of Expertise: General guidance and advice
experience: Not only can I turn PC on, I know most of its functions too
PC time: Alot more than I should
Location: Kent, UK

Trojan Uses Commercial Firewall to Block AV Updates

Postby Spudz » Fri Oct 16, 2009 11:36 am

Trojan Uses Commercial Firewall to Block AV Updates
By Andrew Brandt

Purveyors of rogue security products continue to bulk up their arsenal of stupid tricks, all of which are designed to induce either fear or frustration in victims. Increasingly, certain distributions of rogue antivirus include a payload that blocks the infected computer from receiving antivirus updates. That part isn’t new; Many Trojan installers drop a Hosts file onto the infected machine which effectively prevents the computer from reaching any Web site listed in the file. But malicious Hosts files are easy to identify and remove, because they’re always in the same location (C:\Windows\system32\drivers\etc), and the minute you delete a malicious Hosts file, the computer can connect to the previously-blocked Website.

This new dirty trick employs components of a commercial software firewall development kit, called WinpkFilter, the Windows Packet Filter Kit, from NT Kernel Resources. WinpkFilter isn’t inherently evil or even necessarily undesirable. It’s a set of tools that other developers can license to create small network filtering applications. But in this case, the malware author uses these tools to block access to the Web sites used by at least half a dozen antivirus vendors. We’re calling this malware Trojan-Netfilter; Some of the affected vendors call it either Liften or Interrupdate.

The installer of this low-key firewall, typically under 175KB, drops and installs the WinpkFilter files — ndisrd_xp.sys, ndisrd.sys, and ndisapi.dll — in the C:\Windows\system32\drivers\ folder (for the .sys files) and C:\Windows\system32\ (the DLL). All three files are clearly identified as version of the NT Kernel Resources software. It also drops snetcfg.exe, a Microsoft-authored command-line network configuration tool that’s distributed in the Windows Server 2003 resource kit, and uses it to install the WinpkFilter components.

Webroot Threat Blog
Spam - Uninteresting garbage quickly deleted.
Spammer - A parasitic worm intent on creating internet misery.


Return to “Latest Malware Threats”

Who is online

Users browsing this forum: No registered users and 1 guest