Trojan Uses Commercial Firewall to Block AV Updates
By Andrew Brandt
Purveyors of rogue security products continue to bulk up their arsenal of stupid tricks, all of which are designed to induce either fear or frustration in victims. Increasingly, certain distributions of rogue antivirus include a payload that blocks the infected computer from receiving antivirus updates. That part isn’t new; Many Trojan installers drop a Hosts file onto the infected machine which effectively prevents the computer from reaching any Web site listed in the file. But malicious Hosts files are easy to identify and remove, because they’re always in the same location (C:\Windows\system32\drivers\etc), and the minute you delete a malicious Hosts file, the computer can connect to the previously-blocked Website.
This new dirty trick employs components of a commercial software firewall development kit, called WinpkFilter, the Windows Packet Filter Kit, from NT Kernel Resources. WinpkFilter isn’t inherently evil or even necessarily undesirable. It’s a set of tools that other developers can license to create small network filtering applications. But in this case, the malware author uses these tools to block access to the Web sites used by at least half a dozen antivirus vendors. We’re calling this malware Trojan-Netfilter; Some of the affected vendors call it either Liften or Interrupdate.
The installer of this low-key firewall, typically under 175KB, drops and installs the WinpkFilter files — ndisrd_xp.sys, ndisrd.sys, and ndisapi.dll — in the C:\Windows\system32\drivers\ folder (for the .sys files) and C:\Windows\system32\ (the DLL). All three files are clearly identified as version 126.96.36.199 of the NT Kernel Resources software. It also drops snetcfg.exe, a Microsoft-authored command-line network configuration tool that’s distributed in the Windows Server 2003 resource kit, and uses it to install the WinpkFilter components.
Webroot Threat Blog