Device Driver Malware

In the past I've taken some deep looks at device driver malware. Rustock is a good example of this (with some generous work from Frank Boldewin and others as well :).

However, I am vaguely aware of some malware which mucks with the Microsoft signing certificate stores and things like this. I've seen this behavior during analysis but never really thought about it. What are the reasons for this? Instdrv-type methods seem to do a good job at installing malware drivers. A quick deobfuscation and disassembly reveals

push 0 ; lpServiceArgVectors
code:00401A37 push 0 ; dwNumServiceArgs
code:00401A39 push [ebp+hService] ; hService
code:00401A3C call StartServiceA

as well as

push 0F003Fh ; dwDesiredAccess
code:004015EE push 0 ; lpDatabaseName
code:004015F0 push 0 ; lpMachineName
code:004015F2 call OpenSCManagerA

and

push edi ; lpBinaryPathName
code:00401611 push 0 ; dwErrorControl
code:00401613 push 1 ; dwStartType
code:00401615 push 1 ; dwServiceType
code:00401617 push 0F01FFh ; dwDesiredAccess

push offset aInstallService ; "Install Service %c%s%c Succesully\n"

Etc. The SCM methods seem to work well.

My question is, what is the reason for messing with certificate catalogs and the like? Does anyone have any good, definitive examples of malware that does this kind of thing? I'm especially interested in snippets of source code to get a better understanding of what's going on.

Thanks!

V.
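As an added example (not code from the post or from any of the malware it mentions), the script below does two things a defender looking at the SCM snippets above would want: it decodes the integer arguments pushed before the CreateServiceA call (0F01FFh, 1, 1, 0) into their documented winsvc.h names, showing that the sample registers a kernel-mode driver with system start and SERVICE_ERROR_IGNORE, and it triages "service installed" records (the fields the System log writes for event ID 7045) to flag kernel drivers loaded from outside the drivers directory. The Win32 constants are the documented values; the event records at the bottom are constructed sample data, and the trusted-path list is a simple heuristic of my own, not a Microsoft-defined rule.

```python
"""Decode SCM CreateServiceA arguments and triage kernel-driver install events.

Added example, not from the original post. Constants are the documented
Win32 values; the sample events below are constructed, not real log output.
"""
from dataclasses import dataclass

# Access masks (winsvc.h / winnt.h)
STANDARD_RIGHTS_REQUIRED = 0xF0000
SC_MANAGER_ALL_ACCESS = STANDARD_RIGHTS_REQUIRED | 0x3F   # 0xF003F, as pushed before OpenSCManagerA
SERVICE_ALL_ACCESS = STANDARD_RIGHTS_REQUIRED | 0x1FF     # 0xF01FF, as pushed before CreateServiceA

SERVICE_TYPES = {
    0x01: "SERVICE_KERNEL_DRIVER",
    0x02: "SERVICE_FILE_SYSTEM_DRIVER",
    0x10: "SERVICE_WIN32_OWN_PROCESS",
    0x20: "SERVICE_WIN32_SHARE_PROCESS",
}
START_TYPES = {
    0: "SERVICE_BOOT_START",
    1: "SERVICE_SYSTEM_START",
    2: "SERVICE_AUTO_START",
    3: "SERVICE_DEMAND_START",
    4: "SERVICE_DISABLED",
}
ERROR_CONTROL = {
    0: "SERVICE_ERROR_IGNORE",
    1: "SERVICE_ERROR_NORMAL",
    2: "SERVICE_ERROR_SEVERE",
    3: "SERVICE_ERROR_CRITICAL",
}


def decode_create_service(desired_access, service_type, start_type, error_control):
    """Map the integer CreateServiceA arguments to their symbolic names.

    stdcall pushes arguments right-to-left, so reading the listing from the
    bottom up gives dwDesiredAccess, dwServiceType, dwStartType, dwErrorControl.
    """
    access = "SERVICE_ALL_ACCESS" if desired_access == SERVICE_ALL_ACCESS else hex(desired_access)
    return {
        "dwDesiredAccess": access,
        "dwServiceType": SERVICE_TYPES.get(service_type, hex(service_type)),
        "dwStartType": START_TYPES.get(start_type, str(start_type)),
        "dwErrorControl": ERROR_CONTROL.get(error_control, str(error_control)),
    }


@dataclass
class ServiceInstallEvent:
    """Subset of the EventData fields written for System log event ID 7045."""
    service_name: str
    image_path: str
    service_type: str   # e.g. "kernel mode driver", "user mode service"
    start_type: str     # e.g. "system start", "demand start"


# Heuristic (my own, not a Windows rule): where legitimate driver images normally live.
TRUSTED_DRIVER_PREFIXES = (
    "\\systemroot\\system32\\drivers\\",
    "system32\\drivers\\",
    "c:\\windows\\system32\\drivers\\",
    "\\??\\c:\\windows\\system32\\drivers\\",
)


def triage_driver_installs(events):
    """Return (service_name, reason) for kernel-driver installs from unusual paths.

    This is the shape the SCM snippet in the post produces: a kernel driver
    registered with system start from wherever the dropper wrote its .sys file.
    """
    findings = []
    for ev in events:
        if "kernel" not in ev.service_type.lower():
            continue  # user-mode services are out of scope for this check
        path = ev.image_path.lower().replace("/", "\\")
        if path.startswith(TRUSTED_DRIVER_PREFIXES):
            continue
        reason = f"kernel driver outside drivers directory: {ev.image_path}"
        if ev.start_type.lower() in ("boot start", "system start"):
            reason += f" (starts at {ev.start_type})"
        findings.append((ev.service_name, reason))
    return findings


# Constructed sample records, not real logs.
SAMPLE_EVENTS = [
    ServiceInstallEvent("mouclass", r"system32\DRIVERS\mouclass.sys", "kernel mode driver", "demand start"),
    ServiceInstallEvent("sample_drv", r"\??\C:\Windows\Temp\sample_drv.sys", "kernel mode driver", "system start"),
    ServiceInstallEvent("ExampleUpdater", r"C:\Program Files\Example\updater.exe", "user mode service", "auto start"),
]

if __name__ == "__main__":
    # Arguments from the listing: push 0F01FFh / push 1 / push 1 / push 0
    print(decode_create_service(0xF01FF, 1, 1, 0))
    for name, reason in triage_driver_installs(SAMPLE_EVENTS):
        print(f"[!] {name}: {reason}")
```

Running it prints the decoded argument names and flags only the constructed `sample_drv` record; the demand-start driver from system32\drivers and the user-mode service pass. In practice the same check belongs on real 7045 events plus a signature verification of the image path, which is where the catalog tampering the question asks about would show up.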