SecurityHome.eu Rootkit.Indag.A

Home / malware PDF

Rootkit.Indag.A

First posted on 21 November 2011.
Source: BitDefender
Aliases :
There are no other names known for Rootkit.Indag.A.
Explanation :
This small rootkit driver may came bundled inside any malware. Its main purpose is to kill any AV that can't be normally terminated from user mode (especially AV's that have a self-protection driver).

When loaded, the driver will register as a device under the name \Device\GanDiao. A user mode application will then be able to use this driver to kill any process.

First, it will issue a DeviceIOControl request, passing among others, 0x88888888 as a I/O control code and the PID of the targeted process. The rootkit will lookup the process' EPROCESS structure, and, using an undocumented kernel function (MmUnmapViewOfSection), it will unmap a special portion of the ntdll.dll inside the attacked process, causing it to quit without warnings or errors.
Last update 21 November 2011

TOP

Malware :

RATDispenser
whispergate
Borat RAT
Trojanized X_Trader
BlackLotus

Last 20