New malware uses Windows EFS to stymie security researchers


Researchers at security vendor Symantec have discovered new malware that makes use of the Encrypting File System (EFS) feature in Windows in order to stymie forensic analysis. As its name suggests, EFS offers transparent file-system-level encryption on NTFS volumes: files are decrypted on the fly for the user account that encrypted them, while anyone without that account's key material (which Windows protects with the user's logon credentials) sees only ciphertext. It is intended to guard business data against leakage if a disk is lost or read from another system.

Malware stored in EFS-encrypted files continues to function normally while the infected user account is logged on, because Windows decrypts the files transparently for that account. Reading the same files from another system, or from another operating system booted on the same machine, yields only encrypted gibberish. That makes life harder for security researchers who study a badly compromised PC by imaging or mounting its disk elsewhere.

"In some cases, security researchers may use another operating system, such as a version of Linux bootable from a removable drive, in order to retrieve malicious files from a compromised computer," explained security researcher Kazumasa Itabashi in a blog entry. "This method is useful when retrieving files from a computer compromised by a rootkit. However, it's impossible to get the file [malicious file] by this method because the DLL file is encrypted on the EFS."
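The practical consequence of the behaviour described above is that the file has to be recovered from a live session running as the account whose key wraps it, rather than from an offline image. The following triage script is an added example, not code from Symantec or from the blog post: it inventories EFS-encrypted files on a running Windows host, shows which certificates can decrypt each one, copies plaintext out while the compromised account is still logged on, and preserves that account's EFS key so the file can be decrypted later from a forensic image. The search roots and the output folder are hypothetical choices; the output folder must not itself carry the Encrypted attribute, or the copies will simply be re-encrypted on write.

```powershell
# Added example (not from the Symantec write-up): triage EFS-encrypted files on a
# live Windows host and extract plaintext while the compromised account is logged on.
# Assumes an interactive session as the account that encrypted the files, cipher.exe
# (built into Windows), and a destination folder on a volume that is not EFS-encrypted.

param(
    # Hypothetical starting points; widen or narrow to suit the case.
    [string[]]$Roots  = @("$env:SystemDrive\Users", "$env:ProgramData", "$env:SystemRoot\Temp"),
    # Hypothetical output location; a FAT-formatted USB stick cannot hold EFS files,
    # so anything written there is guaranteed to land in plaintext.
    [string]$OutDir   = 'D:\triage\efs'
)

function Find-EfsFiles {
    param([string[]]$Paths)
    foreach ($p in $Paths) {
        Get-ChildItem -LiteralPath $p -File -Recurse -Force -ErrorAction SilentlyContinue |
            Where-Object { ($_.Attributes -band [IO.FileAttributes]::Encrypted) -ne 0 }
    }
}

# The same inventory, system-wide and without touching the files, via the built-in tool:
#   cipher.exe /u /n

$hits = @(Find-EfsFiles -Paths $Roots)
if ($hits.Count -eq 0) {
    Write-Host 'No EFS-encrypted files found under the given roots.'
    return
}

New-Item -ItemType Directory -Force -Path $OutDir | Out-Null

foreach ($f in $hits) {
    Write-Host ("EFS: {0} ({1} bytes)" -f $f.FullName, $f.Length)

    # cipher /c lists the user certificates (and any recovery agents) able to decrypt
    # the file, which tells you whose logon credentials you need to recover it.
    & cipher.exe /c $f.FullName |
        Select-String -Pattern 'Users who can decrypt|Recovery Certificates' -Context 0,2

    # Reading the file as the owning user returns plaintext; writing those bytes into a
    # folder without the Encrypted attribute yields an unencrypted copy for analysis.
    $dest = Join-Path $OutDir ($f.FullName -replace '[:\\]', '_')
    try {
        [IO.File]::WriteAllBytes($dest, [IO.File]::ReadAllBytes($f.FullName))
        Get-FileHash -Algorithm SHA256 -LiteralPath $dest | Format-List Hash, Path
    } catch {
        # Access denied here means this session's account cannot decrypt the file:
        # the EFS key belongs to a different user, or its key material is gone.
        Write-Warning "Could not read $($f.FullName): $_"
    }
}

# Preserve the logged-on user's EFS certificate and private key (cipher prompts for a
# password to protect the .pfx). With this file, the encrypted DLL can be decrypted
# later from a disk image instead of only on the live machine:
#   cipher.exe /x "$OutDir\efs-keys"
```

If the session is not running as the account that owns the key, the copy step fails with access denied for every hit; in that case `cipher /c` output tells you which user to log on as, and the `/x` export should be run from that user's session instead.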

Of course, it is hardly uncommon for malware writers to implement ways of avoiding detection and analysis. Indeed, botnets that use peer-to-peer networks to avoid detection have been around for some years now. Taken together though, the additional tricks can only make tracking down such malware harder for security researchers. Itabashi summed it up this way: "Not only is it trivial for program code to use EFS, it's also very effective at preventing forensic analysis from accessing the contents of the file."

For more:
- check out this blog at Symantec Connect
