Trend Micro researchers received a sample of an Enterprise Information Security (EIS) program component file that exhibits easily abused rootkit capabilities.
Enterprise Information Security (EIS) systems are used by companies to monitor activities within a network. This is done to make sure that security processes are followed, and that all activities done within the network are in line with the company’s policies.
Upon execution, the component file SCS11HLP.SYS registers itself as a device driver and a service on the affected system, after which it hooks certain APIs by patching system code. It then searches for the running processes winpop.exe, xhound.exe and xtsr.exe, which all belong to the EIS software itself. These processes are hidden, preventing the user from viewing them even through Process Explorer. Information gathered as the software monitors the system is logged in the directory C:XLog, which is also hidden by the software.
What raised the red flag for Trend Micro researchers is that the hidden directory C:XLog, originally used for storing the gathered information, could be exploited by malware authors. Hiding folders is not malicious per se. However, malware writers could target systems with the said EIS software installed and place their malicious files inside the directories hidden by the EIS software itself, so that the software's own concealment shields those files from the user.
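One low-cost way a defender can spot a directory concealed by an enumeration hook is a cross-view check: compare what the directory-listing API returns with a direct probe of known paths. The Python below is an added example, not Trend Micro's or the EIS vendor's code; it builds a constructed directory tree and injects a listing function that drops "XLog" to simulate the hook, and the only hidden name it takes from the report is XLog.

```python
# Cross-view detection of a directory hidden by an API-hooking rootkit.
# A hook that filters directory-enumeration results (as described for the
# hidden C:\XLog folder) usually leaves a direct stat() of the path working,
# so a name that stat() confirms but the listing omits is a discrepancy.
# Caveat: a rootkit that also hooks the open/stat path defeats this check,
# so treat it as a cheap first pass, not proof of a clean system.
import os
import tempfile
from typing import Callable, Iterable, List

# Directory name reported as hidden by the EIS component (from the report).
KNOWN_HIDDEN_DIRS = ["XLog"]


def hidden_entries(parent: str, candidates: Iterable[str],
                   list_dir: Callable[[str], List[str]] = os.listdir) -> List[str]:
    """Return candidate names under `parent` that a direct lstat() confirms
    exist but that are absent from the enumerated listing.
    `list_dir` is injectable so the hook's filtering can be simulated offline."""
    listed = {name.lower() for name in list_dir(parent)}
    found = []
    for name in candidates:
        try:
            os.lstat(os.path.join(parent, name))  # direct probe, not the listing
        except FileNotFoundError:
            continue  # genuinely absent: nothing to compare
        if name.lower() not in listed:
            found.append(name)
    return found


def demo(simulate_hook: bool) -> List[str]:
    """Constructed scenario: a temp root containing XLog and Users.
    With simulate_hook=True the listing function drops XLog, as the hook does."""
    with tempfile.TemporaryDirectory() as root:
        os.mkdir(os.path.join(root, "XLog"))
        os.mkdir(os.path.join(root, "Users"))

        def filtered_listdir(path: str) -> List[str]:
            return [n for n in os.listdir(path) if n.lower() != "xlog"]

        lister = filtered_listdir if simulate_hook else os.listdir
        # "Nope" is a constructed name that does not exist; it must be ignored.
        return hidden_entries(root, KNOWN_HIDDEN_DIRS + ["Users", "Nope"], lister)


if __name__ == "__main__":
    print("clean listing  :", demo(False))  # []
    print("hooked listing :", demo(True))   # ['XLog']
```

On a live Windows host the same function would be called with the drive root as `parent` and the names to probe; an empty result means the two views agree.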
Coincidentally, the software publisher of the said EIS program is the same publisher as that of the Sony MicroVault USM-F fingerprint reader rootkit found in 2007. Originally designed as a security feature to prevent unauthorized access, that rootkit was seen as a possible channel for malware authors to run malware stealthily. The USB rootkit was already the second incident in which Sony merchandise was found to contain an undeclared rootkit, the first being the Sony DRM issue in 2005.
Trend Micro has already contacted the original publisher of the EIS software. Meanwhile, the component file is currently detected as HKTL_BRUDEVIC.