
Suspicious Rootkit Lurks in EIS Software

  • Posted on:November 27, 2008 at 8:21 am
  • Posted in:Bad Sites
  • Author:
    JM Hipolito (Technical Communications)

Trend Micro researchers received a sample of an Enterprise Information Security (EIS) program component file that exhibits easily abused rootkit capabilities.

Enterprise Information Security (EIS) systems are used by companies to monitor activities within a network. This is done to make sure that security processes are followed, and that all activities done within the network are in line with the company’s policies.

Upon execution, the component file SCS11HLP.SYS registers itself as a device driver and a service on the affected system, after which it hooks certain APIs by patching system code. It then searches for the running processes winpop.exe, xhound.exe and xtsr.exe, all of which belong to the EIS software itself, and hides them so that the user cannot see them even through Process Explorer. Information gathered as the software monitors the system is logged in the directory C:\XLog, which the software also hides.

What raised the red flag for Trend Micro researchers is that the hidden directory C:\XLog, originally used for storing the gathered information, could be exploited by malware authors. Hiding folders is not malicious per se. However, malware writers could target systems with the said EIS software installed and place their malicious files inside the directories hidden by the EIS software itself.

Coincidentally, the publisher of the said EIS program is the same publisher behind the Sony MicroVault USM-F fingerprint reader rootkit found in 2007. Originally designed as a security feature to prevent unauthorized access, that rootkit was seen as a possible channel for malware authors to run malware stealthily. The USB rootkit was already the second incident in which Sony products were found to contain an undeclared rootkit, the first being the Sony DRM issue in 2005.

Trend Micro has already contacted the original publisher of the EIS software. Meanwhile, the component file is currently detected as HKTL_BRUDEVIC.

Tags: corporate networks, EIS, rootkits, Sony, USB