Scary stuff, so rootkits can still be a problem! The problem is that this rootkit is using a legitimate driver from VirtualBox to load an unsigned malicious driver on the system. I wonder which security tools would be able to spot such a thing. Actually, most EDR systems should be able to spot this, at least you would hope so. But that's why a hypervisor-based HIPS would be very cool; something like this should be integrated into Windows.
Good article. In times past, on Windows XP when rootkits were so notorious, I was more than happy and greeted that challenge by capturing the more clever ones, suspending those bugs/drivers especially, and reseating and fitting them for security purposes against their own designs by hiding them in the Alternate Data Streams OF MY CHOICE. Sort of like: thanks for the new technique file/driver, if possible (meaning pulling their strike code out and using the safe code to monitor my own Windows against them). Oddysee was another of the best ones. It could literally HIDE any file/process from detection except a rootkit revealer tool OR a defragmenter! Little-known detector: the common defragger!
The detection rate of the files/processes used on VT is quite low. On the other hand, there have been only 10 known instances of it being detected. In other words, a very targeted APT attack. BTW, you detect this crap the way other such crap is detected: by signature.
AV is so bad at static detection that you cannot possibly know it's a virus before it gets discovered as such, unless it's a bad one. So just because VT says 0/60 detected, that just means it's not KNOWN to be a virus. But it could be; it just hasn't popped up yet.
If it creates a service "ZzNetSvc" and I'm using a "HIPS" that monitors or denies any new services (and registry entries), does it actually fail, because it needs that service to be enabled to go to the second stage of infection?
Well, I was talking about behavior blocking; I don't expect AVs to detect this advanced stuff via signatures and heuristics. But cloud scanning should help, at least in theory. Remember Hypersight Rootkit Detector? It would be cool if Win 10 could improve PatchGuard to monitor suspicious behavior performed by drivers. https://www.softpedia.com/get/Security/Security-Related/Hypersight-Rootkit-Detector.shtml This is the same as saying "let's stop putting airbags in cars, because we can simply try to avoid car accidents". The point is that you never know when disaster strikes! Good point, I suppose that even when this service/driver is unsigned, it should still be spotted by HIPS like the ones from SpyShelter and Comodo. I'm not sure which other AVs monitor driver loading.
Don't hold your breath on this one. The VBox driver attack is well known. Another example: https://unit42.paloaltonetworks.com/acidbox-rare-malware/ . If this was stopped, the rest of the attack would be a moot point. Yet it seems security solutions are ineffective against it. I did see something stating that if Win 10 virtualization-based memory integrity was enabled, the OS might detect it. Monitoring of registry service creation would also catch crap like this, but it's not a standard HIPS mitigation since it will also be triggered by legitimate service creation. Likewise, monitoring for file creation in C:\Windows\System32\Drivers would have caught the unsigned driver .sys file creation. Again, a lot of FPs with this type of monitoring. Note that technically you're not supposed to be able to drop an unsigned .sys file in this directory. But as the malware analysis shows, it happened.
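Taking the two points above together (the earlier question about a HIPS that flags the ZzNetSvc service creation, and the note here that service-creation and drivers-directory monitoring are too noisy to act on alone), the following is an added example, not from the article or any of the commenters, of how the three signals can be correlated so that a legitimate installer does not trip the same alert as the rootkit. The events are constructed to resemble Sysmon field names (Event IDs 6, 11, 12 and 13); the dropper path, the ContosoUpdaterSvc service and the driver filename sample_unsigned.sys are invented placeholders, and only the VirtualBox driver name and the ZzNetSvc service name come from the discussion.

```python
"""Correlate Sysmon-style events for the 'drop a .sys, register a service, load it
unsigned' pattern discussed in the thread. Added example; all events below are
constructed to resemble Sysmon fields, not captured from the real malware."""
from datetime import datetime, timedelta

DRIVER_DIR = "c:\\windows\\system32\\drivers\\"
SERVICES_KEY = "hklm\\system\\currentcontrolset\\services\\"
WINDOW = timedelta(minutes=10)  # how close the three signals must be to correlate

# Constructed sample telemetry. ContosoUpdaterSvc is a benign decoy that shows the
# false positive a raw "new service" rule would raise; the ZzNetSvc chain is the
# suspicious one. sample_unsigned.sys and stage1.exe are placeholder names.
SAMPLE_EVENTS = [
    {"EventID": 12, "UtcTime": "2021-05-06 10:00:00", "EventType": "CreateKey",
     "TargetObject": r"HKLM\System\CurrentControlSet\Services\ContosoUpdaterSvc"},
    {"EventID": 13, "UtcTime": "2021-05-06 10:00:00", "EventType": "SetValue",
     "TargetObject": r"HKLM\System\CurrentControlSet\Services\ContosoUpdaterSvc\ImagePath",
     "Details": r"C:\Program Files\Contoso\updater.exe"},
    {"EventID": 11, "UtcTime": "2021-05-06 10:05:00", "Image": r"C:\Users\Public\stage1.exe",
     "TargetFilename": r"C:\Windows\System32\drivers\sample_unsigned.sys"},
    {"EventID": 12, "UtcTime": "2021-05-06 10:05:02", "EventType": "CreateKey",
     "TargetObject": r"HKLM\System\CurrentControlSet\Services\ZzNetSvc"},
    {"EventID": 13, "UtcTime": "2021-05-06 10:05:02", "EventType": "SetValue",
     "TargetObject": r"HKLM\System\CurrentControlSet\Services\ZzNetSvc\ImagePath",
     "Details": r"\SystemRoot\System32\drivers\sample_unsigned.sys"},
    {"EventID": 6, "UtcTime": "2021-05-06 10:05:03", "Signed": "true",
     "ImageLoaded": r"C:\Windows\System32\drivers\VBoxDrv.sys", "SignatureStatus": "Valid"},
    {"EventID": 6, "UtcTime": "2021-05-06 10:05:04", "Signed": "false",
     "ImageLoaded": r"C:\Windows\System32\drivers\sample_unsigned.sys",
     "SignatureStatus": "Unavailable"},
]


def _ts(ev):
    return datetime.strptime(ev["UtcTime"], "%Y-%m-%d %H:%M:%S")


def normalize_path(p):
    """Fold the usual kernel spellings of a driver path (\\??\\C:\\..., \\SystemRoot\\...,
    system32\\drivers\\x.sys) into one lower-case full path so the three event
    sources can be joined on it."""
    p = p.strip().strip('"').lower()
    if p.startswith("\\??\\"):
        p = p[4:]
    if p.startswith("\\systemroot\\"):
        p = "c:\\windows\\" + p[len("\\systemroot\\"):]
    elif p.startswith("system32\\"):
        p = "c:\\windows\\" + p
    return p


def detect(events, window=WINDOW):
    """Return (severity, message) findings.
    low      : any new key directly under ...\\Services (fires on legitimate installs too)
    medium   : a .sys written into the drivers directory
    high     : a driver load reported with Signed=false
    critical : a new service whose ImagePath is a .sys that was both dropped and
               loaded unsigned within `window` (the correlated rootkit install)."""
    findings = []
    dropped, unsigned_loads, new_services, image_paths = {}, {}, {}, {}

    for ev in sorted(events, key=_ts):
        eid, t = ev["EventID"], _ts(ev)
        if eid == 11:  # FileCreate
            path = normalize_path(ev["TargetFilename"])
            if path.startswith(DRIVER_DIR) and path.endswith(".sys"):
                dropped[path] = t
                findings.append(("medium", f"driver file written: {ev['TargetFilename']} by {ev.get('Image', '?')}"))
        elif eid == 12 and ev.get("EventType") == "CreateKey":  # registry key added
            key = ev["TargetObject"].lower()
            if key.startswith(SERVICES_KEY) and "\\" not in key[len(SERVICES_KEY):]:
                name = ev["TargetObject"][len(SERVICES_KEY):]
                new_services[name] = t
                findings.append(("low", f"new service registered: {name}"))
        elif eid == 13 and ev["TargetObject"].lower().endswith("\\imagepath"):  # value set
            key = ev["TargetObject"].lower()
            if key.startswith(SERVICES_KEY):
                name = ev["TargetObject"][len(SERVICES_KEY):].split("\\")[0]
                image_paths[name] = normalize_path(ev["Details"])
        elif eid == 6 and str(ev.get("Signed", "")).lower() == "false":  # DriverLoad
            path = normalize_path(ev["ImageLoaded"])
            unsigned_loads[path] = t
            findings.append(("high", f"unsigned driver loaded: {ev['ImageLoaded']}"))

    # Correlation pass: service -> ImagePath -> was that file dropped AND loaded unsigned?
    for name, t_svc in new_services.items():
        path = image_paths.get(name)
        if not path or path not in dropped or path not in unsigned_loads:
            continue
        times = [t_svc, dropped[path], unsigned_loads[path]]
        if max(times) - min(times) <= window:
            findings.append(("critical", f"service {name} installs freshly dropped unsigned driver {path}"))
    return findings


if __name__ == "__main__":
    for sev, msg in detect(SAMPLE_EVENTS):
        print(f"[{sev:8}] {msg}")
```

On the sample data the benign ContosoUpdaterSvc raises only the low-severity "new service" line, which is exactly the false positive the comment above complains about, while ZzNetSvc produces the critical finding because its ImagePath resolves to a .sys that was written to the drivers directory and then reported as Signed=false within the window. One assumption to keep in mind: the high and critical rules rely on the driver going through the normal image-load path that Sysmon's Event ID 6 observes; code that is manually mapped into the kernel instead would leave only the file-drop and service-creation signals.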