Didier Stevens

Aditya Kapoor blogged on the McAfee Avert Labs Blog about a trojan using EFS to protect itself.

To understand more of this, I did some tests during the weekend.

I developed a service that runs under a dedicated account and writes the EICAR test virus file every 5 seconds to an encrypted file.

You can find the this service here (source code & EXE), you can compile it with Borland’s free C++ 5.5 compiler. Be warned, this service will write the EICAR test virus file to your c:\ folder and your anti-virus will detect this. EICAR is not a virus, it’s an anti-virus test file.

Procedure:

• logon as administrator to a test machine (preferably a virtual machine)
• create a user efsuser with password 123456 and make this user member of the administrator group
• give the efsuser user the right to logon as a service (local security policies)
• logoff & logon as efsuser
• copy MyEFSService.exe to a folder on the test machine
• install the service: MyEFSService.exe -i
• encrypt MyEFSService.exe (properties / advanced / encrypt contents to secure data)
• logoff & logon as administrator
• start the service

This service writes debug information, you can view this with Sysinternals‘s DebugView.

Your anti-virus should detect the encrypted c:\eicar.exe file that is written to the disk every 5 seconds.

This is normal, even for encrypted files, because a modern anti-virus installs a file system filter driver that analyzes all data read from & written to disk before encryption (screenshot of DeviceTree):

McAfee VirusScan 8.0i detected & deleted this EFS encrypted “virus” without problems.

But I also wanted to know if the service itself, if it was a virus, could avoid detection.

The problem was that I could not modify my service to get it detected as a virus by McAfee. Including the EICAR string is not a solution, because the EICAR anti-virus test file specifications states that the EICAR string must be detected only if it’s in a file that contains nothing more than the EICAR string. I ended-up replacing the DOS header in the PE-structure (the stuff that says “This program cannot be run in DOS mode.”) by a byte sequence of an old DOS virus. McAfee would not detect this “fake” virus, but AVG does (I tested this with VirusTotal, without distributing the file).

I replaced McAfee with AVG Anti-Virus Free on my test machine. At first AVG didn’t even detect the EICAR virus, I found this very strange, because AVG also uses a file system filter driver:

But then I activated the “on-close scanning” option:

and the EICAR anti-virus test file was detected:

But AVG failed to detect the “infected” service, even when I instructed AVG to scan the file. Only when I stopped the service (making the file accessible) did AVG detect the “virus”.

However, AVG will detect the “virus” when booting, preventing the service from starting.

So it seems that this EFS trick can fool some anti-virus products some of the time. I will continue trying to make McAfee detect my service as a virus, to see how it behaves.

Malicious Cryptography, the inspiration for the title of my post, is a very interesting read for anti-virus specialists.