One of the malware samples that ended up being processed here last week was a particular variant of WORM_SDBOT. Like its siblings, this WORM_SDBOT variant propagated through network shares and exploited unpatched vulnerabilities. Throw in a number of backdoor capabilities and an information-theft routine on the side, and you would think this was your average, run-of-the-mill WORM_SDBOT variant.
Not entirely.
You see, this particular variant, which Trend now detects as WORM_SDBOT.ADK, does something more interesting than other SDBOT variants. In order to maximize its network connection, WORM_SDBOT.ADK attempts to overwrite several system files such as tcpip.sys, ftp.exe, etc. Being components of the operating system, these files are protected by Windows File Protection (WFP), a security mechanism that prevents other programs from altering such critical files. Ideally, when a program attempts to modify a critical system file, the operating system would block the change.
But WORM_SDBOT.ADK has a way to work around this particular security measure. One of the files needed to implement Windows File Protection is SFC.DLL. Modifying or overwriting this file renders the WFP feature useless, and that is exactly what WORM_SDBOT.ADK does. By altering SFC.DLL for its own purposes, this WORM_SDBOT variant achieves its objective of bypassing the protection. The modified SFC.DLL acts as an “accomplice” malware, enabling the worm to accomplish its malicious activities on the affected system.
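Because the worm disables the operating system's own integrity check by tampering with SFC.DLL, a defender cannot rely on WFP to report the damage. The following added example (not code from the original post or from Trend) shows an out-of-band check: record SHA-256 hashes of the files named above from a known-clean system, then compare them later, checking sfc.dll first since an altered WFP component means nothing else on the host can be trusted. The directory layout and file contents are constructed for the demo.

```python
import hashlib
import os
import tempfile

# Files the post names as targets of WORM_SDBOT.ADK, with the WFP component
# listed first: if sfc.dll itself is altered, WFP's own verdicts are worthless.
WATCHED_FILES = ("sfc.dll", "tcpip.sys", "ftp.exe")


def sha256_of(path):
    """Stream a file through SHA-256 so large drivers do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(system_dir):
    """Record the hash of each watched file, taken from a known-clean host."""
    return {name: sha256_of(os.path.join(system_dir, name)) for name in WATCHED_FILES}


def check_integrity(system_dir, baseline):
    """Compare current files against the baseline; return (name, status) findings."""
    findings = []
    for name in WATCHED_FILES:
        path = os.path.join(system_dir, name)
        if not os.path.exists(path):
            findings.append((name, "missing"))
        elif sha256_of(path) != baseline[name]:
            findings.append((name, "modified"))
    return findings


def demo():
    """Constructed scenario: clean baseline, then sfc.dll and tcpip.sys overwritten."""
    with tempfile.TemporaryDirectory() as d:
        for name in WATCHED_FILES:
            with open(os.path.join(d, name), "wb") as f:
                f.write(b"clean contents of " + name.encode())
        baseline = build_baseline(d)
        assert check_integrity(d, baseline) == []  # clean host: no findings
        for name in ("sfc.dll", "tcpip.sys"):  # simulate the worm's overwrite
            with open(os.path.join(d, name), "wb") as f:
                f.write(b"overwritten")
        return check_integrity(d, baseline)


if __name__ == "__main__":
    print(demo())
```

On a real host the baseline should be stored off the machine, since a worm that rewrites sfc.dll can just as easily rewrite a local hash list.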
The detection pattern for WORM_SDBOT.ADK has been available since CPR 3.694.01 and CPR 3.731.00, respectively.