Rootkit discovered in Enterprise Information Security software
A blast from the past: a rootkit for hiding authentication software, first discovered on Sony USB sticks in 2007, has reappeared – this time in Enterprise Information Security Software. According to Trend Micro's malware specialists, the rootkit appears to be part of an Enterprise Information Security (EIS) system. Companies use EIS software to monitor whether their policies and processes are being followed.
According to the description, the rootkit, SCS11HLP.SYS, anchors itself in the system as a driver and hooks certain APIs by manipulating their code at runtime. It then hides processes pertaining to the EIS software and conceals a log directory (C:\XLog), which as a result can no longer be seen even in Process Explorer. Trend Micro reports that hiding a folder is not malicious in itself, but it offers potential attackers the possibility of hiding malware from virus scanners. Three years ago there was a public outcry when the Sony rootkit, designed to hide copy-protection software, was discovered on music CDs.
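Hooks of the kind described above, where a driver overwrites the first bytes of an API at run time, can be found by comparing each function's prologue as mapped in memory with the bytes of the same function in the image on disk, and a hidden folder or process shows up as a difference between two enumeration sources. The Python below is an added example written for this article, not code from Trend Micro or from the vendor; the byte values, the two dictionaries standing in for a memory snapshot and a disk image, and the choice of ZwQueryDirectoryFile and ZwClose (real NT APIs, but the article does not say which ones SCS11HLP.SYS hooks) are all constructed.

```python
from __future__ import annotations
from dataclasses import dataclass

PROLOGUE_LEN = 16  # bytes compared per function; detours land in the first few


@dataclass
class HookFinding:
    name: str    # API whose code differs from the on-disk image
    offset: int  # first byte that differs
    kind: str    # detour pattern recognised at that byte


def classify_patch(patched: bytes) -> str:
    """Name the instruction a hooking driver typically writes over a prologue."""
    if patched[:1] == b"\xe9":                                   # JMP rel32
        return "jmp-rel32"
    if patched[:2] == b"\xff\x25":                               # JMP [mem]
        return "jmp-abs"
    if patched[:1] == b"\x68" and patched[5:6] == b"\xc3":       # PUSH imm32; RET
        return "push-ret"
    if patched[:2] == b"\x48\xb8" and patched[10:12] == b"\xff\xe0":  # MOV RAX,imm64; JMP RAX
        return "mov-jmp-rax"
    return "patched"                                             # modified, pattern unknown


def scan_prologues(in_memory: dict[str, bytes], on_disk: dict[str, bytes]) -> list[HookFinding]:
    """Report every function whose in-memory prologue deviates from the disk copy."""
    findings = []
    for name, clean in on_disk.items():
        live = in_memory.get(name)
        if live is None:
            continue
        for i, (a, b) in enumerate(zip(live[:PROLOGUE_LEN], clean[:PROLOGUE_LEN])):
            if a != b:
                findings.append(HookFinding(name, i, classify_patch(live[i:])))
                break
    return findings


def cross_view_diff(low_level_view: set[str], api_view: set[str]) -> set[str]:
    """Objects seen by a raw enumeration but missing from the hooked API's answer."""
    return low_level_view - api_view


# Constructed sample: a clean x64 system-call stub (mov r10,rcx; mov eax,imm32;
# test ...; jne; syscall; ret) and the same stub after its first 5 bytes were
# replaced by a JMP rel32 to the driver's filter routine.
CLEAN_STUB = bytes.fromhex("4c8bd1b8c0000000f604250803fe7f0175030f05c3")
HOOKED_STUB = b"\xe9\x11\x22\x33\x44" + CLEAN_STUB[5:]
SAMPLE_ON_DISK = {"ZwQueryDirectoryFile": CLEAN_STUB, "ZwClose": CLEAN_STUB}
SAMPLE_IN_MEMORY = {"ZwQueryDirectoryFile": HOOKED_STUB, "ZwClose": CLEAN_STUB}
```

Run against real data, the on-disk side comes from parsing the module's export table and the in-memory side from reading the same exports in the live process or kernel, which is how rootkit scanners flag exactly this class of hook.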
Trend Micro has so far not disclosed the name of the Chinese vendor of the EIS software. The vendor is not only said to have used the rootkit in its own products, but allegedly also developed it and apparently offered it as an OEM solution. Trend Micro has included the rootkit in its signature database (HKTL-BRUDEVIC).
- Suspicious Rootkit Lurks in EIS Software, advisory by Trend