Threat Descriptions

Fu

Classification

Category :

Rootkit

Type :

-

Platform :

W32

Aliases :

Virus:W32/Alman.B, Rootkit.Win32.Fu, Rootkit.Win32.Agent.l

Summary

Fu is one of the most widely utilized rootkits in the wild. Other malware, such as rbot and sdbot variants, have used its features to hide themselves. Fu is a kernel-mode rootkit that modifies kernel data structures, which allows it to hide e.g. processes.

Removal

Based on the settings of your F-Secure security product, it will either move the file to the quarantine where it cannot spread or cause harm, or remove it.

A False Positive is when a file is incorrectly detected as harmful, usually because its code or behavior resembles known harmful programs. A False Positive will usually be fixed in a subsequent database update without any action needed on your part. If you wish, you may also:

  • Check for the latest database updates

    First check if your F-Secure security program is using the latest updates, then try scanning the file again.

  • Submit a sample

    After checking, if you still believe the file is incorrectly detected, you can submit a sample of it for re-analysis.

    Note: If the file was moved to quarantine, you need to collect the file from quarantine before you can submit it.

  • Exclude a file from further scanning

    If you are certain that the file is safe and want to continue using it, you can exclude it from further scanning by the F-Secure security product.

    Note: You need administrative rights to change the settings.

Technical Details

Fu rootkit does not try to hide itself on the compromised machine. Since it is not able to hide files, the hidden malware can still be detected and removed with signature-based AV scanners.

Fu rootkit is publicly available in binary and source code format. The technical information below is based on the public version.

Installation

The public version of Fu rootkit consists of two files: one executable file (.exe) and one kernel-mode driver file (.sys). The driver does the actual hiding where as the executable file is used to configure and command the driver.

Fu requires administrative privileges to install successfully. The executable file installs and loads the driver. This results in one registry key:

  • HKLM\SYSTEM\CurrentControlSet\Services\[driver_name]

where [driver_name] represents the name of the driver file without the .sys extension.

Hiding Technique

Fu allows the intruder to hide information from user-mode applications and even from kernel-mode modules. Following items can be hidden:

  • Processes
  • Kernel-mode modules

Fu hides information by directly modifying certain kernel data structures used by the operating system. Specifically, it removes to-be-hidden entries from two linked lists with symbolic names: PsActiveProcessHead and PsLoadedModuleList.

In addition, Fu is able to modify a process' token to change its security context. This has two impacts on the compromised system. First, it can modify privileges and access rights of any running process. Second, it can fool security auditing by replacing the owner SID of any running process.