Friday, December 12, 2008

Beware of sysaudio.sys!

There's a new Google hijacker running around that can install even on fully updated copies of Firefox 2. The hijacker in question drops a file named sysaudio.sys in the %SystemRoot%\system32 directory (not to be confused with the one in %SystemRoot%\system32\drivers). When this file is loaded, it silently hooks the ws2_32.dll calls made by web browsers and watches for requests to search engines. When it sees them, it pulls fake search results through script injection from, which is a trampoline to another site. The version that infected my SO's computer happened to go to ( -- * being a known purveyor of malware and spam). The file doesn't appear to do anything else, short of being a little interesting if you open it in notepad (some of its imports are repeated backwards).

The big threat here isn't the search results, which are basically useless and an annoyance, but rather the fact that the owner of that site could easily alter it to deliver much more devastating software. There's also the little problem that there's not a lot of information on this running around and that major AV packages (F-Secure and NOD32) don't see anything wrong with the file. Malwarebyte's Anti-Malware detects it as "Rootkit.Agent," though it doesn't seem to have any rootkit properties (no kernel hooks, for instance, at least not detectable by Rootkit Unhooker).

So, watch out for this file, and consider blocking the above address at your router. As I noted, it can drive-by install on a fully patched Firefox 2. Whether DEP can stop it, I don't know; the machine I found it on only supports software DEP, and it was in opt-in mode.

UPDATE: Firefox 3 is vulnerable to this as well. I don't believe Chrome is, however.


Anonymous said...

Thanks for the heads-up on this. I just noticed my WinXP machine returning screwy results under both Firefox and Internet Explorer.

I just used procmon to see the request to which led me to your blog.

One thing I should note is that I haven't run FF2 on this machine in ages which makes me wonder if FF3 is vulnerble as well.

Andrew said...

I have FF3 and got it through god knows what. A day or two ago I noticed the requests hanging in firefox, the hook wasn't active for some reason.

Kaspersky didn't detect say anything about it, but deleting sysaudio.sys got rid of it.