Stuxnet

ghoghnoos

Junior Member
Dec 4, 2011
2
0
0
As far as I know, a driver is used as an interface between the OS and hardware.

Both Duqu and Stuxnet use a kernel driver to decrypt and load certain encrypted files on the infected computer. The kernel driver serves as an "injection engine" for loading the files into a specific process, according to SecureWorks. "The kernel drivers for both Stuxnet and Duqu use many similar techniques for encryption and stealth, such as a rootkit for hiding files," the security vendor said in its report.
from:
http://news.idg.no/cw/art.cfm?id=A0D14138-1A64-67EA-E4F48A30CE1D5495

1-What is the kernel driver?
 

Virucyde

Junior Member
Sep 19, 2011
18
0
0
A kernel driver differs from a user driver in that it is given significantly more access to the system's memory than a typical user-mode driver. Typically drivers are put in user-mode and given less direct access to memory (they must go through several layers of the OS to access memory). However, because of the added overhead of accessing memory through the OS, this is inefficient for the most-used drivers.

However, from an end-user standpoint, this doesn't really change the virus removal: whether it loads itself through a kernel-mode driver or a user-mode driver, it simply allows the virus to claim the extra access to the system that it needs to protect itself. Programs like TDSS Killer should still be able to remove the virus simply by scanning the system's drivers for injected executable content.
 

ghoghnoos

Junior Member
Dec 4, 2011
2
0
0
Thank you for the answer.

Say I have a sound card, I put the CD in the CD-ROM drive and then I install a driver. It is a user mode driver, right?

Could you give me some real examples of kernel mode drivers?

Thank you very much.
 

Virucyde

Junior Member
Sep 19, 2011
18
0
0
Kernel Mode drivers would likely be your chipset-related drivers and video drivers (they need good performance), while user mode drivers are more simplistic ones, like sound drivers, NIC drivers, USB devices, etc.

One thing to note is that typically BSODs are caused by kernel-mode drivers, because they have direct memory access, while user-mode drivers can be caught by the OS before they access memory they shouldn't.

Found a nice article on the subject if you're interested:
http://www.codinghorror.com/blog/2008/01/understanding-user-and-kernel-mode.html
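Tying together the two replies above (scanning the system's drivers, and the kernel-mode vs user-mode distinction), here is an added PowerShell check that is not from the thread or from any tool it names. It assumes a Windows host with PowerShell 3 or later; the function names are my own.

```powershell
# Added example (not from the thread): inventory kernel-mode drivers registered
# with the Windows service control manager and flag the two things a defender
# would look at after the discussion above: a running driver whose image file
# cannot be found on disk (consistent with a rootkit hiding its own file), and a
# driver whose Authenticode signature is missing or invalid.
# Caveat: Win32_SystemDriver is itself served by the OS; a driver that already
# hides from the service control manager will not appear here, so treat this as
# a baseline check, not a rootkit-proof one.

function Resolve-DriverPath {
    param([string]$PathName)
    if ([string]::IsNullOrWhiteSpace($PathName)) { return $null }
    $p = $PathName.Trim('"')
    # The SCM stores image paths in several forms; normalise them to a full path.
    $p = $p -replace '^\\\?\?\\', ''                          # \??\C:\...  -> C:\...
    $p = $p -replace '^\\SystemRoot\\', "$env:SystemRoot\"   # \SystemRoot\... -> C:\Windows\...
    if ($p -match '^system32\\') {                           # system32\drivers\x.sys (relative)
        $p = Join-Path $env:SystemRoot $p
    }
    return $p
}

function Get-KernelDriverReport {
    Get-CimInstance Win32_SystemDriver |
        Where-Object { $_.ServiceType -match 'Driver' -and $_.State -eq 'Running' } |
        ForEach-Object {
            $path   = Resolve-DriverPath $_.PathName
            $exists = $path -and (Test-Path -LiteralPath $path)
            $sig    = if ($exists) { (Get-AuthenticodeSignature -FilePath $path).Status } else { 'FileMissing' }
            [pscustomobject]@{
                Name       = $_.Name
                Type       = $_.ServiceType   # 'Kernel Driver' or 'File System Driver'
                StartMode  = $_.StartMode
                Path       = $path
                Signature  = $sig
                # A missing file or anything other than a valid signature deserves a look.
                Suspicious = (-not $exists) -or ($sig -ne 'Valid')
            }
        }
}

# Usage: list only the running kernel-mode drivers that need review.
Get-KernelDriverReport | Where-Object Suspicious | Format-Table -AutoSize
```

Run it from an elevated prompt so every driver's image file is readable; a `FileMissing` entry for a driver that is still running is the case the thread's "rootkit for hiding files" remark describes.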