The trojan Backdoor.Prioxer, says Andrea Lelli, was received from a source that was also infected by the Koredos trojan, suggesting that there may be a link between the two pieces of malware.
"Why is Prioxer interesting? Well, at first glance it looks like a normal back door trojan, which, in fact, it is", he said, adding that the installer drops a bot and operates via internet relay chat to communicate with a command-and-control server, and infects a Windows DLL in order to `survive' a system reboot.
What is curious, says Lelli, is that the infected files are completely invisible, despite the fact that Prioxer does not use a rootkit, nor does it use and executable code in kernel mode.
The invisibility `trick' is achieved, says the researcher, because the main dropper has its own built-in parser for the FAT32 and NTFS file systems.
"The code opens the C volume in raw mode, performs a manual read of disk sectors, and then manually parses the disk data in order to understand the file system structure and find where in the disk the infection target .dll file is located (and perform a raw write operation to infect it)", he says in his security blog.
"This whole functionality normally resides in the file system layer in the kernel. An application specifies a file path and the file system driver (NTFS on most Windows computers) locates the file data on the disk", he adds.
Prioxer, however, he goes on to say, is able to do all of this by itself, bypassing the file system layer completely and accessing the disk directly.
According to Lelli, given that Prioxer does not really try to actively hide itself, it is possible that this invisibility feature was not intended by the malware authors.
"It is just a handy side effect of misusing the system's functionality", he says.
"However, this example shows that this technique could be very effective if abused, and it can be run from Usermode without requiring the use of kernel drivers (which rootkits normally need)", he adds.