Typical Goals of Malware and Their Implementations

This document discusses techniques that malware uses for persistence on Windows systems. It describes legitimate Windows persistence mechanisms like registry keys and startup folders. It also covers more advanced techniques malware uses to hide persistence artifacts, such as storing malicious files in alternate data streams, special folders, or the Windows registry to avoid detection. The document advises monitoring registry changes and startup items to hunt for malware persistence.


Module 2: Typical goals of malware and their implementations

https://github.com/hasherezade/malware_training_vol1
Persistence
Basics of Persistence
• WHO?
• Most of the malware needs it (except some ransomware)
• WHY?
• To start the application after each reboot
• HOW?
• Using legitimate persistence methods
• Using custom, creative methods....
Basics of Persistence

Windows offers various legitimate persistence mechanisms; let's recall them...

Basics of Persistence
• Registry keys, e.g.:
• HKCU\Software\Microsoft\Windows\CurrentVersion\Run
• HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
• HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run

• The most commonly used technique (also by malware)...

https://support.microsoft.com/pl-pl/help/179365/info-run,-runonce,-runservices,-runservicesonce-and-startup
Basics of Persistence: Startup link
• %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup
Basics of Persistence: Scheduled task
• Task scheduler view (screenshot)

Basics of Persistence: System Services
• Administrator rights required (UAC bypass required)
• Creating a service:

sc create <service_name> binPath= <service_path> DisplayName= <service_display_name> start= auto

• Related registry keys:
• HKLM\SYSTEM\ControlSet001\services\<service name>
• HKLM\SYSTEM\ControlSet002\services\<service name>
• HKLM\SYSTEM\CurrentControlSet\services\<service name>
• Regedit view (screenshot)

Hunting for malware persistence artifacts
Sysinternals' Autoruns

https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns
RegShot
• RegShot allows for monitoring changes in the Windows Registry

https://sourceforge.net/projects/regshot
Hiding Persistence
Hiding Persistence - ideas
• Typical methods, but with extra measures to cover/protect the artifacts
• Abuse of other mechanisms of the system for automated injection, e.g.:
• AppInit_DLLs, COM hijacking, shims, MS Application Verifier provider
("DoubleAgent" technique), etc.
• User-triggered persistence: hide in other elements that are likely to be
clicked/deployed by the user
Typical methods + extra measures
• Last-minute persistence (e.g. Dridex v3)
• Make the sample inaccessible: ADS, special folders (e.g. Diamond Fox)
• Hide in plain sight:
• behind legitimate applications: Korplug
• hide the executable in the Windows registry: "fileless" malware
• use scripts to load malicious modules, often PowerShell
Last-minute persistence
1. Inject and delete yourself -> no malicious PE on the disk
2. Set callbacks on messages:
• WM_QUERYENDSESSION, WM_ENDSESSION:
to detect when the system is going to shut down
3. When the shutdown event is detected: write yourself to disk and set the Run key
for persistence
4. On system startup: delete the Run key, go to 1.

https://www.cyberbit.net/wp-content/uploads/2016/09/Analysis-of-Dridex-AnD-for-IT.pdf
Make file inaccessible – special folders
• Example: Diamond Fox
• Normal persistence key (screenshot), but pointing into a directory with a special name:
lpt8.{20D04FE0-3AEA-1069-A2D8-08002B30309D

https://blog.malwarebytes.com/threat-analysis/2017/03/diamond-fox-p1
Make file inaccessible – special folders
• Restricted names – names starting with:
CON, PRN, NUL, LPT1, LPT2, LPT3, LPT4, LPT5, LPT6, LPT7, LPT8, LPT9, COM1, COM2, COM3, COM5, COM6, COM7, COM8, COM9

http://windows.mercenie.com/windows-xp/create-folder-any-name
Make file inaccessible – special folders
• Special CLSIDs:
GodMode.{ED7BA470-8E54-465E-825C-99712043E01C}
Administrative Tools.{D20EA4E1-3957-11d2-A40B-0C5020524153}
All Tasks.{ED7BA470-8E54-465E-825C-99712043E01C}
History.{ff393560-c2a7-11cf-bff4-444553540000}
• Clicking on such a folder triggers a different action -> no access to the content

http://www.thewindowsclub.com/the-secret-behind-the-windows-7-godmode
Make file inaccessible – special folders
• Benefits from using special folders:
• User cannot access the content – the special CLSID triggers an event
other than opening the folder
• Cannot be removed/renamed in a typical way – the restricted name
prevents operating on the folder
• Restricted name + special CLSID: lpt8.{20D04FE0-3AEA-1069-A2D8-08002B30309D

http://www.thewindowsclub.com/the-secret-behind-the-windows-7-godmode
Make file invisible – ADS
• ADS - Alternate Data Streams
• A feature of the NTFS file system
• Implemented, but practically not used by Windows...
• Only the main stream of the file is listed/accessible in a typical way
• One file can have many alternate data streams
• Format:
<filename.extension>:<alternate_stream_name>

https://hshrzd.wordpress.com/2016/03/19/introduction-to-ads-alternate-data-streams/
Make file invisible – ADS
• Get a demo.dll: https://goo.gl/wl7ZNJ
• Copy the DLL into the ADS of some file, e.g.:

type demo.dll > test.txt:demo

• Deploy the DLL from the alternate stream (DllMain):

regsvr32.exe /s test.txt:demo

• Deploy a specific function (e.g. Test1) from the DLL:

rundll32.exe test.txt:demo,Test1
Make file invisible – ADS
• Result: (screenshot)
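The regsvr32/rundll32 command lines above are what a defender can key on, since the stream does not appear in a normal directory listing. The following is an added example, not part of the slides: it parses process command lines (e.g. from process-creation events) for `<file>:<stream>` arguments and rates them higher when the program is one of the loaders named on the slide. The sample command lines are constructed and mirror the demo.

```python
"""Spot DLLs executed out of NTFS alternate data streams from process command lines,
as in the regsvr32/rundll32 demo above. Added example; the sample command lines are
constructed."""
import re
from collections import namedtuple

AdsHit = namedtuple("AdsHit", "program file stream severity")

# <file>:<stream>, with an optional drive letter in front; the stream part must not
# contain slashes so that URLs (http://...) are not mistaken for streams.
ADS_TOKEN = re.compile(r"^(?P<file>(?:[A-Za-z]:)?[^:]+):(?P<stream>[^:\\/]+)$")
# Tokens: a double-quoted string, or a run of characters without whitespace or commas
# (rundll32's "file,Export" argument is split at the comma).
TOKENIZER = re.compile(r'"[^"]*"|[^\s,]+')
# Loaders named on the slide; a stream handed to one of these is executed, not just written.
LOADERS = {"rundll32.exe", "rundll32", "regsvr32.exe", "regsvr32"}


def find_ads_hits(cmdline):
    """Return an AdsHit for every <file>:<stream> argument in one command line."""
    tokens = [t.strip('"') for t in TOKENIZER.findall(cmdline)]
    if not tokens:
        return []
    program = tokens[0].rsplit("\\", 1)[-1].lower()     # basename of the executable
    severity = "high" if program in LOADERS else "medium"
    hits = []
    for tok in tokens[1:]:
        m = ADS_TOKEN.match(tok)
        if m:
            hits.append(AdsHit(program, m.group("file"), m.group("stream"), severity))
    return hits


def scan(cmdlines):
    """Run find_ads_hits over a batch of command lines (e.g. process-creation events)."""
    return [hit for line in cmdlines for hit in find_ads_hits(line)]


# Constructed sample, mirroring the slide's demo plus two benign lines.
SAMPLE_COMMAND_LINES = [
    "type demo.dll > test.txt:demo",                       # stream written (medium)
    "regsvr32.exe /s test.txt:demo",                       # DllMain run from the stream (high)
    "rundll32.exe test.txt:demo,Test1",                    # exported function run from the stream (high)
    r'"C:\Windows\System32\rundll32.exe" "C:\Users\tester\test.txt:demo",Test1',  # quoted full paths (high)
    r"notepad.exe C:\Users\tester\notes.txt",              # benign: only the drive colon
    "rundll32.exe shell32.dll,Control_RunDLL",             # benign LOLBin use, no stream
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_COMMAND_LINES):
        print(f"[{hit.severity}] {hit.program} uses stream '{hit.stream}' of {hit.file}")
```

On the file system side, `dir /R` lists the streams attached to a file, and Sysmon's FileCreateStreamHash event (ID 15) records the moment a stream is written, so the command-line check above and a stream-creation event for the same file corroborate each other.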
Make registry keys inaccessible
• NULL character at the beginning of the key name
• Example: Kovter
\0c:\\users\\tester\\appdata\\local\\bcd7\\62d2.lnk
• Malformed key: Regedit cannot display it
• ...but it can still be viewed by Autoruns

https://hshrzd.wordpress.com/2016/03/19/introduction-to-ads-alternate-data-streams/
Make registry keys harder to spot
• By default, Autoruns hides keys leading to Microsoft apps
• Example: Moker trojan
• By default, Autoruns shows only two keys... but there are more (screenshot)

https://blog.malwarebytes.com/threat-analysis/2017/04/elusive-moker-trojan/
Make registry keys harder to spot
• Example: Moker trojan – the malware is deployed by a Microsoft application: Rundll32

[HKEY_LOCAL_MACHINE\SOFTWAR\Microsoft\Windows\CurrentVersion\Run]
@="Rundll32.exe SHELL32.DLL,ShellExec_RunDLL \"C:\\ProgramData\\<malware>.exe\""

https://blog.malwarebytes.com/threat-analysis/2017/04/elusive-moker-trojan/
Hide behind legitimate
applications (DLL abuse)
• Korplug (PlugX) - spyware
• Uses vulnerable, digitally signed, legitimate application (old AV products)
• Exploits DLL side loading (DLL is a decoder)
• The real malware is decrypted in memory -> no malicious PE file on the
disk -> hard to detect!

https://blog.malwarebytes.com/threat-analysis/2016/08/unpacking-the-spyware-disguised-as-antivirus/
Hide behind legitimate applications (script)
• Terdot Zbot (Zeus-based banking trojan):

C:\AppData\Roaming\Haxyka\php.exe ushautre.php

• Uses a legitimate application (PHP)
• PHP is used to run an obfuscated script
• The script decrypts and loads the malware
• The real malware is revealed only in memory:
• no malicious PE file on the disk -> hard to detect!

https://blog.malwarebytes.com/cybercrime/2017/01/zbot-with-legitimate-applications-on-board/
Hide code in the registry
• So-called "fileless" malware:
• Phasebot
• Poweliks
• Gootkit
• Kovter
• PoshSpy (APT29), using a WMI component and PowerShell
• Others...
Hide code in the registry
• Trivial case - a PE file saved in a registry key (screenshot):

Hide code in the registry (multilayer: Kovter)
• Kovter – a click-fraud malware
• Persistence is achieved by a basic Run key – but the flow leading to the malicious
executable is obfuscated
• The malicious PE is stored in the registry in encrypted form
• Multiple layers until the real payload is loaded...

https://blog.malwarebytes.com/threat-analysis/2016/07/untangling-kovter/
Abusing AppInit_DLLs
• Defines DLLs that are injected into every application that uses user32.dll
• UAC bypass required
• Disabled in Windows 8 and above when Secure Boot is enabled

https://support.microsoft.com/pl-pl/help/197571/working-with-the-appinit-dlls-registry-value
Abusing AppInit_DLLs
• Registry keys:
• HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs
(32-bit OS + 32-bit DLL, or 64-bit OS + 64-bit DLL)
• HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs
(64-bit OS + 32-bit DLL)

https://support.microsoft.com/pl-pl/help/197571/working-with-the-appinit-dlls-registry-value
Abusing shim databases

• Microsoft Application Compatibility Toolkit – creates patches:

https://www.microsoft.com/en-us/download/confirmation.aspx?id=7352
Abusing shim databases
• Shim Database
• Allows automated injection of a patch into a selected application
• Can be used to automatically load malicious modules (DLL, shellcode, etc.) when the
target application is started
• Installation requires elevated privileges (UAC bypass required)

https://www.fireeye.com/blog/threat-research/2017/05/fin7-shim-databases-persistence.html
Abusing shim databases
• sdbinst.exe – standard Windows tool, manages patches (.sdb)

sdbinst /q <path_to_shim_db>.sdb

• Example: Ramnit malware deploying sdbinst (UAC bypass required)

https://www.hybrid-analysis.com/sample/c823183b49148e7e60d84142ccefc8fe16fe44bec94d5eabdbd623c65cdaff8c?environmentId=100/
Abusing shim databases
• To trigger fewer alerts, install a shim without sdbinst.exe
• Example of edited keys:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\InstalledSDB]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\InstalledSDB\{7c6002f0-559a-488a-9fc1-bd54c33fdfa9}]
"DatabasePath"=<path_to_shim>.sdb
"DatabaseType"=dword:00010000

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Custom\<shimmed_app>.exe]
"{7c6002f0-559a-488a-9fc1-bd54c33fdfa9}.sdb"=hex(b):90,58,2d,0d,1a,b7,d2,01

https://github.com/hasherezade/persistence_demos/tree/master/shim_persist
COM Hijacking
• COM – Component Object Model
• "enables interaction between software components through the operating system"
• Identified by CLSID – examples:
{3543619C-D563-43f7-95EA-4DA7E1CC396A} – Shell Icon Overlay Handler
{BCDE0395-E52F-467C-8E3D-C4579291692E} – MMDevice Manipulator

More: https://msdn.microsoft.com/en-us/library/accessibility(v=vs.110).aspx

https://attack.mitre.org/wiki/Technique/T1122
COM Hijacking
• Substitute a legitimate COM object with your own
• When an application using the hijacked COM object is loaded, the malware is executed
• Keys:
• HKCU\Software\Classes\CLSID\[hijacked CLSID]\InprocServer32
(32-bit OS + 32-bit DLL, or 64-bit OS + 64-bit DLL)
• HKCU\Software\Classes\Wow6432Node\CLSID\[hijacked CLSID]\InprocServer32
(64-bit OS + 32-bit DLL)

https://blog.gdatasoftware.com/2014/10/23941-com-object-hijacking-the-discreet-way-of-persistence
COM Hijacking
• Examples:
[HKEY_CURRENT_USER\Software\Classes\CLSID\{BCDE0395-E52F-467C-8E3D-C4579291692E}\InprocServer32]
@="C:\\ProgramData\\demo.dll"
"ThreadingModel"="Apartment"

[HKEY_USERS\S-1-5-21-1929933236-2258453022-3626796957-1000_Classes\CLSID\{BCDE0395-E52F-467C-8E3D-C4579291692E}\InprocServer32]
@="C:\\ProgramData\\demo.dll"
"ThreadingModel"="Apartment"

https://github.com/hasherezade/persistence_demos/tree/master/com_hijack
User-triggered persistence: link hijacking
• Example: Spora ransomware
HKEY_LOCAL_MACHINE\Software\Classes\lnkfile\IsShortcut

https://blog.malwarebytes.com/threat-analysis/2017/03/spora-ransomware
User-triggered persistence: link hijacking
• Hijacking in the style of Spora ransomware:
1. Disable showing link indicators:
• Delete:
HKEY_LOCAL_MACHINE\Software\Classes\lnkfile\IsShortcut
2. Hide folders and substitute them with links
3. Clicking the link opens the original program and deploys the dropped malware

https://blog.malwarebytes.com/threat-analysis/2017/03/spora-ransomware
User-triggered persistence: link hijacking
• Similarly: existing shortcuts can be overwritten by shortcuts deploying malware (screenshot):

C:\ProgramData\ProxyApp.exe
C:\totalcmd\TOTALCMD.exe

https://www.uperesia.com/booby-trapped-shortcut-generator
User-triggered persistence (handler hijacking)
• (diagram) extension -> handler -> genuine app; after hijacking the handler: extension -> handler -> malicious app

https://github.com/hasherezade/persistence_demos/tree/master/extension_hijack
User-triggered persistence (handler hijacking)
• Applications handling particular extensions are defined in the registry
• Globally defined extensions and handlers, in:
• HKEY_CLASSES_ROOT
• They can also be defined per user:
• HKEY_USERS -> <user SID>_Classes
• Redefining a handler: no Administrator rights required

https://github.com/hasherezade/persistence_demos/tree/master/extension_hijack
User-triggered persistence (handler hijacking)
• When the user clicks a file with a hijacked extension, the malware is deployed
• DEMO:
• https://www.youtube.com/watch?v=IE9H0qZbi18

https://hshrzd.wordpress.com/2017/05/25/hijacking-extensions-handlers-as-a-malware-persistence-method/
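Most of the hiding tricks in this module end up in the registry: Run keys with a rundll32/ShellExec_RunDLL detour (Moker), AppInit_DLLs, the shim InstalledSDB/Custom keys, per-user COM InprocServer32 registrations, removal of IsShortcut (Spora), per-user Classes handlers, NUL-prefixed key names (Kovter) and a PE image dropped straight into a value. The following is an added example, not code from the training material: a parser for .reg exports, a RegShot-style comparison of a before and after snapshot, and a triage of the difference against those locations. Both snapshots are constructed, and sample.exe, hook.dll and patch.sdb are placeholder names.

```python
"""Triage a .reg export, or a RegShot-style before/after pair of exports, for the registry
persistence locations covered in this module. Added example; both snapshots are constructed."""
import re

WATCHED_KEYS = [  # key-path patterns from the slides, matched on the lower-cased path
    (re.compile(r"\\currentversion\\(run|runonce|policies\\explorer\\run)$"), "autostart Run key"),
    (re.compile(r"\\appcompatflags\\(installedsdb|custom)\\"), "shim database registration"),
    (re.compile(r"^hkey_current_user\\software\\classes\\(wow6432node\\)?clsid\\\{[0-9a-f-]+\}\\inprocserver32$"),
     "per-user COM InprocServer32 (COM hijacking candidate)"),
    (re.compile(r"^hkey_users\\[^\\]+_classes\\"), "per-user Classes hive (handler hijacking candidate)"),
]
SUSPICIOUS_DATA = [  # value-data patterns for the hiding tricks discussed above
    (re.compile(r"\b(rundll32|regsvr32)\b", re.I), "LOLBin loader (rundll32/regsvr32)"),
    (re.compile(r"shellexec_rundll", re.I), "ShellExec_RunDLL indirection (Moker-style)"),
    (re.compile(r"[^\s\"\\:]+\.[A-Za-z0-9]+:[A-Za-z0-9_$]+"), "alternate data stream in path"),
    (re.compile(r"powershell|\.ps1\b|\.vbs\b|\.js\b|php\.exe", re.I), "script interpreter / script file"),
    (re.compile(r"\\(programdata|appdata|temp|users\\public)\\", re.I), "user-writable directory"),
    (re.compile(r"^hex(\(\w+\))?:4d,5a,", re.I), "PE image (MZ header) stored in registry data"),
]

def parse_reg(text):
    """Parse .reg text into {key: {value: data}}; [-KEY] -> None, "name"=- -> "<deleted>"."""
    keys, current, pending = {}, None, ""
    for raw in text.splitlines():
        line, pending = pending + raw.strip(), ""
        if line.endswith("\\"):                      # hex data continued on the next line
            pending = line[:-1]
        elif line.startswith("[") and line.endswith("]"):
            path = line[1:-1]
            current = None if path.startswith("-") else keys.setdefault(path, {})
            if current is None:
                keys[path[1:]] = None                # [-KEY]: whole-key deletion
        elif current is not None and "=" in line and not line.startswith(";"):
            name, data = line.split("=", 1)
            if data == "-":
                data = "<deleted>"
            elif len(data) >= 2 and data[0] == data[-1] == '"':
                data = re.sub(r"\\(.)", r"\1", data[1:-1])   # undo .reg string escaping
            current["(Default)" if name == "@" else name.strip('"')] = data
    return keys

def reg_diff(before, after):
    """RegShot-style comparison: values added/changed in `after`; removed ones become "<deleted>"."""
    delta = {}
    for path, values in after.items():
        old, new = before.get(path) or {}, values or {}
        changed = {n: d for n, d in new.items() if old.get(n) != d}
        changed.update({n: "<deleted>" for n in old if n not in new})
        if changed:
            delta[path] = changed
    delta.update({p: {n: "<deleted>" for n in v} for p, v in before.items() if p not in after and v})
    return delta

def triage(keys):
    """Return (key, value_name, reason) findings for parse_reg() or reg_diff() output."""
    findings = []
    for path, values in keys.items():
        key_reasons = [label for rx, label in WATCHED_KEYS if rx.search(path.lower())]
        if any(ord(c) < 32 for c in path):           # Kovter-style "\0"-prefixed key name
            key_reasons.append("control character in key name (regedit cannot display it)")
        for name, data in (values or {}).items():
            reasons = list(key_reasons)
            if name.lower() == "appinit_dlls" and data not in ("", "<deleted>"):
                reasons.append("AppInit_DLLs populated (DLL loaded into every user32 process)")
            if name.lower() == "isshortcut" and data == "<deleted>":
                reasons.append("IsShortcut removed: shortcut overlay hidden (Spora-style)")
            if data != "<deleted>":
                reasons += [why for rx, why in SUSPICIOUS_DATA if rx.search(data)]
            if reasons:
                findings.append((path, name, "; ".join(reasons)))
    return findings

# Constructed snapshots: BEFORE is the clean machine, AFTER the same machine after an "installation".
BEFORE = r"""[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="C:\\Program Files\\Microsoft OneDrive\\OneDrive.exe /background"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\lnkfile]
"IsShortcut"=""
"""
AFTER = r"""[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="C:\\Program Files\\Microsoft OneDrive\\OneDrive.exe /background"
"Updater"="Rundll32.exe SHELL32.DLL,ShellExec_RunDLL \"C:\\ProgramData\\sample.exe\""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"="C:\\ProgramData\\hook.dll"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\lnkfile]
[HKEY_CURRENT_USER\Software\Classes\CLSID\{BCDE0395-E52F-467C-8E3D-C4579291692E}\InprocServer32]
@="C:\\ProgramData\\demo.dll"
"ThreadingModel"="Apartment"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\InstalledSDB\{7c6002f0-559a-488a-9fc1-bd54c33fdfa9}]
"DatabasePath"="C:\\ProgramData\\patch.sdb"
"DatabaseType"=dword:00010000
[HKEY_CURRENT_USER\Software\ConstructedSample]
"blob"=hex:4d,5a,90,00,03,00,00,00
"""

def triage_sample():
    """Diff the constructed snapshots and triage only what the installation changed."""
    return triage(reg_diff(parse_reg(BEFORE), parse_reg(AFTER)))
```

For real use, take the snapshots with `reg export` (for example `reg export HKLM\SOFTWARE before.reg` and the same again after the installation) and pass both files through parse_reg. The watched-key and data patterns are deliberately broad: everything under a Run key is listed, and the data reasons (user-writable directory, LOLBin loader, stream syntax, MZ header) are what separate a benign autostart from one worth pulling apart; the unchanged OneDrive entry never shows up because the diff removes it.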
Conclusions

• Authors of malware are very creative in finding new ways of hiding
persistence
• The easiest way to detect the persistence method is by observing the
installation – post-infection analysis is much harder
• "Fileless" malware also creates artifacts that can be found in a typical way