Beyond good ol’ Run key, Part 48

October 21, 2016 in Anti-Forensics, Autostart (Persistence), Forensic Analysis, Incident Response, Malware Analysis

I have just updated my very old post about HKLM\SOFTWARE\Microsoft\VBA\Monitors. I discovered its additional ‘properties’ while looking at the VBE (Visual Basic Engine). On the way, I have also discovered that Visual Basic for Applications’ old-school IDE allows programmers to create Add-ins. A quick googling followed and I immediately found a number of Add-ins for VBE – I was actually quite surprised that there are so many!

Seriously, there is a huge interest in it! With all the C, Java, python programmers out there… it would seem that VBA is strong and here to stay…

So, anyway… I didn’t spend much time on it as many programmers already provide good examples of VBE Add-ins, so I will just document where to find the possible persistence entries.

The Add-ins are discovered by VBE by enumeration of the following key:

  • HKCU\Software\Microsoft\VBA\VBE\6.0\Addins\<AddInName>\…

Each Add-in has a dedicated subkey where it lists the properties:

  • Description – Full description
  • FriendlyName – Short name
  • LoadBehavior – A DWORD indicating whether the Add-in is loaded at startup (1) or is currently unloaded (0)
  • SatelliteDllName + SatelliteDllPath – references to localized information about the plug-in

So, anyone wanting to load a VBE Add-in needs to set up the Registry key with the aforementioned values, and then create the matching COM registration under HKCR, which is where the actual DLL path lives:

  • HKCR\<AddInName>\Clsid = <GUID>
  • HKCR\CLSID\{<GUID>}\InprocServer32 = …
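For triage this chain is easy to walk offline. The script below is an added example, not code from the original post: it parses a constructed .reg export (the add-in names, GUID and DLL path are made up for illustration), lists every subkey under HKCU\Software\Microsoft\VBA\VBE\6.0\Addins with its LoadBehavior, and then follows HKCR\<AddInName>\Clsid to HKCR\CLSID\{GUID}\InprocServer32 so the analyst sees which DLL would actually be loaded by the VBE for each Add-in that is set to load at startup.

```python
"""Resolve VBE Add-in registry entries to the DLL they load.

Added example (not from the original post). Works on a .reg export so it
can run on an extracted hive or a text export without touching the live
registry. Sample data below is constructed for the demo.
"""
import re
from collections import namedtuple

# Constructed sample export: names, GUID and DLL path are invented.
SAMPLE_REG = r"""
Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\VBA\VBE\6.0\Addins\Contoso.Formatter]
"Description"="Code formatting helper"
"FriendlyName"="Formatter"
"LoadBehavior"=dword:00000001

[HKEY_CURRENT_USER\Software\Microsoft\VBA\VBE\6.0\Addins\Old.Snippets]
"FriendlyName"="Snippets"
"LoadBehavior"=dword:00000000

[HKEY_CLASSES_ROOT\Contoso.Formatter\Clsid]
@="{11111111-2222-3333-4444-555555555555}"

[HKEY_CLASSES_ROOT\CLSID\{11111111-2222-3333-4444-555555555555}\InprocServer32]
@="C:\\Users\\Public\\fmt.dll"
"ThreadingModel"="Apartment"
"""

RegKey = namedtuple("RegKey", ["path", "values"])  # original-case path + values

KEY_RE = re.compile(r"^\[(?!-)(.+)\]$")                 # [HKEY_...]; skips [-HKEY_...] deletions
VALUE_RE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$')  # "Name"=... or @=...
ADDINS_PREFIX = r"hkey_current_user\software\microsoft\vba\vbe\6.0\addins" + "\\"


def _unescape(s):
    # .reg files escape backslash and double quote with a backslash.
    return re.sub(r'\\(["\\])', r"\1", s)


def _parse_value(raw):
    raw = raw.strip()
    if len(raw) >= 2 and raw.startswith('"') and raw.endswith('"'):
        return _unescape(raw[1:-1])
    if raw.lower().startswith("dword:"):
        return int(raw[6:], 16)
    return raw  # hex:, hex(2): etc. are left untouched


def parse_reg(text):
    """Return {lowercased key path: RegKey(original path, {lowercased value name: value})}."""
    keys = {}
    current = None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        m = KEY_RE.match(line)
        if m:
            current = m.group(1).lower()
            keys.setdefault(current, RegKey(m.group(1), {}))
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            name = m.group(1)
            name = "@" if name == "@" else _unescape(name[1:-1]).lower()
            keys[current].values[name] = _parse_value(m.group(2))
    return keys


def _default_value(reg, path):
    entry = reg.get(path.lower())
    return None if entry is None else entry.values.get("@")


def find_vbe_addins(reg):
    """List VBE Add-ins and resolve ProgID -> CLSID -> InprocServer32 DLL."""
    results = []
    for lower, entry in reg.items():
        if not lower.startswith(ADDINS_PREFIX) or "\\" in lower[len(ADDINS_PREFIX):]:
            continue  # not an Add-in key, or a deeper subkey of one
        name = entry.path.rsplit("\\", 1)[1]
        vals = entry.values
        clsid = _default_value(reg, "HKEY_CLASSES_ROOT\\%s\\Clsid" % name)
        dll = None
        if clsid:
            dll = _default_value(reg, "HKEY_CLASSES_ROOT\\CLSID\\%s\\InprocServer32" % clsid)
        results.append({
            "name": name,
            "friendly_name": vals.get("friendlyname"),
            "description": vals.get("description"),
            "load_behavior": vals.get("loadbehavior"),
            "loads_at_startup": vals.get("loadbehavior") == 1,  # 1 = loaded at startup per the post
            "clsid": clsid,
            "dll": dll,
        })
    return sorted(results, key=lambda a: a["name"].lower())


if __name__ == "__main__":
    for addin in find_vbe_addins(parse_reg(SAMPLE_REG)):
        flag = "STARTUP" if addin["loads_at_startup"] else "unloaded"
        print("%-20s %-9s %s -> %s" % (addin["name"], flag, addin["clsid"], addin["dll"]))
```

An Add-in whose LoadBehavior is 1 but whose CLSID chain ends in a DLL under a user-writable or unusual path is the entry worth a closer look; an Add-in key with no matching HKCR registration is inert and simply never loads.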

The cyberchild of Omelas, Quick Addendum

October 18, 2016 in Preaching

In the first part I claimed a number of things about the ‘Simpsons already did’ phenomenon, but I realize that w/o a solid proof, it is just trolling. I had a few minutes on my hands and googled around for the evidence for at least some of the claims made by yours truly 🙂 It was not hard, because I remembered many of the cases I referred to and it was just a matter of finding and linking to them…

1992 –

Virus monitors/detection by behavioral abnormality

In this approach to virus detection, the machine is booted from uninfected files and a virus monitor is installed that monitors various activities of the machine while in day-to-day use. The program monitors known methods of virus activity including attempts to infect and evade detection. This may also include attempts to write to boot sectors, modify interrupt vectors, write to system files, etc.

1998 –

IBM’s anti-virus technology, part of the IBM SecureWay comprehensive portfolio of security offerings, has been awarded six patents for inventions, ranging from a neural network that uses artificial intelligence to detect new viruses automatically to the immune system itself. IBM is the first company to develop an immune system that can detect previously unknown viruses, analyse them, and distribute a cure worldwide, all automatically and within minutes of first discovering new viruses.

2000 –

Automatically generated Win32 heuristic virus detection

Heuristic classifiers which distinguish between uninfected and infected members of some class of program objects have usually been constructed by hand. We automatically construct multiple neural network classifiers which can detect unknown Win32 viruses, following a technique described in previous work (Kephart et al, 1995) on boot virus heuristics.

These individual classifiers have a false positive rate too high for real-world deployment. We find that, by combining the individual classifier outputs using a voting procedure, the risk of false positives is reduced to an arbitrarily low level, with only a slight increase in the false negative rate. Regular heuristics retraining on updated sets of exemplars (both infected and uninfected) is practical if the false positive rate is low enough.

Plus, many articles listed here

And then there are patents…

1992 – US 5319776 A –

In transit detection of computer virus with safeguard

Data is tested in transit between a source medium and a destination medium, such as between two computer communicating over a telecommunications link or network. Each character of the incoming data stream is tested using a finite state machine which is capable of testing against multiple search strings representing the signatures of multiple known computer viruses. When a virus is detected the incoming data is prevented from remaining on the destination storage medium. Both hardware and software implementations are envisioned.

1997 – US 5842002 A –

Computer virus trap

A computer virus trapping device is described that detects and eliminates computer viruses before they can enter a computer system and wreak havoc on its files, peripherals, etc. The trapping device creates a virtual world that simulates the host computer system intended by the virus to infect. The environment is made as friendly as possible to fool a computer virus into thinking it is present on the host, its intended target system. Within this virtual world, the virus is encouraged to perform its intended activity. The invention is able to detect any disruptive behavior occurring within this simulated host computer system. It is further able to remove the virus from the data stream before it is delivered to the host and/or take any action previously instructed by a user.

1997 – US 6167520 A –

System and method for protecting a client during runtime from hostile downloadables

A system and method examine execution or interpretation of a Downloadable for operations deemed suspicious or hostile, and respond accordingly. The system includes security rules defining suspicious actions and security policies defining the appropriate responsive actions to rule violations. The system includes an interface for receiving incoming Downloadable and requests made by the Downloadable. The system still further includes a comparator coupled to the interface for examining the Downloadable, requests made by the Downloadable and runtime events to determine whether a security policy has been violated, and a response engine coupled to the comparator for performing a violation-based responsive action.