Beyond good ol’ Run key, Part 8

February 21, 2014 in Anti-Forensics, Autostart (Persistence), Compromise Detection, Forensic Analysis, Malware Analysis

The last two posts in the series covered autorun mechanisms that could be called a ‘side-effect’. Today a slightly different topic: one that relies on social engineering of users and on the very old concept of a companion virus. The idea described below is not a typical autostart mechanism; it is really a description of existing, legitimate functionality, but as long as users use jumplists frequently it may act quite successfully as a persistence mechanism. It may also be a secondary option for malware that an antivirus product or the user has removed from the typical autorun entries. Nothing new here, and the topic is covered by a lot of other blogs, but since I am trying to document all possible persistence mechanisms, it is worth mentioning for completeness.

Jumplists, introduced in Windows 7, are used to organize recently opened files, favorite files, folders, and websites. They offer more options than shortcut files, and this flexibility can be easily abused. I will show you one simple example of such abuse, done manually; there are of course a lot of other options, and they can obviously be automated using the exposed Jumplist interface.

To test it, you may want to download JumpList Editor, a handy tool that allows one to edit the Jumplists present on the system.

Here, I am using it to add a fake entry under Internet Explorer:

  • First, we select the existing entry for Internet Explorer:

[screenshot: win8_jumplist_1]

  • Now we add a Link entry:

[screenshot: win8_jumplist_2]

  • We can call it e.g. “My Bank Web Site”; in a real-world scenario, malware could re-use an existing entry and replace it (hence the companion virus reference):

[screenshot: win8_jumplist_3]

  • Once we click Save, we can observe the entry added to the Internet Explorer Jump list:

[screenshot: win8_jumplist_4]

  • Clicking the icon launches the Calculator:

[screenshot: win8_jumplist_5]

There are other interesting options out there. For example, one can add a Multiple Link; this creates a link that launches two applications at the same time. Therefore, one could swap an existing link to an application for a Multiple Link that launches both of them simultaneously.

[screenshot: win8_jumplist_6]

Despite looking like a link to Notepad, ‘Double Trouble’ launches both preprogrammed applications at the same time when clicked: Notepad and Calculator. Quite a nice way to hide in plain sight.

[screenshot: win8_jumplist_7]

It is easy to notice that the links we have added are all located under the ‘Tasks’ entries. This may not be ideal, and a savvy user may notice something ‘funny’, but how many people really pay attention to such small details? Besides, this is the only option the JumplistEditor offers for easy manipulation. In reality, pretty much any aspect of the Jumplists can be abused, either by using the documented APIs or by manually modifying the actual Jumplist or Shortcut LNK files. One could replace legitimate tasks like ‘Start InPrivate Browsing’, ‘Open new Tab’, etc.
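As an added, defender-side example (not code from the original post), here is a small Python scanner that walks the ShellLink structures embedded in a customDestinations-ms file, following the MS-SHLLINK layout, and flags any task whose local target path is not the executable owning the jumplist; this is exactly how a fake ‘My Bank Web Site’ task pointing at the Calculator would stand out in Internet Explorer’s list. The owner-executable mapping, the build_lnk helper and the SAMPLE bytes are constructed assumptions for an offline run; against a live system you would feed it the customDestinations-ms files from the user’s Recent\CustomDestinations folder.

```python
import struct, ntpath

# A ShellLink begins with HeaderSize 0x4C and CLSID 00021401-0000-0000-C000-000000000046.
LNK_MAGIC = b"\x4c\x00\x00\x00\x01\x14\x02\x00\x00\x00\x00\x00\xc0\x00\x00\x00\x00\x00\x00\x46"
HAS_IDLIST, HAS_LINKINFO, HAS_NAME, HAS_ARGS, IS_UNICODE = 0x01, 0x02, 0x04, 0x20, 0x80
STRINGS = ((HAS_NAME, "name"), (0x08, "relative_path"), (0x10, "working_dir"), (HAS_ARGS, "arguments"), (0x40, "icon"))

def parse_lnk(data, pos=0):
    """Return (local target path, StringData dict) for the ShellLink at data[pos]."""
    flags, cur = struct.unpack_from("<I", data, pos + 20)[0], pos + 76   # LinkFlags; skip 76-byte header
    if flags & HAS_IDLIST:                                 # LinkTargetIDList: 2-byte size + items
        cur += 2 + struct.unpack_from("<H", data, cur)[0]
    target = None
    if flags & HAS_LINKINFO:                               # LinkInfo: offsets relative to its start
        size, _, li_flags, _, lbp_off, _, _ = struct.unpack_from("<7I", data, cur)
        if li_flags & 0x01:                                # VolumeIDAndLocalBasePath present
            target = data[cur + lbp_off:data.index(b"\x00", cur + lbp_off)].decode("latin-1")
        cur += size
    strings, width = {}, 2 if flags & IS_UNICODE else 1   # StringData: 2-byte char count + chars
    for bit, key in STRINGS:
        if flags & bit:
            n = struct.unpack_from("<H", data, cur)[0] * width
            strings[key] = data[cur + 2:cur + 2 + n].decode("utf-16-le" if width == 2 else "latin-1")
            cur += 2 + n
    return target, strings

def scan_jumplist(blob, owner_exe):
    """Flag every embedded ShellLink whose target is not the application that owns the jumplist."""
    findings, pos = [], blob.find(LNK_MAGIC)
    while pos != -1:
        target, strings = parse_lnk(blob, pos)
        if target and ntpath.basename(target).lower() != owner_exe.lower():
            findings.append((strings.get("name", ""), target, strings.get("arguments", "")))
        pos = blob.find(LNK_MAGIC, pos + len(LNK_MAGIC))
    return findings

def build_lnk(target, name="", arguments=""):  # constructed minimal ShellLink, sample input only
    flags = HAS_LINKINFO | IS_UNICODE | (HAS_NAME if name else 0) | (HAS_ARGS if arguments else 0)
    volume = struct.pack("<4I", 0x11, 3, 0, 0x10) + b"\x00"         # VolumeID: fixed drive, empty label
    path = target.encode("latin-1") + b"\x00"                        # LocalBasePath, NUL-terminated
    body = volume + path + b"\x00"                                   # + empty CommonPathSuffix
    info = struct.pack("<7I", 28 + len(body), 28, 1, 28, 28 + len(volume), 0, 28 + len(volume) + len(path))
    strs = b"".join(struct.pack("<H", len(s)) + s.encode("utf-16-le") for s in (name, arguments) if s)
    return LNK_MAGIC + struct.pack("<I", flags) + b"\x00" * 52 + info + body + strs

# Constructed stand-in for Internet Explorer's customDestinations-ms: one legitimate task plus the fake
# "My Bank Web Site" task from the post. The framing bytes are made up; the scan keys on the LNK signature.
SAMPLE = (b"\x02\x00\x00\x00" + build_lnk(r"C:\Program Files\Internet Explorer\iexplore.exe", "Start InPrivate Browsing", "-private")
          + build_lnk(r"C:\Windows\System32\calc.exe", "My Bank Web Site"))
```

Calling `scan_jumplist(SAMPLE, "iexplore.exe")` returns only the Calculator task; a Multiple Link style swap would surface the same way once its target no longer matches the owning application.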
