
Beyond good ol’ Run key, Part 30

April 26, 2015 in Anti-Forensics, Autostart (Persistence), Compromise Detection, Forensic Analysis, Malware Analysis

Many laptops come with preinstalled packages that enhance user experience by responding to gestures and shortcuts available via a touchpad. One of the most popular packages offering such functionality comes from Synaptics. My old laptop has it preinstalled as well and… that’s how this post was born.

While exploring the options of the program I discovered that you can associate a lot of various actions with buttons and areas/zones of the touchpad. Turns out that one such interesting action is… running an arbitrary program :)

Clicking the Configure button allows us to choose the path to the program:

The same goes for the right button (and also for the zones shown at the bottom of the left pane):

Once I configured these I was able to launch the program of my choice by just playing with the touchpad.

I must mention that it is not a vulnerability – it is just flexibility offered by the program, allowing the user to define what they want to do with their computer. But of course it could be abused as a persistence mechanism.

The place in the Registry where these paths are stored is shown below:

  • HKCU\Software\Synaptics\SynTPEnh\PlugInConfig\TouchPadPS2

The information about what action should be triggered is stored here:

  • HKCU\Software\Synaptics\SynTP\TouchPadPS2
    • LeftButtonAction = if equal to 0, the default touchpad action is overridden with the action of the plugin defined by the next two entries (LeftButtonPlugInID & LeftButtonPlugInActionID)
    • LeftButtonPlugInID = changed to ‘SynTP’
    • LeftButtonPlugInActionID = if this ActionID is equal to 5, the action is program execution

The right button (and other buttons, if present) as well as the zones all have a similar set of settings (again, their actual availability depends on the touchpad model/hardware); the respective registry entries are:

  • TopLeftCornerPlugInID=
  • TopRightCornerPlugInID=
  • BottomLeftCornerPlugInID=
  • BottomRightCornerPlugInID=
  • LeftButtonPlugInID=
  • MiddleButtonPlugInID=
  • RightButtonPlugInID=
  • UpButtonPlugInID=
  • DownButtonPlugInID=
  • 2FingerTapPlugInID=
  • 3FingerTapPlugInID=
  • ExButton1PlugInID=
  • ExButton2PlugInID=
  • ExButton3PlugInID=
  • ExButton4PlugInID=
  • ExButton5PlugInID=
  • ExButton6PlugInID=
  • ExButton7PlugInID=
  • ExButton8PlugInID=
  • PressToSelectPlugInID=
  • Button5PlugInID=
  • ButtonModePlugInID=
  • 3FingerPressPlugInID=
  • PalmOnPadPlugInID=
  • 2FingerDoubleTapPlugInID=

and each of them has a corresponding ‘ActionID’ setting, e.g.:

  • TopRightCornerPlugInID -> TopRightCornerPlugInActionID

The chance that we will come across this in real cases is pretty low, but I am adding it here for completeness.
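As an added example (not part of the original post), here is a small offline check that applies the logic described above to a `reg export` of the two keys named in the post: it parses the .reg text, flags every trigger whose `*PlugInActionID` is 5 (program execution), reports the accompanying `*PlugInID` and, where present, the `*Action` override value, and dumps whatever sits under `SynTPEnh\PlugInConfig\TouchPadPS2` for manual review. The post does not document the value names under the PlugInConfig key, so the `LeftButtonExecPath` value in the constructed sample is a placeholder, not a real Synaptics value name; the rest of the sample uses only names given in the post.

```python
import re
from typing import Dict, List, Optional, Union

RegValue = Union[int, str]
RegTree = Dict[str, Dict[str, RegValue]]

# ActionID value the post identifies as "program execution"
PROGRAM_EXECUTION_ACTION_ID = 5
# Keys named in the post, in the form `reg export` writes them
SYNTP_KEY = r"HKEY_CURRENT_USER\Software\Synaptics\SynTP\TouchPadPS2"
CONFIG_KEY = r"HKEY_CURRENT_USER\Software\Synaptics\SynTPEnh\PlugInConfig\TouchPadPS2"

SECTION_RE = re.compile(r"^\[(.+)\]$")
DWORD_RE = re.compile(r'^"([^"]+)"=dword:([0-9a-fA-F]{8})$')
STRING_RE = re.compile(r'^"([^"]+)"="(.*)"$')

# Constructed sample export: one button and one corner zone rewired to
# program execution, the right button left at its default. The value name
# "LeftButtonExecPath" under PlugInConfig is a placeholder (assumption).
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Synaptics\SynTP\TouchPadPS2]
"LeftButtonAction"=dword:00000000
"LeftButtonPlugInID"="SynTP"
"LeftButtonPlugInActionID"=dword:00000005
"RightButtonAction"=dword:00000001
"RightButtonPlugInID"=""
"RightButtonPlugInActionID"=dword:00000000
"TopRightCornerPlugInID"="SynTP"
"TopRightCornerPlugInActionID"=dword:00000005

[HKEY_CURRENT_USER\Software\Synaptics\SynTPEnh\PlugInConfig\TouchPadPS2]
"LeftButtonExecPath"="C:\\Users\\victim\\AppData\\Roaming\\updater.exe"
"""


def parse_reg_export(text: str) -> RegTree:
    """Minimal parser for the subset of .reg syntax `reg export` emits for
    these keys: [key] headers, dword values and plain REG_SZ strings."""
    tree: RegTree = {}
    current: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            tree.setdefault(current, {})
            continue
        if current is None:
            continue
        m = DWORD_RE.match(line)
        if m:
            tree[current][m.group(1)] = int(m.group(2), 16)
            continue
        m = STRING_RE.match(line)
        if m:
            # .reg escapes backslashes and quotes inside REG_SZ with a backslash
            tree[current][m.group(1)] = re.sub(r"\\(.)", r"\1", m.group(2))
    return tree


def find_program_execution_triggers(tree: RegTree) -> List[Dict[str, Optional[RegValue]]]:
    """Return every trigger whose <Trigger>PlugInActionID equals 5.
    The post says a button additionally needs <Trigger>Action == 0 for the
    plugin action to override the default, so that value is reported when
    the trigger has one (zones in the sample have no *Action value)."""
    values = tree.get(SYNTP_KEY, {})
    hits: List[Dict[str, Optional[RegValue]]] = []
    for name, val in values.items():
        if not name.endswith("PlugInActionID") or val != PROGRAM_EXECUTION_ACTION_ID:
            continue
        trigger = name[: -len("PlugInActionID")]
        hits.append({
            "trigger": trigger,
            "plugin_id": values.get(trigger + "PlugInID", ""),
            "action": values.get(trigger + "Action"),  # None when absent
        })
    return sorted(hits, key=lambda h: str(h["trigger"]))


def plugin_config_values(tree: RegTree) -> Dict[str, RegValue]:
    """Everything under PlugInConfig\\TouchPadPS2, where the post says the
    program paths live; reviewed by hand since the value names are not documented."""
    return dict(tree.get(CONFIG_KEY, {}))


if __name__ == "__main__":
    parsed = parse_reg_export(SAMPLE_REG)
    for hit in find_program_execution_triggers(parsed):
        print(f"[!] {hit['trigger']}: PlugInID={hit['plugin_id']!r} Action={hit['action']}")
    for name, value in plugin_config_values(parsed).items():
        print(f"[i] PlugInConfig {name} = {value!r}")
```

On a live system the same two keys can be exported with `reg export` and fed to `parse_reg_export`; the sample run reports LeftButton and TopRightCorner as program-execution triggers and lists the PlugInConfig value for review.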

The Easter Bunny comes with a bag full of events

April 5, 2015 in Compromise Detection, Forensic Analysis, Malware Analysis

The Easter Bunny decided to make this Easter a bit more … eventful [sic!].

Named events are quite similar to Mutexes and Atoms. They may be handy in recognizing some malware families so here is a bunch of them that I extracted from various malware samples.