
Beyond good ol’ Run key, Part 14

July 8, 2014 in Anti-Forensics, Autostart (Persistence), Compromise Detection, Forensic Analysis, Malware Analysis

I have mentioned in my older posts that tracing, logging, debugging and various plugins, extensions and internal performance testing and development tools can be used and abused as a persistence mechanism; today’s topic is yet another list of phantom DLLs – this time courtesy of Windows Problem Reporting.

When applications crash on newer versions of Windows, the WerFault.exe program is executed (subject to the system's settings); once launched, at some stage it tries to locate and load the following files:

  • dbghelp.dll
  • ext.dll
  • exts.dll
  • ntsdexts.dll
  • uext.dll
  • wow64log.dll

The last one on the list may look familiar; I mentioned it in Part 5.

These DLLs are various debugger extensions that WerFault tries 'to talk to' when the crash occurs; the paths WerFault walks through follow the Extension DLL search path. I believe this path is hard-coded inside WerFault and can't be changed (if it could, that would be yet another way to fool WerFault into looking for the DLLs in other directories), but it can be changed when the extensions are loaded from under WinDbg or another debugger compatible with them.

The search activity can be easily observed using Process Monitor; on my Windows 8.1 test system it walks through a couple of C:\Windows\ sub-directories. The list below is a combined list from both the 32- and 64-bit versions:

  • C:\Windows\ext.dll
  • C:\Windows\exts.dll
  • C:\Windows\ntsdexts.dll
  • C:\Windows\System32\ext.dll
  • C:\Windows\System32\exts.dll
  • C:\Windows\System32\ntsdexts.dll
  • C:\Windows\system32\pri\dbghelp.dll
  • C:\Windows\system32\pri\ext.dll
  • C:\Windows\system32\pri\exts.dll
  • C:\Windows\system32\pri\ntsdexts.dll
  • C:\Windows\system32\pri\uext.dll
  • C:\Windows\System32\uext.dll
  • C:\Windows\System32\wbem\ext.dll
  • C:\Windows\System32\wbem\exts.dll
  • C:\Windows\System32\wbem\ntsdexts.dll
  • C:\Windows\System32\wbem\uext.dll
  • C:\Windows\System32\WindowsPowerShell\v1.0\ext.dll
  • C:\Windows\System32\WindowsPowerShell\v1.0\exts.dll
  • C:\Windows\System32\WindowsPowerShell\v1.0\ntsdexts.dll
  • C:\Windows\System32\WindowsPowerShell\v1.0\uext.dll
  • C:\Windows\system32\winext\arcade\dbghelp.dll
  • C:\Windows\system32\winext\arcade\ext.dll
  • C:\Windows\system32\winext\arcade\exts.dll
  • C:\Windows\system32\winext\arcade\ntsdexts.dll
  • C:\Windows\system32\winext\arcade\uext.dll
  • C:\Windows\system32\winext\dbghelp.dll
  • C:\Windows\system32\winext\ext.dll
  • C:\Windows\system32\winext\exts.dll
  • C:\Windows\system32\winext\ntsdexts.dll
  • C:\Windows\system32\winext\uext.dll
  • C:\Windows\system32\WINXP\dbghelp.dll
  • C:\Windows\system32\WINXP\ext.dll
  • C:\Windows\system32\WINXP\exts.dll
  • C:\Windows\system32\WINXP\ntsdexts.dll
  • C:\Windows\system32\WINXP\uext.dll
  • C:\Windows\System32\wow64log.dll
  • C:\Windows\SysWOW64\ext.dll
  • C:\Windows\SysWOW64\exts.dll
  • C:\Windows\SysWOW64\ntsdexts.dll
  • C:\Windows\SysWOW64\pri\dbghelp.dll
  • C:\Windows\SysWOW64\pri\ext.dll
  • C:\Windows\SysWOW64\pri\exts.dll
  • C:\Windows\SysWOW64\pri\ntsdexts.dll
  • C:\Windows\SysWOW64\pri\uext.dll
  • C:\Windows\SysWOW64\uext.dll
  • C:\Windows\SysWOW64\wbem\ext.dll
  • C:\Windows\SysWOW64\wbem\exts.dll
  • C:\Windows\SysWOW64\wbem\ntsdexts.dll
  • C:\Windows\SysWOW64\wbem\uext.dll
  • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\ext.dll
  • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\exts.dll
  • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\ntsdexts.dll
  • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\uext.dll
  • C:\Windows\SysWOW64\winext\arcade\dbghelp.dll
  • C:\Windows\SysWOW64\winext\arcade\ext.dll
  • C:\Windows\SysWOW64\winext\arcade\exts.dll
  • C:\Windows\SysWOW64\winext\arcade\ntsdexts.dll
  • C:\Windows\SysWOW64\winext\arcade\uext.dll
  • C:\Windows\SysWOW64\winext\dbghelp.dll
  • C:\Windows\SysWOW64\winext\ext.dll
  • C:\Windows\SysWOW64\winext\exts.dll
  • C:\Windows\SysWOW64\winext\ntsdexts.dll
  • C:\Windows\SysWOW64\winext\uext.dll
  • C:\Windows\SysWOW64\WINXP\dbghelp.dll
  • C:\Windows\SysWOW64\WINXP\ext.dll
  • C:\Windows\SysWOW64\WINXP\exts.dll
  • C:\Windows\SysWOW64\WINXP\ntsdexts.dll
  • C:\Windows\SysWOW64\WINXP\uext.dll
  • C:\Windows\uext.dll

Writing to the Windows directory is more difficult nowadays than it was in the past, but with a growing number of tricks used to escalate privileges one should not blindly assume that these files are not going to be there just because of the directory ACLs.

To test, drop a DLL into one of these locations and crash some app – WerFault will do the rest :-)
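As an added example (not from the original post), a small Python triage of a Process Monitor CSV export that separates WerFault's probes for these DLL names into locations that were empty and locations where a file was actually found; the Procmon column names are assumed to be the default export headers, and the rows are constructed, not a real capture.

```python
"""Triage a Process Monitor CSV export for WerFault's debugger-extension DLL probes.

Added example, not from the original post. It assumes Procmon's default CSV export
columns ("Process Name", "Operation", "Path", "Result"); the rows below are
constructed, not a real capture.
"""
import csv
import io
import ntpath

# Extension DLL names WerFault probes for (from the post).
PHANTOM_DLLS = {"dbghelp.dll", "ext.dll", "exts.dll",
                "ntsdexts.dll", "uext.dll", "wow64log.dll"}

# Constructed sample rows in Procmon's CSV export layout.
SAMPLE_CSV = '''"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"10:01:02.1","WerFault.exe","4120","CreateFile","C:\\Windows\\System32\\ext.dll","NAME NOT FOUND","Desired Access: Read"
"10:01:02.2","WerFault.exe","4120","CreateFile","C:\\Windows\\System32\\wbem\\ext.dll","NAME NOT FOUND","Desired Access: Read"
"10:01:02.3","WerFault.exe","4120","CreateFile","C:\\Windows\\System32\\wbem\\exts.dll","SUCCESS","Desired Access: Read"
"10:01:02.4","WerFault.exe","4120","Load Image","C:\\Windows\\System32\\wbem\\exts.dll","SUCCESS","Image Base: 0x7ff800000000"
"10:01:03.0","notepad.exe","5000","CreateFile","C:\\Users\\x\\ext.dll","NAME NOT FOUND","Desired Access: Read"
'''


def werfault_dll_probes(csv_text, process="WerFault.exe"):
    """Split the phantom-DLL probes made by `process` into two sorted lists:
    paths that returned NAME NOT FOUND (the normal, empty search order) and
    paths that resolved to a real file (a DLL sitting in a probed location
    is exactly what the post says to look for)."""
    missing, present = set(), set()
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["Process Name"].lower() != process.lower():
            continue
        if row["Operation"] not in ("CreateFile", "Load Image"):
            continue
        path = row["Path"]
        # ntpath handles backslash paths even when this runs on Linux.
        if ntpath.basename(path).lower() not in PHANTOM_DLLS:
            continue
        if row["Result"] == "NAME NOT FOUND":
            missing.add(path)
        elif row["Result"] == "SUCCESS":
            present.add(path)
    return sorted(missing), sorted(present)


if __name__ == "__main__":
    missing, present = werfault_dll_probes(SAMPLE_CSV)
    print("probed but absent:", *missing, sep="\n  ")
    print("present in a probed location (inspect these):", *present, sep="\n  ")
```

Against a real export, any path in the second list is a file living where WerFault will happily load it and deserves a signature check and a hash lookup.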

Anti-forensics – live examples, Part 2

June 27, 2014 in Anti-Forensics, Compromise Detection, Malware Analysis

I wrote about malware using anti-forensics tricks back in 2012. Recently I have been seeing quite a few (I believe CryptoLocker) samples arriving in my spambait mailbox that use anti-forensics and evasion tricks which I believe are worth documenting.

The malware arrives as one of the typical VOICE<phone number>.zip packages embedding an unencrypted VOICE<phone number>.scr file which, when executed, delivers the payload.

The payload is delivered in an evasive way:

  • a new suspended explorer.exe process is created and a malicious thread is injected into it
  • the code injected into explorer.exe decrypts the second stage of the payload and drops a file into a directory directly on the c:\ drive (c:\<hex-digits>\<hex-digits>.exe);

this is the first (kinda light) anti-forensic trick I want to talk about; it would seem malware authors try to avoid dropping copies of the malware into the %APPDATA% folder (or into this folder only) as it is the place where it is easiest to find them

dropping the file into more than one folder, and especially into folders that are less likely to be inspected, is (I believe) an attempt to evade early detection

  • the malware also copies itself to
    • %APPDATA%\Start Menu\Programs\Startup\<hex digits>.exe – a typical, old-school persistence mechanism
    • %APPDATA%\<hex digits>.exe

      and then adds 2 Run Keys under HKCU to ensure its persistence on the system
  • the 2 keys point to
    • %APPDATA%\<hex digits>.exe
    • c:\<hex-digits>\<hex-digits>.exe (the location described earlier)
  • so, there are 3 autostart entries in total and 3 copies of the malware; that's the second trick – cleaning up such infections may be a bit tricky, and it highlights the importance of checking all the possible persistence mechanisms
  • next, the malware creates another suspended process, this time svchost.exe, and injects code into it the same way as into explorer.exe before; it will be used to connect out to the C&C
  • in the meantime, the explorer.exe launches the vssadmin tool with destructive command-line arguments as follows:
    • vssadmin.exe Delete Shadows /All /Quiet

      that's the third anti-forensic trick, which basically deletes all the shadow copies (note, it doesn't work under XP)

  • malware also disables the System Restore by setting the following key
    • HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore
      DisableSR (REG_DWORD) = 1

      that’s the fourth anti-forensic trick used by this malware

  • and then also tries to kill a couple of services
    • wscsvc
    • WinDefend
    • wuauserv
    • BITS
    • ERSvc
    • WerSvc
  • finally, it tries to connect out to the C&C (from the hijacked svchost.exe process)
    • bolizarsospos(.)com
    • covermontislol(.)com
    • milimalipali(.)com
    • torichipinis(.)com
    • vivatsaultppc(.)com

Some variants also disable Startup Repair using the following command

  • bcdedit /set {default} recoveryenabled No
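As an added example (not from the original post), a Python rule set that flags the actions described in this post (the vssadmin shadow deletion, the bcdedit Startup Repair change, the DisableSR value, and Run keys pointing into a hex-named directory on the drive root) over constructed process and registry events; the event shape is an assumption, not a real log format.

```python
"""Flag the anti-forensic and persistence actions described in the post in
endpoint telemetry. Added example, not from the original post; the event dicts
are a constructed, simplified shape (roughly Sysmon process-create / registry
value-set fields), and the rules encode only what the post describes."""
import re

# Command lines the post documents (shadow copy deletion, Startup Repair off).
CMDLINE_RULES = [
    ("shadow copies deleted", re.compile(r"\bvssadmin(\.exe)?\b.*\bdelete\s+shadows\b", re.I)),
    ("Startup Repair disabled", re.compile(r"\bbcdedit(\.exe)?\b.*\brecoveryenabled\s+no\b", re.I)),
]
SYSTEM_RESTORE_KEY = r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore"
# Run-key target of the form c:\<hex-digits>\<hex-digits>.exe, as in the post.
HEX_ROOT_EXE = re.compile(r'"?[a-z]:\\[0-9a-f]+\\[0-9a-f]+\.exe"?', re.I)

def flag_process(cmdline):
    return [name for name, rx in CMDLINE_RULES if rx.search(cmdline)]

def flag_registry(key, value, data):
    k = key.lower()
    if k == SYSTEM_RESTORE_KEY.lower() and value.lower() == "disablesr" and str(data) == "1":
        return ["System Restore disabled"]
    if k.endswith(r"\microsoft\windows\currentversion\run") and HEX_ROOT_EXE.fullmatch(str(data)):
        return ["Run key points into a hex-named directory on the drive root"]
    return []

def flag_events(events):
    """Return (pid, finding) pairs for every event that matches a rule."""
    findings = []
    for ev in events:
        if ev["kind"] == "process":
            hits = flag_process(ev["cmdline"])
        else:
            hits = flag_registry(ev["key"], ev["value"], ev["data"])
        findings.extend((ev["pid"], h) for h in hits)
    return findings

# Constructed sample telemetry, not a real capture.
SAMPLE_EVENTS = [
    {"kind": "process", "pid": 1234, "cmdline": "vssadmin.exe Delete Shadows /All /Quiet"},
    {"kind": "process", "pid": 1235, "cmdline": "bcdedit /set {default} recoveryenabled No"},
    {"kind": "process", "pid": 1300, "cmdline": "vssadmin.exe List Shadows"},
    {"kind": "registry", "pid": 1200, "key": SYSTEM_RESTORE_KEY, "value": "DisableSR", "data": 1},
    {"kind": "registry", "pid": 1200, "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
     "value": "1a2b3c", "data": r"c:\1a2b3c\4d5e6f.exe"},
]

if __name__ == "__main__":
    for pid, finding in flag_events(SAMPLE_EVENTS):
        print(f"pid {pid}: {finding}")
```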