You are browsing the archive for Malware Analysis.

Beyond good ol’ Run key, Part 30

April 26, 2015 in Anti-Forensics, Autostart (Persistence), Compromise Detection, Forensic Analysis, Malware Analysis

Many laptops come with preinstalled packages that enhance user experience by responding to gestures and shortcuts available via a touchpad. One of the most popular packages offering such functionality comes from Synaptics. My old laptop has it preinstalled as well and… that’s how this post was born.

While exploring the options of the program I discovered that you can associate a lot of various actions with buttons and areas/zones of the touchpad. Turns out that one such interesting action is… running an arbitrary program :)

synaptics1Clicking the Configure button allows us to choose the path to the program:

synaptics2Same goes for the right button (and also zones shown at the bottom of the left pane):

synaptics3Once I configured these I was able to launch the program of my choice by just playing with the touchpad.

I must mention that it is not a vulnerability – it is just a flexibility offered by the program allowing user to define what they want to do with their computer. But of course it could be abused as a persistence mechanism.

The place in the Registry where these paths are stored is shown below:

  • HKCU\Software\Synaptics\SynTPEnh\PlugInConfig\TouchPadPS2

synaptics4The information about what action should be triggered is stored here:

  • HKCU\Software\Synaptics\SynTP\TouchPadPS2
    • LeftButtonAction = if equal 0 the default touchpad action is overridden with the action of the plugin defined by the next 2 entries below (LeftButtonPlugInID & LeftButtonPlugInActionID)
    • LeftButtonPlugInID = changed to ‘SynTP’
    • LeftButtonPlugInActionID = if this ActionID is equal to 5 then it is program execution

synaptics5Right button (and other buttons, if present)  as well as zones all have similar set of settings (again, their actual availability depends on a touchpad model/hardware/); the respective registry entries are:

  • TopLeftCornerPlugInID=
  • TopRightCornerPlugInID=
  • BottomLeftCornerPlugInID=
  • BottomRightCornerPlugInID=
  • LeftButtonPlugInID=
  • MiddleButtonPlugInID=
  • RightButtonPlugInID=
  • UpButtonPlugInID=
  • DownButtonPlugInID=
  • 2FingerTapPlugInID=
  • 3FingerTapPlugInID=
  • ExButton1PlugInID=
  • ExButton2PlugInID=
  • ExButton3PlugInID=
  • ExButton4PlugInID=
  • ExButton5PlugInID=
  • ExButton6PlugInID=
  • ExButton7PlugInID=
  • ExButton8PlugInID=
  • PressToSelectPlugInID=
  • Button5PlugInID=
  • ButtonModePlugInID=
  • 3FingerPressPlugInID=
  • PalmOnPadPlugInID=
  • 2FingerDoubleTapPlugInID=

and each of them have the respective ‘ActionID’ settings e.g.:

  • TopRightCornerPlugInID -> TopRightCornerPlugInActionID

The chance we will come across it on real cases are pretty low, but just adding it here for completeness.

Wow6432Node key stats

April 8, 2015 in Batch Analysis, Forensic Analysis, Malware Analysis

I recently came back to play with strings artifacts extracted from a decently sized sample set. Looking at a normalized, clustered data set is always a good starting point for a research. It can be very boring, but every once in a while you will find something interesting.

To kick it off here are some stats about Wow6432Node key that I generated overnight.

With 64-bit boxes becoming pretty much the norm we naturally see more and more samples referring to this Registry key. If there is one reason for us to look at this data is to find out if there are perhaps some keys under Wow6432Node that may deserve some special attention… Who knows, maybe some new persistence mechanism or some new, interesting artifact is out there waiting for someone to discover it.

Obviously, stats may be misleading so use it at your own risk. Also, not all the keys are necessarily malicious. It’s just a bunch of keys that specifically refer to Wow6432Node, and are extracted from a large sample set.

Looking at the data below one thing strikes me immediately – the Run and RunOnce keys are pretty low on the list. Either software authors are not hardcoding them to avoid heuristic detections, or… there is really not that much software that modifies these keys directly.

  179506 software\wow6432node\microsoft\windows\
  42517 software\wow6432node\clients\startmenuinternet
  23631 software\wow6432node\microsoft\windows\currentversion\uninstall\avast
   5074 software\wow6432node\javasoft\java runtime environment
   4859 software\wow6432node\javasoft\java development kit
   3274 software\wow6432node\beattool
   3020 software\wow6432node\avast
   2601 software\wow6432node\sweetim
   1861 software\wow6432node\avira
   1686 software\wow6432node\microsoft\internet explorer\extensions\{ebd24bd3-e272-4fa3-a8ba-c5d709757cab}
   1641 software\wow6432node\sweet-pagesoftware
   1641 software\wow6432node\awesomehpsoftware
   1639 software\wow6432node\webssearchessoftware
   1638 software\wow6432node\qone8software
   1638 software\wow6432node\microsoft\windows\currentversion\uninstall\{c4ed781c-7394-4906-aaff-d6ab64ff7c38}
   1638 software\wow6432node\microsoft\windows\currentversion\uninstall\{889df117-14d1-44ee-9f31-c5fb5d47f68b}
   1638 software\wow6432node\classes\clsid\{4aa46d49-459f-4358-b4d1-169048547c23}
   1637 software\wow6432node\aartemissoftware
   1636 software\wow6432node\avg
   1551 software\wow6432node\microsoft\windows\currentversion\uninstall
   1515 software\wow6432node\avast software
   1465 wow6432node\clsid\
   1399 software\wow6432node\baidu security\antivirus
   1387 software\wow6432node\google\chrome\extensions
   1141 \software\wow6432node\baidu security\pc faster
    913 software\wow6432node\microsoft\windows\currentversion\uninstall\avira
    623 software\wow6432node\omiga-plussoftware\omiga-plushp
    583 software\wow6432node\red gate\
    559 wow6432node\clsid\%s
    502 software\wow6432node
    434 software\wow6432node\microsoft\internet explorer\extensions
    417 software\wow6432node\mozilla\mozilla firefox
    403 software\wow6432node\microsoft\windows\currentversion\uninstall\
    384 software\wow6432node\microsoft\internet explorer\toolbar
    372 software\wow6432node\mozilla\zvu.com\%s\main
    372 software\wow6432node\mozilla\zvu.com
    363 software\wow6432node\microsoft\windows\currentversion\run
    356 software\wow6432node\{smartassembly}
    326 software\wow6432node\microsoft\office\outlook\addins
    295 hkey_local_machine\software\wow6432node\vitalwerks\duc
    281 software\wow6432node\babylontoolbar\babylontoolbar
    265 software\wow6432node\brapp
    263 software\wow6432node\microsoft\windows\currentversion\runonce
    253 software\wow6432node\asktoolbar\macro
    215 software\wow6432node\mozilla\mozilla firefox\
    204 software\wow6432node\realnetworks\dlp
    189 software\wow6432node\microsoft\net framework setup\ndp\
    186 software\wow6432node\qone8software\qone8hp
    168 software\wow6432node\v9software
    163 software\wow6432node\qvo6software\qvo6hp