Beyond good ol’ Run key, Part 13

Today we will look at yet another less-known persistence mechanism, and as a bonus – I will be talking about it twice. It only affects Windows XP so it’s a bit old, but there are still plenty of XP systems out there so I guess it still counts 🙂

The mechanism relies on the following Registry key:

  • HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\RunGrpConv

The presence of the RunGrpConv entry under the Winlogon key with a non-zero value tells the system (userinit.exe, to be precise) to launch grpconv.exe when the user logs on. The grpconv.exe program itself is one of the migration applications designed to help convert Windows 3.1 Program Manager groups into Start Menu folders while upgrading to Windows 95+, and is now obviously obsolete.

Persistence mechanism #1

Since the program is old and obsolete, most people won’t even notice if it is gone. It’s also not protected by Windows File Protection, so one could simply delete the legitimate grpconv.exe, replace it with a malicious program and set the registry value to ensure the program is launched every time the user logs on.

This trick was successfully used by a malware family called Bredolab. The malware was also placing the file in a different location (%system%\wbem\grpconv.exe). You can see an example malware report here.

You can experiment with this trick by replacing grpconv.exe on your test XP box with e.g. calc.exe. Once you restart the system (and log on) or simply log off and log on again you will notice that Calculator was launched…

[screenshot: RunGrpConv1]

and it happens even before Windows Explorer is loaded:

[screenshot: RunGrpConv2]

Persistence mechanism #2

The fact that grpconv.exe can be loaded every time the user logs on is cool. Even cooler is the fact that it is an old school app and as such it relies on external libraries that are no longer present on the system. When executed, grpconv.exe attempts to load imm.dll, a DLL that does not exist on the system, so the loader walks the standard DLL search path (application directory, System32, and so on) and finds nothing.

So, adding the RunGrpConv value and dropping a malicious imm.dll somewhere on that search path (next to grpconv.exe is the obvious spot) will lead to its loading and execution any time the user logs on.

[screenshot: RunGrpConv3]

A variant of this trick was previously described here.
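For the defensive side, here is an added example (my own script, not something from the original post or from Bredolab analyses) that audits a box for both grpconv.exe tricks at once: the RunGrpConv flag, every copy of grpconv.exe in the two directories mentioned above, and any imm.dll that could satisfy the dangling import. It assumes PowerShell 2.0 on an XP box, the default %SystemRoot%, and that it is run as the user whose profile is audited, since the flag lives under HKCU; the "suspicious" rules are my heuristics, not a signature.

```powershell
# Added example (not from the original post): audit for the RunGrpConv persistence tricks.
# Assumptions: PowerShell 2.0 on XP, default %SystemRoot%, run as the audited user (flag is in HKCU).

function Get-Sha256([string]$Path) {
    $sha = [System.Security.Cryptography.SHA256]::Create()
    $fs  = [System.IO.File]::OpenRead($Path)
    try     { ([System.BitConverter]::ToString($sha.ComputeHash($fs))) -replace '-', '' }
    finally { $fs.Close() }
}

$findings = @()
$winlogon = 'HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon'
$sys32    = Join-Path $env:SystemRoot 'system32'

# 1. The flag userinit.exe consults: any non-zero RunGrpConv data means grpconv.exe runs at logon.
$props = Get-ItemProperty -Path $winlogon -ErrorAction SilentlyContinue
if ($props -and $props.PSObject.Properties['RunGrpConv']) {
    $data = $props.RunGrpConv
    if ($data -ne 0) {
        $findings += "RunGrpConv=$data under $winlogon (grpconv.exe will be launched at logon)"
    }
}

# 2. grpconv.exe is not covered by WFP, so record the hash of every copy found and compare it
#    with a known-good copy. Bredolab used system32\wbem\grpconv.exe, so that directory is checked too.
#    Caveat: XP system files are catalog-signed and PS 2.0's Get-AuthenticodeSignature reports
#    them as NotSigned, so treat the signature field as informational only; the hash is the real check.
foreach ($dir in @($sys32, (Join-Path $sys32 'wbem'))) {
    $exe = Join-Path $dir 'grpconv.exe'
    if (Test-Path $exe) {
        $sig = Get-AuthenticodeSignature $exe
        $findings += ('grpconv.exe at {0}: sha256={1} signature={2}' -f $exe, (Get-Sha256 $exe), $sig.Status)
        if ($dir -ne $sys32) { $findings += "grpconv.exe outside system32 (Bredolab-style): $exe" }
    }
    # 3. The dangling import: imm.dll does not exist on a stock XP install (imm32.dll does), so any
    #    imm.dll in the application directory or System32 is a planted DLL the loader will pick up.
    $dll = Join-Path $dir 'imm.dll'
    if (Test-Path $dll) {
        $findings += ('planted DLL candidate: {0} sha256={1}' -f $dll, (Get-Sha256 $dll))
    }
}

if ($findings.Count -eq 0) { 'No RunGrpConv artefacts found.' } else { $findings }
```

Run it once on a clean XP install to capture the hash of the legitimate grpconv.exe, then any later run that reports a different hash, a copy under wbem, or an imm.dll at all is worth a closer look. Other user profiles have their own HKCU hive, so repeat the first check (or load their NTUSER.DAT) for each account on the box.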

Beyond good ol’ Run key, Part 12

After googling around I couldn’t find any reference to Rover autostart mechanism, so here is a quick introduction for you:

Adding this key [key only is enough]:

  • HKEY_CLASSES_ROOT\CLSID\{16d12736-7a9e-4765-bec6-f301d679caaa}

and dropping the following file:

  • c:\windows\system32\rover.dll

with an exported function called RunMonitor will cause rover.dll to be loaded any time the user logs in [it’s loaded by userinit.exe].

Tested on Windows 7 and Windows 8.1.

[screenshot: rover]

I have received a few questions with regards to this post, so here are some notes that I hope will be helpful:

  • Despite being placed under HKCR, it’s not a regular COM entry
  • It’s the equivalent of a Boolean flag stored in the Registry; same as the presence of a file on disk
    • If key exists
      { do something }
  • I believe it’s a part of some testing/QA platform; maybe some exotic extension used only in special builds [Windows is actually full of these conditionally loaded DLLs]
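As an added example (my own script, not from the original post), here is a PowerShell check for both halves of the Rover autostart: the bare CLSID key and a rover.dll in System32 that actually exports RunMonitor. Since rover.dll does not exist on a normal install, the interesting question is not just whether the file is there but whether it is wired up to be called, so the script includes a minimal PE export-table parser of my own (PE32 and PE32+, named exports only) and self-tests it on kernel32.dll before trusting it. It assumes an elevated PowerShell on Windows 7/8.1 and the default %SystemRoot%.

```powershell
# Added example (not from the original post): check for the Rover autostart.
# Assumptions: elevated PowerShell on Windows 7/8.1, default %SystemRoot%, System32 path as in the post.

function Get-PeExportNames {
    # Minimal PE export-name parser (my own, PE32 and PE32+, named exports only).
    param([Parameter(Mandatory=$true)][string]$Path)
    $b   = [System.IO.File]::ReadAllBytes($Path)
    $u16 = { param($o) [System.BitConverter]::ToUInt16($b, [int]$o) }
    $u32 = { param($o) [System.BitConverter]::ToUInt32($b, [int]$o) }
    if ((& $u16 0) -ne 0x5A4D) { throw "$Path is not an MZ file" }
    $pe = & $u32 0x3C                                   # e_lfanew -> 'PE\0\0'
    if ((& $u32 $pe) -ne 0x4550) { throw "$Path has no PE signature" }
    $nSec  = & $u16 ($pe + 6)                           # COFF NumberOfSections
    $optSz = & $u16 ($pe + 20)                          # COFF SizeOfOptionalHeader
    $opt   = $pe + 24                                   # optional header start
    $ddOff = 96                                         # PE32: data directories at +96
    if ((& $u16 $opt) -eq 0x20B) { $ddOff = 112 }       # PE32+: data directories at +112
    $expRva = & $u32 ($opt + $ddOff)                    # directory[0] = export table RVA
    if ($expRva -eq 0) { return @() }
    # Section table follows the optional header; needed to turn RVAs into file offsets.
    $secs = @()
    for ($i = 0; $i -lt $nSec; $i++) {
        $s = $opt + $optSz + 40 * $i
        $secs += ,@((& $u32 ($s + 12)), (& $u32 ($s + 16)), (& $u32 ($s + 20)))  # VA, RawSize, RawPtr
    }
    $rvaToOff = {
        param($rva)
        foreach ($sec in $secs) {
            if ($rva -ge $sec[0] -and $rva -lt ($sec[0] + $sec[1])) { return $rva - $sec[0] + $sec[2] }
        }
        throw ('RVA 0x{0:X} maps to no section' -f $rva)
    }
    $exp      = & $rvaToOff $expRva
    $nNames   = & $u32 ($exp + 24)                      # IMAGE_EXPORT_DIRECTORY.NumberOfNames
    $namesOff = & $rvaToOff (& $u32 ($exp + 32))        # IMAGE_EXPORT_DIRECTORY.AddressOfNames
    $names = @()
    for ($i = 0; $i -lt $nNames; $i++) {
        $str = & $rvaToOff (& $u32 ($namesOff + 4 * $i))
        $end = $str
        while ($b[$end] -ne 0) { $end++ }               # NUL-terminated ASCII name
        $names += [System.Text.Encoding]::ASCII.GetString($b, $str, $end - $str)
    }
    return $names
}

# Self-test the parser on a DLL whose exports are known before relying on it.
$k32 = Join-Path $env:SystemRoot 'System32\kernel32.dll'
if ((Get-PeExportNames $k32) -notcontains 'CreateFileW') { throw 'export parser self-test failed' }

$clsid = 'Registry::HKEY_CLASSES_ROOT\CLSID\{16d12736-7a9e-4765-bec6-f301d679caaa}'
$dll   = Join-Path $env:SystemRoot 'System32\rover.dll'

$keyPresent = Test-Path -LiteralPath $clsid
$dllPresent = Test-Path -LiteralPath $dll
"CLSID key present  : $keyPresent"
"rover.dll present  : $dllPresent"
if ($dllPresent) {
    $f = Get-Item -LiteralPath $dll
    'rover.dll          : {0} bytes, modified {1}' -f $f.Length, $f.LastWriteTime
    $exports = Get-PeExportNames $dll
    "exports RunMonitor : $($exports -contains 'RunMonitor')"
    "all exports        : $($exports -join ', ')"
}
if ($keyPresent -and $dllPresent) {
    'Both halves of the Rover autostart are in place; userinit.exe will load rover.dll at next logon.'
}
```

Either half on its own is already an anomaly (there is no legitimate reason for that CLSID key or for a System32\rover.dll), but the export check separates a file that merely sits there from one that userinit.exe will actually call into, which is the difference between "odd" and "active persistence" when triaging.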

Note: For an unknown reason this post disappeared. Re-adding it. (Suspecting a WordPress hiccup; update: after checking logs it looks more like a DB problem, and it was restored by the provider from a backup /removing the post on the way/.)