Beyond good ol’ Run key, Part 13

Today we will look at yet another less-known persistence mechanism, and as a bonus – I will be talking about it twice. It only affects Windows XP so it’s a bit old, but there are still plenty of XP systems out there so I guess it still counts 🙂

The mechanism relies on the following Registry key:

  • HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\RunGrpConv

The presence of the key and its non-zeroish value tells the system (userinit.exe, to be precise) to launch grpconv.exe when a user logs on. The grpconv.exe program itself is one of the migration applications designed to help convert Windows 3.1 program groups to folders when upgrading to Windows 95+, and it is now obviously obsolete.

Persistence mechanism #1

Since the program is old and obsolete, most people won’t even notice if it is gone. It is also not protected by Windows File Protection, so one could simply delete the legitimate grpconv.exe, replace it with a malicious program and set the registry key to ensure the program is launched every time the user logs on.

This trick was successfully used by a malware family called Bredolab. The malware was also placing the file in a different location (%system%\wbem\grpconv.exe). You can see an example malware report here.

You can experiment with this trick by replacing grpconv.exe on your test XP box with e.g. calc.exe. Once you restart the system (and log on) or simply log off and log on again you will notice that Calculator was launched…

[Screenshot: RunGrpConv1]

and it’s even before Windows Explorer is loaded:

[Screenshot: RunGrpConv2]

Persistence mechanism #2

The fact that grpconv.exe can be loaded every time the user logs on is cool. Even cooler is the fact that it is an old-school app and as such it relies on external libraries that are no longer present on the system. When executed, grpconv.exe attempts to load a non-existent imm.dll.

So, adding the RunGrpConv key and dropping a malicious imm.dll will lead to its loading and execution any time the user logs on.

[Screenshot: RunGrpConv3]

A variant of this trick was previously described here.
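A defender-side check for both mechanisms, as an added example (not code from the original post): it works on artefacts collected from an XP box, a text export of the Winlogon key and a flat file inventory, so it runs offline. It reads RunGrpConv as a value under the Winlogon key (the post writes it as a path; "non-zeroish value" is what userinit.exe actually tests), flags any grpconv.exe outside system32 (the Bredolab wbem location from the post) and flags any imm.dll at all, since XP does not ship one. Both the registry text and the file list below are constructed samples.

```python
import re
from typing import Dict, List

WINLOGON_KEY = (r"HKEY_CURRENT_USER\Software\Microsoft\Windows NT"
                r"\CurrentVersion\Winlogon")
# Where grpconv.exe legitimately lives on XP; any other copy is suspect.
LEGIT_GRPCONV = r"c:\windows\system32\grpconv.exe"

# Constructed 'reg export' text of the Winlogon key with the trigger set.
# RunGrpConv is treated here as a value under Winlogon (assumption, see lead-in).
SAMPLE_REG_EXPORT = f"""Windows Registry Editor Version 5.00

[{WINLOGON_KEY}]
"RunGrpConv"=dword:00000001
"Shell"="explorer.exe"
"""

# Constructed file inventory (e.g. from 'dir /s /b'), mirroring the post:
# the legitimate binary, the Bredolab drop location and a planted imm.dll.
SAMPLE_FILE_LIST = [
    r"C:\WINDOWS\system32\grpconv.exe",
    r"C:\WINDOWS\system32\wbem\grpconv.exe",
    r"C:\WINDOWS\system32\imm.dll",
    r"C:\WINDOWS\system32\imm32.dll",
]


def parse_reg_export(text: str) -> Dict[str, Dict[str, str]]:
    """Minimal parser for 'reg export' output: key path -> {value name: raw data}."""
    keys: Dict[str, Dict[str, str]] = {}
    current = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current is not None and line.startswith('"') and "=" in line:
            name, _, data = line.partition("=")
            keys[current][name.strip('"')] = data
    return keys


def rungrpconv_enabled(keys: Dict[str, Dict[str, str]]) -> bool:
    """True when the value exists and is not a zero DWORD ('non-zeroish')."""
    data = keys.get(WINLOGON_KEY, {}).get("RunGrpConv")
    if data is None:
        return False
    match = re.fullmatch(r"dword:([0-9a-fA-F]{8})", data)
    if match:
        return int(match.group(1), 16) != 0
    return True  # string or binary data: still present, still worth a look


def triage(reg_text: str, files: List[str]) -> List[str]:
    """Findings for both mechanisms: the trigger value, a grpconv.exe outside
    system32, and any imm.dll (which XP does not ship) anywhere on the box."""
    findings: List[str] = []
    if rungrpconv_enabled(parse_reg_export(reg_text)):
        findings.append("RunGrpConv set: userinit will launch grpconv.exe at logon")
    for path in (p.lower() for p in files):
        if path.endswith("\\grpconv.exe") and path != LEGIT_GRPCONV:
            findings.append(f"grpconv.exe outside system32: {path}")
        if path.endswith("\\imm.dll"):
            findings.append(f"imm.dll present (not part of XP): {path}")
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_REG_EXPORT, SAMPLE_FILE_LIST):
        print(finding)
```

The location checks do not catch mechanism #1 when the attacker overwrites grpconv.exe in place; for that, compare the hash of system32\grpconv.exe against a known-good copy from install media or a clean reference system.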

Upatre’s gadgetry

Over the last week I have seen news reports about a spam campaign delivering malware that uses a .gadget file extension. Since one of my spambait accounts got it as well, I decided to run a quick test and write down what I found.

And just in case you are wondering – despite Gadgets having been retired, they still work.

The malicious attachment is called internal_use_only.gadget; Gadget files are zip files, so one can enumerate their content e.g. with 7-Zip:

Path = internal_use_only.gadget
Type = zip
Physical Size = 6878

   Date      Time    Attr         Size   Compressed  Name
------------------- ----- ------------ ------------  ------------------------
2014-05-16 12:45:26 ....A          335          220  gadget.html
2014-05-16 12:44:14 ....A        10240         6151  main.exe
2014-05-15 22:08:40 ....A          326          199  gadget.xml
------------------- ----- ------------ ------------  ------------------------
                                 10901         6570  3 files, 0 folders

If dropped in a folder, it shows the Gadget icon:

[Screenshot: gadget]

The content of the gadget.xml:

[Screenshot: gadget_xml2]

The content of the gadget.html:

[Screenshot: gadget_html]

The third file is a small executable called main.exe.

Quick analysis confirmed it’s Upatre, a well-known Zeus downloader.
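Static triage of a .gadget archive, as an added example (not code from the original post): since a .gadget is a zip, the script builds a constructed sample in memory with the same three members as the 7-Zip listing above, then reports which members start with a DOS MZ header and which HTML file the manifest tells the Sidebar to load. The manifest element layout (gadget/hosts/host/base with a src attribute) is the Sidebar manifest format; every value in it, the HTML body and the MZ stub are made up for this sample.

```python
import io
import zipfile
import xml.etree.ElementTree as ET
from typing import Any, Dict

# Constructed manifest: layout as in Sidebar gadget manifests, values made up.
CONSTRUCTED_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<gadget>
  <name>internal_use_only</name>
  <namespace>constructed.sample</namespace>
  <version>1.0.0.0</version>
  <hosts>
    <host name="sidebar">
      <base type="HTML" apiVersion="1.0.0" src="gadget.html"/>
      <permissions>Full</permissions>
      <platform minPlatformVersion="1.0"/>
    </host>
  </hosts>
</gadget>
"""
CONSTRUCTED_HTML = b"<html><body><!-- constructed placeholder --></body></html>"
# Just a DOS 'MZ' stub so the PE check below fires; not a real program.
CONSTRUCTED_EXE = b"MZ" + b"\x90" * 126


def build_sample_gadget() -> bytes:
    """Pack the three members in the same order as the 7-Zip listing."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("gadget.html", CONSTRUCTED_HTML)
        zf.writestr("main.exe", CONSTRUCTED_EXE)
        zf.writestr("gadget.xml", CONSTRUCTED_MANIFEST)
    return buf.getvalue()


def triage_gadget(data: bytes) -> Dict[str, Any]:
    """Enumerate a .gadget without running it: member list with sizes,
    members that carry an MZ header, the manifest name and the HTML
    entry point(s) the Sidebar will load."""
    report: Dict[str, Any] = {"members": [], "pe_members": [],
                              "name": None, "entry_points": [], "findings": []}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            report["members"].append((info.filename, info.file_size))
            with zf.open(info) as member:
                if member.read(2) == b"MZ":
                    report["pe_members"].append(info.filename)
        if "gadget.xml" in zf.namelist():
            root = ET.fromstring(zf.read("gadget.xml"))
            report["name"] = root.findtext("name")
            report["entry_points"] = [b.get("src") for b in root.iter("base")]
    if report["pe_members"]:
        report["findings"].append(
            "gadget carries a PE executable: " + ", ".join(report["pe_members"]))
    return report


if __name__ == "__main__":
    for key, value in triage_gadget(build_sample_gadget()).items():
        print(f"{key}: {value}")
```

A Sidebar gadget is HTML and script, so a PE file inside the archive is the quickest static signal; the entry point tells you which HTML file to read next for the code that launches it.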

When main.exe is executed it drops a copy of itself as %TEMP%\ycare.exe and appends the original path of main.exe to that copy, so that ycare.exe can delete the original once it runs. The executed ycare.exe attempts to connect to just* [ . ]com/wp-content/uploads/2014/02/1605UKmw.enc or grab the very same file from dot*[ . ]com/fonts/1605UKmw.enc.

If the user is silly enough to open this gadget on the computer, the warning popup will show up:

[Screenshot: gadget2]

If the user is silly^2 enough, the ‘gadget’ will be ‘added’ to the Sidebar:

[Screenshot: gadget3]

– and the malware thingie will run.

Gadgets leave Gadgetish remnants on the system, and these can potentially be used to determine the original attack vector:

  • %USERPROFILE%\AppData\Local\Microsoft\Windows Sidebar\Gadgets\internal_use_only.gadget\gadget.html
  • %USERPROFILE%\AppData\Local\Microsoft\Windows Sidebar\Gadgets\internal_use_only.gadget\gadget.xml

and also

  • %USERPROFILE%\AppData\Local\Microsoft\Windows Sidebar\Settings.ini

– the latter will contain the description of the Gadget(s) added to the system:

[Screenshot: gadget_settings]

Other artifacts are less reliable, e.g.:

  • HKCU\Software\Classes\Local Settings\MuiCache

may contain references to Sidebar binaries and

  • HKCU\Software\Microsoft\Windows\CurrentVersion\Run

may contain the entry starting Sidebar via

  • C:\Program Files\Windows Sidebar\sidebar.exe /autoRun

– these are less reliable because users may have other Gadgets installed, and a Sidebar installation is nothing unusual in their environment.
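A sweep of the reliable artifacts listed above, as an added example (not code from the original post): it builds a constructed user profile in a temporary directory containing the Windows Sidebar\Gadgets folder and Settings.ini from the post, then collects every installed gadget (a directory under Gadgets that holds a gadget.xml), the gadget.xml/gadget.html files to pull for analysis, and the Settings.ini lines that reference a .gadget. The Settings.ini content is constructed (the post does not show its key names, so the check relies only on the .gadget reference), and the file is written as UTF-16 with a BOM so the reader handles that encoding as well as plain UTF-8.

```python
import os
import tempfile
from typing import Dict, List

# %USERPROFILE%-relative location of the Sidebar data from the post.
SIDEBAR_REL = os.path.join("AppData", "Local", "Microsoft", "Windows Sidebar")


def build_sample_profile() -> str:
    """Create a constructed profile tree with one installed gadget."""
    root = tempfile.mkdtemp(prefix="profile_")
    gadget_dir = os.path.join(root, SIDEBAR_REL, "Gadgets", "internal_use_only.gadget")
    os.makedirs(gadget_dir)
    with open(os.path.join(gadget_dir, "gadget.xml"), "w") as fh:
        fh.write("<gadget><name>internal_use_only</name></gadget>")  # constructed
    with open(os.path.join(gadget_dir, "gadget.html"), "w") as fh:
        fh.write("<html><!-- constructed --></html>")  # constructed
    # Constructed Settings.ini; only the .gadget reference matters to the sweep.
    with open(os.path.join(root, SIDEBAR_REL, "Settings.ini"), "w",
              encoding="utf-16") as fh:
        fh.write("[Root]\nSettingsVersion=1\n[Section 1]\n"
                 "GadgetPath=%LOCALAPPDATA%\\Microsoft\\Windows Sidebar\\Gadgets"
                 "\\internal_use_only.gadget\n")
    return root


def _read_text(path: str) -> str:
    """Settings.ini may be UTF-16 with a BOM; fall back to UTF-8 otherwise."""
    with open(path, "rb") as fh:
        raw = fh.read()
    if raw.startswith((b"\xff\xfe", b"\xfe\xff")):
        return raw.decode("utf-16")
    return raw.decode("utf-8", errors="replace")


def collect_gadget_artifacts(profile_root: str) -> Dict[str, List[str]]:
    """Return installed gadgets, their manifest/HTML files and Settings.ini
    lines that mention a .gadget, for a given %USERPROFILE% root."""
    sidebar = os.path.join(profile_root, SIDEBAR_REL)
    result: Dict[str, List[str]] = {"installed_gadgets": [],
                                    "gadget_files": [], "settings_refs": []}
    gadgets_dir = os.path.join(sidebar, "Gadgets")
    if os.path.isdir(gadgets_dir):
        for entry in sorted(os.listdir(gadgets_dir)):
            path = os.path.join(gadgets_dir, entry)
            if os.path.isfile(os.path.join(path, "gadget.xml")):
                result["installed_gadgets"].append(entry)
                for name in ("gadget.xml", "gadget.html"):
                    file_path = os.path.join(path, name)
                    if os.path.isfile(file_path):
                        result["gadget_files"].append(file_path)
    settings = os.path.join(sidebar, "Settings.ini")
    if os.path.isfile(settings):
        for line in _read_text(settings).splitlines():
            if ".gadget" in line.lower():
                result["settings_refs"].append(line.strip())
    return result


if __name__ == "__main__":
    for key, values in collect_gadget_artifacts(build_sample_profile()).items():
        print(key)
        for value in values:
            print("   ", value)
```

On a real case, point collect_gadget_artifacts at each user profile directory; a gadget that appears under Gadgets but not in Settings.ini, or the other way round, tells you whether the user got as far as adding it to the Sidebar.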

Nothing extraordinary – just yet another creative way to deliver the badness.