Beyond good ol’ Run key, Part 8

The last two posts in the series covered autorun mechanisms that could be called a ‘side-effect’. Today a slightly different topic – one that relies on the social engineering of users, and on the very old concept of a companion virus. The idea described below is not a typical autostart mechanism and is actually a description of existing, legitimate functionality, but as long as users use jumplists frequently it may act quite successfully as a persistence mechanism. It may also be a secondary option for malware that has been removed from the typical autorun entries by antivirus software or the user. Nothing new here, and the topic is covered by a lot of other blogs, but since I am trying to document all possible persistence mechanisms, it’s worth mentioning for completeness.

Jumplists, introduced in Windows 7, are used to organize recently opened files, favorite files, folders, and websites. They offer more options than shortcut files, and this flexibility can be easily abused. I will show you one simple example of such abuse, done manually; there are a lot of other options of course, and they can obviously be automated using the exposed Jumplist interface.

To test it, you may want to download JumpList Editor – it’s a handy tool that allows one to edit Jumplists present on the system.

Here, I am using it to add a fake entry under Internet Explorer:

  • First, we select the existing entry for Internet Explorer:

win8_jumplist_1

  • Now we add a Link entry:

win8_jumplist_2

  • We can call it e.g. “My Bank Web Site”; in a real-world scenario, malware could re-use an existing entry and replace it (hence the companion virus reference)

win8_jumplist_3

  • Once we click Save, we can observe the entry added to the Internet Explorer Jump list

win8_jumplist_4

  • Clicking the icon launches the Calculator

win8_jumplist_5

There are other interesting options out there. For example, one can add a Multiple Link – this will create a link that launches two applications at the same time. Therefore, one could swap an existing link to an application for a Multiple Link that would launch both of them simultaneously.

win8_jumplist_6

Despite looking like a link to Notepad, ‘Double Trouble’ launches both preprogrammed applications at the same time when clicked: Notepad and Calculator. Quite a nice way to hide in plain sight.

win8_jumplist_7

It’s easy to notice that the links we have added are all located under the ‘Tasks’ entries; this may not be ideal and a savvy user may notice something ‘funny’, but how many people really pay attention to such small details? Besides, this is the only option offered for easy manipulation by JumpList Editor. In reality, pretty much any aspect of the JumpLists can be abused – either by using documented APIs, or by manually modifying the actual Jumplist or Shortcut LNK files. One could replace legitimate tasks like ‘Start InPrivate Browsing’, ‘Open new Tab’, etc.

Beyond good ol’ Run key, Part 7

In my last post of this series I discussed the VBA Monitor mechanism that can be used to execute code any time a Visual Basic application is started. Today’s topic is similar and covers yet another internal Microsoft component that could be abused to load arbitrary code – this time it happens any time an application crashes. As far as I can tell, it only works on XP, so it’s a bit old and not that practically useful, but given that XP is still out there in large numbers it is worth documenting.

The component that we will abuse is called OAClient. It is an agent that is a part of a distributed test management system called Oasys (Office Automation System) and which is used internally by Microsoft to test their Office suites.

How do I know?

I have read about it in this pdf (‘Exploring Cross-Platform Testing Strategies at Microsoft’) that I found online while looking for the meaning of the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\OASys\OAClient key – and I looked for it because I spotted this key being queried by DWWIN.EXE any time an application crashes under Windows XP.

Once I found out, all I had to do was add the key, force an application to crash

notepad_crash

– so that DWWIN.EXE is launched – and then confirm that the presence of the OAClient key leads DWWIN.EXE to attempt to load the BTLOG.DLL file from c:\windows\system32.

dwwin_load_btlog_dll

There you have it.

To reproduce:

  • Create %windir%\system32\BTLOG.DLL
  • Add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\OASys\OAClient
  • Now launch an application that crashes and loads DWWIN.EXE as a result of the crash (e.g. copy notepad.exe to notepad2.exe and patch its entry point with 0xCC = int 3); DWWIN.EXE will load BTLOG.DLL.
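As an added example (not code from the original post), here is a PowerShell check a defender can run on an XP-era host to look for this mechanism: it tests for the OAClient key and the BTLOG.DLL path described above, and reports the DLL’s signature status and hash for triage. It assumes rights to read HKLM and %windir%\system32, and PowerShell 2.0 or later.

```powershell
# Added example, not part of the original post: audit a host for the
# OAClient / DWWIN.EXE persistence mechanism described above.
# Assumes: read access to HKLM and %windir%\system32; PowerShell 2.0+.

function Get-OAClientPersistence {
    # The key DWWIN.EXE queries on crash, and the DLL it then tries to load
    $key = 'Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\OASys\OAClient'
    $dll = Join-Path $env:windir 'system32\BTLOG.DLL'

    $finding = New-Object PSObject -Property @{
        KeyPresent   = (Test-Path $key)
        DllPresent   = (Test-Path $dll)
        DllSignature = $null
        DllSigner    = $null
        DllSha1      = $null
        Suspicious   = $false
    }

    if ($finding.DllPresent) {
        # Signature status and signer help decide whether the DLL is expected
        $sig = Get-AuthenticodeSignature -FilePath $dll -ErrorAction SilentlyContinue
        if ($sig) {
            $finding.DllSignature = $sig.Status.ToString()
            if ($sig.SignerCertificate) { $finding.DllSigner = $sig.SignerCertificate.Subject }
        }
        # SHA1 (available on XP-era .NET) so the file can be compared across hosts
        $sha1   = [System.Security.Cryptography.SHA1]::Create()
        $stream = [System.IO.File]::OpenRead($dll)
        try {
            $finding.DllSha1 = ($sha1.ComputeHash($stream) |
                ForEach-Object { $_.ToString('x2') }) -join ''
        } finally { $stream.Close() }
    }

    # The key only has meaning for Microsoft's internal Oasys test agent, so on a
    # production host its presence alone is worth escalating; an unsigned
    # BTLOG.DLL next to it makes the finding stronger.
    $finding.Suspicious = $finding.KeyPresent -or
        ($finding.DllPresent -and $finding.DllSignature -ne 'Valid')
    return $finding
}

Get-OAClientPersistence | Format-List KeyPresent, DllPresent, DllSignature, DllSigner, DllSha1, Suspicious
```

Remediation, if the finding is unexpected, is to remove the OAClient key and quarantine the DLL for analysis rather than simply deleting it.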
