Beyond good ol’ Run key, Part 35

A long time ago in a galaxy far, far away… Microsoft was releasing new versions of a super uber cool pre-web era editing control called Rich Edit. I remember programming one of my early Windows API apps ages ago, and at that time I was a bit puzzled. Puzzled, because I had to determine which version of the Rich Edit control I could use, and then I had to ensure that I loaded the respective library myself to use certain features of the control.

The Rich Edit control was and still is a great editing control – it supports multi-line editing, Unicode, COM, and lots of other whistles and fireworks. It became the foundation of many applications and editors and in many respects was ahead of its time. The libraries backing the various versions of the control are as follows:

  • 1.0 – Riched32.dll
  • 2.0 – Riched20.dll
  • 3.0 – Riched20.dll
  • 4.1 – Msftedit.dll

And yes, you know where it is going…

Many apps following Microsoft’s mantra of loading the appropriate Rich Edit control would use the LoadLibrary API to do so, which opens them up to a nice DLL hijack.

Dropping a malicious Riched20.dll and/or Riched32.dll in the same directory as an application relying on the Rich Edit control will lead to the execution of the malicious code each time the app is launched.

A popular example of such an app is WinRAR. Many people use it as a standalone app, and winrar.exe works without any supporting files, so it can be dropped anywhere. Other examples include the very old, but still popular, Resource Hacker, as well as some tools from Sysinternals, f.ex. ADInsight.exe and Bginfo.exe, FileInsight from McAfee, old EditPad, OllyDbg, and many more…

[Image: riched]

The newer version of the Rich Edit DLL (Msftedit.dll) is maybe less common, but can still be found in popular applications. One I came across is aswMBR.exe from AVAST – the below pops up with my decoy DLL dropped inside the same dir as aswMBR.exe, and it activates when I try to save the log.

[Image: Msftedit]

Since many applications using Rich Edit are signed, the unsigned DLL may be loaded in the very same manner as PlugX malware does it, i.e. a signed .exe loading an unsigned .dll.
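From the defender’s side, the cheapest check for the above is to look for copies of the three Rich Edit DLLs that live anywhere other than the Windows system directories. The following is an added example (not code from the original post): a directory walk that reports such copies, with a constructed folder layout and a hypothetical portable app directory used for the demo.

```python
# Added example (not from the original post): a hunt for Rich Edit DLLs sitting
# outside the Windows system directories, where a planted copy would have to
# live for an application's LoadLibrary call to pick it up before the real one.
import os
import tempfile

# The three libraries named in the post, lower-cased for case-insensitive matching.
RICHEDIT_DLLS = {"riched32.dll", "riched20.dll", "msftedit.dll"}


def find_richedit_sideload_candidates(root, system_dirs):
    """Walk `root` and return every Rich Edit DLL that is not in one of `system_dirs`.

    `system_dirs` holds the legitimate locations (normally %SystemRoot%\\System32
    and %SystemRoot%\\SysWOW64); a copy anywhere else deserves a closer look.
    """
    legit = {os.path.normcase(os.path.normpath(d)) for d in system_dirs}
    hits = []
    for dirpath, _subdirs, filenames in os.walk(root):
        if os.path.normcase(os.path.normpath(dirpath)) in legit:
            continue
        hits.extend(os.path.join(dirpath, f) for f in filenames
                    if f.lower() in RICHEDIT_DLLS)
    return sorted(hits)


def demo():
    """Constructed layout: a fake System32 plus a hypothetical portable app folder
    that carries its own RICHED20.DLL next to the executable. Returns relative hits."""
    with tempfile.TemporaryDirectory() as tmp:
        system32 = os.path.join(tmp, "Windows", "System32")
        app_dir = os.path.join(tmp, "Tools", "portable_app")  # hypothetical app folder
        os.makedirs(system32)
        os.makedirs(app_dir)
        layout = {system32: ["Riched20.dll", "Msftedit.dll"],
                  app_dir: ["app.exe", "RICHED20.DLL", "readme.txt"]}
        for folder, names in layout.items():
            for n in names:
                open(os.path.join(folder, n), "wb").close()
        hits = find_richedit_sideload_candidates(tmp, [system32])
        return [os.path.relpath(h, tmp).replace(os.sep, "/") for h in hits]
```

Pointing the function at a real drive with the actual System32 and SysWOW64 paths gives the list of application folders that ship (or have been seeded with) their own Rich Edit DLL, which is where a signature check should follow.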

The art of Stuffing and Dressing of Application Data folder

The Application Data folder is a very popular destination for malware. Files are typically dropped either directly inside it or into subdirectories that are randomized, that leverage existing OS subdirectories, or that the malware creates itself – often mimicking well-known applications’ folders (f.ex. Mozilla).

The attached list contains over 7000 file names of files that are ‘dropped’ inside the Application Data folder. The file names were extracted from a large set of sandbox reports.

Once stuffed into the folder, the malware often dresses itself up by impersonating popular applications, f.ex.:

chrome.exe

  • \Application Data\23405d2\Chrome.exe
  • \Application Data\4236aa7\Chrome.exe
  • \Application Data\cchrome.exe
  • \Application Data\Chrome.exe
  • \Application Data\Directory\Chrome.exe
  • \Application Data\Google\Chrome\Application\chrome.exe
  • \Application Data\GoogleChrome.exe
  • \Application Data\Orbitum\Application\chrome.exe
  • \Application Data\qChrome\chrome.exe
  • \APPLICATION DATA\SVCHOST\CHROME.EXE
  • \Application Data\temp\chrome.exe
  • \APPLIC~1\chrome.exe

firefox.exe

  • \Application Data\firefox.com
  • \Application Data\firefox.exe
  • \Application Data\firefox32.exe
  • \Application Data\firefox32\fox32.exe
  • \Application Data\Mozilla\Firefox\firefox.exe
  • \APPLIC~1\Firefox.exe

java.exe

  • \Application Data\google\java.exe
  • \Application Data\Java.exe
  • \Application Data\java\java.exe
  • \Application Data\logjava.exe
  • \application data\sys\jre\bin\java.exe
  • \application data\x10flasher_lib\jre\bin\java.exe
  • \application data\x10flasher_lib\winjre32\bin\java.exe
  • \application data\x10flasher_lib\winjre32\jre\bin\java.exe

smss.exe

  • \Application Data\CDWD\ntsmss.exe
  • \Application Data\GHGF\ntsmss.exe
  • \Application Data\ipseol32\rtcssmss.exe
  • \Application Data\Microsoft\smss.exe
  • \Application Data\Microsoft\Windows\smss.exe
  • \Application Data\secetupn\mqsvsmss.exe
  • \Application Data\smss.exe
  • \Application Data\sys\smss.exe
  • \Application Data\sysdrivers\smss.exe
  • \Application Data\syssmss.exe
  • \Application Data\System\Oracle\smss.exe
  • \Application Data\WINDOWS\SMSS.EXE
  • \Application Data\winhelp\smss.exe
  • \Application Data\zbwpukwyg\smss.exe
  • \APPLIC~1\smss.exe

and so on and so forth, including some ridiculous corporate hybrids like these:

  • \Application Data\\Application Data\Google\hkcmd.exe
  • \Application Data\google\java.exe
  • \Application Data\Google\MicrosoftSecurity64.exe
  • \Application Data\Google\svchost.exe
  • \Application Data\GOOGLE\winlogon.exe
  • \Application Data\install\csrss.exe
  • \APPLICATION DATA\INSTALL\EXPLORER.EXE
  • \APPLICATION DATA\INSTALL\IEXPLORER.EXE
  • \Application Data\Java\svchost.exe
  • \Application Data\MicOffice\MicOffice.scr
  • \Application Data\Microsoft\Adbeflashplugin.exe
  • \Application Data\Microsoft\GoogleToolbarNotifier.exe
  • \Application Data\Microsoft\Micromedia\winconime.exe
  • \Application Data\Microsoft\SystemCertificates\LeapFTP.exe
  • \Application Data\Microsoft\SystemCertificates\My\CRLs\Flashfxp.exe

or AV impersonators:

  • \Application Data\Karpesky.exe
  • \Application Data\KASPERANTIVIRUS.EXE
  • \Application Data\KasperskyAV.exe
  • \Application Data\MCAFEEANTIVIRUS.EXE
  • \Application Data\MCAFEEAV32.EXE
  • \Application Data\NOD32KERNELS.EXE
  • \Application Data\NOD64.EXE
  • \Application Data\NORMANANTIVIRUS.EXE
  • \Application Data\NortonLive.exe
  • \Application Data\SYMANTECAV.EXE
  • \Application Data\SYMANTECAV2.EXE

Since it is a blacklist, it can be applied to hunting and file-list analysis. False positives are definitely there, so you have been warned 🙂
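The patterns in the lists above (system binary names under Application Data, vendor names outside their own folder, AV product names, application names with an odd extension) can be turned into a reusable rule rather than a bare name list. The following is an added example (not the post’s attached list or code): a path classifier whose name sets are built from the entries shown above, returning the reasons a given path looks like impersonation.

```python
# Added example (not from the original post): a path-classification rule that
# encodes the impersonation patterns listed above so it can run over a file
# list or sandbox report. The name sets below are built from the post's lists.
import ntpath
import re

# Windows system binaries whose real copies live under %SystemRoot%, never in a profile.
SYSTEM_BINARIES = {"smss.exe", "csrss.exe", "svchost.exe", "winlogon.exe",
                   "explorer.exe", "iexplorer.exe", "hkcmd.exe"}
# Impersonated applications mapped to the vendor folder a genuine copy sits under.
IMPERSONATED_APPS = {"chrome.exe": "google", "firefox.exe": "mozilla", "java.exe": "java"}
# Substrings taken from the AV impersonator names in the post.
AV_NAMES = ("kasper", "karpesky", "mcafee", "nod32", "nod64", "norman", "norton", "symantec")
# Matches both the long folder name and its 8.3 short form, case-insensitively.
APPDATA_RE = re.compile(r"\\(?:application data|applic~1)\\", re.IGNORECASE)


def classify_appdata_path(path):
    """Return the reasons `path` looks like impersonation inside Application Data ([] if none)."""
    m = APPDATA_RE.search(path)
    if not m:
        return []                      # the rule only covers Application Data paths
    parts = [p for p in path[m.end():].split("\\") if p]   # components below Application Data
    if not parts:
        return []
    name = parts[-1].lower()
    folders = [p.lower() for p in parts[:-1]]
    stem, ext = ntpath.splitext(name)
    reasons = []
    if name in SYSTEM_BINARIES:
        reasons.append("system binary name under Application Data")
    elif any(name.endswith(s) for s in SYSTEM_BINARIES):   # ntsmss.exe, rtcssmss.exe, ...
        reasons.append("system binary name used as a suffix")
    vendor = IMPERSONATED_APPS.get(stem + ".exe")
    if vendor is not None and ext != ".exe":               # firefox.com and the like
        reasons.append("application name with a non-exe extension")
    elif vendor is not None and vendor not in folders:
        reasons.append("%s outside its %s folder" % (name, vendor))
    if any(a in name for a in AV_NAMES):
        reasons.append("anti-virus product name in file name")
    return reasons
```

Run over a file listing, every path with a non-empty result is a candidate for the hunt; the vendor-folder rule in particular still fires on legitimate portable installs, so treat it as a lead, not a verdict.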