Beyond good ol’ Run key, Part 34

I mentioned various laptop/touchpad software in my older posts in this series (Synaptics, Alps). I recently came across yet another product from Alps which is installed on some Toshiba laptops. Browsing through the available options of the Alps Pointing-device Driver software I discovered two potential exotic persistence locations which will probably never be abused, but are still worth mentioning – for completeness, and because the software is somewhat vintage and hilarious at the same time.

First, the vintage part. Alps offers a tray-icon based Easy Launcher. I think the software was designed a really long time ago, way before Windows XP and 7 existed (let alone newer versions), and at that time it was probably a nice extension to have. In today’s Windows user interface world there are so many better ways of achieving the same goal that it is really funny to see an archaic-looking Easy Launcher at work (let alone installed on a laptop from 2015; touché Toshiba).

Let’s see:

  • To launch the Easy Launcher, we need to click the Touchpad icon in the tray icon (notification) area
  • We will see the following user interface:

[screenshot: easylauncher1]

  • We then need to click the Easy Launcher item, which shows us… an old-school menu

[screenshot: easylauncher2]

  • Selecting Specified Files shows the available options, including one item which I defined for demonstration purposes – a menu element that launches Calculator

[screenshot: easylauncher3]

All the data that Easy Launcher shows is taken from the following registry location:

  • HKEY_CURRENT_USER\Software\Alps\Apoint\EasyLauncher

as seen below:

[screenshot: easylauncher4]

where:

  • C01 – the command executed by menu item #1
  • I01 – the path to the file from which the icon shown by Easy Launcher is taken
  • T01 – the title, as seen in the Easy Launcher menu
  (the same Cxx/Ixx/Txx triplet repeats for each further menu item)

It is pretty obvious that we can modify the C01 entry (and the other relevant Cxx entries) in the Registry to point to a man-in-the-middle malicious executable that launches Calculator (in our case) after doing its own thing, or we can simply hijack the whole entry. Since the key lives under HKEY_CURRENT_USER, no elevation is required to write it; the catch is that the payload only runs when the user actually picks that item from the menu.

For example: changing C01 to point to C:\Windows\System32\notepad.exe will launch Notepad any time Calc is selected from the menu. Interestingly, since it is the I01 entry that holds the information about the source of the icon presented in the UI, there will be no visible clue that the entry now points to Notepad.

Such a malicious hijacking effort certainly won’t fool an experienced power user of the Easy Launcher, who will be able to swiftly discover the modifications by exploring the modified settings, as shown below:

[screenshot: easylauncher0]
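For those who would rather not eyeball the dialog, here is an added example (mine, not part of the original post and not an Alps or RegRipper component) that audits the EasyLauncher key offline: it parses a `reg export` of HKEY_CURRENT_USER\Software\Alps\Apoint\EasyLauncher and flags items whose Cxx target does not match the Ixx icon source (the Notepad-behind-a-Calculator-icon trick above) or whose target lives outside the Windows and Program Files trees. The .reg text is constructed to resemble that hijack; the REG_SZ value type, the third sample item and the "trusted roots" heuristic are my assumptions.

```python
import re
from pathlib import PureWindowsPath

KEY = r"HKEY_CURRENT_USER\Software\Alps\Apoint\EasyLauncher"

# Constructed sample of "reg export HKCU\Software\Alps\Apoint\EasyLauncher" after the
# hijack described in the post: C01 retargeted to Notepad, I01 still pointing at calc.exe.
# Item 3 is a made-up entry whose target sits in the user's profile (assumption: REG_SZ values).
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Alps\Apoint\EasyLauncher]
"C01"="C:\\Windows\\System32\\notepad.exe"
"I01"="C:\\Windows\\System32\\calc.exe"
"T01"="Calculator"
"C02"="C:\\Program Files\\Tool\\tool.exe"
"I02"="C:\\Program Files\\Tool\\tool.exe"
"T02"="Tool"
"C03"="\"C:\\Users\\bob\\AppData\\Roaming\\upd.exe\" /q"
"I03"="C:\\Users\\bob\\AppData\\Roaming\\upd.exe"
"T03"="Mail"
"""

_VALUE_RE = re.compile(r'^"([CIT])(\d+)"="(.*)"$')

def _unescape(raw):
    # Undo .reg escaping: inside a REG_SZ value a backslash quotes the next character.
    return re.sub(r"\\(.)", r"\1", raw)

def parse_easylauncher(reg_text):
    """Return {item_number: {'C': command, 'I': icon_path, 'T': title}} for the key above."""
    items = {}
    in_key = False
    for line in reg_text.splitlines():
        line = line.strip()
        if line.startswith("["):            # a new key starts; only follow the one we care about
            in_key = (line == "[" + KEY + "]")
            continue
        m = _VALUE_RE.match(line) if in_key else None
        if m:
            kind, num, raw = m.groups()
            items.setdefault(int(num), {})[kind] = _unescape(raw)
    return items

def executable_of(command):
    """Program path from a command string: honour a quoted program name, otherwise treat
    the whole string as the path (simplification: unquoted paths with arguments are not split)."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command

# Heuristic (assumption, tune per environment): launcher targets are expected under these roots.
TRUSTED_ROOTS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")

def audit(items):
    """Flag items whose icon source disagrees with the command target (the hijack pattern
    from the post) or whose target lives outside the trusted roots."""
    findings = []
    for num in sorted(items):
        item = items[num]
        command = item.get("C")
        if not command:
            continue
        exe = PureWindowsPath(executable_of(command))
        icon = item.get("I")
        reasons = []
        if icon and PureWindowsPath(icon).name.lower() != exe.name.lower():
            reasons.append("icon source does not match command target")
        if not str(exe).lower().startswith(TRUSTED_ROOTS):
            reasons.append("command target outside Windows/Program Files")
        if reasons:
            findings.append({"item": num, "title": item.get("T", ""),
                             "command": command, "icon": icon, "reasons": reasons})
    return findings

if __name__ == "__main__":
    for f in audit(parse_easylauncher(SAMPLE_REG)):
        print(f"item {f['item']} ({f['title']!r}): {f['command']}  <- {', '.join(f['reasons'])}")
```

On a live box the same logic can be fed from `reg export "HKCU\Software\Alps\Apoint\EasyLauncher" out.reg` (the export is UTF-16 with a BOM, so open it with `encoding="utf-16"`); the icon-versus-target comparison is the part worth keeping, because it is exactly the inconsistency the hijack leaves behind.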

The second best exotic persistence mechanism I am going to describe is like The Second Best Exotic Marigold Hotel – it is certainly promising, but to deliver it will require a lot of effort; and this time not from the attacker, but from the victim. This is the hilarious bit.

There is a mysterious gesture function that the Alps touchpad offers called 3-Fingers Press which relies on a simultaneous caress delivered to the touchpad with a power of 3, precisely synchronized fingers. The gesture is so subtle and refined that any threat actor considering this maneuver as a way to persist on the targeted system is definitely the Sun Tzu of all APT actors, both the real ones and those imagined. Despite many efforts, boot camps and 1000 hours on the touchpad simulator, I have yet to accomplish the mission of mastering this unique fingering stance – and for that reason (and one more reason mentioned below) I name this APT persistence mechanism the self-touch of death.

On a technical note, the secret setting enabling the magic gesture is hidden in the Advanced options:

[screenshot: selftouchofdeath1]

There, one can enter the Settings dialog box and – lo and behold – add multiple executables in one go:

[screenshot: selftouchofdeath2]

In an attempt to understand the logic behind the design of this feature, I came up with a hypothesis that I unfortunately cannot share on a public forum. The ability to run multiple executables with a single stroke is certainly a stroke of genius. And as such, a perfect reason to call it the self-touch of death.

Last, but not least, the settings that manage this feature are stored in the following location:

  • HKEY_CURRENT_USER\Software\Alps\Apoint\Mouse

[screenshot: selftouchofdeath3]

Due to the unique nature of this persistence mechanism and the APT actors potentially hidden behind it, I do not recommend developing a RegRipper plug-in for it.

The art of disrespecting AV (and other old-school controls), Part 3

This is the third part of the series (part 1, part 2), which this time is somewhat shorter, but it is just an excuse to jot down some notes about the actual engines that AV uses internally.

Many people complain about AV using hashes to detect malware – I would say that an AV that detects malware via hashes only should not even be on the market, because it would not survive. Your average AV contains a significant number of engines and subengines using many algorithms – many of which are lightning fast. Reducing the discussion about AV internals to ‘AV uses hashes’ is simply not fair.

Let’s have a look – I use the word ‘engine’ quite loosely here: it does not necessarily mean pure detection-specific logic, but something that often facilitates the detection itself. Each of these is typically a quite serious programmatic effort, and they are combined to create the ‘holistic’ coverage – yes, it fails, it contains vulnerabilities like any other software, but take a moment to think about the effort that goes into designing and testing all this clustergoodness:

  • static binary string search
  • binary string with a simple wildcards search
  • binary string with a regex (or regex-like) search
  • multi-pattern search engines using lookup tables of any sort/trees/tries and proprietary algorithms
  • container/archiver processor – reads files or streams embedded inside other files/containers
  • file/specific content analyzer/processor – for each file type or content type there is a dedicated engine, e.g. MBR, old DOS .COM file, Flash, OLE files, Symbian SIS, ISO, etc. – note that many of these engines expire as the technologies fall out of use/popularity, but the code is _there_
  • unpacker – decompresses streams of data to present them to other engines
  • emulator – simple state machines with a basic understanding of some opcodes
  • emulator – full-blown emulator with most opcodes supported
  • sandbox – full-blown emulator with support of API & memory
  • hooks – dynamic, for on-access scans
  • heuristics engine
  • whitelisting engine
  • detection engine based on file properties
  • rootkit detection engine
  • native file system parser (for various file systems)
  • memory dumper/file rebuilders
  • online scanner (virustotal-like)
  • behavioral engines
  • reputation engines
  • quarantine engine
  • CRC/incremental CRC search
  • hash-based search
  • entropy analysis
  • X-raying (recovering an encrypted virus body through its weak encryption rather than by emulating the decryptor)
  • and finally… the removal and repair engine – if none of the above impress you… think for a second what effort goes into ensuring you can remove a complex polymorphic or metamorphic file virus from a gazillion files on the system without corrupting the files or crashing the system.

There are probably others which I forgot about, but this is really a lot more than just hashing.
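To make the ‘more than hashes’ point concrete, here is an added example (mine, not from the post or from any AV product) that runs three of the listed engines over constructed samples: an exact SHA-256 lookup, a byte-string search with `??` wildcards, and per-block entropy analysis. The ‘malware’ is a made-up XOR decryption stub followed by pseudo-random filler; changing the one XOR key byte kills the hash match but not the wildcard signature, and the filler trips the entropy check the way a packed section would. Names, thresholds and the signature syntax are my assumptions.

```python
import hashlib
import math
import re

# --- constructed samples (not real malware) ------------------------------------------
def build_stub(key):
    """A made-up x86-style XOR decryption loop; the byte after 0x34 (xor al, imm8) is the key."""
    return (b"\x55\x8b\xec\x33\xc0\x8a\x04\x0e\x34" + bytes([key]) +
            b"\x88\x04\x0e\x41\x3b\xcb\x72\xf5")

def pseudo_random(n, seed=b"seed"):
    """Deterministic high-entropy filler standing in for a packed/encrypted section."""
    out, block = b"", seed
    while len(out) < n:
        block = hashlib.sha256(block).digest()
        out += block
    return out[:n]

SAMPLE_A = build_stub(0x5A) + pseudo_random(4096) + b"\x00" * 512
SAMPLE_B = build_stub(0x7C) + pseudo_random(4096, b"other") + b"\x00" * 512   # "new variant"
CLEAN = b"This program cannot be run in DOS mode.\r\n" * 40

KNOWN_BAD_HASHES = {hashlib.sha256(SAMPLE_A).hexdigest()}     # the hash engine's database
SIGNATURES = {                                                 # the wildcard string engine's database
    "XorStub.Generic": "55 8B EC 33 C0 8A 04 0E 34 ?? 88 04 0E 41 3B CB 72 F5",
}

# --- engines -----------------------------------------------------------------------------
def compile_signature(text):
    """'55 8B ?? EC' -> compiled bytes regex; '??' matches any single byte."""
    parts = [b"." if tok == "??" else re.escape(bytes([int(tok, 16)])) for tok in text.split()]
    return re.compile(b"".join(parts), re.DOTALL)

def shannon_entropy(data):
    """Bits per byte: 0.0 for constant data, up to 8.0 for uniformly distributed bytes."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    h = 0.0
    for c in counts:
        if c:
            p = c / n
            h -= p * math.log2(p)
    return h

def scan(data, hash_db=KNOWN_BAD_HASHES, signatures=SIGNATURES, block=1024, threshold=7.0):
    """Run the three engines over one file image and return their verdicts."""
    return {
        "hash": hashlib.sha256(data).hexdigest() in hash_db,
        "signatures": [name for name, sig in signatures.items()
                       if compile_signature(sig).search(data)],
        "high_entropy_blocks": sum(1 for off in range(0, len(data), block)
                                   if shannon_entropy(data[off:off + block]) > threshold),
    }

if __name__ == "__main__":
    for label, sample in (("A (in hash db)", SAMPLE_A), ("B (variant)", SAMPLE_B), ("clean", CLEAN)):
        print(label, scan(sample))
```

Sample A hits all three engines; sample B, the one-byte variant, is invisible to the hash engine but still caught by the wildcard signature and still looks packed to the entropy check; the clean text hits nothing. A real product would not compile one regex per signature but feed all of them into a multi-pattern automaton (the ‘lookup tables/trees/tries’ item above), which is what makes scanning millions of signatures per file affordable.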

If you talk about AV detection and the only thing you talk about is hash, it is probably because you smoke too much of it… 🙂