`

[转]malware persistence

 
阅读更多
原文地址:http://jumpespjump.blogspot.com/2015/05/many-ways-of-malware-persistence-that.html

[b]1. Autoruns[/b]
My favorite choice when it comes to malware persistence is Sysinternals tools, Autoruns. In this paragraph, I mainly quote the official built-in help, but bear with me, it is still interesting.

On a side note, there are some problems with the Autoruns tool: it can only run on a live system. (EDIT: This is not true, Autoruns can analyze offline systems as well! Thanks to a comment from Justin.) And usually this is not the case - I usually have dd images. And although VBoxManage can convert the dd images to VirtualBox disk image format, usually I don't have the time and storage to do that. This is where xmount awesomeness is here to rescue the day. It can convert dd and Encase images on-the-fly in-memory to Virtualbox format. Just attach the disk image to a new Virtualbox machine as the main boot HDD, modify the CPU/disk/controller settings until Windows starts instead of crashing, and voila, you can boot your forensic image - without modifying a single bit on the original evidence dd file. Another problem with malware analysis on live system is that a good rootkit can fool the analyst easily.

For quick wins, I usually filter out Microsoft entries, look for per user locations only and check for unverified (missing or invalid Authenticode) executables. This usually helps finding 90% of malware easily. Especially if it has a color like purple or pink, it is highly suspicious. To find the rest, well, one has to dig deeper.


Logon
"This entry results in scans of standard autostart locations such as the Startup folder for the current user and all users, the Run Registry keys, and standard application launch locations."
There are 42 registry keys/folders at the moment in Autoruns, which can be used to autostart a malware. The most common ways are the HKCU\Software\Microsoft\Windows\CurrentVersion\Run and the C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup folder.
One of my favorite regarding this topic is the file-less Poweliks malware, 100% pure awesomeness. Typical ring 3 code execution.

Explorer
"Select this entry to see Explorer shell extensions, browser helper objects, explorer toolbars, active setup executions, and shell execute hooks". 71 registry keys, OMG. Usually this is not about auto-malware execution, but some of them might be a good place to hide malware.

Internet explorer
"This entry shows Browser Helper Objects (BHO's), Internet Explorer toolbars and extensions". 13 registry key here. If a malicous BHO is installed into your browser, you are pretty much screwed.


Scheduled tasks
"Task scheduler tasks configured to start at boot or logon." Not commonly used, but it is important to look at this.
I always thought this part of the autostart entries is quite boring, but nowadays, I think it is one of the best ways to hide your malware. There are so many entries here by default, and some of them can use quite good tricks to trigger the start.
Did you know that you can create custom events which trigger on Windows event logs?
Did you know you can create malware persistence just by using Windows tools like bitsadmin and Scheduled tasks?

                            Scheduler in the old days

                            Scheduler in the new days
Services
HKLM\System\CurrentControlSet\Services is a very common place to hide malware, especially rootkits. Check all entry with special care.

Drivers
Same as services. Very common place for rootkits. Unfortunately, signing a driver for 64-bit systems is not fun anymore, as it has to be signed by certificates which can be chained back to "Software Publisher Certificates". Typical startup place for Ring 0 rootkits.
Starting from Windows 10, even this will change and all drivers has to be signed by "Windows Hardware Developer Center Dashboard portal" and EV certificates.

Codecs
22 registry keys. Not very common, but possible code execution.

Boot execute
"Native images (as opposed to Windows images) that run early during the boot process."
5 registry keys here. Good place to hide a rootkit here.

Image hijacks
"Image file execution options and command prompt autostarts." 13 registry key here. I believe this was supposed for debugging purposes originally.
This is where the good-old sticky keys trick is hiding. It is a bit different from the others, as it provides a backdoor access, but you can only use this from the local network (usually). The trick is to execute your code whenever someone presses the SHIFT key multiple times before logging into RDP. The old way was to replace the sethc.exe, the new fun is to set a debug program on sethc.

AppInit
"This has Autoruns shows DLLs registered as application initialization DLLs." Only 3 registry keys here. This is the good old way to inject a malicious DLL into explorer, browsers, etc. Luckily it is going to be deprecated soon.

Known DLLs
"This reports the location of DLLs that Windows loads into applications that reference them." Only 1 registry key. This might be used to hijack some system DLLs.

Winlogon
"Shows DLLs that register for Winlogon notification of logon events." 7 registry keys. Sometimes used by malware.

Winsock providers
"Shows registered Winsock protocols, including Winsock service providers. Malware often installs itself as a Winsock service provider because there are few tools that can remove them. Autoruns can disable them, but cannot delete them." 4 registry keys. AFAIK this was trendy a while ago. But still, a good place to hide malware.

Print monitors
"Displays DLLs that load into the print spooling service. Malware has used this support to autostart itself." 1 registry key. Some malware writers are quite creative when it comes to hide their persistence module.

LSA providers
"Shows registers Local Security Authority (LSA) authentication, notification and security packages." 5 registry keys. A good place to hide your password stealer.

Network providers
"Missing documentation". If you have a good 1 sentence documentation, please comment.

WMI filters
"Missing documentation". Check Mandiant for details.

Sidebar gadgets
Thank god MS disabled this a while ago


2. Common ways - not in autoruns
Backdoor an executable/DLL
Just change the code of an executable which is either auto-starting, or commonly started by the user. To avoid lame mistakes, disable the update of the file ... The backdoor factory is a good source for this task. But if you backdoor an executable/DLL which is already in Autoruns listed, you will break the Digital Signature on the file. It is recommended to sign your executable, and if you can't afford to steal a trusted certificate, you can still import your own CA into the user's trusted certificate store (with user privileges), and it will look like a trusted one. Protip: Use "Microsoft Windows" as the code signer CA, and your executable will blend in.



Hijack DLL load order
Just place your DLL into a directory which is searched before the original DLL is found, and PROFIT! But again, to avoid lame detection, be sure to proxy the legitimate function calls to the original DLL. A good source on this topic from Mandiant and DLL hijack detector.

Hijack a shortcut from the desktop/start menu
Never underestimate the power of lame tricks. Just create an executable which calls the original executable, and meanwhile starts your backdoor. Replace the link, PROFIT! And don't be a skiddie, check the icon ;) I have seen this trick in adware hijacking browsers a lot of times.

File association hijack
Choose the user's favourite file type, replace the program which handles the opening with a similar one described in the previous section, and voila!

COM object hijack
The main idea is that some COM objects are scanned for whether they are on the system or not, and
when it is registered, it is automatically loaded. See COMpfun for details.

Windows Application Compatibility - SHIM
Not many people are familiar with Windows Application Compatibility and how it works. Think about it as an added layer between applications and the OS. If the application matches a certain condition (e.g. filename), certain actions will take place. E.g. emulation of directories, registry entries, DLL injection, etc. In my installation, there are 367 different compatibility fixes (type of compatibility "simulation"), and some of those can be customized.


3. Bootkits
Although bootkits shown here can end up in Autoruns in the drivers section (as they might need a driver at the end of the day), I still think it deserves a different section.

MBR - Master boot record
Malware can overwrite the Master boot record, start the boot process with it's own code, and continue the boot process with the original one. It is common for rootkits to fake the content of the MBR record, and show the original contents. Which means one just have attach the infected HDD to a clean system, and compare the first 512 bytes (or more in some cases) with a known, clean state, or compare it to the contents shown from the infected OS. SecureBoot can be used to prevent malware infection like this.

VBR - Volume boot record
This is the next logical step where malware can start it's process, and some malware/rootkit prefers to hide it's startup code here. Check GrayFish for details. SecureBoot can be used to prevent malware infection like this.

BIOS/UEFI malware
Both the old BIOS and the new UEFI can be modified in a way that malware starts even before the OS had a chance to run. Although UEFI was meant to be more secure than BIOS, but implementation and design errors happens. Check the Computrace anti-theft rootkit for details.

Hypervisor - Ring -1 rootkit
This is somewhat special, because I believe although rootkit can run in this layer but it can't persist only in this layer on an average, physical machine, because it won't survive a reboot See Rutkowska's presentation from 2006 But because the hypervisor can intercept the restart event, it can write itself into one of the other layers (e.g. install a common kernel driver), and simple delete it after it is fully functional after reboot.

SMM (System Management Mode) malware - Ring -2 rootkit
Somehow related to the previous type of attacks, but not many people know that System Management Mode can be used to inject code into the OS. Check the DEITYBOUNCE malware for more details ;) Also, abusing Intel Dual Monitor Mode (DMM) can lead to untrusted code execution, which basically monitors the SMM mode.

Intel® Active Management Technology - Ring -3 rootkit
According to Wikipedia, "Intel Active Management Technology (AMT) is hardware and firmware technology for remote out-of-band management of personal computers, in order to monitor, maintain, update, upgrade, and repair them". You can ask, what could possible go wrong? See Alexander Tereshkin's and Rafal Wojtczuk's great research on this, or Vassilios Ververis thesis about AMT.
As not many people click on links, let me quote the scary stuff about AMT:
Independent of main CPU
Can access host memory via DMA (with restrictions)
Dedicated link to NIC, and its filtering capabilities
Can force host OS to reboot at any time (and boot the system from the emulated CDROM)
Active even in S3 sleep!

4. Other stuff
Create new user, update existing user, hidden admins
Sometimes one does not even have to add malicious code to the system, as valid user credentials are more than enough. Either existing users can be used for this purpose, or new ones can be created. E.g. a good trick is to use the Support account with an 500 RID - see here, metasploit tool here.

Esoteric firmware malware
Almost any component in the computer runs with firmware, and by replacing the firmware with a malicious one, it is possible to start the malware. E.g. HDD firmware (see GrayFish again), graphic card, etc.

Hidden boot device
Malware can hide in one of the boot devices which are checked before the average OS is loaded, and after the malware is loaded, it can load the victim OS.

Network level backdoor
Think about the following scenario: everytime the OS boots, it loads additional data from the network. It can check for new software updates, configuration updates, etc. Whenever a vulnerable software/configuration update, the malware injects itself into the response, and get's executed. I know, this level of persistence is not foolproof, but still, possible. Think about the recently discovered GPO MiTM attack, the Evilgrade tool, or even the Xensploit tool when we are talking about VM migration.

Software vulnerability
Almost any kind of software vulnerability can be used as a persistent backdoor. Especially, if the vulnerability can be accessed remotely via the network, without any user interaction. Good old MS08-067...

Hardware malware, built into chipset
I am not sure what to write here. Ask your local spy agency for further information. Good luck finding those!
  • 大小: 24.3 KB
  • 大小: 166.4 KB
  • 大小: 35.4 KB
  • 大小: 82.5 KB
  • 大小: 28.6 KB
  • 大小: 36.9 KB
  • 大小: 8 KB
  • 大小: 13.6 KB
  • 大小: 4.2 KB
  • 大小: 89.5 KB
  • 大小: 13.7 KB
  • 大小: 26.7 KB
  • 大小: 28.4 KB
分享到:
评论

相关推荐

    360malware(安全检测软件)

    标题中的“360malware”指的是360公司推出的一款安全检测软件,主要用于帮助用户检测和清除计算机上的恶意软件,如病毒、木马、广告软件等。这款软件结合了360在网络安全领域的专业技术和丰富的数据库,为用户提供了...

    Cuckoo Malware Analysis

    Analyze malware using Cuckoo Sandbox Overview Learn how to analyze malware in a straightforward way with minimum technical skills Understand the risk of the rise of document-based malware Enhance ...

    Practical Malware Analysis

    Malware analysis is big business, and attacks can cost a company dearly. When malware breaches your defenses, you need to act quickly to cure current infections and prevent future ones from occurring....

    Malware-Patch屏蔽国产软件

    标题“Malware-Patch屏蔽国产软件”涉及到的主题是网络安全与软件兼容性问题,特别是关于一个名为Malware-Patch的工具如何影响中国产软件的运行。这个工具可能是一种安全补丁或者防护程序,其功能在于阻止特定类型的...

    Malware Defender

    Malware Defender

    IObit Malware Fighter注册码

    IObit Malware Fighter是一款功能强大的反恶意软件工具,旨在为用户提供全面的安全保护,防止各种恶意软件、广告软件、间谍软件等对计算机系统的侵害。该软件通过其先进的扫描技术和实时防护系统,能够有效地检测并...

    wp-gateway-anti-malware-sets-bar

    **知识点详解:McAfee Gateway Anti-Malware技术在网络安全防护中的创新与突破** 随着网络威胁的不断演变,传统的安全防御机制已经难以应对新型、复杂且隐蔽的恶意软件攻击。针对这一挑战,McAfee推出的旗舰级...

    Malwarebytes Anti-Malware 1.7 官方中文注册版

    Malwarebytes Anti-Malware是一个反恶意软件的应用,可以彻底删除即使是最先进的恶意软件。 它包括了间谍软件扫描和常驻防护功能,其中包括一个内置的保护监测,能在恶意程序启动之前开始阻止。 你曾经认为是什么让...

    Windows Malware Analysis Essentials

    ### Windows Malware Analysis Essentials #### 一、概述 《Windows Malware Analysis Essentials》是一本针对Windows平台上的恶意软件分析的专业书籍。本书旨在帮助读者掌握基本的恶意软件分析技能,并提升其在反...

    MALWARE DATA SCIENCE

    MALWARE DATA SCIENCE MALWARE DATA SCIENCE

    Practical Malware Analysis 无水印pdf

    Practical Malware Analysis 英文无水印pdf pdf所有页面使用FoxitReader和PDF-XChangeViewer测试都可以打开 本资源转载自网络,如有侵权,请联系上传者或csdn删除 本资源转载自网络,如有侵权,请联系上传者或...

    Malware-Patch屏蔽国产软件.rar

    "Malware-Patch屏蔽国产软件.rar"这个压缩包文件显然与防止恶意软件感染和保护计算机系统免受潜在威胁有关,特别是针对国产软件。下面将详细讨论相关知识点。 首先,我们要理解什么是“Malware”(恶意软件)。...

    Malware, Fighting Malicious Code

    Malware, Fighting Malicious Code

    Malware Defender规则设置完全参考

    Malware Defender不用多说,大家都知道是干什么的吧!这个是Malware Defender风霜规则的完全设置图,新人可以比照学习后,设置自己系统的规则。

    malware: fighting malicious code.

    在信息技术领域,恶意软件(Malware)是令人头疼的问题,它包括病毒、蠕虫、特洛伊木马、勒索软件等多种形式,这些程序设计的目的是非法侵入用户系统,窃取数据,破坏设备功能,或者对网络造成干扰。本文将深入探讨...

    Windows Malware Analysis Essentials 无水印pdf

    Windows Malware Analysis Essentials 英文无水印pdf pdf所有页面使用FoxitReader和PDF-XChangeViewer测试都可以打开 本资源转载自网络,如有侵权,请联系上传者或csdn删除 本资源转载自网络,如有侵权,请...

    malware analysis how to

    恶意软件(Malware)分析在传统意义上被认为是一项极其复杂的工作,其中涉及到的技术与方法往往超出了普通用户的理解和操作能力范围。然而,在当前互联网高度普及、网络安全威胁日益增多的情况下,人们越来越需要...

Global site tag (gtag.js) - Google Analytics