I’d like to continue the discussion on stealthy malware persistence techniques that I began Wednesday and provide two more techniques. The goal is to show that there are many unusual and often overlooked ways to cause processes to execute. This will provide incident responders with ammunition to take what they already know is the right course of action after a malware infection or a compromise by an attacker: wipe the drive. So let's talk about techniques #3 and #4. If you missed the first two methods for malware persistence, you can read about those here: http://isc.sans.edu/diary/Wipe+the+drive+Stealthy+Malware+Persistence+Mechanism+-+Part+1/15394
TECHNIQUE #3 - Program.exe
See also: http://isc.sans.edu/diary/Help+eliminate+unquoted+path+vulnerabilities/14464
This is the scenario. Malware or an attacker is on your machine and has administrative or Power User access. The attacker drops a file called “program.exe” in the root of your C drive. “program.exe” is a small application that reads the command line parameters that were used to call it, launches the real program you had intended to call, and then executes its malicious payload. Simple but effective.
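As an added example (this is not code from the diary), the following Python shows the detection side of this technique: for each service whose BINARY_PATH_NAME is unquoted and contains spaces, it computes the executables Windows would try, in order, before the intended one, and reports any that actually exist. The heuristic that the intended binary is the first space-delimited prefix ending in .exe, the service table and the file listing are all constructed for this example; the existence check is injectable so the same logic can run against a file listing collected from a triage image rather than the live disk.

```python
import os


def hijack_candidates(image_path):
    """Executables CreateProcess would try, in order, before the intended one
    when a service's BINARY_PATH_NAME is unquoted and contains spaces.
    Assumption (heuristic for this example): the intended binary is the first
    space-delimited prefix ending in .exe; every shorter prefix gets .exe
    appended, which is exactly where a planted C:\\program.exe would sit."""
    path = image_path.strip()
    if not path or path.startswith('"'):
        return []                       # quoted path: resolved as one token
    parts = path.split(" ")
    candidates = []
    for i in range(1, len(parts) + 1):
        prefix = " ".join(parts[:i])
        if prefix.lower().endswith(".exe"):
            break                       # reached the intended binary
        candidates.append(prefix + ".exe")
    else:
        candidates.pop()                # no .exe prefix: last entry is the real path
    return candidates


def find_planted(services, exists=os.path.exists):
    """Return {service: [planted executables that exist]}.  'exists' is
    injectable so the check can run over a collected file listing from a
    triage image instead of the live filesystem."""
    findings = {}
    for name, image_path in services.items():
        present = [c for c in hijack_candidates(image_path) if exists(c)]
        if present:
            findings[name] = present
    return findings


# Constructed sample input: BINARY_PATH_NAME values as 'sc qc' reports them,
# and a constructed file listing in which C:\program.exe has been dropped.
SAMPLE_SERVICES = {
    "Spooler":   r"C:\Windows\System32\spoolsv.exe",
    "VendorSvc": r"C:\Program Files\Vendor App\svc.exe -k run",
    "OtherSvc":  r'"C:\Program Files\Other Vendor\other.exe" /service',
}
SAMPLE_FILES = {
    r"c:\program.exe",
    r"c:\windows\system32\spoolsv.exe",
    r"c:\program files\vendor app\svc.exe",
    r"c:\program files\other vendor\other.exe",
}


def sample_exists(path):
    """Case-insensitive existence check against the constructed listing."""
    return path.lower() in SAMPLE_FILES


if __name__ == "__main__":
    for svc, planted in find_planted(SAMPLE_SERVICES, sample_exists).items():
        print(f"{svc}: unquoted path can be hijacked by {', '.join(planted)}")
```

Note that a single C:\program.exe is reported against every unquoted service under C:\Program Files, which is why the diary recommends checking the root of the drive explicitly rather than only the individual service paths.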
Detection: You can also check this information with the “SC QFAILURE <servicename>” command like this:
    for /F "tokens=1,2 delims=:" %x in ('sc query ^| find "SERVICE_NAME"') do @echo %y & @sc qfailure %y | findstr /i "command_line"

Summary: Add checking for c:\program.exe and other strange executables to your incident response checklist. Also add checking for service failure recovery processes to your list. Wiping the drive is a costly endeavor. It can cost you time, and it can cost you some political skin as you convince business leaders to endure additional downtime. Any political hit for wiping the drive is smaller than the hit you’ll take if the machine is still infected. Just wipe the drive. Still not convinced? I have a few more parts to this series to go. This is only the tip of the iceberg.
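As an added example (not code from the diary), the Python below parses the text that "sc qfailure" prints for each service, so the output of a loop like the one above (run without the trailing findstr, or saved to a file during triage) can be reviewed in one pass. It flags any service with a RUN PROCESS recovery action, and also any service whose COMMAND_LINE is non-empty even when no RUN PROCESS action is set, since that value can linger after the action is changed. The sample output is constructed to mimic the sc qfailure format and the service names and command line in it are invented.

```python
import re
import sys

# Constructed sample mimicking the output of "sc qfailure <name>" for two
# services; the second one has a recovery action that runs a program.
SAMPLE_QFAILURE = """\
[SC] QueryServiceConfig2 SUCCESS

SERVICE_NAME: Spooler
        RESET_PERIOD (in seconds)    : 86400
        REBOOT_MESSAGE               :
        COMMAND_LINE                 :
        FAILURE_ACTIONS              : RESTART -- Delay = 60000 milliseconds.
                                       RESTART -- Delay = 60000 milliseconds.

[SC] QueryServiceConfig2 SUCCESS

SERVICE_NAME: UpdSvc
        RESET_PERIOD (in seconds)    : 0
        REBOOT_MESSAGE               :
        COMMAND_LINE                 : C:\\Windows\\Temp\\updater.exe /quiet
        FAILURE_ACTIONS              : RUN PROCESS -- Delay = 0 milliseconds.
"""

FIELD_RE = re.compile(r"\s+([A-Z_]+)(?: \(in seconds\))?\s*:\s*(.*)$")


def parse_qfailure(text):
    """Parse concatenated 'sc qfailure' output into one dict per service.
    FAILURE_ACTIONS is a list because each action is printed on its own
    line; continuation lines are indented and carry no 'KEY :' prefix."""
    records = []
    current = None
    last_key = None
    for line in text.splitlines():
        line = line.rstrip()
        if line.startswith("SERVICE_NAME:"):
            current = {"SERVICE_NAME": line.split(":", 1)[1].strip(),
                       "COMMAND_LINE": "", "FAILURE_ACTIONS": []}
            records.append(current)
            last_key = None
            continue
        if current is None:
            continue                    # header noise before the first service
        m = FIELD_RE.match(line)
        if m:
            key, value = m.group(1), m.group(2).strip()
            if key == "FAILURE_ACTIONS":
                if value:
                    current["FAILURE_ACTIONS"].append(value)
            else:
                current[key] = value
            last_key = key
        elif line.startswith(" ") and line.strip() and last_key == "FAILURE_ACTIONS":
            current["FAILURE_ACTIONS"].append(line.strip())
    return records


def suspicious_recovery(records):
    """Services whose recovery configuration would, or could, run a program.
    Returns (service, command_line, has_run_process_action) tuples."""
    hits = []
    for r in records:
        runs = any(a.startswith("RUN PROCESS") for a in r["FAILURE_ACTIONS"])
        if r["COMMAND_LINE"] or runs:
            hits.append((r["SERVICE_NAME"], r["COMMAND_LINE"], runs))
    return hits


if __name__ == "__main__":
    # Read saved sc qfailure output from stdin, or fall back to the sample.
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_QFAILURE
    for name, cmd, runs in suspicious_recovery(parse_qfailure(text)):
        print(f"{name}: COMMAND_LINE={cmd!r} RUN_PROCESS_action={runs}")
```

Every hit deserves a look at the referenced executable; on a compromised host the point of the diary stands, and the finding is evidence for wiping the drive rather than something to clean up in place.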
Follow me on twitter: @MarkBaggett
http://www.sans.org/event/sansfire-2013/course/python-for-pen-testers
There are two opportunities to join Jake Williams (Twitter @malwarejake) for FOR610 Reverse Engineering Malware. Join him on vLive with Lenny Zeltser or at the Digital Forensics & Incident Response Summit in Austin. vLive with Jake and Lenny begins March 28th, 2013: http://www.sans.org/vlive/details/for610-mar-2013-jake-williams
Jake at DFIR Austin Texas July 11-15, 2013:
Mark, ISC Handler (81 posts), Mar 15th 2013
re: technique 4 - detection by windows script - 'sc queryex' will also return the process id
If the command line (run a program) is set via the Windows GUI, I've noticed that (in XP Pro) it is not cleared (just greyed out) if the 'action' is reset to something other than 'run a program', AND it is still reported by SC QUERY in the command line parameter. Anyone remember the mayhem when services could originally be set to 'restart the computer' on service failure by mischievous (malicious?) power users? Good security policies should prevent that; else look out for your print spooler restarting your machine every time a print request crashes the service, or worse.
Anonymous, Mar 15th 2013
re: Technique 3
Aha! Proved right at last: embedded spaces in file/pathnames are not the brightest idea to emanate from Redmond. Thank ${deity} for the detox command to remove them pesky spaces.
Anonymous, Mar 16th 2013
My technique was wipe C:\Program Files and C:\Windows, rename C:\Documents & Settings or C:\Users then reinstall Windows. Then I scan the disk with antivirus to be sure of the kill.
Anonymous, Mar 18th 2013
The program.exe trick is nice; I also love the BITS abuse in another part. But the microsoft.exe variant discussed in entry +14464 back in November does not really work (for me): if C:\program does not exist, the CMD shell won't try C:\program files\microsoft.
Anonymous, Mar 22nd 2013