Registry-infecting reboot-resisting malware has NO FILES

And I continue to ask why all AV/AM products are LAME, LAME I say,
because they can't scan the registry of a drive that's been connected as
a slave to a known/good system.

At least in Windows 9x/me, you can boot into DOS and switch your
system.dat and user.dat files to a previous version or backup.

  "The non-ASCII trick is a tool Microsoft uses to hide its source
   code from being copied, but the feature was later cracked."

Let me guess.  These "non-ascii" registry entries were introduced /
enabled by Macro$haft at some point in the deployment of the NT-based
line of Windoze, and as such are not possible under 9x/me - right?

What have I said before?

The Windoze NT line of Operating Systems:  The bloat and vulnerabilities
go in before the name goes on.

------------------------------------

Registry-infecting reboot-resisting malware has NO FILES
Anti-virus doesn't stand a chance because there's nothing for it to scan

By Darren Pauli, 4 Aug 2014

Researchers have detailed a rare form of malware that maintains
infection on machines and steals data without installing files.

The malware resides in the computer registry only and is therefore not
easy to detect.

Its code reaches machines through a malicious Microsoft Word document
before creating a hidden encoded autostart registry key, malware
researcher and black hat exterminator Paul Rascagneres (@r00tbsd) says.
It then creates and executes shellcode and a payload Windows binary.

"All activities are stored in the registry. No file is ever created,"
Rascagneres said in a post.

"So, attackers are able to circumvent classic anti-malware file scan
techniques with such an approach and are able to carry out any desired
action when they reach the innermost layer of [a machine] even after a
system re-boot.

"To prevent attacks like this, anti-virus solutions have to either catch
the initial Word document before it is executed (if there is one),
preferably before it reached the customer's email inbox."

Windows Regedit cannot read or open the non-ASCII key entry. Rascagneres
said the feature set was akin to a Matryoshka Doll due to its subsequent
and continual 'stacked' execution of code.

The non-ASCII trick is a tool Microsoft uses to hide its source code
from being copied, but the feature was later cracked.

Security kit can alternatively detect the software exploit, or as a
final step monitor the registry for unusual behaviour, he said.

Malware geeks on the KernelMode.info forum last month analysed one
sample which exploited the flaws explained in CVE-2012-0158 that
affected Microsoft products including Office.

Deviants distributed the malware under the guise of Canada Post and UPS
emails purportedly carrying tracking information.

"This trick prevents a lot of tools from processing this malicious entry
at all and it could generate a lot of trouble for incident response
teams during the analysis. The mechanism can be used to start any
program on the infected system and this makes it very powerful,"
Rascagneres said.

Rascagneres has made a name ripping malware and bots to uncover and
undermine black hat operations. He won last year's Pwnie Award at Black
Hat Las Vegas for tearing through the infrastructure of Chinese hacker
group APT1.

http://www.theregister.co.uk/2014/08/04/registryinfecting_rebootresisting_malware_has_no_files/
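One defensive check the article's description points to, written here as an added example (it is not code from the article, the forum posters, or Rascagneres' research): triage exported autostart (Run-key) values, flagging value names Regedit could not display and value data that is an encoded blob rather than a path to a program. The sample entries, the NUL/non-ASCII name, and the length thresholds are constructed assumptions.

```python
import base64
import re
from dataclasses import dataclass


@dataclass
class RegValue:
    """One value under an autostart key, as exported during incident response."""
    key: str
    name: str
    data: str


def name_is_hidden(name: str) -> bool:
    """True when the value name falls outside printable ASCII.
    Assumption: the article only says 'non-ASCII'; control characters such as
    NUL are included as well, since Regedit cannot display those either."""
    return any(not (0x20 <= ord(c) <= 0x7E) for c in name)


# Heuristics for 'encoded blob' data: a long run of base64 or hex characters.
_B64 = re.compile(r"^[A-Za-z0-9+/=\s]{64,}$")
_HEX = re.compile(r"^(?:[0-9A-Fa-f]{2}\s?){32,}$")


def data_looks_encoded(data: str) -> bool:
    """True when the data is a blob instead of a command line or file path."""
    s = data.strip()
    if _HEX.match(s):
        return True
    if _B64.match(s):
        try:
            base64.b64decode(re.sub(r"\s", "", s), validate=True)
            return True
        except ValueError:
            return False
    return False


def display_name(name: str) -> str:
    """Escape non-printable characters so the name survives in an IR report."""
    return "".join(c if 0x20 <= ord(c) <= 0x7E else f"\\x{ord(c):02x}" for c in name)


def triage(values):
    """Return (key, escaped name, reasons) for every suspicious autostart value."""
    findings = []
    for v in values:
        reasons = []
        if name_is_hidden(v.name):
            reasons.append("value name contains non-printable/non-ASCII characters")
        if data_looks_encoded(v.data):
            reasons.append("value data is an encoded blob, not a path")
        if reasons:
            findings.append((v.key, display_name(v.name), reasons))
    return findings


# Constructed sample export (not real indicators): two ordinary Run entries
# and one shaped like the article's hidden, encoded autostart key.
SAMPLE = [
    RegValue(r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run", "OneDrive",
             r'"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'),
    RegValue(r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run", "SecurityHealth",
             r"%windir%\system32\SecurityHealthSystray.exe"),
    RegValue(r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run", "\x00\u00e9\u00e9",
             base64.b64encode(b"A" * 90).decode()),
]

if __name__ == "__main__":
    for key, name, reasons in triage(SAMPLE):
        print(f"{key}\\{name}: {'; '.join(reasons)}")
```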

Re: Registry-infecting reboot-resisting malware has NO FILES

Virus Guy wrote on 8/4/2014 :

Isn't a Microsoft Word document a file?

Is a bootsector a file?

Is BIOS a file?



Re: Registry-infecting reboot-resisting malware has NO FILES


Quoted text here. Click to load it

Yes


No. It's the first sector of the drive being booted from, though
many boot loaders will also use additional sectors, up to the 64th
sector, as that was the standard location for starting the first
partition on old ata hard drives.

Quoted text here. Click to load it

No. It's usually an eprom chip on the motherboard, that is used
during startup to find the hard drive to boot from, and then load
the boot sector from that drive, and then transfer control to the
code from that boot sector. I say usually, as some older mother
boards used a prom, so a bios update required replacing the chip.

Regards, Dave Hodgins

--  
Change nomail.afraid.org to ody.ca to reply by email.
(nomail.afraid.org has been set up specifically for
use in usenet. Feel free to use it yourself.)

Re: Registry-infecting reboot-resisting malware has NO FILES

David W. Hodgins submitted this idea :
Quoted text here. Click to load it

No, I wrote that.

Quoted text here. Click to load it

Exactly so. My point to VG was, malware start method persistence not  
based on a file is nothing new.

Granted, the approach being used is interesting. I wonder if Virus  
Guy's modified Win98 still has the decoder - he might have eradicated  
it. I don't think it is strictly necessary, looks like just obfuscation  
related.



Re: Registry-infecting reboot-resisting malware has NO FILES

On 2014-08-04 8:29 PM, FromTheRafters wrote:
Quoted text here. Click to load it

Semantics. The boot sector contains a file. The data in the file points  
to the location of the program that loads the OS, but, as you well know,  
you can start all kinds of things before loading the OS. Etc.

Quoted text here. Click to load it

BIOS is a file (data and program) that starts the boot process. Where  
and how BIOS is stored is irrelevant. It's still a file. Eg, PROM vs  
EEPROM makes no difference. In very early micro-computers, as you may  
recall, BIOS was a configuration of switches on the front panel. In  
later computers, much of what we now consider BIOS was on the external  
storage media from which the OS was loaded. For that matter, a universal  
bootloader could be included in BIOS, if the industry agreed on a  
standard. Etc. Think of BIOS as a minimal OS.

Quoted text here. Click to load it

Start method persistence is impossible without some data stored  
somewhere. IOW, sure, there's a file. You just have to figure out where  
it is.

Have a good day,

--  
Best,
Wolf K
kirkwood40.blogspot.ca

Re: Registry-infecting reboot-resisting malware has NO FILES

Wolf K explained on 8/5/2014 :
Quoted text here. Click to load it

I disagree with this usage when in this context. These entities exist  
and are accessed before there is a file system extant to access true  
files.



Re: Registry-infecting reboot-resisting malware has NO FILES

On 2014-08-05 9:58 AM, FromTheRafters wrote:
Quoted text here. Click to load it

"True" files????

--  
Best,
Wolf K
kirkwood40.blogspot.ca

Re: Registry-infecting reboot-resisting malware has NO FILES

Wolf K formulated on Tuesday :

Quoted text here. Click to load it

Yes, that which is supported by whatever file system is loaded.



Re: Registry-infecting reboot-resisting malware has NO FILES

On 2014-08-05 2:04 PM, FromTheRafters wrote:
Quoted text here. Click to load it

I think there is some confusion there.

Unless I am much mistaken,

a) The BIOS chip has a file system on it, else there could be no BIOS.  
BIOS == programs and data needed to start the boot process. Etc. As I've  
said, BIOS is a minimal OS. It has to be, else it could not (for  
example) present a screen for changing things like the boot sequence.  
AFAIK, all OSs can read the BIOS with a suitable utility, which means  
that BIOS is a collection of files. When you update the BIOS, you are  
writing data to it. Data == file(s). QED

b) No filesystem is "loaded". A storage device is formatted for a  
specific file-system. An OS must be able to read that filesystem in  
order to access any data on the storage device.

c) All HDDs must be low-level formatted, which marks all tracks and  
sectors. Only then can the disk be formatted with a filesystem. A  
filesystem organises the information about tracks and sectors so that  
the OS will not overwrite old data with new data. This is usually called  
"high level formatting". (A failing disk can sometimes be rescued by  
doing a low-level format).

e) The physical structure of the SSD is blocks of memory locations, not  
tracks and sectors. The firmware on the SSD (more files) translates  
track/sector information into whatever block structure it contains. That  
firmware is what makes it possible to format an SSD.

Footnote: it's technically feasible to have all the filesystem stuff  
done by the disk, which would make it OS-neutral. That is, from the OS's  
POV, the disk would merely be a device to which data is sent, and from  
which data is received. A protocol analogous to TCP/IP would do the  
trick. In fact, you could use TCP/IP.

Hope this clears up any confusions.

Of course, you are at liberty to use "file" to refer only to data  
written to a disk formatted with a file system, but as the OP's post  
indicates, this usage creates some confusion about how malware that  
bypasses the boot process actually works.

Have a good day,

--  
Best,
Wolf K
kirkwood40.blogspot.ca

Re: Registry-infecting reboot-resisting malware has NO FILES

Wolf K pretended :
Quoted text here. Click to load it

[...]

Quoted text here. Click to load it

None of that is in context for this discussion, where the malware is  
said to not create a file on the filesystem for its persistence. It is  
obvious that they are only talking about files as stated above.



Re: Registry-infecting reboot-resisting malware has NO FILES



Quoted text here. Click to load it

I totally disagree. The bios and mbr both do contain code, but they are
both just blocks of code, with no names, no index, and each can only
contain the code (though the mbr also contains the partition table).

When the computer starts, it loads the block of code stored in the
bios, and then runs it. It does not search through a file system to
decide which "file" to load, as it doesn't yet have any code to run
that could search a file system.

See https://en.wikipedia.org/wiki/BIOS for more details about the
bios usage.

Regards, Dave Hodgins

--  
Change nomail.afraid.org to ody.ca to reply by email.
(nomail.afraid.org has been set up specifically for
use in usenet. Feel free to use it yourself.)

Re: Registry-infecting reboot-resisting malware has NO FILES


Quoted text here. Click to load it

This information should be mandatory learning before anything else is  
taught... seriously.
  



--  
Take it easy... Don't let the sound of your own wheels drive you crazy.  
Lighten up while you still can. Don't even try to understand.  
Just find a place to make your stand and take it easy!


Re: Registry-infecting reboot-resisting malware has NO FILES


Quoted text here. Click to load it


Agreed!

Regards, Dave Hodgins

--  
Change nomail.afraid.org to ody.ca to reply by email.
(nomail.afraid.org has been set up specifically for
use in usenet. Feel free to use it yourself.)

Re: Registry-infecting reboot-resisting malware has NO FILES

On 2014-08-06 12:00 PM, David W. Hodgins wrote:
Quoted text here. Click to load it

If there is no index, then how can you change the boot sequence? BIOS  
has to have some kind of index to user-changeable data. An index to data  
is a file system. The partition table on MBR is located at fixed  
locations, a structure that constitutes a primitive file system. There  
is a good deal more to BIOS and MBR than "blocks of code". As I've  
pointed out before: BIOS is in fact a collection of small programs plus  
data. BIOS has been growing, too, as more and more functions have been  
added to it.

Quoted text here. Click to load it

IOW, it addresses a storage location, copies a block of data from there  
into RAM, and then treats that block of code as a program. The fact that  
this storage location is physically on a chip instead of a disk is  
immaterial. The simplest BIOS would simply fetch the block of data from  
track 0 (and possibly more) on the disk. That would mean that every  
bootable disk would have to come preloaded with information about where  
to find the bootloader, etc. That could be done, in fact was done with  
bootable floppies, which some of you may be old enough to remember.

Quoted text here. Click to load it

I think what's at issue here is the notion that what an OS does is  
somehow fundamentally different from what BIOS does. It ain't. The  
process is always the same: fetch data, and deal with it. BIOS is a  
minimal OS: it does very little, but that little is essential. Mess up  
the code, and the computer will not boot.

There is also the notion that a "real" file has to have a name in order  
to be accessible to the OS. It doesn't. Basically, a directory is a set  
of pointers to blocks of data, ie, the files. Names are added for human  
convenience. The OS doesn't need them. You can in fact read the BIOS  
from any OS, given a suitable utility. You can even write to BIOS, given  
a suitable utility. This utility is in practice packaged with the BIOS  
update.

A filemanager could be written to allow you to see the files that  
constitute the BIOS, the MBR, etc. There are of course good reasons  
that's not done. But the malware makers have no scruples about reading  
and writing these files. The fact the filemanager can't see them is a  
bonus from their POV. Rootkit removers do the same as the malware  
installers: they read and write to BIOS, the MBR, and other hidden files  
in order to destroy the evil stuff residing there.

I fail to see why a file needs a name etc, and needs to be found by a  
file manager, in order to be a "true" file. In fact, I think this usage  
misleads people, as the Subject of this thread and the subsequent discussion  
illustrate. Of course the malware consists of files. If you think these  
files are somehow not files, it may be difficult for you to understand  
a) how they can do their evil work; and b) how they can be destroyed.

Granted, in common usage "file" means "a block of data with a name,  
locatable by the OS". In most contexts, this is the proper usage. But  
when it comes to malware that hides from the OS, it is IMO bad usage. In  
such contexts, nit-picking insistence on technical precision is important.

Have a good day.

--  
Best,
Wolf K
kirkwood40.blogspot.ca

Re: Registry-infecting reboot-resisting malware has NO FILES


Quoted text here. Click to load it

Are you serious? The boot menu is shown and interpreted by the code
loaded from the bios (or in more modern systems uefi).

Quoted text here. Click to load it

In a dos style bios, all it does is the power on self test (POST),
then (with some bios code), present the option of selecting the
boot device. Once the boot device has been selected, all the bios
does is load the code from the first sector and then transfer
control to it. It's up to the code in the first sector whether or
not additional sectors are loaded too.

Quoted text here. Click to load it

I do not agree. Whether the code is loaded from a chip, or a file system
on a disk, is the whole point of this discussion.

Quoted text here. Click to load it

The bios will only load the code from sector 0, of track 0.

Quoted text here. Click to load it

I do not agree. A file has a name, and is stored in a file system.
The bios is just a chunk of code stored on a chip. It does not have
a file name, and is not accessible using regular disk io.

Quoted text here. Click to load it

The i/o calls to write to a disk or do a bios update are quite different.

Quoted text here. Click to load it

There are not multiple files in the bios. It's one chunk of code, and
that is all there is.

Quoted text here. Click to load it

It is possible to have unnamed files (at least in linux), but the
file does have to have a name when it's created. The file can then
be unlinked, making it inaccessible to regular file browsers, but
won't be deleted until all programs accessing it are closed.

Quoted text here. Click to load it

As before, the mbr, and the bios are not files.

Quoted text here. Click to load it

Understanding the difference is needed when removing malware. Removing a
root kit installed in the mbr is different from removing a virus from a
file the os has access to.

Quoted text here. Click to load it

You too.

Regards, Dave Hodgins

--  
Change nomail.afraid.org to ody.ca to reply by email.
(nomail.afraid.org has been set up specifically for
use in usenet. Feel free to use it yourself.)

Re: Registry-infecting reboot-resisting malware has NO FILES

After serious thinking David W. Hodgins wrote :

[...]

Granted what follows is not in context with the articles being  
discussed.

Devil's advocate mode on.

Quoted text here. Click to load it

[...]

Quoted text here. Click to load it

If the very essence of being a general purpose OS is that you  
facilitate the execution of user's choice programs - here is where one  
could draw the line. The user has a choice of what goes in this  
specific location. A boot loader or an OS loader program for a more  
capable feature rich OS - or even some other special purpose program if  
it is to be a special purpose computer.

Quoted text here. Click to load it

Again, at a very low, very rudimentary level, a computer is a file  
system.

I figure that you already know this, but this link goes to a somewhat  
lengthy lecture that some readers here might find interesting. Feynman  
on Computer Heuristics.


https://www.youtube.com/watch?v=EKWGGDXe5MA


Oh, and what about the hippo?

One entry found for amphibian.
Main Entry:    am·phib·i·an
Pronunciation:    am-ˈfib-ē-ən
Function:    noun
1 : any organism that is able to live both on land and in water;  
especially : any of a class of cold-blooded vertebrate animals (as  
frogs and salamanders) that in many respects are between fishes and  
reptiles.

Yep, just find the right definition and run with it. :)



Re: Registry-infecting reboot-resisting malware has NO FILES

@news2.open-news-network.org:

Quoted text here. Click to load it

I'm not sure I agree with this?  
  
Quoted text here. Click to load it

LOL :)


--  
Take it easy... Don't let the sound of your own wheels drive you crazy.  
Lighten up while you still can. Don't even try to understand.  
Just find a place to make your stand and take it easy!


Re: Registry-infecting reboot-resisting malware has NO FILES

After serious thinking Dustin wrote :
Quoted text here. Click to load it

It was half in jest, but did you view the video? As it starts out it  
sounds very much below your skill level, but it gets better. Some cats  
may want to argue with Feynman though.

Quoted text here. Click to load it



Re: Registry-infecting reboot-resisting malware has NO FILES

@speranza.aioe.org:

Quoted text here. Click to load it

Not yet, but I'm going to.
  


--  
Take it easy... Don't let the sound of your own wheels drive you crazy.  
Lighten up while you still can. Don't even try to understand.  
Just find a place to make your stand and take it easy!


Re: Registry-infecting reboot-resisting malware has NO FILES

It happens that Dustin formulated :
Quoted text here. Click to load it

It's all stuff you already know, but he uses a 'filing system' analogue  
to fetching and manipulating data as a way to explain how a computer  
works at the lower level of machine code.

It provides a glimpse into this lower level that even non-tech types  
can understand. You may find it extremely boring just because you  
already know the details.


