New malware exists as encrypted JS code in registry

Tags: Trojan.Poweliks

17 replies to this topic

#1
Nomen (Member, 211 posts, Joined 07-July 12, OS: 98SE)
According to this:

http://www.symantec....-080408-5614-99

Windows 9x/me is vulnerable to this exploit. Under the registry RUN keys, an entry is created where the name of the target is composed of encrypted JavaScript as well as using "non-ascii" characters (which renders the entry as invisible when viewed using standard tools such as regedit).

Would msconfig show such entries - even if it just lists them on a separate blank line with nothing printed on it?

Can Win-9x/me process JavaScript code present in the registry?

Something else that has been said of this malware:

"The non-ASCII trick is a tool Microsoft uses to hide its source code from being copied, but the feature was later cracked."

So, how compatible is win-9x in terms of operability with this method of storing and running "mal-code" from the registry?


#2
submix8c (Inconceivable!; Patrons, 4,338 posts, Joined 14-September 05)

?

That article clearly indicates it runs Powershell.

http://en.wikipedia....dows_PowerShell

Powershell on a Win9x?

Maybe that article is mistaken. :unsure:


#3
Tripredacus (K-Mart-ian Legend; Super Moderator, 9,923 posts, Joined 28-April 06, OS: Server 2012, Donator)

Well, I wonder about the ability of using rundll32.exe to execute JavaScript via CMD. A PoC was posted on Facebook which apparently will open calculator. However, if worried, test in a VM:

 

Spoiler

 

If it does work, it would be possible to have a half-way installed virus on the system.... presuming .NET Framework and Powershell add-ons do not exist for Win9x.


#4
M()zart (Member, 280 posts, Joined 17-June 08)

presuming .NET Framework and Powershell add-ons do not exist for Win9x.

 
.NET Framework exists for Win9x up to .NET Framework 2.0 (without SPs).



#5
MrJinje (Tool™ Developer; Developer, 1,055 posts, Joined 14-October 09, OS: Server 2012R2)

I guess you could run powershell from the registry as base64 gzip encoded blobs via system.io.memorystream. Maybe throw some encryption on top of that, rename the key with unicode characters and we have a powershell only version of this hack.  

 

Or am I missing something; is JavaScript really needed?



#6
Tripredacus (K-Mart-ian Legend; Super Moderator, 9,923 posts, Joined 28-April 06, OS: Server 2012, Donator)

I don't think it is. Whoever wrote this particular delivery method merely found that it is possible to execute JavaScript via rundll32.exe and used it as the infection vector. The run-down on the link shows it as such: after the JavaScript is executed (and minimum requirements are met), then the payload is delivered. That seems to be the only function of the JavaScript, and everything afterwards is handled with whatever the payload is and .NET and Powershell.

However, note the exploit uses mshtml to create an ActiveX object. If you were to disable ActiveX in IE, would this then fail or are those things in Internet Options only used when iexplore.exe is running?
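As an added defender-side example (not code from this thread or from any of the linked write-ups), the check below scans a constructed list of Run-key values for the two tells the posts above describe: value names containing NUL, control or non-ASCII characters that regedit and similar tools fail to display (the RegDelNull case), and value data that hands rundll32 a javascript: argument, references mshtml, or launches encoded PowerShell. The sample entries, their paths and the placeholder script bodies are all constructed; on a live Windows host the list would come from winreg instead.

```python
import re

# Constructed sample Run-key values as (value_name, value_data) pairs, standing
# in for what HKCU\Software\Microsoft\Windows\CurrentVersion\Run might hold.
# On a live Windows host the list would be read with winreg instead.
SAMPLE_RUN_VALUES = [
    ("OneDrive", r"C:\Users\me\AppData\Local\Microsoft\OneDrive\OneDrive.exe /background"),
    # Name with an embedded NUL and non-ASCII characters; data hands rundll32
    # a javascript: argument. The script body is a placeholder, not a payload.
    ("\x00\u4e3f\u2800hidden", 'rundll32.exe javascript:"<constructed placeholder>"'),
    ("Updater", "powershell.exe -enc <constructed placeholder>"),
]

# Data patterns worth a second look, keyed to what the thread describes:
# rundll32 running JavaScript, mshtml use, and encoded PowerShell.
SUSPICIOUS_DATA = [
    (re.compile(r"rundll32(\.exe)?\s+javascript:", re.I), "rundll32 executing JavaScript"),
    (re.compile(r"mshtml", re.I), "references mshtml"),
    (re.compile(r"powershell(\.exe)?\s.*-(e|ec|enc|encodedcommand)\b", re.I), "encoded PowerShell"),
]


def name_findings(name):
    """Flag value names that regedit and friends will not display properly."""
    findings = []
    if "\x00" in name:
        findings.append("embedded NUL in value name (the RegDelNull case)")
    if any(ord(c) < 0x20 and c != "\x00" for c in name):
        findings.append("control character in value name")
    if any(ord(c) > 0x7E for c in name):
        findings.append("non-ASCII character in value name")
    return findings


def data_findings(data):
    """Flag value data matching the launch patterns above."""
    return [label for rx, label in SUSPICIOUS_DATA if rx.search(data)]


def scan_run_values(values):
    """Return [(value_name, [reasons])] for every entry with at least one hit."""
    report = []
    for name, data in values:
        reasons = name_findings(name) + data_findings(data)
        if reasons:
            report.append((name, reasons))
    return report


if __name__ == "__main__":
    for name, reasons in scan_run_values(SAMPLE_RUN_VALUES):
        # Escape the name so the hidden characters are visible in the output.
        print(name.encode("unicode_escape").decode("ascii"), "->", "; ".join(reasons))
```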

#7
submix8c (Inconceivable!; Patrons, 4,338 posts, Joined 14-September 05)

Hey, I've got a great idea. We already know that .NET can be installed, so someone go ahead and install Powershell in a Win98SE and see if it works. Wouldn't that settle the issue? :unsure:


#8
MrJinje (Tool™ Developer; Developer, 1,055 posts, Joined 14-October 09, OS: Server 2012R2)

Here is a more interesting read on the subject.

 

http://blog.trendmic...ndows-registry/

 

EDIT:

 

https://blog.gdataso...out-a-file.html


Edited by MrJinje, 08 August 2014 - 11:00 AM.


#9
dencorso (Iuvat plus qui nihil obstat; Supervisor, 5,970 posts, Joined 07-April 07, OS: 98SE, Donator)

Hey, I've got a great idea. We already know that .NET can be installed, so someone go ahead and install Powershell in a Win98SE and see if it works. Wouldn't that settle the issue? :unsure:

 

Sure. And I bet Powershell 1.0 does not run in native 9x/ME. Perhaps it does run, sort of, under KernelEx, but even if it does, I doubt there's even one user with Powershell installed in 9x/ME, or we'd already have heard about it here...

 

Here is a more interesting read on the subject.

 

http://blog.trendmic...ndows-registry/

 

Good to see you here, Mr. Jinje! :hello:

 

And, BTW, do y'all remember RegDelNull? :P



#10
submix8c (Inconceivable!; Patrons, 4,338 posts, Joined 14-September 05)

Thx, exactly my point!

 

Maybe that article is mistaken. :unsure:

:lol: So Nomen, the answer is -no- don't worry about it, as the article clearly states that in order to function it -needs- both .NET -and- Powershell even if the registry stuff works, downloading ?what? to install and run. ;) IOW, it won't even work on 9X/ME OS. :no: Symantec flies away on nonsense...


Edited by submix8c, 06 August 2014 - 01:51 PM.

#11
-X- (Member; MSFN Sponsor, 2,421 posts, Joined 08-January 04, OS: XP Pro x86, Donator)

The malware downloads PowerShell if it's not already installed.

#12
dencorso (Iuvat plus qui nihil obstat; Supervisor, 5,970 posts, Joined 07-April 07, OS: 98SE, Donator)

Yes. I understand that. But... AFAIK, Powershell does NOT *itself* work on 9x/ME, that's my point.

You see: 9x/ME support ended on Jul 11, 2006... while PowerShell was initially launched Nov 14, 2006... so, at least officially, it surely wasn't ever meant to work on 9x/ME. This being so, I'm pretty sure if nobody ever posted about PowerShell on 9x/ME (and that *is* the case) means nobody ever even unofficially has managed to have it run on 9x/ME.



#13
submix8c (Inconceivable!; Patrons, 4,338 posts, Joined 14-September 05)

...and that was -my- initial point. The Symantec page has to be erroneous. It will not "infect" a 9x/ME machine AFAICT.

Next, the Trojan decrypts a PowerShell script from its encrypted JavaScript. It runs this Powershell script to execute a binary program.
How can it run a Powershell script without Powershell? :crazy: or is it just me?

#14
Tripredacus (K-Mart-ian Legend; Super Moderator, 9,923 posts, Joined 28-April 06, OS: Server 2012, Donator)

Well it would still be a partial infection. I had a similar case where some AOL IM virus was on my Win98 PC... The initial infection did occur, however the virus would not function properly because AOL IM was not installed. All it did was fill up my HDD with text files with errors in them.

Now, Symantec could clarify what the behaviour would be like if a Win9x was infected with this. Maybe it would show an error because Powershell isn't installed or doesn't work, or maybe it will just make text files until you run out of hard disk space. :w00t:


#15
dencorso (Iuvat plus qui nihil obstat; Supervisor, 5,970 posts, Joined 07-April 07, OS: 98SE, Donator)

Be that as it may, RegDelNull will find and, if told so, get rid of the so-called "undeletable" registry entry, so it cleans the partial infection.

 

And, BTW, do y'all remember RegDelNull? :P


#16
Nomen (Member, 211 posts, Joined 07-July 12, OS: 98SE)
RegDelNull won't run on (my) win-98se system. The first error I got was "requires Windows NT/2000/XP/2003". After changing the Kex properties to Win-2k compatibility, the error changed to "Unable to locate required NTDLL exports. RegDelete requires Windows NT4 or higher". (I was running it without any command-line arguments).

Now, why did it mention "Regdelete" in the error message? Was that its original name?

Edited by Nomen, 08 August 2014 - 08:16 PM.


#17
dencorso (Iuvat plus qui nihil obstat; Supervisor, 5,970 posts, Joined 07-April 07, OS: 98SE, Donator)

It does not work, because it's unicode and requires the NT NativeAPI!
Hence, case closed! Not only PowerShell won't run, but not even the secret Run entry can be created!!!
So, don't worry: the said malware cannot possibly run under 9x/ME.
 

Now, why did it mention "RegDelete" in the error message? Was that its original name?


So it seems! :yes:
If you run RegDelNull /? it'll display it again in "Usage: RegDelete <path> [-s]"

#18
LostInSpace2012 (OS: Ubuntu 12; Member, 581 posts, Joined 20-August 12, Donator)

"Security Through Obsolescence" strikes again. Winning!

http://www.theregist...h_obsolescence/

Here's an interesting way to secure an Internet-connected computer against intruders: Make sure the operating system and software it runs are so old that current hacking tools won't work on it. This was suggested by Brian Aker, one of the programmers who works on Linux.com, NewsForge, Slashdot, and other OSDN sites; he runs several servers of his own that host a number of small non-profit sites in the Seattle area. "I have one box still running a version of Solaris that's so old none of the script kiddies can figure it out," Brian says. "They tend to focus on the latest and greatest, and don't have the slightest idea how to handle my old Sun box."

Brian points out that some of the most secure Department of Defense Web sites -- ones that don't make headlines by getting cracked all the time -- run old versions of Mac OS and the venerable WebSTAR server suite. "[Mac is] a great operating system for that application," he says. "No scripting or remote capability at all, so there's no way for them to get in."

Not only that, the hacker/cracker crowd is fixating, as usual, on the latest versions of everything, like Windows 2K/XP, Mac OS X, the most recent Linux kernels and BSDs, the newest Solaris, and so on. What fun is there in breaking into a system running something so ancient only a dad would even consider using it? There's also an obscurity factor to consider here, and not the one proprietary software advocates usually trot out when discussing security issues.

True "security through obscurity"

Most Web site takedowns and system intrusions make use of known vulnerabilities in a particular operating system or server software package. These vulnerabilities are typically discovered, a little at a time, by thousands of bad hackers who poke and prod at systems, port-scanning and probing them, sharing the information they gain from their (mostly failed) attempts with each other. A million monkeys with Internet connections may not reproduce any Shakespeare plays -- they need to use old-fashioned typewriters to do that -- but they sure as bleep are going to find vulnerabilities in any host they contact sooner or later simply by sheer weight of numbers, especially if the operating system or software they attack is popular enough that they have many instances of it out there to look and poke at. It doesn't matter whether the operating system and server software under attack is proprietary or Open Source. Sooner or later, with enough monkeys scratching at it, every single chink or opening can be discovered and exploited.

Imagine a custom operating system used by only a few servers, running server software so oddball that cracking lessons learned on mainstream servers don't apply to it at all. Or imagine running a DOS variant or an OS like AIX that has never been widely used for Net-attached servers but is adequate for handing out simple Web pages and receiving responses through online forms and handling email, which are the primary tasks performed on most publicly-accessible servers.

Now imagine your local script kiddie trying to crack a box running an operating system and server software he's never seen before, about which no information is available in the usual online hacker hangouts. Chances are, he's going to move on to an easier target.

This is security through obscurity at its finest. Even if the custom operating system and server software are Open Source, low-level attackers aren't going to bother poring over the code thoroughly enough to find its vulnerabilities, and those few who have the skill level needed almost certainly have better things to do with their time -- like work -- and won't bother.
Really dumb stuff

Never forget, most intrusions and defacements exploit really stupid administrator or user mistakes, like using "password" as the password for remote access or running all kinds of unnecessary services that create security holes so big a whale could dive through them. These lapses have nothing to do with the operating system or software being used. No operating system or application ever written is immune to user stupidity. Some just take more stupidity to botch than others, you might say. But that's enough about that. Let's go back to talking about old operating systems.
Age before beauty

One advantage of mature software is that lots of people have already tried to crack it and lots of patches have been written. A smart sysadmin like Brian, running an ancient version of Solaris, has kept up with security updates over the years and has installed all of them he has found. What some people might sneer at as "obsolete" software, others might call "carefully tested" or "proven." Indeed, Debian Linux users often point to the fact that Debian's stable branch does not include the latest kernel or software as one of its great strengths; Debian lets others explore the latest and greatest -- and fall victim to the latest and greatest exploits -- before all the kinks are worked out to the Debian maintainers' satisfaction.

Note that an awful lot of servers out there are still running on Red Hat 6.1 or 6.2, not Red Hat 7.x, and that it takes a long time for the latest version of Apache to trickle out into the world full-strength. Because these programs have zero licensing cost attached to updates, why would so many sysadmins keep using old versions when new ones no doubt offer more and slicker features? Obviously, those sysadmins have the same outlook as delivery truck fleet managers who refuse to buy a new model during its first year or two in production. They prefer to wait until all the kinks are worked out and all the defects and maintenance tricks have been discovered and applied by early adopters before jumping from the tried and true into something new.

This is sane behavior for a conservative business manager whether she is running a fleet of Web servers or a fleet of trucks -- or even a fleet of Web servers for a trucking company. But it may be even more sane to hold on to the same servers and trucks even when others sneer at them as being old, even if new versions are smoother and easier to administer or drive. Quite simply, once you have worked with a piece of software or a truck for a number of years, you know its quirks inside and out. When it acts up in a subtle way someone not used to it might not even notice, long experience with it can point an observant sysadmin or mechanic straight to a problem, thereby saving downtime and repair costs.

Because "Total Cost of Ownership" is the big management buzz phrase that cuts across all business areas, and anything new requires a learning curve, sometimes it is best to just keep on using the old whatever as long as it does its job reasonably well.

At some point -- hopefully before Microsoft stops supporting it -- Windows NT may be reasonably secure against most common exploits. If nothing else, by that time there will be hundreds of thousands of sysadmins who have learned how to secure it as hard as possible, even if they had to learn some lessons the hard way -- by getting cracked. At the same time, the script kiddies and malicious hackers who ran roughshod over NT servers when they first appeared have aged. Most of them probably have jobs and responsibilities by now, and aren't getting their kicks playing in other people's systems but are busily securing ones they run themselves.

The next generation of bad-kid hackers probably won't mess much with NT -- or pre-X Mac OS or Linux pre-2.5 kernels or Apache pre-2.x or any of the other operating systems and server applications their fathers or older siblings ran "back in the day," while those same fathers and older siblings will have piled up endless experience securing those old, now-obscure programs, making them harder targets than the latest stuff.

You never read about this kind of "security through obscurity," which can just as correctly be called "security through obsolescence." Despite this lack of publicity, it may be as effective a tactic as any other, and it can be implemented without spending a dime.

© Newsforge. All rights reserved.


Sorry, kinda old article.

Edited by LostInSpace2012, 09 August 2014 - 03:29 AM.