2008-12-17:

A malware "stealing" AppInit_DLLs entrypoint

re:malware:windows:security:easy
I've caught in my hands some malware, that had a very interesting idea about using one of Windows's entrypoint for making sure it would be run after a reboot.

One may know, that Windows has a lot of potential system entrypoints. Let's review some of them:
- placing a shortcut / executable in %USERPROFILE%\Menu Start\Autorun, or, in case of Vista, %USERPROFILE%\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ or C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup (run after a specific or any user logs in)
- entering a path to an executable file to HKCU or HKLM \SOFTWARE\Microsoft\Windows\CurrentVersion\Run(Once) or HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run (Vista x86-64) (run after a specific or any user logs in)
- entering a path to an executable file to HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SOME.EXE\Debugger (run instead of SOME.EXE)
- entering a path to a DLL file to HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (loaded by everything that uses user32.dll)
- placing a DLL named the same as some non-system DLL that is normally placed in the system directory (for example ws2_32.dll) to some application directory (np. mIRC) (loaded when an application would be executed)
- entering a path to an executable file to HKLM or HKCU \Software\Microsoft\Command Processor\AutoRun (run when executing cmd.exe console)
- etc...

Malware normally use one of these entry points, and AV software of course keep an eye on these places. But the sample I'm talking about just wouldn't use the AppInit_DLLs as any "proper" malware would do. No. Instead, it began with patching the name of the AppInit_DLLs value in the %SYSTEMROOT%\system32\user32.dll file to xxxInit_DLLs (where xxx there would be 3 random letters). After the patch, it would create a registry string value named xxxInit_DLLs in the same place as the normal AppInit_DLLs would be, with the value being set to target the malware's DLL file.

I must say, it is a very interesting idea. Many applications (including winlogon) use user32.dll, and therefor, will load the malware DLL. But the AV software will scan the old not-used-anymore AppInit_DLLs, and won't even think about checking the user32.dll if the name had changed. Someone had a good idea.

Of course, the problem is still the "noise" that patching a system DLL maked - it's (or at least it should be) easy to detect by AV software. But thats good news I guess ;>

And that is all for today ;> See you next time.

Comments:

2008-12-18 06:01:33 = vmalvarez
{
interesting ;-)
}
2008-12-19 00:15:58 = Gynvael Coldwind
{
Yep ;>
}
2008-12-19 14:42:14 = alrc
{
indeed, interesting ;o)
}
2008-12-20 09:24:45 = Gynvael Coldwind
{
Yep, interesting ;> :D
}
2010-08-20 20:57:25 = frogg
{
wow, that's interesting! me likey!
}

Add a comment:

Nick:
URL (optional):
Math captcha: 2 ∗ 1 + 8 =