Techniques for Malware Persistence. Part 3.

Jake Williams: So, service failover is the next technique we’re going to talk about. Service failovers are all kinds of cool. We can take an existing service, a legitimate service; I think every forensics professional here knows you’ve got to go through the services – we’re not interested in that. We’re looking at using an actual service failover. So we’re going to piggyback on an existing service, maybe even something cool like antivirus – that’s a big one that you always want to attack. I always liked to attack an antivirus.

So we can set the services’ recovery actions, basically the actions that happen when services fail. Now what we have to do is guarantee that the service is going to fail. We can do something creative like make the service dependent on our primary malware. And then when our primary malware is removed by the incident responder, the service fails and it kicks off our secondary malware – and we’re right back on the box. Well, that’s an immediate thing and that may get me caught by a really good incident responder. I mean, I don’t want that to happen. But what I can do is forget about the whole dependency thing, and maybe I want to set it just so when a service fails – and now I have to depend on the service failing – let’s see… How many of you guys have done pentests this year? MS12-020 – anybody find any boxes still vulnerable to MS12-020? I can’t go anywhere and not find boxes still vulnerable to MS12-020.

Technical Details

So that’s the RDP service: I send the packet, cause the RDP service to fail – malware back in business, we’re back on the box.

Mark Baggett: Everybody knows to check the services, but when you’re checking, look at the recovery options to see whether or not there are executables set to fire in there.

Jake Williams: Yeah, and let’s not forget from a recovery options standpoint – this is another place it’s right. We have a custom startup or startup recovery – doesn’t matter, Microsoft has already configured a number of these for you; and it’s interesting, they say “Hey, go run this command.” This command happens to not already be on the box; it’s like Microsoft woke up one day and said “Hey, we’re going to set up a bunch of service failover providers, and here’s a nice box that you can just put malware in. We haven’t put anything there, you don’t have to replace anything, you don’t have to worry about system file checking – just go stick something here and execute any time a service fails.” They’re pretty custom and configured for you.

Mark Baggett: To be clear, there are at least 2 services that are defined on Windows boxes that, if that service fails, will launch a script on your host. And today that script doesn’t exist, but it’s already configured to launch. You put that script there, and when that service fails it’s going to launch that script for you.

Technique 23 - Winlogon events

Jake Williams: So, the next technique we’re going to talk about is Winlogon events. I think this one is really awesome because, again, from a counter-forensics standpoint, it kind of screws up my methodology. I love this whole memory capture thing, and this really screws it up. And so, Microsoft decided to enable executing some code on some Winlogon events, something like logon or logoff, or maybe even a shutdown event. And we really like the shutdown event because that allows us to run code as the machine is shutting down. And as the machine is shutting down, guess who can’t run forensics tools? Right, absolutely. So, we like that. And so, unfortunately, this causes our code to get loaded up on boot. So, when we use this technique Winlogon is going to load some code as soon as the machine boots.

What we’ve done here is we’ve taken the loading of only a bootstrap process, or bootstrap.dll. All that does, essentially, is load our malicious dll that checks for persistence during shutdowns. So now somebody takes the memory captures during normal operations – good to go, there’s nothing to see here, just a library load; that happens thousands of times, it’s all over memory. Again, what’s really cool about this is that it’s only firing on machine shutdown, there are no forensic tools that can be run, memory forensics is going to miss the real payload.

Technique 8 - Bitsadmin

Mark Baggett: Alright, this last technique is the use of Bitsadmin. You probably know about Bitsadmin. BITS is used by Windows Update to download your updates for Microsoft installers. Bitsadmin is an admin utility that allows you to manage those downloads. You can use Bitsadmin as the command line ‘wget’ on Windows to download executables. You can also specify options on Bitsadmin to tell it to retry, if it fails to download, every, say, 24 hours; and when it does successfully download, execute the program.

So I go into Bitsadmin, I just schedule it to download malware from a pre-defined URL, where there is no malware today, retry it every 24 hours, and when it does successfully download it – execute the code. So, go away, you clean up the hard drive by formatting it. No – you just install the antivirus software. Does your antivirus software check your Bitsadmin queue?

Jake Williams: Do YOU check your Bitsadmin queue? Not today… Maybe tomorrow.

Mark Baggett: So, at the scheduled job your Bitsadmin fires, it launches, downloads this system. We have a demo here.

Detection - The Script

Jake Williams: We originally said “Hey, we’re going to produce the script,” so we’re going to set up the script, it’s going to detect all this stuff. And as we were working through we realized that on average this produces somewhere around 10MB of textual output to check for all this stuff. We said “Hey, we would like to go through and figure out what it looks like so we could start whitelisting,” and then we realized that was a bad plan. We don’t ever want to say “Your stuff is good,” when indeed it is not good. We’d rather just do data collection and then let you analyze – you have to know what good looks like. Good is going to vary depending on, you know, system to system.

So, the good news is that despite the fact that we can’t do the analysis for you, we can do the remediation for you.

Mark Baggett: We do have an awesome remediation technique. So, here is the script that will detect when any of these methods that we use are in use, and remediate them.

Jake Williams: Okay, ready? So, we run malware check.

Mark Baggett: Found one! I have program.exe on my machine. “Would you like to remediate this now?”

Jake Williams: So, again, all laughing aside, we contend that we’re not that smart. We came up with these 8; we’ve seen a lot of these already used; and we think there are a lot more out there. So, all joking aside, that ‘format C drive’ – that is the remediation. I don’t think, as a forensics professional, that I’m smart enough. Obviously I’m checking for these things now, but I don’t think that I’m smart enough to beat every attacker out there. I’m going to continue to recommend to clients: “Once you’re owned, reinstall the system from scratch.”

Mark Baggett: I hope we stirred the pot. As you come up with other ideas based upon event logs and things like that, send them our way – we’ll give you full credit on these and make sure that they get posted as we collect up these ideas, with full credit, on There’s our Twitter, if you’re interested.

Follow us on twitter
◦ @MarkBaggett
◦ @MalwareJake
Get the slides:
More Techniques?
◦ Submit them to

Jake Williams: We really appreciate your time and we’re definitely interested to hear better ideas or potentially different ideas for malware persistence. Thanks guys!
