Pages

Tuesday, March 22, 2005

Latest goings on

Have you been keeping abreast of the happenings in the world of Windows incident response? My first thought is that it shouldn't be hard, because its likely a pretty small world. But the fact remains that its also a scattered world. Part of the problem seems to be that with regards to blogs, many of the entries I'm coming across are simply links or trackbacks, with no opinion, commentary, or analysis. This has the effect of making the community look a bit larger than it really is...

Anyway, on with the show!

Dana Epp had a really interesting post recently about how to use the Image File Execution Options Registry key to launch one file instead of another. In his example, he shows how to have the command prompt run instead of Notepad, whenever someone tries to launch Notepad. Interesting, but Dana also points out that Administrator privileges are required. On my XP Pro system (the only one I have to look at right now), the permissions on the Image File Execution Options key (under HKLM\Software\Microsoft\CurrentVersion\Windows NT\) give users read access, and only Administrators and System have full access to the key. So the usefulness of this attack vector may be somewhat limited...in order for it to work, the attacker has to have Administrator level access to the system. Once he or she does, are they going to go messing with this sort of vector, or are they going to go with something else? This vector does have potential, though, as it is less well known than, say, the ubiquitous "Run" key. Oops, did I say "potential"? Wow...Trend Micro calls this on "Worms_Jean.A", and Symantec calls it "W32.Zellome".

Interestingly enough, a quick search on MSDN reveals quite a bit about this key. Microsoft provides a great deal of documentation regarding how to debug services (go here, here, or here).

This topic was also mentioned before on greggm's blog, but Junfeng Zhang's blog entry provides more detailed information. A quick glance through these and other information about the key seems to indicate that Dana was one of the first to point out a potential malicious use for this key. Also, if you use the Process Explorer tool from SysInternals, you can choose "Replace Task Manager" from the Options menu item, and the procexp.exe image will be entered into the Debugger key for taskmgr.exe. To see this, open RegEdit and navigate to the Image File Execution Options key. Leave this open, and make the menu choice in Process Explorer, then go back to RegEdit and hit F5 to refresh the view. Then go back to the shell and launch Task Manager via your favorite means.

Note the "Discovery Date" on the Symantec write-up, and then compare that to the MSDN and blog entries...

This isn't the first time this has happened, nor will it be the last. Combine the tools provided by MS for Administrators and developers to have access to more detailed information on the system with weak security by those same individuals (i.e., weak passwords, lack of auditing/monitoring, etc.), and you've got a recipe for disaster...or a really cool hack, anyway.

I have to say, though, that this one ranks right up there with some other ones (WRT Registry keys) I've seen. For example, there's HKLMHKCU\Software\Microsoft\Command Processor\Autorun. This key also requires Administrator privileges for full access, but it definitely looks like a good place to autostart something...like a batch file or even malware. Yet another interesting place for malware to hide is the HKLM\Software\Microsoft\Windows NT\CurrentVersion\WinLogon\TaskMan key, which is included in the list of keys checked by AutoRuns 7.0.

Speaking of tools for Administrators, I dropped by the SysInternals site this morning and found some updates to tools on the site. First, RootkitRevealer is now in version 1.30...the update is in response to attackers setting up the HackerDefender configuration file to look for RootkitRevealer. This version of the tool allows the process to run with a randomly chosen name. Also, SigCheck has been updated, and a version of WhoIs has been released.

No comments:

Post a Comment