
posted by LaminatorX on Thursday December 18 2014, @08:27AM
from the key-without-a-lock dept.

The linked article, posted just over a week ago, gives a good walkthrough of how the Poweliks malware makes itself hard to detect and remove on Windows, along with details of how you can actually get rid of it.

http://www.kahusecurity.com/2014/registry-dumper-find-and-dump-hidden-registry-keys/

The key point is that it uses the old hack of putting non-ASCII characters in the registry key names.

It also comes with a link to download the tools used in the article.
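The story summary above, and pkrasimirov's comment further down about the Registry Dumper handling null characters in registry key names, both concern the same trick: the native NT API stores key names as length-prefixed UTF-16, so a name can contain an embedded NUL (or other non-printable characters), while Win32 callers such as regedit treat the name as a C string and stop at the first NUL, so the key appears empty or cannot be opened. The following is an added example written here, not code from the story or from kahusecurity's tool. It shows defender-side triage logic that takes raw key names as a native-API enumeration would return them and flags the ones a normal installer would never create. The `SAMPLE_ENTRIES` list is constructed for the example; no real registry is read.

```python
"""
Flag registry key names that rely on embedded NUL or non-printable characters
to hide from Win32-based tools. Added example; not kahusecurity's Registry
Dumper. Input: (parent_path, raw_name) pairs as the native API (NtEnumerateKey)
would return them, with embedded U+0000 preserved.
"""
import unicodedata


def win32_view(raw_name: str) -> str:
    """What a NUL-terminated Win32 consumer (RegEnumKeyEx, regedit) sees:
    the name is cut at the first embedded NUL."""
    nul = raw_name.find("\x00")
    return raw_name if nul < 0 else raw_name[:nul]


def suspicious_chars(raw_name: str):
    """Return (index, codepoint, unicode category) for each character that a
    legitimate key name should not contain: control (Cc), format/invisible
    (Cf, e.g. zero-width space), private-use (Co), unassigned (Cn) and any
    separator other than a plain ASCII space."""
    hits = []
    for i, ch in enumerate(raw_name):
        cat = unicodedata.category(ch)
        if cat in ("Cc", "Cf", "Co", "Cn") or (cat.startswith("Z") and ch != " "):
            hits.append((i, f"U+{ord(ch):04X}", cat))
    return hits


def classify(raw_name: str):
    """Return a list of human-readable reasons the name is suspicious
    (empty list means the name looks ordinary)."""
    reasons = []
    if "\x00" in raw_name:
        reasons.append(f"embedded NUL: Win32 APIs see {win32_view(raw_name)!r}")
    for i, cp, cat in suspicious_chars(raw_name):
        if cp != "U+0000":  # the NUL case is already reported above
            reasons.append(f"non-printable {cp} ({cat}) at index {i}")
    if raw_name.strip() == "":
        reasons.append("name is empty or whitespace only")
    return reasons


def scan(entries):
    """Run classify() over (parent, raw_name) pairs; return findings with an
    escaped path (so NULs are visible in logs) and the truncated Win32 view."""
    findings = []
    for parent, raw in entries:
        reasons = classify(raw)
        if reasons:
            findings.append({
                "path": parent + "\\" + raw.encode("unicode_escape").decode("ascii"),
                "win32_view": win32_view(raw),
                "reasons": reasons,
            })
    return findings


# Constructed sample enumeration (hypothetical names, not real IoCs).
RUN_KEY = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run"
SAMPLE_ENTRIES = [
    (RUN_KEY, "UpdaterService"),              # ordinary name
    (RUN_KEY, "\x00a"),                       # NUL-prefixed: invisible to regedit
    (r"HKCU\Software\Classes\CLSID", "{example}\u200b"),  # trailing zero-width space
    (r"HKCU\Software\Example", "   "),        # whitespace-only name
]

if __name__ == "__main__":
    for f in scan(SAMPLE_ENTRIES):
        print(f["path"], "->", f["reasons"])
```

On a live system the raw names would come from a native-API enumerator (which is what the linked tool does); the point of the example is the comparison between the raw name and its Win32 view, since that mismatch is exactly what makes such keys hard to see or delete with the standard tools.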

  • (Score: 2) by aristarchus on Thursday December 18 2014, @08:41AM

    by aristarchus (2645) on Thursday December 18 2014, @08:41AM (#127101) Journal

    So what you are saying, if I get this right, is, that, if you are not foolish enough to be running Windows, or any operating system with some kind of centralized weak point that could possibly be hacked WITH ONLY NON-ASCII CHARACTERS?? Holey, wholy, smoley fanding excremantoria! How could anyone build an OS that could be vulnerable to stuff like this? Point is" not running Windows = safe. Or at least not open to idiotic security holes like this. Hairyfeet, the floor is yours..

    • (Score: 3, Insightful) by PinkyGigglebrain on Thursday December 18 2014, @09:14AM

      by PinkyGigglebrain (4458) on Thursday December 18 2014, @09:14AM (#127105)
      " Point is" not running Windows = safer"

      FTFY.

      Even a Mac, Linux, UNIX or BSD system can be compromised if the user does something stupid, like run a bin with root privileges because the instructions for the "nude celebrity video viewer" said to. So far the non-Windows OSs have not been a priority target for malware writers, though Macs have started to be targets over the last decade.

      Linux/UNIX and BSD also have the advantage that they were written from line one with security in mind, unlike Windows where it was a bolted-on afterthought. But that doesn't mean they are "completely safe" from attacks. It just means the attack vector will be more likely to exploit the ID10T vulnerability that exists between the chair and the keyboard of ALL desktop operating systems.
      --
      "Beware those who would deny you Knowledge, For in their hearts they dream themselves your Master."
      • (Score: 2) by Leebert on Thursday December 18 2014, @12:53PM

        by Leebert (3511) on Thursday December 18 2014, @12:53PM (#127126)

        Linux/UNIX and BSD also have the advantage that they were written from line one with security in mind, unlike Windows where it was a bolted-on afterthought.

        With the possible exception of OpenBSD (which I would still disagree with), this is just patently untrue. The code quality and security capabilities of the various Linux and BSD distributions vary wildly. I *know* you aren't saying with a straight face that OpenSSL, to this day still an integral component of most distributions, was "written from line one with security in mind".

        The fact is that much of the codebase of any modern general-purpose operating system dates back to much earlier times where threat landscape was completely different. Unix-style operating systems, while undoubtedly benefiting from their "day one" roots as multi-user operating systems, still have *plenty* of security bolt-ons themselves. Fine-grained ACLs were "baked in" to Windows NT way back in version 3.51; it's the *only* way to do permissions in Windows. How many people are still using rwxr--r-- style permissions in Unix, in spite of available ACLs in most modern file systems?

        The codebase for pretty much any modern general-purpose operating system dates back to a time where the threat landscape was wildly different. They've all evolved over the decades through hard-learned lessons. Lessons which have resulted in not just "bolt-on" security everywhere, but plenty of "rip-and-replace" security. (Dump Sendmail and use Postfix? Don't mind if I do, thanks!)

        By the way, IME the things malware writers target aren't inherent to Windows. They live in a world of compromised WordPress sites serving exploits targeted at third-party components like Flash and Java. And users can (and do) get compromised even if they're running without admin privileges.

        • (Score: 2) by emg on Thursday December 18 2014, @04:01PM

          by emg (3464) on Thursday December 18 2014, @04:01PM (#127180)

          "Fine-grained ACLs were "baked in" to Windows NT way back in version 3.51; it's the *only* way to do permissions in Windows. How many people are still using rwxr--r-- style permissions in Unix, in spite of available ACLs in most modern file systems?"

          How many people even begin to understand ACLs in Windows?

          They're a useful tool for a minority of people, and a great way to completely hose your system for the majority. 99% of things people want to do can be handled by standard user/group/other permissions, and you can't then end up with files that no-one in the system can modify or delete.

          Hiding files on Unix-based systems is much harder than doing so on Windows, precisely because almost no-one uses ACLs.

          • (Score: 2) by Leebert on Thursday December 18 2014, @05:05PM

            by Leebert (3511) on Thursday December 18 2014, @05:05PM (#127199)

            How many people even begin to understand ACLs in Windows?

            Way to attack the first example that popped into my head and ignore the greater point. :)

            Regardless, I'd wager that far more enterprise environments are using fine-grained ACLs on Windows than on Unix. I know that on a regular basis I add a single-user ACL for access to resources on Windows more than I do on any Unix. Although I'll concede that the use cases are different, generally.

            My main point was: Security is a bolt-on in every modern general operating system. This "Unix is inherently secure; Windows is teh insecure sux0rs" attitude needs to stop. Credit where credit is due: Microsoft has come a LONG way since the Windows 95 days. They've made some choices which probably resulted from internal arguments that were difficult for the security people to win (UAC anyone?), and I for one think it's fair to recognize that. Sure, it was a bolt-on, but so was sudo(8), SELinux, and PAM.

            • (Score: 2) by Arik on Thursday December 18 2014, @10:00PM

              by Arik (4543) on Thursday December 18 2014, @10:00PM (#127287) Journal
              I think your main point is pretty solid even though your examples are much weaker than you would like.

              No OS in wide use today is built with security in mind, that's for sure. *nix systems are multi-user from the beginning, which implies at least a little attention to at least one form of security (separation of user accounts) but that's still a far cry from an OS that is truly designed to be secure. And OBSD, although it's great what they do, is still bolting on security to a degree as well. Yes, they do a lot of security audits and rewrites that are just good form and common sense, and yes it's got fewer holes as a result, but the underlying system design is still the same and security is still, essentially, an afterthought.

              We could write a system that truly was designed for security, but developers and users would all complain it's a PITA and go use something more vulnerable instead I fear.
              --
              If laughter is the best medicine, who are the best doctors?
            • (Score: 2) by frojack on Thursday December 18 2014, @10:37PM

              by frojack (1554) on Thursday December 18 2014, @10:37PM (#127298) Journal

              My main point was: Security is a bolt-on in every modern general operating system.

              To an extent that is true, but only if you require some form of ACLs to meet your definition of security.

              The very earliest 'nix systems had octal OGW permissions because they were designed from the ground up to be multi-user systems. Nobody could afford personal computers in those days. So almost from the very start, there was some form of permission control. And reasonably fine grained at that.

              Quite frankly that has been quite sufficient for a long time, and even though things like X run under root, it is amazing how few actual exploits are running around in the wild for this. (Meaning it's harder to pull off than it first appears.)

              Still your point about ACLs, and their use tending to be concentrated in Windows is valid, if for no other reason than that there was little else available in windows until NT arrived. One could say that "multi-user" was bolted on to windows, at which point security became a big issue.

              --
              No, you are mistaken. I've always had this sig.
              • (Score: 2) by Leebert on Thursday December 18 2014, @10:45PM

                by Leebert (3511) on Thursday December 18 2014, @10:45PM (#127300)

                To an extent that is true, but only if you require some form of ACLs to meet your definition of security.

                Again, I was just using file system ACLs as an example.

    • (Score: 1) by TheB on Thursday December 18 2014, @09:13PM

      by TheB (1538) on Thursday December 18 2014, @09:13PM (#127270)

      Even Linux has had problems with non-ASCII characters.

      In Ubuntu 13.04 Thunar 1.6.2 would not display files with "$%" in the filename.
      Using 'ls' in the terminal would give an error of "No such file or directory"

      Non-ASCII characters have long been a source of bugs/backdoors in software.

      In the old Netware days I've gained root access on secured networks just using ALT+NUMPAD*4 to generate non-ASCII characters.
      There was even a combo that would echo keyboard input to the printer... Lots of fun watching sysadmins trying to figure out why everything they type is spewing out of the printer next to them.

      Windows is not the only OS that isn't safe.

  • (Score: 3, Interesting) by pkrasimirov on Thursday December 18 2014, @09:18AM

    by pkrasimirov (3358) Subscriber Badge on Thursday December 18 2014, @09:18AM (#127108)

    IMO the interesting part is that "Registry Dumper [kahusecurity.com]" the blogger offers. He says it can deal with null values in Windows registry and even search a path for them. Too bad it does not work on my PC -- as soon as I hit [Scan] it pops "ntdll.dll call failed. Status: C0000022".

    • (Score: 3, Informative) by romlok on Thursday December 18 2014, @11:31AM

      by romlok (1241) on Thursday December 18 2014, @11:31AM (#127121)

      I hope you validated checksums[*] and ran at least one malware scan against that random executable you downloaded from some random person's insecure website.

      *: That said, validating the checksums would be mostly worthless anyway, since an attacker intercepting the download could also trivially alter the checksums displayed on an insecure website.

      • (Score: 2) by pkrasimirov on Thursday December 18 2014, @03:52PM

        by pkrasimirov (3358) Subscriber Badge on Thursday December 18 2014, @03:52PM (#127174)

        These days I have much more trust in "some random person's insecure website" (given that this random person is a decent hacker), rather than big ISO-security-compliant certificate-signed corporations with unknown number of employees and agendas.

        On the other hand, if you warn me against MITM attacks, HTTPS would help me only against another (3rd-party) random person that already cracked something in the path between me and the website. No, I'm not using wireless at the moment.
        If the attacker can make a CA company to sign them a new server certificate I would never know because I didn't visit the website before. And they have to fake the webpage content with the checksum as you said. But I'm nowhere near such a high-profile target so I think the risk for me is very low.

  • (Score: -1, Flamebait) by Anonymous Coward on Thursday December 18 2014, @09:47AM

    by Anonymous Coward on Thursday December 18 2014, @09:47AM (#127111)

    1. Install a GNU/Linux system [gnu.org]

    • (Score: 0, Troll) by c0lo on Thursday December 18 2014, @11:24AM

      by c0lo (156) Subscriber Badge on Thursday December 18 2014, @11:24AM (#127120) Journal

      1. Install a GNU/Linux system

      Ok, done. Now, would you be so kind to get us through step 2:

      "2. How to Remove systemd (and every other malware)"

      ??

      --
      https://www.youtube.com/watch?v=aoFiw2jMy-0 https://soylentnews.org/~MichaelDavidCrawford
      • (Score: 2) by Arik on Thursday December 18 2014, @06:21PM

        by Arik (4543) on Thursday December 18 2014, @06:21PM (#127214) Journal
        Don't install it in the first place.

        Use Slackware/libre (no systemd not even an option) or Gentoo (optional, not needed.)
        --
        If laughter is the best medicine, who are the best doctors?
  • (Score: 1) by neleai on Thursday December 18 2014, @03:56PM

    by neleai (4923) on Thursday December 18 2014, @03:56PM (#127177)

    I am surprised that they still use registry tricks instead of just running Windows as a VM and directly reading memory.