In memory fileless malware detection ..... any antimalware software?

Discussion in 'malware problems & news' started by aigle, Sep 10, 2015.

  1. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    Yes, sandboxing or shadowing, reboot restore etc all will protect against this.
     
  2. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    A Reboot-to-Restore program like Deep Freeze will protect C:\ which includes the Registry.

    If Poweliks injects into (alters) a file in %System32%, that file will return to its normal state on reboot. There is no way it can serve as a "Watchdog."

    Edit: I just saw aigle's post, and he mentions Shadowing, which I forgot about.

    Edit #2: All of the above is based on my own current knowledge of these programs. There is always a possibility (unknown to me) that they can be bypassed.

    ----
    rich
     
  3. Techwiz

    Techwiz Registered Member

    Joined:
    Jan 5, 2012
    Posts:
    541
    Location:
    United States
    Thanks itman for sharing,

    Certainly, I would consider restricting downloads and execution within protected user spaces as a necessary mitigation against a lot of common attack vectors.
    Remember that my experience comes from working with small businesses that implement little security beyond the built-in Windows Firewall, Windows Defender, and Security Essentials. Many trust the installation and setup to their service provider, and an even smaller number of them actually take steps themselves to harden the systems, such as blacklisting malware domains. The problem is that these types of clients regurgitate advice or inquire about something they read online, but it's evident they don't understand the problem. I count myself in this boat on topics that I have not yet researched or know too little about to make solid recommendations. But I trust the experience of folks here at Wilders, so thanks again for your feedback.
     
  4. boredog

    boredog Registered Member

    Joined:
    Feb 1, 2015
    Posts:
    2,499
    "this one doesn’t seem to take advantage of exploits or UAC bypass techniques but its effectiveness remains equally high and the detection rate is extremely low."
    For some reason you seem to be ignoring me. Doesn't that sentence mean anything to you?

    Bravo for Rmus
    "The point is that a true Reboot-to-Restore program, such as Returnil or Deep Freeze, will not permit anything written to the Registry to survive a reboot when in locked down or frozen mode."

    That is why I use Returnil's new program, Quietzone :)

    You think I am a newbie here, but I HAVE been around a very long time; my new identity only has a few hundred posts. I am not Spy1, but I have known him a very long time, and BTW, where has he gone? Just ask CLoneRanger.
     
  5. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,593
    Location:
    U.S.A.
    Took a look at "Deep Freeze." It's taking a system backup in essence and restoring from that. So of course, it will get rid of the malware. I thought you were just referencing some registry restore software only.
     
  6. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Hi Itman

    Yes, all browsing is done sandboxed in SBIE. Additionally, if high risk, I use a VMware Virtual Machine.

    The beauty of Appguard is you don't need rules for everything like with the older HIPS. If I guard a browser with Appguard, then anything the browser runs is guarded. And guarded apps simply cannot write to the System or Program files.
     
  7. Mr.X

    Mr.X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    4,805
    Location:
    .
    What do you think about Shadow Defender?
     
  8. Infected

    Infected Registered Member

    Joined:
    Feb 9, 2015
    Posts:
    1,137
    Should be no difference between SD and Deepfreeze.
     
  9. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    OK, just to be clear for myself, I contacted Faronics Technical Support Manager about Poweliks, and confirmed that the malware is a no-go if the infection occurred while the system was in frozen mode.

    The "Watchdog" dll is loaded from the encrypted Registry sub-Key, as member itman has quoted from the Symantec paper.

    The paper also explains how this sub-key protects itself:
    • The protection mechanism used here prevents the subkey from being opened. This in turn prevents the subkey from being deleted. This is achieved when Poweliks creates a registry subkey in Unicode with an ObjectName of 0608 that prevents users, even those with administrator privileges, from reading or deleting it.
    None of this is of any value, since once the system is rebooted, Deep Freeze restores the Registry to its previous state.

    I confess to not having paid much attention to Poweliks since its emergence on the scene last year, because it used the same old tried and true triggering mechanisms, such as:
    • Typically, spam email messages disguised as an open letter from a reputable institution are used to deceive recipients.
    • Malicious links from social media sites and instant messaging program
    • Illegally distributed software and media materials
    • Boobytrapped MSWord documents
    • Later came browser plugin exploits
    So, with due diligence at the gate, it seemed like an exploit easy to thwart.

    In looking a little more closely, I see that Powershell.exe is used by the exploit, and if the system does not have it installed (mine does not) the Poweliks dropper will download/install it (not possible on my system w/o my permission).

    Now, all of this is a bit off-topic from aigle's concern with detection, but since the (scary) notion of a "watchdog" dll came up, I had to investigate for myself.

    ----
    rich
     
  10. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Hi Rich

    I assume you are still just protecting your system with AE v2, correct?

    Pete
     
  11. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    14,883
    Location:
    Slovenia, EU
    Thank you for the detailed explanation. It still doesn't explain how it gains rights to write those registry keys. As I see it there are three options:
    - malware has admin rights (user confirming UAC prompt)
    - it is using some privilege elevation exploit
    - it is using a UAC bypass
     
  12. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    Hi Pete,

    Yes, old faithful.

    I just set up an i-frame exploit with the URL to a download site for Powershell, to simulate an unauthorized attempt to download that file to my system, as Poweliks would attempt to do:

    (screenshot: powershell-dl_2.jpg)

    ----
    rich
     
  13. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    That makes me feel good. Using ERP, I set up Powershell as an advanced process, which means it alerts every time it tries to run even though it's whitelisted. Combined with Appguard and SBIE, I feel comfortable.
     
  14. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,593
    Location:
    U.S.A.
    Also Poweliks can be delivered via e-mail:

    Poweliks has reportedly been delivered through social engineering...by opening malicious spam emails that claim to be a missed package delivery from the Canadian Post or U.S. Postal Service (USPS) purportedly carrying tracking information and exploit kits.

    Crypto malware is also typically spread through social engineering and user interaction...i.e. opening suspicious emails and opening infected Word docs with embedded macro viruses and sometimes via exploit kits. It can be disguised in email attachments which appear to be legitimate correspondence from reputable companies such as banks and Internet providers or UPS or FedEx with tracking numbers. Attackers will use email addresses and subjects (i.e. example) that will entice a user to read the email and open the attachment.

    US-CERT advises there have been reports that some victims encounter the malware after clicking on a malicious link within an email or following a previous infection from botnets such as Zbot/Z-bot (Zeus) which downloads and executes the ransomware as a secondary payload from infected websites. Other types or crypto malware have been reported to spread on YouTube ads, via browser exploit kits and drive-by downloads when visiting compromised web sites.

    As well as opening a backdoor, Poweliks is known to download other malware onto the infected machine. I've often seen Zbot, Tracur and ZeroAccess downloaded onto systems infected with Poweliks.

    In addition to downloading more malicious files, Poweliks has the capability to steal system information which may be used by cybercriminals to launch other attacks.

    ref.: http://www.bleepingcomputer.com/forums/t/555142/does-powelik-downloadinstall-cryptowall/
     
  15. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
    It's very simple: if in-memory malware is delivered via exploits, then you need specialized anti-exploit tools; HIPS can only block payloads that run from disk. If malware is executed by the user, then it depends on the HIPS. From what I've read, Poweliks uses the "process hollow" injection technique; this would be blocked by, for example, HMPA. So I agree with itman, a good HIPS should be able to block this kinda stuff.
     
  16. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
    I don't see the problem, code injection into all of these system processes is suspicious and should be blocked. I don't see how it would break the system.
     
  17. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,593
    Location:
    U.S.A.
    Yes.

    Poweliks has also used a now-patched remote privilege escalation vulnerability in Windows (CVE-2015-0016) to gain a foothold on targeted systems and ensnare more computers into a click-fraud botnet.

    Symantec also noted that Poweliks and Bedep malware “share a number of similarities,” such as using the Windows zero-day exploit to infect users, and Bedep even being used, in some instances, to install Poweliks.
    ref.: http://www.scmagazine.com/poweliks-uses-novel-techniques-researchers-explain-in-whitepaper/article/419621/

    Will also add that Eset is one of the few AVs that have botnet protection.
     
  18. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,593
    Location:
    U.S.A.
    Regarding hollow process memory injection. An Eset HIPS rule against process modification might not catch this:

    While the host process is suspended, the malware first unmaps (or hollows out) the legitimate code from memory in the host process. The ZwUnmapViewOfSection or NtUnmapViewOfSection WIN32 API function may be used to unmap the original code:
    But it will catch this:

    The malware then allocates memory for the new code using VirtualAllocEx. It must ensure the code is marked as writeable and executable using the flProtect parameter.
    ref: https://www.trustwave.com/Resources/SpiderLabs-Blog/Analyzing-Malware-Hollow-Processes/

    -EDIT- And yes, as noted above Poweliks does do "zombie-fication."
    Last edited: Sep 23, 2015
  19. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,593
    Location:
    U.S.A.
    If you read the referenced articles and all the postings in this thread, Poweliks can have an exploit component. UAC is N/A since it uses Powershell and has used past vulnerabilities to escalate privileges, etc.

    Symantec rates its incidence level at low. I did an ad hoc survey last night at the following malware help web sites for number of postings since last fall:

    Bleepingcomputer - 33
    Malwaretips - 71
    Avast - 30

    The correlation of these incidents to total number of actual Poweliks infections I have no clue.

    There are a number of cleaners for the known versions of Poweliks, so getting rid of it isn't a major issue. There are also signatures available for the known versions, so AV malware scanning should detect and possibly clean it from your PC. The same cannot be said for any other malware baggage that might hitch a ride on it.

    Based on the articles on Poweliks in the last 3 months or so, it appears it is morphing into something a lot more potent. As such, I expect to see many more new variants of it.
     
  20. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,593
    Location:
    U.S.A.
    For those who want to get really serious about preventing memory injection, consider a corp. endpoint solution. Those have HIPS's that are extremely flexible and powerful.

    For example using McAfee's solution, you can actually specify and monitor API calls:

    OpenProcess is often used when performing code injection, the catch is that it's also used by legitimate programs. You can try detecting code injection of explorer.exe for example by using the open_with_ directive, this Intel post has a good explanation but be wary of the false positives: https://software.intel.com/en-us/articles/intercepting-system-api-calls.

    Taken from the link above the directive permissions you'll want are:

    PROCESS_VM_OPERATION // For VirtualAllocEx/VirtualFreeEx
    PROCESS_VM_WRITE // For WriteProcessMemory
    PROCESS_CREATE_THREAD // For CreateRemoteThread

    ref.: http://pwndizzle.blogspot.com/2014/03/custom-mcafee-hips-rules-that-actually.html
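    As an added illustration of the rule described in this post and in post 18 (not code from the linked articles or from any HIPS product): the function below reads constructed Sysmon-style ProcessAccess lines and alerts only when the granted-access mask contains all three rights named above (PROCESS_VM_OPERATION for VirtualAllocEx, PROCESS_VM_WRITE for WriteProcessMemory, PROCESS_CREATE_THREAD for CreateRemoteThread); the allowlist is a hypothetical way to keep the false positives the post warns about out of the alert stream.

```python
"""Flag process-access events whose granted-access mask includes all three
rights used for remote code injection.  Event lines and the allowlist are
constructed; the mask values are the documented Win32 PROCESS_* constants."""

PROCESS_CREATE_THREAD = 0x0002  # CreateRemoteThread
PROCESS_VM_OPERATION = 0x0008   # VirtualAllocEx / VirtualFreeEx
PROCESS_VM_WRITE = 0x0020       # WriteProcessMemory
INJECTION_RIGHTS = PROCESS_CREATE_THREAD | PROCESS_VM_OPERATION | PROCESS_VM_WRITE
RIGHT_NAMES = {
    PROCESS_CREATE_THREAD: "PROCESS_CREATE_THREAD",
    PROCESS_VM_OPERATION: "PROCESS_VM_OPERATION",
    PROCESS_VM_WRITE: "PROCESS_VM_WRITE",
}

# Hypothetical allowlist: sources that legitimately open processes with these rights.
ALLOWED_SOURCES = {r"c:\windows\system32\csrss.exe"}

# Constructed Sysmon-style Event ID 10 (ProcessAccess) lines.
SAMPLE_EVENTS = """\
SourceImage=C:\\Windows\\System32\\csrss.exe|TargetImage=C:\\Windows\\explorer.exe|GrantedAccess=0x1FFFFF
SourceImage=C:\\Windows\\System32\\regsvr32.exe|TargetImage=C:\\Windows\\explorer.exe|GrantedAccess=0x143A
SourceImage=C:\\Windows\\System32\\taskmgr.exe|TargetImage=C:\\Windows\\explorer.exe|GrantedAccess=0x1000
SourceImage=C:\\Windows\\System32\\mshta.exe|TargetImage=C:\\Windows\\System32\\regsvr32.exe|GrantedAccess=0x2A
"""


def parse_event(line):
    """Split a key=value|key=value record into a dict; GrantedAccess becomes an int."""
    fields = dict(part.split("=", 1) for part in line.strip().split("|"))
    fields["GrantedAccess"] = int(fields["GrantedAccess"], 16)
    return fields


def has_injection_rights(mask):
    """True only when every one of the three injection rights is present."""
    return (mask & INJECTION_RIGHTS) == INJECTION_RIGHTS


def describe_rights(mask):
    """Name the injection-relevant rights present in the mask, for the alert text."""
    return [name for bit, name in RIGHT_NAMES.items() if mask & bit]


def flag_injection_events(text):
    """Return (source, target, rights) for events that warrant an alert."""
    flagged = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ev = parse_event(line)
        if ev["SourceImage"].lower() in ALLOWED_SOURCES:
            continue  # known-good opener; full access from csrss.exe is normal
        if has_injection_rights(ev["GrantedAccess"]):
            flagged.append((ev["SourceImage"], ev["TargetImage"],
                            describe_rights(ev["GrantedAccess"])))
    return flagged
```

Note that PROCESS_VM_READ (0x0010) or a query-only mask such as 0x1000 never trips the rule, which is what keeps ordinary tools like Task Manager quiet.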
     
  21. boredog

    boredog Registered Member

    Joined:
    Feb 1, 2015
    Posts:
    2,499
    Sorry itman, I was talking about Kovter.C, which ripped off Poweliks' loader. So you have a new fileless malware that does not use exploits or UAC bypass techniques. Yes, this thread is about Poweliks, but when you have another malware that steals Poweliks' code and remains at low detection, I just thought it worth mentioning.
    I asked the Mods if I could post the total link to the article and they rejected the idea and so I can't go any further.
     
  22. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,593
    Location:
    U.S.A.
    I found the link. Does the payload still download to an AppData subdirectory? I have already blocked any program startup in those directories using an Eset HIPS rule. Also another case of a .zip e-mail attachment.

    Has a lot of Poweliks characteristics. But in this case, it is using Powershell to write directly to the registry. Like Poweliks, the whole thing starts off by running wscript.exe to execute a javascript.
     
  23. boredog

    boredog Registered Member

    Joined:
    Feb 1, 2015
    Posts:
    2,499
    Yes, you are correct, wscript, and it is an email attachment, not a drive-by. I am posting the basic summary for those that have not seen the article.
    emails received took three different forms:
    • Airfare ticket receipts
    • EZ-Pass invoices
    • Notice to appear in court

    The main target being the USA.

    It doesn't call powershell until its second stage.

    After starting up the malware unpacks and checks for the presence of a VirtualBox VM, a behavior we didn’t notice previously in the same campaign. The second stage creates two random registry keys and then it spawns an instance of powershell through mshta.exe that, in turn, is used to spawn an injected instance of regsvr32.exe. These are the registry keys:

    The commandline of mshta.exe contains a small javascript

    its function is to read the newly created registry key and then run its content, which turns out to be another javascript,

    The script is pushed inside an environment variable that is then passed directly to powershell.

    This is the situation on the operating system after the impersonation has been completed.

    https://reaqta.com/wp-content/uploads/2015/09/poweliks_spawn_tree.png
    Poweliks doesn’t come without a fallback mechanism, should things go wrong, in fact if the process just described fails for some reason, the main process tries to spawn directly an instance of regsvr32.exe for a last resort attempt at injecting it.

    https://reaqta.com/wp-content/uploads/2015/09/poweliks_fallback_injection.png
    poweliks fallback injection
    After Powershell terminates, we are left with one instance of regsvr32.exe running whose job is to spawn a second instance of itself, duly injected, that is used for several things: first of all the malware becomes persistent with a simple key installed in HKCU/Software/Microsoft/Windows/CurrentVersion/Run but it uses a simple parsing trick to make its persistence keys not readable directly from regedit.exe:
    At this point browser injection begins and the unfortunate user will be presented with new ads and fake alerts. Poweliks maintains its downloading capabilities, so in theory any number of other threats can be downloaded once the computer is infected. So far we’ve monitored the access to one single C&C server: h**p://xxx.xxx.xxx.xxx. Even though a long list of IPs is embedded into the binary, we didn’t investigate further but they might be rogue AD servers.
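    The spawn tree quoted above (wscript.exe spawning mshta.exe, which spawns powershell.exe, which spawns an injected regsvr32.exe that spawns a second regsvr32.exe, plus the fallback where the main process spawns regsvr32.exe directly) is the kind of parent/child chain a process-creation log makes visible. The following is an added example, not code from the article or this post: it rebuilds a process tree from constructed process-creation records and flags every regsvr32.exe whose ancestry passes through a script host, which covers both the mshta/powershell chain and the direct fallback.

```python
"""Rebuild a process tree from constructed process-creation records and flag
regsvr32.exe instances whose ancestry passes through a script host."""
from collections import namedtuple

Proc = namedtuple("Proc", "pid ppid image")

# Script hosts that have no business spawning regsvr32.exe on a workstation.
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe", "powershell.exe"}

# Constructed Sysmon-style Event ID 1 records (pid, parent pid, image).
SAMPLE_PROCS = [
    Proc(400, 1, r"C:\Windows\explorer.exe"),
    Proc(1200, 400, r"C:\Windows\System32\wscript.exe"),   # opened e-mail attachment
    Proc(1300, 1200, r"C:\Windows\System32\mshta.exe"),
    Proc(1400, 1300, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"),
    Proc(1500, 1400, r"C:\Windows\System32\regsvr32.exe"),
    Proc(1600, 1500, r"C:\Windows\System32\regsvr32.exe"),  # injected second instance
    Proc(2000, 400, r"C:\Windows\System32\regsvr32.exe"),   # benign: launched by the user
    Proc(2100, 1200, r"C:\Windows\System32\regsvr32.exe"),  # fallback: spawned by main process
]


def basename(path):
    """Lower-cased file name of an image path, so paths compare by executable."""
    return path.rsplit("\\", 1)[-1].lower()


def ancestry(procs, pid):
    """Image basenames from pid up to the root, following ppid; guards against cycles."""
    by_pid = {p.pid: p for p in procs}
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        chain.append(basename(by_pid[pid].image))
        pid = by_pid[pid].ppid
    return chain


def flag_script_spawned_regsvr32(procs):
    """Return (pid, chain) for each regsvr32.exe with a script host among its ancestors."""
    flagged = []
    for p in procs:
        if basename(p.image) != "regsvr32.exe":
            continue
        chain = ancestry(procs, p.pid)
        if any(img in SCRIPT_HOSTS for img in chain[1:]):
            flagged.append((p.pid, " <- ".join(chain)))
    return flagged
```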
     
  24. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
  25. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    These are just not that big a deal. I get a lot of them and play with them. First requirement to be taken in is you have to be stupid. But that being said to test them against my security setup, I first have to disable EIS. It shuts them all down. End of story.

    Pete
     