Rootkit-Based Adware Wreaks Havoc Among Windows 10 Users in the US

Rootkit-Based Adware Wreaks Havoc Among Windows 10 Users in the US
June 18, 2018
https://www.bleepingcomputer.com/ne...reaks-havoc-among-windows-10-users-in-the-us/

 

Another example of "free" security software costing you dearly.

 

Get Your Apps for Nothing, Your Malware for Free

https://www.infosecurity-magazine.com/news/get-your-apps-for-nothing-your/

 

Indeed. Exactly. Ugh

 

Does anyone understand how this malware survives Windows reinstallation?

 

Quickly searched the Bitdefender whitepaper: it does not survive installations, just reboots.

 

Thanks

 

The most interesting part is that it's using a signed driver, which allows it to run on Win 10. I wonder if anti-loggers/HIPS would still be able to block most of the stuff it performs, as long if it's done from user-mode it should be able to.

 

Well, not exactly. The cert. is expired and revoked; appears revoking was done after the hack was discovered. Per the Bitdefender whitepaper .pdf on the malware:

So it is a bit of a mystery to me how Win 10 allowed the driver to be installed. Implied is Win 10 is not performing basic cert. validity checks for kernel driver installation which I guess someone needs to check out. These validations excluding Secure Boot considerations are that all kernel mode drivers are validity signed by a MS authorized driver cert. issuing CA of which less than a handful exist. Again, an expired driver certificate is not a valid certificate; or is it?

https://docs.microsoft.com/en-us/wi...t-a-code-signing-certificate#code-signing-faq

What is odd about the above is no mention is made to expired driver certs. issued prior to July 29, 2015?

In any case it appears as long as expired driver certs. issued prior to July 29, 2015 are properly time stamped, they are valid.

 

You should read the whitepaper more thoroughly.

It has multiple persistence methods; the most obvious being the rootkit kernel mode driver it installs.

The malware appears to specifically target Windows Defender, disabling it to install itself and then reenabling it afterwards to hide its presence. It also targets many of the other major AV vendor solutions.

Overall, it is one nasty bugger.

 

Could someone who understands the paper explain how it survives a Windows reinstall?

 

Sorry, thought you meant a reboot.

Whether it would survive a reinstall, who knows. I don't believe the Bitdefender analysis touched that subject. Malware that does like activities create a hidden partition on the drive or like activities. Doing a disk wipe from bootable media is always recommended after a serious malware infection prior to OS reinstallation.

A UEFI based rootkit can persist after a OS reinstallation. Example of one is here: https://www.pcworld.com/article/294...es-uefi-rootkit-to-survive-os-reinstalls.html . This malware's rootkit is not UEFI based. What makes this malware's rootkit unique is it is 64 bit; almost unheard of these days.

 

Another important point from the Bitdefender .pdf:

Many of these products employ Win 10's ELAM driver. The AV's ELAM driver is one of the first app drivers to load. The problem is the rootkit is a device driver, namely a Disk Filtering driver. All device drivers load prior any app drivers including the AV ELAM driver. So what we also have here is a Win 10 ELAM driver bypass.

 

Sounds like the kind of thing Driver Radar Pro was made to protect you from.

 

Also Win 10 Secure Boot would protect you since the malware rootkit driver was obviously not signed with a Microsoft driver code signed cert..

 

Shmu- this has really been poorly worded in the lay press. The failure would be more of a repair of an infected system using a Windows disk (that would not work) rather than actually starting over with a formatted hard drive (or SSD) and re-installing Windows (Also a Windows based anti-malware recovery thingy would also no doubt fail). Of course a re-image of your system (which everyone here has, correct?) will also put you back to square one with a pristine system.

I'm fairly convinced that the confusion arose because some initial Chump misread the original BD paper- then as usual everyone else from other websites copied the same drivel (with slight rephrasing) because God Forbid they actually have to think for themselves.

Oh, and by the way- an Outbound Alerting Firewall (and No, Windows Firewall is not and never has been Enough) would have either alerted to or just outright stopped the outbound connection to BlackHat Central and would keep Zacinlo from getting started in the first place. But no one ever listens...

 

That's funny...I listen.

 

Yes and no.

It is common behavior for an app to perform additional updating after installation.

The best way to prevent like infection is not to install software with a low-rep from a likewise low-rep source. Again this is a classic example of something free costing you dearly in the long run.

Also a larger a more pressing question is why did most of the major AV's, it appears, did not detect the s5Mark app as a PUA? It appears it has been in existence for some time as noted by this 2016 removal guide for it: http://guides.uufix.com/how-to-remove-s5markcpx-exe-from-your-pc-completely/ .

The Bitdefender article is silent in this regard and this point needs further examination.

Per a PC Mag article:

https://www.pcmag.com/news/361955/watch-out-for-adware-posing-as-vpn-apps

In any case, this malware is a classic example why one should never blindly ignore a PUA/PUP alert from your security solution.

 

It is actually Yes and Yes (and yes). Although your point about CCleaner is well taken, but WF also would not in any way have blocked this as the user is assuming all is well. But that is a specific case- Symbolic Logic points out the flaw of this "WF would be enough" argument:

1). 3rd Party Firewalls will allow some things
2). WF will allow all things
3). Therefore use WF

Most malware are neither signed nor masquerade as legit software. For these, trojan downloaders must download, and info stealers (bankers, keyloggers, etc) must transmit out the stolen info. Something that alerts to this activity can save the User- but those things that are oblivious to OutBound transmission will not.

Other cases would be a simple Forked process that requests Outbound communication- just about any freeware firewall (that is not WF) will block this transmission silently without any input needed. Even worse would be in the case of a Scriptor which can create a Beacon (more correctly- Network Telemetry) with a simple Post command, then by adding either a further Send (or a Get command like site-send), or Recv, stuff can be Downloaded or Uploaded with ease to Blackhat Command. Although this is not Rocket surgery, both WF and a vast majority of Security solutions are clueless to this, but an Outbound firewall gives the user an indication that something is amiss.

Finally there will be those that want to add Rules to WF. Sadly for a number of years malware can easily Disable or add a specific malicious Rule to WF, so getting cute with Windows firewall is not worth the work.

 

Only if malware process has enough privileges. People using account not belonging to the Administrators group should be safe against this, unless malware uses some zero-day exploit.

 

I find it interesting that many don't realize that WF rules are stored in the registry in plain text and can therefore be easily modified by any malware with admin privileges. And we all know how easy it is for malware to acquire those.

 

IMO firewall protection for this kind of thing is too little, too late. You need to block it at the point of first execution, either by a default/deny setup or by using good user habits and a bit of luck.

 

It's easy to bypass UAC on admin account, but not so easy to elevate privileges from standard user account.

 

This comment actually makes me cry (and Ophelia purr happily). Although you are absolutely correct in that it would be optimal to stop malware at the point of initial run, often this is not possible, like with trojans being true Zero-Day, or worms just being ignored. An Outbound alerting firewall will add an additional layer of protection that can prevent damage.

As an example I did a few videos a while back on a FUD keylogger. Although the keylogger was able to run and collect information, an Outbound firewall was both able to block the transmission of the stolen info and alerted the user that something evil was afoot.

So Please, please, please don't dismiss the utility of a firewall. It can save your ***.

Sure it is.

 

How? Any example how to do this without zero-day exploit?