Registry Keys Vulnerable with COM Hijacking

Discussion in 'other security issues & news' started by guest, Jul 31, 2018.

  1. guest

    guest Guest

    Registry Keys Vulnerable with COM Hijacking
    July 31, 2018
    https://www.infosecurity-magazine.com/news/registry-keys-vulnerable-with-com/
     
  2. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,592
    Location:
    U.S.A.
  3. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,546
    Location:
    The Netherlands
    Yes exactly, this is old news, but good to bring it back to people's attention again. The problem is that I still don't fully understand this technique and why the hell does the Win OS make it possible in the first place? I do believe that both Comodo and SpyShelter claim to protect against such attacks. Also weird that not that much malware seems to make use of this technique, I wonder why.

    https://www.gdatasoftware.com/blog/...ect-hijacking-the-discreet-way-of-persistence
    https://help.comodo.com/topic-72-1-451-4766-.html
     
  4. itman

    itman Registered Member

    Actually, the mitre.org link I posted explained that. Also the link you posted from GData is excellent.

    Simply put, the technique is very similar to the way .dll hijacking is done that Microsoft refuses to do anything about. If you recall, .dll loading into a process employs a default loading order for non-system .dlls that load into every process. Windows will always look for a .dll by default in the directory where the process was loaded from. Malware deletes the legit .dll from the directory and substitutes their malicious .dll in its place.

    COM hijacking works in principle the same way but instead modifies the registry location where COM module loading references are stored.

    The mitigation problem is that there are dozens of COM entries stored in the associated registry keys. These keys are also constantly being updated by both the OS and app software. Additionally, it is very difficult to differentiate between what is a legit COM entry and a malicious one.
     
  5. Rasheed187

    Rasheed187 Registered Member

    And that's what I don't understand: is it enough to monitor existing COM objects from modification like Comodo does, or do you also need to deny apps from installing new ones? I don't see how this problem can be tackled, I can't visualize it.
     
  6. itman

    itman Registered Member

    Modification of existing COM reg. keys is only partial protection. COM based malware will often create new COM reg. keys and use those to launch itself.
    Like I posted previously, it is extremely difficult to determine if the key is legit or not. All the key contains is a reg address to another key that actually contains the id of the COM process.
     
  7. itman

    itman Registered Member

  8. reasonablePrivacy

    reasonablePrivacy Registered Member

    Joined:
    Oct 7, 2017
    Posts:
    2,002
    Location:
    Member state of European Union
    So how to harden a system against this hijacking? Is simple removal of write privilege to keys at:
    "HKCU\Software\Classes\CLSID\" and "HKCU\Software\Classes\Wow6432Node\CLSID\" enough? I understand that before installation of legitimate, trusted software that integrates inside the OS I should add that privilege back to these keys.
     
  9. itman

    itman Registered Member

    As I mentioned in reply #4, I know of no source that recommends directly monitoring write activity to those reg. key areas. Obviously if some unknown process was attempting to do so, you probably would have blocked it prior to the reg. updating activity.

    As noted in the endgame.com article, their detection mechanism is to periodically scan those registry areas for "suspicious" entries. Likewise, many AV's use their existing malware sigs. for detection.
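
Added example (not written by any poster and not the endgame.com tool): a sketch of the periodic-scan idea from reply #9, run over `reg export` text of the CLSID keys named in reply #8. The two heuristics (a per-user CLSID that overrides a machine-wide one, and a server path in a user-writable directory) and the sample exports are assumptions constructed for illustration.

```python
import re

# Constructed sample data in `reg export` (.reg) format, not from a real system.
HKLM_EXPORT = r'''
[HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{11111111-1111-1111-1111-111111111111}\InprocServer32]
@="C:\\Windows\\System32\\example.dll"
'''
HKCU_EXPORT = r'''
[HKEY_CURRENT_USER\Software\Classes\CLSID\{11111111-1111-1111-1111-111111111111}\InprocServer32]
@="C:\\Users\\alice\\AppData\\Roaming\\example.dll"

[HKEY_CURRENT_USER\Software\Classes\CLSID\{22222222-2222-2222-2222-222222222222}\InprocServer32]
@="C:\\Program Files\\Vendor\\shellext.dll"
'''

# Matches ...\CLSID\{guid}\InprocServer32 or LocalServer32 (also under Wow6432Node).
KEY_RE = re.compile(r'^\[.*\\CLSID\\(\{[0-9A-Fa-f-]{36}\})\\(InprocServer32|LocalServer32)\]$', re.I)
DEFAULT_RE = re.compile(r'^@="(.*)"$')
# Assumed heuristic list of user-writable path fragments; tune per environment.
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\users\\public\\")

def parse_servers(reg_text):
    """Map CLSID -> server path. Only REG_SZ defaults are read; @=hex(2): is skipped."""
    servers, clsid = {}, None
    for line in reg_text.splitlines():
        line = line.strip()
        m = KEY_RE.match(line)
        if m:
            clsid = m.group(1).upper()
        elif line.startswith("["):
            clsid = None  # some other key: stop attributing values to the last CLSID
        elif clsid and (v := DEFAULT_RE.match(line)):
            servers[clsid] = v.group(1).replace("\\\\", "\\")  # undo .reg escaping
    return servers

def find_suspicious(hkcu_text, hklm_text):
    """Return (clsid, path, reasons) for per-user COM servers worth a manual look."""
    hkcu, hklm = parse_servers(hkcu_text), parse_servers(hklm_text)
    findings = []
    for clsid, path in sorted(hkcu.items()):
        reasons = []
        # HKCU\Software\Classes takes precedence over HKLM in the merged HKCR view.
        if clsid in hklm and hklm[clsid].lower() != path.lower():
            reasons.append("overrides HKLM server " + hklm[clsid])
        if any(frag in path.lower() for frag in USER_WRITABLE):
            reasons.append("server in user-writable directory")
        if reasons:
            findings.append((clsid, path, reasons))
    return findings
```

A finding is a lead for review rather than a verdict: legitimate per-user software also registers COM servers under HKCU, which is the ambiguity the replies above describe.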
     
  10. Rasheed187

    Rasheed187 Registered Member

    I do believe that most HIPS monitor this area. I sometimes get alerts about apps trying to modify these keys, but there is absolutely no way of knowing if it's malicious or not, so you might as well not monitor it.
     