Can malware load/execute themselves without windows loader

Hello. I would like to know whether its possible for an executable (i.e. malware) to load itself into memory and execute without going through the windows loader. Say malware had a separate loader file that its only job was to load another file (malware) into memory and to start its execution but without using the aid of the windows loader. Please note that I am referring to the windows loader and NOT the boot loader. I am not sure whether there is an instance of malware that exist and that could do this but I thought I would ask. My interest is strictly from a detection stand point of view only.

Thanks in advance

Victor

 

If you are referring to malware being able to start without using CreateProcess(), then yes, that is possible so long as another program which is specifically designed to do this is involved. You can use CreateFileMapping, MapViewOfFile(), and specify the correct flags to get a process up and running. You'll need to use some undocumented functions and flags and functions which however are fairly widely known.

However, this requires the program that does this to be "in on it". And that first program has to be started somehow. And it would likely be classified as malware as no regular program does this. So, in short, you can't have malware just launch itself like this without the aid of another malware program.

 

Javascript through the browser maybe?

 

Thanks Magnus. Yes that is what I mean, an executable A gets executed via whatever legit method i.e window service or autorun or patching a windows system file but in turn it launches another executable B without using functions like shellexecute or winexec. If a malware executable B is a kernel mode driver then I suppose avoid the use of StartService...to get the driver module up and running...Does this exist in the wild ?

Thanks to both replies.

Victor

 

This is a good question, one I'm glad to see someone ask in a point blank manner

It seems drive-by downloads, the way they are often discussed in forums, are as close to "automatic" as an exploit can get, although from what little I understand about them, there is a "triggering" mechanism involved with them, too. I'd really like to see expert opinion, or even semi-expert for that matter, and discussion on them, if possible

There is pretty good, recent article on them here:

-http://blogs.technet.com/b/security/archive/2011/12/08/what-you-should-know-about-drive-by-download-attacks-part-1.aspx

There's a part 2 as well:

-http://blogs.technet.com/b/security/archive/2011/12/12/what-you-should-know-about-drive-by-download-attacks-part-2.aspx

 

GnuCitizen has some pretty good articles about Javascript malware and how it would access memory and various functions used to go deeper. The browser could be considered A in your scenario, executed by the user.

 

Though not exactly a malware but a penetration/hacking tool, the Metasploit framework's VNC and Meterpreter shells can be loaded from memory and it's very hard to detect using the usual rootkit detection tools. But of course by now AV with memory scan capability already have signature of those payloads but it could be obfuscated to go beyond the radar screen once again.

Those dlls loaded from memory still needed an initial exploit however.

 

I checked out a couple of those. Some nice easy to read and informative posts. Thank you!

 

I'm posting comments with loading on threads now...

Anyhow, how do we detect the forms of threats?

 

For detecting memory only malware...
http://www.siliciumsecurity.com/2010/09/07/metasploit-detection-and-memory-only-malware/


For detecting javascript malware...
http://threatpost.com/en_us/blogs/m...zzle-javascript-malware-detection-tool-120210

[haven't tried both]

 

Looks like rather limited distribution.

 

^
Not everyone will be a recipient of targetted attacks. But we can expect more and more future malwares having those types initially as initial trojans then downloading more malwares like tdl4 variants, mbr trojans or rootkits to hook deeply and persistently into the host systems.

 

The closest thing, probably, is Duqu. But not exactly(more on that later on).


Exploit -> kernel -> driver in kernel -> loader dll in services.exe -> big pnf in services.exe -> big pnf installing from lsass or AV process

Though, executable A is not actually an executable but a shellcode(the payload of the exploit on the win32k.sys vulnerability via true type font) loading a kernel mode Driver, your executable B. However B is not yet the main module and will still need to inject the main dropper dll to services.exe to install the main malicious module. Well, if you consider Executable A as the legitimate application, i.e. Microsoft Word. Then, this could be it. But, then again, Word is a legitimate trusted process and not a rogue one that was legitimately installed. Not exactly to your given scenario of two executables(malwares) since this is only a single malware.

==============
Nice to know...

[Still using CreateProcess, however]
Reverse shell through DLL Injection using undocumented API function

Code:

http://0x191unauthorized.blogspot.com/2011/08/reverse-shell-through-dll-injection.html

Shell of the Future – Reverse Web Shell Handler for XSS Exploitation

Code:

http://blog.andlabs.org/2010/07/shell-of-future-reverse-web-shell.html

Exploring Javascript Shellcode Using Metasploit

Code:

http://vinasupport.com/2010/exploring-javascript-shellcode/

 

After rereading the Duqu FAQ, we can definitely say that the Duqu malware fits your hypothetical scenario. Duqu(the TROJAN backdoor) was installed by an exploit in memory and was able to download IN MEMORY and execute another malware, an INFOSTEALER...

 

Yeah, I think most malware uses some type of hook/injection. I mean don't almost all of them rely on exploits in order to do this which is injection usually? I really can't see a piece of malware using a map api or shellexec type function because it would be be detected easily by avs and you would still have to inject code somewhere right? I mean what would you be executing? It would already have to be on the machine and in a specific location and how would you get it there?