Rootkit-Based Adware Wreaks Havoc Among Windows 10 Users in the US

Discussion in 'malware problems & news' started by mood, Jun 18, 2018.

  1. mood

    mood Updates Team

    Joined:
    Oct 27, 2012
    Posts:
    36,613
    Rootkit-Based Adware Wreaks Havoc Among Windows 10 Users in the US
    June 18, 2018
    https://www.bleepingcomputer.com/ne...reaks-havoc-among-windows-10-users-in-the-us/
     
  2. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,267
    Location:
    U.S.A.
    Another example of "free" security software costing you dearly.
     
  3. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    14,023
    Location:
    Slovenia
    Get Your Apps for Nothing, Your Malware for Free
    https://www.infosecurity-magazine.com/news/get-your-apps-for-nothing-your/
     
  4. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    8,868
    Location:
    U.S.A. (South)
    Indeed. Exactly. Ugh
     
  5. shmu26

    shmu26 Registered Member

    Joined:
    Jul 9, 2015
    Posts:
    1,458
  6. Sordid

    Sordid Registered Member

    Joined:
    Oct 25, 2011
    Posts:
    235
    Quickly searched the Bitdefender whitepaper: it does not survive installations, just reboots.
     
  7. shmu26

    shmu26 Registered Member

    Joined:
    Jul 9, 2015
    Posts:
    1,458
    Thanks :)
     
  8. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    13,763
    Location:
    The Netherlands
    The most interesting part is that it's using a signed driver, which allows it to run on Win 10. I wonder if anti-loggers/HIPS would still be able to block most of the stuff it performs; as long as it's done from user mode they should be able to.
     
  9. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,267
    Location:
    U.S.A.
    Well, not exactly. The cert. is expired and revoked; it appears the revoking was done after the hack was discovered. Per the Bitdefender whitepaper .pdf on the malware:
    So it is a bit of a mystery to me how Win 10 allowed the driver to be installed. Implied is that Win 10 is not performing basic cert. validity checks for kernel driver installation, which I guess someone needs to check out. These validations, excluding Secure Boot considerations, are that all kernel mode drivers are validly signed by an MS-authorized driver cert. issuing CA, of which fewer than a handful exist. Again, an expired driver certificate is not a valid certificate; or is it?
    https://docs.microsoft.com/en-us/wi...t-a-code-signing-certificate#code-signing-faq

    What is odd about the above is that no mention is made of expired driver certs. issued prior to July 29, 2015?

    In any case it appears as long as expired driver certs. issued prior to July 29, 2015 are properly time stamped, they are valid. o_O
     
    Last edited: Jun 23, 2018
  10. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,267
    Location:
    U.S.A.
    You should read the whitepaper more thoroughly.

    It has multiple persistence methods; the most obvious being the rootkit kernel mode driver it installs.

    The malware appears to specifically target Windows Defender, disabling it to install itself and then reenabling it afterwards to hide its presence. It also targets many of the other major AV vendor solutions.

    Overall, it is one nasty bugger.
     
  11. shmu26

    shmu26 Registered Member

    Joined:
    Jul 9, 2015
    Posts:
    1,458
    Could someone who understands the paper explain how it survives a Windows reinstall?
     
  12. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,267
    Location:
    U.S.A.
    Sorry, thought you meant a reboot.

    Whether it would survive a reinstall, who knows. I don't believe the Bitdefender analysis touched that subject. Malware that does like activities creates a hidden partition on the drive or does similar things. Doing a disk wipe from bootable media is always recommended after a serious malware infection prior to OS reinstallation.

    A UEFI-based rootkit can persist after an OS reinstallation. Example of one is here: https://www.pcworld.com/article/294...es-uefi-rootkit-to-survive-os-reinstalls.html . This malware's rootkit is not UEFI based. What makes this malware's rootkit unique is that it is 64-bit; almost unheard of these days.
     
    Last edited: Jun 23, 2018
  13. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,267
    Location:
    U.S.A.
    Another important point from the Bitdefender .pdf:
    Many of these products employ Win 10's ELAM driver. The AV's ELAM driver is one of the first app drivers to load. The problem is the rootkit is a device driver, namely a Disk Filtering driver. All device drivers load prior to any app drivers, including the AV ELAM driver. So what we also have here is a Win 10 ELAM driver bypass.
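    The certificate-validity question in post 9 and the disk-filter point in post 13 both come down to a check a defender can run on their own machine. The PowerShell below is an added example written for this thread, not code from Bitdefender or from any poster: it lists the drivers currently loaded with their Authenticode status, signer expiry and whether the signature carries a timestamp countersignature, and it enumerates the filter drivers registered on the disk and volume device classes with their start type and load group. It assumes Windows 10 with Windows PowerShell 5.1 in an elevated prompt; the two device class GUIDs are Microsoft's documented values, and the flag names are my own labels.

```powershell
# Added example (not from the thread or Bitdefender's paper): two defender-side
# audits. (1) Which running kernel drivers carry an expired signer certificate
# without a timestamp countersignature. (2) Which drivers sit as upper/lower
# filters on the disk and volume device classes, where a disk filter driver
# has to register itself. Assumes Windows 10, PowerShell 5.1, elevated prompt.

function Resolve-DriverImagePath {
    # Service ImagePath/PathName values come in several NT-style forms; map them to Win32 paths.
    param([string]$RawPath)
    if (-not $RawPath) { return $null }
    $p = $RawPath.Trim('"')
    $p = $p -replace '^\\\?\?\\', ''                       # \??\C:\...  -> C:\...
    $p = $p -replace '^\\SystemRoot\\', "$env:SystemRoot\"  # \SystemRoot\... -> C:\Windows\...
    if ($p -notmatch '^[A-Za-z]:\\') { $p = Join-Path $env:SystemRoot $p }  # System32\drivers\x.sys
    if (Test-Path -LiteralPath $p) { return $p } else { return $null }
}

function Get-DriverSignatureInfo {
    param([Parameter(Mandatory)][string]$Path)
    $sig  = Get-AuthenticodeSignature -FilePath $Path
    $cert = $sig.SignerCertificate
    $ts   = $sig.TimeStamperCertificate          # non-null only if a timestamp countersignature exists
    $expired = if ($cert) { $cert.NotAfter -lt (Get-Date) } else { $null }
    # Flag labels are this example's own, not Windows terminology.
    $flag = if ($sig.Status -ne 'Valid') { "SIG-$($sig.Status)" }
            elseif ($expired -and -not $ts) { 'EXPIRED-NO-TIMESTAMP' }
            elseif ($expired) { 'EXPIRED-TIMESTAMPED' }
            else { '' }
    [PSCustomObject]@{
        Status        = $sig.Status              # Valid, NotSigned, HashMismatch, ...
        SignatureType = $sig.SignatureType       # Authenticode (embedded) or Catalog
        Signer        = if ($cert) { $cert.Subject } else { $null }
        SignerExpiry  = if ($cert) { $cert.NotAfter } else { $null }
        Timestamped   = [bool]$ts
        Flag          = $flag
    }
}

function Get-RunningDriverSignatureReport {
    # Win32_SystemDriver enumerates kernel-mode driver services; State=Running means loaded now.
    Get-CimInstance -ClassName Win32_SystemDriver -Filter "State='Running'" | ForEach-Object {
        $path = Resolve-DriverImagePath $_.PathName
        if (-not $path) { return }                # 'return' here just skips this driver
        $info = Get-DriverSignatureInfo -Path $path
        [PSCustomObject]@{
            Service = $_.Name; Path = $path; Status = $info.Status; SignatureType = $info.SignatureType
            Signer = $info.Signer; SignerExpiry = $info.SignerExpiry; Timestamped = $info.Timestamped; Flag = $info.Flag
        }
    }
}

function Get-StorageFilterDriverReport {
    # Device setup class GUIDs for disk drives and storage volumes (Microsoft-documented values).
    $classes = [ordered]@{
        DiskDrive = '{4d36e967-e325-11ce-bfc1-08002be10318}'
        Volume    = '{71a27cdd-812a-11d0-bec7-08002be2092f}'
    }
    $startNames = @{ 0 = 'Boot'; 1 = 'System'; 2 = 'Auto'; 3 = 'Demand'; 4 = 'Disabled' }
    foreach ($class in $classes.GetEnumerator()) {
        $classKey = "HKLM:\SYSTEM\CurrentControlSet\Control\Class\$($class.Value)"
        if (-not (Test-Path $classKey)) { continue }
        $classProps = Get-ItemProperty -Path $classKey
        foreach ($slot in 'UpperFilters', 'LowerFilters') {      # REG_MULTI_SZ lists of service names
            foreach ($svc in @($classProps.$slot)) {
                if (-not $svc) { continue }
                $svcKey   = "HKLM:\SYSTEM\CurrentControlSet\Services\$svc"
                $svcProps = if (Test-Path $svcKey) { Get-ItemProperty -Path $svcKey } else { $null }
                $path = Resolve-DriverImagePath $svcProps.ImagePath
                $info = if ($path) { Get-DriverSignatureInfo -Path $path } else { $null }
                $flags = @()
                if (-not $svcProps) { $flags += 'NO-SERVICE-KEY' }
                if ($path -and $path -notlike "$env:SystemRoot\System32\drivers\*") { $flags += 'IMAGE-OUTSIDE-DRIVERS-DIR' }
                if ($info -and $info.Flag) { $flags += $info.Flag }
                [PSCustomObject]@{
                    Class     = $class.Key
                    Slot      = $slot
                    Service   = $svc
                    StartType = if ($svcProps -and $null -ne $svcProps.Start) { $startNames[[int]$svcProps.Start] } else { $null }
                    LoadGroup = $svcProps.Group
                    ImagePath = $path
                    SigStatus = $info.Status
                    Flags     = ($flags -join ',')
                }
            }
        }
    }
}

# Usage: show only flagged running drivers, then every storage-class filter driver.
Get-RunningDriverSignatureReport | Where-Object Flag | Format-Table -AutoSize
Get-StorageFilterDriverReport | Format-Table -AutoSize
```

    Get-AuthenticodeSignature reports the user-mode Authenticode verdict, which is not the policy the kernel's code integrity applies when a driver loads (code integrity works offline and does not consult revocation information), so treat Status as an inventory aid rather than as a statement of what would be allowed to load. The EXPIRED-NO-TIMESTAMP flag is the case post 9 asks about; in the filter report, a disk- or volume-class filter whose image is not under System32\drivers, or whose service key is missing, is what stands out for review.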
     
  14. Azure Phoenix

    Azure Phoenix Registered Member

    Joined:
    Nov 22, 2014
    Posts:
    1,275
    Sounds like the kind of thing Driver Radar Pro was made to protect you from.
     
  15. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,267
    Location:
    U.S.A.
    Also Win 10 Secure Boot would protect you since the malware rootkit driver was obviously not signed with a Microsoft driver code-signing cert.
     
  16. cruelsister

    cruelsister Registered Member

    Joined:
    Nov 6, 2007
    Posts:
    1,493
    Location:
    Paris
    Shmu- this has really been poorly worded in the lay press. The failure would be more of a repair of an infected system using a Windows disk (that would not work) rather than actually starting over with a formatted hard drive (or SSD) and re-installing Windows (a Windows-based anti-malware recovery thingy would also no doubt fail). Of course a re-image of your system (which everyone here has, correct?) will also put you back to square one with a pristine system.

    I'm fairly convinced that the confusion arose because some initial Chump misread the original BD paper- then as usual everyone else from other websites copied the same drivel (with slight rephrasing) because God Forbid they actually have to think for themselves.

    Oh, and by the way- an Outbound Alerting Firewall (and No, Windows Firewall is not and never has been Enough) would have either alerted to or just outright stopped the outbound connection to BlackHat Central and would keep Zacinlo from getting started in the first place. But no one ever listens...
     
  17. XenMan

    XenMan Registered Member

    Joined:
    May 8, 2018
    Posts:
    130
    Location:
    Australia
    That's funny...I listen.
     
  18. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,267
    Location:
    U.S.A.
    Yes and no.
    It is common behavior for an app to perform additional updating after installation.

    The best way to prevent like infections is not to install low-rep software from a likewise low-rep source. Again this is a classic example of something free costing you dearly in the long run.

    Also, a larger and more pressing question is why, it appears, most of the major AVs did not detect the s5Mark app as a PUA? It appears it has been in existence for some time, as noted by this 2016 removal guide for it: http://guides.uufix.com/how-to-remove-s5markcpx-exe-from-your-pc-completely/ .
    The Bitdefender article is silent in this regard and this point needs further examination.

    Per a PC Mag article:
    https://www.pcmag.com/news/361955/watch-out-for-adware-posing-as-vpn-apps

    In any case, this malware is a classic example why one should never blindly ignore a PUA/PUP alert from your security solution.
     
    Last edited: Jun 24, 2018
  19. cruelsister

    cruelsister Registered Member

    Joined:
    Nov 6, 2007
    Posts:
    1,493
    Location:
    Paris
    It is actually Yes and Yes (and yes). Although your point about CCleaner is well taken, WF also would not in any way have blocked this, as the user is assuming all is well. But that is a specific case- Symbolic Logic points out the flaw of this "WF would be enough" argument:

    1). 3rd Party Firewalls will allow some things
    2). WF will allow all things
    3). Therefore use WF

    Most malware is neither signed nor masquerades as legit software. For these, trojan downloaders must download, and info stealers (bankers, keyloggers, etc) must transmit out the stolen info. Something that alerts to this activity can save the User- but those things that are oblivious to OutBound transmission will not.

    Other cases would be a simple Forked process that requests Outbound communication- just about any freeware firewall (that is not WF) will block this transmission silently without any input needed. Even worse would be in the case of a Scriptor which can create a Beacon (more correctly- Network Telemetry) with a simple Post command, then by adding either a further Send (or a Get command like site-send), or Recv, stuff can be Downloaded or Uploaded with ease to Blackhat Command. Although this is not Rocket surgery, both WF and a vast majority of Security solutions are clueless to this, but an Outbound firewall gives the user an indication that something is amiss.

    Finally there will be those that want to add Rules to WF. Sadly for a number of years malware can easily Disable or add a specific malicious Rule to WF, so getting cute with Windows firewall is not worth the work.
     
  20. reasonablePrivacy

    reasonablePrivacy Registered Member

    Joined:
    Oct 7, 2017
    Posts:
    1,335
    Location:
    Member state of European Union
    Only if the malware process has enough privileges. People using an account not belonging to the Administrators group should be safe against this, unless the malware uses some zero-day exploit.
     
  21. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,267
    Location:
    U.S.A.
    I find it interesting that many don't realize that WF rules are stored in the registry in plain text and can therefore be easily modified by any malware with admin privileges. And we all know how easy it is for malware to acquire those.
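    Since the rule store is a plain-text registry key, it can be audited as one. The PowerShell below is an added example (not from the thread or from any product): it parses each rule string from the FirewallRules key, flags active outbound Allow rules for programs outside the Program Files and Windows roots, and snapshots the store so a later run shows rules that were added, modified or removed. It assumes Windows 10 with Windows PowerShell 5.1; the rule-string field names (Action, Dir, Active, App, ...) are the ones Windows writes, and the baseline file path in the usage lines is a placeholder.

```powershell
# Added example (not from the thread): read the Windows Firewall rule store directly
# from the registry (read-only), surface unusual outbound-allow rules, and diff the
# store against a saved baseline. Assumes Windows 10 / PowerShell 5.1.

$RulesKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules'

function ConvertFrom-FirewallRuleString {
    # Each registry value is a pipe-delimited string, e.g.
    # v2.30|Action=Allow|Active=TRUE|Dir=Out|Protocol=6|App=C:\x\y.exe|Name=Y|Desc=...|
    param([string]$Id, [string]$Data)
    $rule = [ordered]@{ Id = $Id; Raw = $Data }
    foreach ($field in $Data.Split('|')) {
        $kv = $field.Split('=', 2)
        if ($kv.Count -ne 2) { continue }
        # Some fields (e.g. remote address) may repeat; keep them all, comma-joined.
        if ($rule.Contains($kv[0])) { $rule[$kv[0]] = "$($rule[$kv[0]]),$($kv[1])" }
        else { $rule[$kv[0]] = $kv[1] }
    }
    [PSCustomObject]$rule
}

function Get-RegistryFirewallRules {
    $props = Get-ItemProperty -Path $RulesKey
    foreach ($p in $props.PSObject.Properties) {
        # Skip the provider bookkeeping properties Get-ItemProperty adds.
        if ($p.Name -in 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider') { continue }
        ConvertFrom-FirewallRuleString -Id $p.Name -Data ([string]$p.Value)
    }
}

function Find-UnusualOutboundAllowRules {
    # Active outbound Allow rules whose program is not under a normal install root.
    param([string[]]$TrustedRoots = @($env:ProgramFiles, ${env:ProgramFiles(x86)}, $env:SystemRoot))
    $roots = $TrustedRoots | Where-Object { $_ }
    Get-RegistryFirewallRules | Where-Object {
        $_.Action -eq 'Allow' -and $_.Dir -eq 'Out' -and $_.Active -eq 'TRUE' -and $_.App
    } | Where-Object {
        $app = [Environment]::ExpandEnvironmentVariables($_.App)
        $inTrusted = $false
        foreach ($r in $roots) {
            if ($app.StartsWith($r.TrimEnd('\') + '\', [StringComparison]::OrdinalIgnoreCase)) { $inTrusted = $true }
        }
        -not $inTrusted
    } | Select-Object Id, Name, App, Protocol, RPort, Profile
}

function Save-FirewallRuleBaseline {
    # Snapshot rule id -> raw rule string as JSON, taken on a system believed clean.
    param([Parameter(Mandatory)][string]$Path)
    $snap = @{}
    foreach ($r in Get-RegistryFirewallRules) { $snap[$r.Id] = $r.Raw }
    $snap | ConvertTo-Json | Set-Content -LiteralPath $Path -Encoding UTF8
}

function Compare-FirewallRuleBaseline {
    # Report rules added, modified or removed since the baseline was saved.
    param([Parameter(Mandatory)][string]$Path)
    $baseline = @{}
    $json = Get-Content -LiteralPath $Path -Raw | ConvertFrom-Json
    foreach ($p in $json.PSObject.Properties) { $baseline[$p.Name] = [string]$p.Value }
    $current = @{}
    foreach ($r in Get-RegistryFirewallRules) { $current[$r.Id] = $r.Raw }
    foreach ($id in $current.Keys) {
        if (-not $baseline.ContainsKey($id)) {
            [PSCustomObject]@{ Change = 'Added'; Id = $id; Rule = $current[$id] }
        } elseif ($baseline[$id] -ne $current[$id]) {
            [PSCustomObject]@{ Change = 'Modified'; Id = $id; Rule = $current[$id] }
        }
    }
    foreach ($id in $baseline.Keys) {
        if (-not $current.ContainsKey($id)) {
            [PSCustomObject]@{ Change = 'Removed'; Id = $id; Rule = $baseline[$id] }
        }
    }
}

# Usage (the baseline path is a placeholder):
# Save-FirewallRuleBaseline -Path 'C:\baseline\fw-rules.json'      # once, on a clean system
# Compare-FirewallRuleBaseline -Path 'C:\baseline\fw-rules.json' | Format-Table -AutoSize
# Find-UnusualOutboundAllowRules | Format-Table -AutoSize
```

    By default this key is writable only with administrative rights, which is the privilege boundary post 20 points to; a standard user can still read it for auditing. Reading the registry rather than calling Get-NetFirewallRule shows exactly what is persisted, including rules with odd names or program paths an installer may have left behind. The flagged list will also contain legitimate per-user applications installed under AppData, so it is a review list rather than a verdict.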
     
  22. shmu26

    shmu26 Registered Member

    Joined:
    Jul 9, 2015
    Posts:
    1,458
    IMO firewall protection for this kind of thing is too little, too late. You need to block it at the point of first execution, either by a default/deny setup or by using good user habits and a bit of luck.
     
  23. reasonablePrivacy

    reasonablePrivacy Registered Member

    Joined:
    Oct 7, 2017
    Posts:
    1,335
    Location:
    Member state of European Union
    It's easy to bypass UAC on admin account, but not so easy to elevate privileges from standard user account.
     
  24. cruelsister

    cruelsister Registered Member

    Joined:
    Nov 6, 2007
    Posts:
    1,493
    Location:
    Paris
    This comment actually makes me cry (and Ophelia purr happily). Although you are absolutely correct in that it would be optimal to stop malware at the point of initial run, often this is not possible, like with trojans being true Zero-Day, or worms just being ignored. An Outbound alerting firewall will add an additional layer of protection that can prevent damage.

    As an example I did a few videos a while back on a FUD keylogger. Although the keylogger was able to run and collect information, an Outbound firewall was both able to block the transmission of the stolen info and alerted the user that something evil was afoot.

    So Please, please, please don't dismiss the utility of a firewall. It can save your ***.

    Sure it is.
     
  25. reasonablePrivacy

    reasonablePrivacy Registered Member

    Joined:
    Oct 7, 2017
    Posts:
    1,335
    Location:
    Member state of European Union
    How? Any example how to do this without zero-day exploit?
     