Spymel Info-Stealing Trojan Evades Antivirus Detection via Stolen Certificates

Discussion in 'malware problems & news' started by Minimalist, Jan 10, 2016.

  1. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    5,089
    http://news.softpedia.com/news/spym...etection-via-stolen-certificates-498683.shtml
     
  3. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    2,969
    Location:
    U.S.A.
    Whoever wrote this malware also knows their OS internals. The question for anti-exec users is "Does it monitor executables run at boot time by Task Manager?"

    Spymel drops itself as “svchost.exe” and “Startup32.1.exe” in the following location: %AppData%\Roaming\Microsoft\Windows\StartMenu\Programs\Startup\Startup32.1.exe.

    The malware for persistence uses an infrequently used registry startup location that I am sure most AVs and AMs don't monitor:

    HKEY_USERS\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run Sidebar(32.1)

    More on this:

    Startup Tasks can be disabled using Task Manager in Windows 8.1 or msconfig in Windows 7. For example, I have disabled Box Sync from running at startup on my machine:

    [screenshot: upload_2016-1-11_9-7-11.png]

    Enabling/disabling through Task Manager sets a registry key at

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run

    or

    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run

    If the value starts with 02 00 00 then it is enabled. If it starts with another value (like 03 00 in my example) then it is disabled:

    [screenshot: upload_2016-1-11_9-7-11.png]

    Ref: http://stackoverflow.com/questions/29994315/c-sharp-application-not-running-on-startup
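    The following PowerShell script is an added example for readers of this thread; it is not code from itman's post, the Softpedia article or the StackOverflow answer. It walks the Run keys and the per-user and all-users Startup folders described above, looks up each entry's record under the matching Explorer\StartupApproved subkey (Run for the Run keys, StartupFolder for the folders; both subkeys exist on Windows 8 and later), and decodes the state using the rule quoted in the post: a REG_BINARY value whose first byte is 02 is enabled, anything else is disabled. It also flags two cases a reviewer would want to see: an autostart with no StartupApproved record (Task Manager treats these as enabled, so they run) and a StartupApproved record with no matching autostart (an orphan, like an entry named for something that is no longer in Run or the Startup folder). The State labels and the Get-* function names are my own.

```powershell
# Added example, not from the forum post or any vendor.
# Correlate Run keys / Startup folders with Explorer\StartupApproved and
# decode the enabled flag (first byte 0x02 = enabled, else disabled).

function Get-StartupApprovedState {
    param([byte[]]$Data)
    if (-not $Data -or $Data.Length -eq 0) { return 'no-record' }
    # Rule from the quoted StackOverflow answer: 02 ... = enabled, other = disabled
    if ($Data[0] -eq 2) { 'enabled' } else { 'disabled' }
}

function Get-ApprovedMap {
    # Returns @{ valueName = 'enabled' | 'disabled' } for one StartupApproved subkey
    param([string]$Path)
    $map = @{}
    if (Test-Path $Path) {
        $item = Get-Item $Path
        foreach ($name in $item.GetValueNames()) {
            $map[$name] = Get-StartupApprovedState -Data ([byte[]]$item.GetValue($name))
        }
    }
    $map
}

function Get-AutostartReport {
    $sources = @(
        @{ Hive='HKCU'; Kind='Run'
           Source='HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
           Approved='HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run' },
        @{ Hive='HKLM'; Kind='Run'
           Source='HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
           Approved='HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run' },
        @{ Hive='HKCU'; Kind='StartupFolder'
           Source=[Environment]::GetFolderPath('Startup')
           Approved='HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\StartupFolder' },
        @{ Hive='HKLM'; Kind='StartupFolder'
           Source=[Environment]::GetFolderPath('CommonStartup')
           Approved='HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\StartupFolder' }
    )

    foreach ($s in $sources) {
        $approved = Get-ApprovedMap -Path $s.Approved
        $entries  = @{}   # name -> command line or file path

        if ($s.Kind -eq 'Run') {
            if (Test-Path $s.Source) {
                $item = Get-Item $s.Source
                foreach ($n in $item.GetValueNames()) { $entries[$n] = [string]$item.GetValue($n) }
            }
        } elseif (Test-Path $s.Source) {
            # StartupApproved\StartupFolder value names are the file names in the folder
            Get-ChildItem -Path $s.Source -File | ForEach-Object { $entries[$_.Name] = $_.FullName }
        }

        foreach ($n in $entries.Keys) {
            # No record at all: Task Manager shows it as enabled and it runs
            $state = if ($approved.ContainsKey($n)) { $approved[$n] } else { 'no-record (runs)' }
            [pscustomobject]@{ Hive=$s.Hive; Kind=$s.Kind; Name=$n; State=$state; Target=$entries[$n] }
        }
        foreach ($n in $approved.Keys) {
            if (-not $entries.ContainsKey($n)) {
                # Approved/disabled record pointing at nothing that exists: worth a look
                [pscustomobject]@{ Hive=$s.Hive; Kind=$s.Kind; Name=$n
                                   State="orphan ($($approved[$n]))"; Target='<none>' }
            }
        }
    }
}

Get-AutostartReport | Sort-Object Hive, Kind, Name | Format-Table -AutoSize
```

Run it from an elevated prompt if you want the HKLM hives read reliably; it only reads, never writes. Note what it does not cover: an entry in the 64-bit StartupApproved\Run32 subkey, scheduled tasks, services, and the many other autostart locations, so treat it as a check of exactly the mechanism discussed in this thread rather than a full autoruns sweep.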


     
  4. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    5,089
    SRP stops execution from blacklisted folders no matter which app is trying to launch it.
     