


Senior Staff Writer

Salted Hash: Live from Black Hat USA (Day 2)

Aug 06, 2014
Cybercrime | IT Leadership | Malware

Today's update begins with research on an unusual form of malware, and recovery options for systems that might still have problems with CryptoLocker.

Early morning in Las Vegas (or for some – late evening) is actually rather quiet, when you drown out the sound of slot machines, cleaning crews, and overhead elevator music.

Today’s update begins with research on an unusual form of malware. Contained entirely in the system’s registry, this infection works without a file, and was recently seen leveraging Microsoft Word vulnerabilities to spread.

Registry Malware:

Paul Rascagnères at GData Software recently posted a blog detailing a type of malware that exists persistently in the system’s registry. Detection is rather difficult, as this malware isn’t present as a file, rendering the usual AV detection methods useless.

“When security researchers talk about malware, they usually refer to files stored on a computer system, which intends to damage a device or steal sensitive data from it. Those files can be scanned by AV engines and can be handled in a classic way. This technique is something rarely put into focus,” Rascagnères wrote, discussing the malware and the problem it creates.

The malware itself, at least in the case examined by GData, exploits Microsoft Office in order to infect a system. In one example, the malware was spreading via spam, posing as a USPS email or a message from Canada Post.

Once on the system, the malware creates an auto-start key in the registry, but disguises it to avoid detection: the key's name is a non-ASCII character, which prevents tools like Regedit from displaying it properly and hides it from casual visual inspection.

After that, the malware will check to see if PowerShell is installed on the system, and if it isn’t, it’s downloaded and installed. From there, the malware executes a PowerShell script (shellcode), and then the payload. GData calls the malware Poweliks, and a detailed write-up on the infection process is available on their blog.
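The two traits described above (a non-ASCII name in an auto-start location and a value that launches PowerShell) can be checked for from an administrative PowerShell prompt. The following is an added example written for this article, not code from GData or from the article itself; it only inspects the standard Run/RunOnce keys and reports, it does not remove anything.

```powershell
# Added example: scan the standard Run/RunOnce auto-start keys and flag
# value names containing characters outside printable ASCII (0x20-0x7E),
# or value data that launches PowerShell. Run as an administrator so the
# HKLM keys are readable.
function Find-SuspiciousAutostart {
    $runKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
    )
    foreach ($path in $runKeys) {
        if (-not (Test-Path -LiteralPath $path)) { continue }
        $key = Get-Item -LiteralPath $path

        # Subkey names are checked as well, since the article describes the
        # hidden name as belonging to a key.
        foreach ($sub in $key.GetSubKeyNames()) {
            if ($sub -match '[^\x20-\x7E]') {
                [pscustomobject]@{
                    Key    = $path
                    Name   = ($sub.ToCharArray() | ForEach-Object { 'U+{0:X4}' -f [int]$_ }) -join ' '
                    Data   = '<subkey>'
                    Reason = 'non-ASCII subkey name'
                }
            }
        }

        foreach ($name in $key.GetValueNames()) {
            # Read the raw string without expanding %VARS% to see what was written.
            $data = [string]$key.GetValue($name, '', 'DoNotExpandEnvironmentNames')
            $oddName = $name -match '[^\x20-\x7E]'
            $psData  = $data -match '(?i)powershell'
            if (-not ($oddName -or $psData)) { continue }
            $reason = if ($oddName) { 'non-ASCII value name' } else { 'launches PowerShell' }
            [pscustomobject]@{
                Key    = $path
                # Print the name as code points so a hidden name becomes visible.
                Name   = ($name.ToCharArray() | ForEach-Object { 'U+{0:X4}' -f [int]$_ }) -join ' '
                Data   = $data
                Reason = $reason
            }
        }
    }
}

Find-SuspiciousAutostart | Format-List
```

An empty result means nothing in those four keys matched either heuristic; a hit is a starting point for investigation, not proof of infection, since legitimate software also starts PowerShell from Run keys.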

Speaking to the same topic, Roddell Santos, a Threats Analyst at Trend Micro, noted that while the routine of abusing the Windows registry is not new, it could be an indication of things to come.

“The use of registry for evasion tactics is crucial given that file-based AV solutions won’t be able to detect anything malicious running on the system. Furthermore, unsuspecting users won’t necessarily check for the registries but rather look for suspicious files or folders. We surmise that in the future, we may see other malware sporting the same routines as AV security continues to grow.”

CryptoLocker support:

FoxIT and FireEye have teamed up to offer some help for those who might still be struggling with CryptoLocker infections. While the core operations for CryptoLocker are offline, and the infrastructure that supports it has essentially crumbled to pieces, there are victims out there who still have encrypted files.

With that as a starting point, the two security firms are offering a service that they’re calling DecryptCryptoLocker, at no cost. In some cases, the service can help CryptoLocker victims, and restore their files. However, exactly how this feat was achieved wasn’t explained in great detail.

All a victim needs to do is upload an encrypted file (preferably one without any sensitive data in it) and wait for an email that will contain a private key, which can be used with a decryption tool to decrypt the files on their hard drive.