Quick, discreet and reliable
Thursday, December 5, 2019
Let's talk about a little trick. You are probably familiar with the operating-system dialogue that lets a user choose which program opens a given file type. File associations are a very useful feature: the default application can be changed at any moment, and even made to depend on specific conditions. But hackers can use the same idea, too!
Among other things, the Windows registry contains the following key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options. It is meant for attaching a debugger to a specific application: the debugger starts whenever that program is launched. The subkey is named after the executable's file name only, without a path, so it matches that name wherever the program is started from. For example, if we create the subkey
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\xx.exe with the string value Debugger = zz.exe, then
zz.exe will start whenever we try to open
xx.exe. Windows appends the original command line of xx.exe to that of zz.exe and leaves it to zz.exe to start xx.exe, or not. A "debugger" that never starts its target has, in effect, replaced it.
Would you like the calculator to start in place of the Task Manager?
Locate (or create) the key
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe and add a string value (REG_SZ) named Debugger containing calc.exe. From then on, every attempt to open the Task Manager opens the calculator instead.
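The Task Manager redirect above, scripted as an added example (this is editor-supplied PowerShell, not code from the original article): it sets the Debugger value, shows it, waits so you can try Ctrl+Shift+Esc, and removes it again. It must run in an elevated PowerShell because the key lives under HKLM; the function names are my own.

```powershell
# Added example (not from the original article): set, verify and remove the
# Task Manager -> Calculator redirect via Image File Execution Options.
# Must be run from an elevated PowerShell: the key lives under HKLM.
#Requires -RunAsAdministrator

$IfeoRoot = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'

function Set-IfeoDebugger {
    param(
        [Parameter(Mandatory)] [string] $Target,    # image file name only, e.g. taskmgr.exe
        [Parameter(Mandatory)] [string] $Debugger   # command Windows will launch instead of it
    )
    $key = Join-Path $IfeoRoot $Target
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    # REG_SZ value named "Debugger"; Windows appends the target's original command line to it
    New-ItemProperty -Path $key -Name 'Debugger' -Value $Debugger -PropertyType String -Force | Out-Null
}

function Get-IfeoDebugger {
    param([Parameter(Mandatory)] [string] $Target)
    $key = Join-Path $IfeoRoot $Target
    if (Test-Path $key) {
        (Get-ItemProperty -Path $key -Name 'Debugger' -ErrorAction SilentlyContinue).Debugger
    }
}

function Remove-IfeoDebugger {
    param([Parameter(Mandatory)] [string] $Target)
    $key = Join-Path $IfeoRoot $Target
    if (Test-Path $key) {
        Remove-ItemProperty -Path $key -Name 'Debugger' -ErrorAction SilentlyContinue
        # Drop the subkey too if nothing else is left in it, so no trace remains
        $item = Get-Item -Path $key
        if ($item.ValueCount -eq 0 -and $item.SubKeyCount -eq 0) { Remove-Item -Path $key }
    }
}

# Demo: the article's Task Manager -> calculator swap
Set-IfeoDebugger -Target 'taskmgr.exe' -Debugger 'calc.exe'
"taskmgr.exe is now redirected to: $(Get-IfeoDebugger -Target 'taskmgr.exe')"
# Press Ctrl+Shift+Esc or run taskmgr.exe now: calc.exe opens, Task Manager does not.
Read-Host 'Press Enter to undo the redirect'
Remove-IfeoDebugger -Target 'taskmgr.exe'
"Debugger value for taskmgr.exe after cleanup: '$(Get-IfeoDebugger -Target 'taskmgr.exe')'"
```

Windows hands calc.exe the Task Manager's full command line as arguments; calc.exe ignores them and never starts taskmgr.exe, which is why Task Manager simply does not appear. The same mechanism is what the sethc.exe example relies on: at the logon screen sethc.exe is launched by winlogon, so whatever stands in for it inherits the SYSTEM context. Do not skip the cleanup step, or Ctrl+Shift+Esc will keep opening the calculator.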
Malicious programs operate in a similar way. A quick search brings back this example:
To start automatically and infect other files, it modifies the following registry entries:
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Defender.exe] 'debugger' = 'fixmapi.exe'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winmgmnt.exe] 'debugger' = 'fixmapi.exe'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\hostdl.exe] 'debugger' = 'fixmapi.exe'
[<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winmgmnt] 'debugger' = 'fixmapi.exe'
And here is another one:
Then we reboot the system and press SHIFT five times on the Windows login screen. As a result, a command prompt (the one we have replaced sethc.exe with) appears. And the beauty of it lies in the fact that the command prompt is started with SYSTEM permissions; and thus we gain full access to the computer and can launch whatever we please, even the Explorer shell.
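An audit that finds every redirect of this kind on a machine, offered as an added example (editor-supplied PowerShell, not the article's or Dr.Web's code). It lists the IFEO subkeys that carry a Debugger value and flags those whose debugger is not a known debugging tool; the allow-list of debuggers and the list of high-value targets are my assumptions and should be adjusted to your environment. Registry value names are case-insensitive, so the lowercase 'debugger' written by the sample above is found as well.

```powershell
# Added example (not from the original article): list every IFEO "Debugger"
# redirect on this machine and flag the suspicious ones. Read-only; HKLM is
# readable by ordinary users, so no elevation is needed for triage.
$IfeoRoot = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'

# Debuggers that legitimately show up here on developer machines
# (assumption: extend with whatever your estate really uses)
$KnownDebuggers = @('vsjitdebugger.exe', 'windbg.exe', 'cdb.exe', 'ntsd.exe', 'procdump.exe', 'procdump64.exe')

# Images whose hijack hands over a shell or an admin tool; the two named in the article
$HighValueTargets = @('taskmgr.exe', 'sethc.exe')

function Get-IfeoRedirects {
    Get-ChildItem -Path $IfeoRoot -ErrorAction SilentlyContinue | ForEach-Object {
        # GetValue is case-insensitive: 'Debugger' and 'debugger' are the same value
        $debugger = $_.GetValue('Debugger')
        if ([string]::IsNullOrWhiteSpace($debugger)) { return }   # subkey carries no redirect

        # First token of the command line is the debugger executable (it may be quoted)
        $exe = if ($debugger -match '^\s*"([^"]+)"') { $Matches[1] } else { ($debugger -split '\s+')[0] }
        $exeName = [System.IO.Path]::GetFileName($exe)

        [pscustomobject]@{
            Target      = $_.PSChildName
            Debugger    = $debugger
            DebuggerExe = $exeName
            HighValue   = $HighValueTargets -contains $_.PSChildName   # -contains ignores case
            Suspicious  = -not ($KnownDebuggers -contains $exeName)    # anything unexpected deserves a look
        }
    }
}

$redirects = Get-IfeoRedirects
if (-not $redirects) { 'No IFEO Debugger values set.'; return }
$redirects |
    Sort-Object -Property @{ Expression = 'Suspicious'; Descending = $true }, Target |
    Format-Table -AutoSize
```

On a machine infected with the sample quoted above, the output would show Defender.exe, winmgmnt.exe and hostdl.exe pointing at fixmapi.exe with Suspicious = True; an entry for sethc.exe or taskmgr.exe is additionally marked HighValue. A legitimate hit on a developer workstation normally points at vsjitdebugger.exe and is reported as not suspicious.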
The Anti-virus Times recommends
Naturally, a malicious program can pull off a trick like this only if the anti-virus is disabled (and only once it has administrator rights, since the key lives under HKEY_LOCAL_MACHINE). As you can see, the change itself takes almost no time: a single registry value. Malware can manage it even if you disable your anti-virus for just a moment. That's why an anti-virus must always be up and running, even at system startup, when we are so eager to speed things up as much as possible!