
    We spotted a malware family that keeps all of its malicious code in the Windows Registry rather than on disk. This tactic gives the malware, which Trend Micro detects as TROJ_POWELIKS.A, both stealth and a means of evading detection. When executed, TROJ_POWELIKS.A downloads files that can cause further system infection, so affected systems are at risk of being compromised by other malware as well. It also steals system information, which cybercriminals may use to launch other attacks.

    Evasion Mechanism

    Apart from providing stealth, this technique also complicates forensics, since there are no file references to recover. Threats try as much as possible to avoid being detected on the system and network so they can carry out more malicious activity. Based on our analysis, TROJ_POWELIKS checks whether Windows PowerShell is installed on the affected system; if it is not, the malware downloads and installs it. PowerShell is then used to execute the encoded script, which contains the malware's executable code (a .DLL) responsible for downloading other malicious files onto the infected system. Because the code is launched by PowerShell from registry data rather than executed directly by Windows or any application as a file on disk, this serves as an evasion tactic.

    It then creates a blank or NULL Autostart entry using the API ZwSetValueKey:

    [Figure: powerliks_registry, the NULL autostart entry created by TROJ_POWELIKS.A]

    This is not necessarily a new technique and is documented in MSDN. Because the value name is NULL, users cannot see the content of the entry in Registry Editor. The entry can be selected for deletion, but deleting it just results in an error because of the null name. The data nonetheless executes without any problem when the system restarts. Put simply, users cannot see the entry and therefore cannot delete it, so the malware still runs when they reboot the system.

    It also creates another registry entry that contains the malware code. The created registry data is shown below:

    [Figure: POWERLIKS2, the registry value holding the encoded malware code]

    This registry data is an encoded file. After several rounds of decoding, a .DLL file can be found in the following code:

    [Figure: POWERLIKS4, the decoded data showing the embedded .DLL]
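To make concrete how an encoded script carrying a DLL can be unwrapped the way the two passages above describe (PowerShell running an encoded script, and "several rounds of decoding" yielding a .DLL), here is an added Python example. It is not part of the original post or of Trend Micro's analysis, and it does not contain any POWELIKS artifact: it builds its own stand-in payload (a fake 94-byte "DLL" that only carries an MZ header, base64-embedded in a hypothetical PowerShell loader script, which is in turn UTF-16LE plus base64 encoded as PowerShell's -EncodedCommand expects) and then peels the layers until a PE image appears. The sample launch string, the FAKE_DLL bytes and the function names are all constructed for illustration.

```python
import base64
import binascii
import re

# Constructed stand-in for the DLL the post describes: an MZ header plus padding, NOT a real PE.
FAKE_DLL = b"MZ" + b"\x90" * 62 + b"PE\x00\x00" + b"\x00" * 26

# Constructed (hypothetical) inner PowerShell script that carries the "DLL" as base64.
INNER_SCRIPT = (
    "$b = [Convert]::FromBase64String('" + base64.b64encode(FAKE_DLL).decode() + "');\n"
    "[System.Reflection.Assembly]::Load($b)\n"
)

# PowerShell -EncodedCommand takes base64 over the UTF-16LE bytes of the script.
ENCODED_COMMAND = base64.b64encode(INNER_SCRIPT.encode("utf-16-le")).decode()

# Constructed autostart value data, as one might recover it from a registry hive.
SAMPLE_RUN_VALUE = (
    "powershell.exe -NonInteractive -WindowStyle Hidden -ExecutionPolicy Bypass "
    "-EncodedCommand " + ENCODED_COMMAND
)

# Runs of base64 alphabet long enough to be worth decoding (short tokens are skipped).
B64_RE = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")


def looks_like_utf16le(raw: bytes) -> bool:
    """ASCII text encoded as UTF-16LE has a zero high byte in nearly every code unit."""
    if len(raw) < 4 or len(raw) % 2:
        return False
    high_bytes = raw[1::2]
    return high_bytes.count(0) / len(high_bytes) > 0.9


def peel(data: bytes, depth: int = 0, max_depth: int = 6) -> list:
    """Recursively unwrap base64 / UTF-16LE layers.

    Returns (kind, content) tuples in discovery order, where kind is 'script'
    (decoded text), 'pe' (bytes starting with MZ) or 'binary' (other bytes).
    """
    if data[:2] == b"MZ":
        return [("pe", data)]
    if looks_like_utf16le(data):
        text = data.decode("utf-16-le")
    else:
        try:
            text = data.decode("ascii")
        except UnicodeDecodeError:
            return [("binary", data)]
    layers = [("script", text)]
    if depth >= max_depth:
        return layers
    for blob in B64_RE.findall(text):
        try:
            inner = base64.b64decode(blob, validate=True)
        except (binascii.Error, ValueError):
            continue  # a long token that merely looked like base64
        layers.extend(peel(inner, depth + 1, max_depth))
    return layers


def extracted_pe_images(data: bytes) -> list:
    """Convenience wrapper: only the PE images found in any layer."""
    return [content for kind, content in peel(data) if kind == "pe"]


if __name__ == "__main__":
    for kind, content in peel(SAMPLE_RUN_VALUE.encode()):
        preview = content[:60] if kind != "script" else content[:60].replace("\n", " ")
        print(f"{kind:7s} {len(content):5d}  {preview!r}")
```

Run against the constructed SAMPLE_RUN_VALUE, peel() returns three layers: the outer launch string, the decoded inner script, and the MZ-prefixed bytes. Against real registry data the same loop applies, but expect to add decoders for whatever extra encodings (hex, XOR, compression) the sample uses; the MZ check at the top is what tells you when to stop.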

    This .DLL file is then injected into the legitimate DLLHOST.EXE process. The injected code is capable of downloading other malware, further compromising the security of the system. It also steals the following information from the affected system:

    • Operating system and architecture
    • UUID
    • Malware version
    • Build date

    This information is then sent to the command-and-control server via an HTTP POST request using the following URL format:

    • http://178[dot]89[dot]159[dot]34/q/type={status: start, install, exist, cmd or low}&version=1.0&aid={id}&builddate=%s&id={iuuid}&os={OS version}_{OS architecture}
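The check-in format above is specific enough to turn into a detection rule. Here is an added Python example, not from the original post, that pulls the beacon fields out of proxy log lines. Only the address 178.89.159.34 comes from the post; the log lines, the client addresses, the second server 203.0.113.9 and the UUID values are constructed for this example. The rule matches on the shape of the request (the /q/ path, the five documented type values and the field names) rather than on the IP alone, so a beacon to a different server is still flagged while the known address is called out separately.

```python
from urllib.parse import parse_qs, urlsplit

C2_HOST = "178.89.159.34"            # from the post, where it is written defanged
BEACON_TYPES = {"start", "install", "exist", "cmd", "low"}
REQUIRED_FIELDS = {"type", "version", "aid", "builddate", "id", "os"}

# Constructed proxy log lines (not real captures): "<time> <client> <method> <url> <status>".
SAMPLE_LOG = """\
2014-08-01T10:02:11Z 10.1.2.15 POST http://178.89.159.34/q/?type=start&version=1.0&aid=1234&builddate=20140731&id=6f3c0c5a-0000-4000-8000-00000000beef&os=6.1_x86 200
2014-08-01T10:02:13Z 10.1.2.15 GET http://update.example.test/file.txt 200
2014-08-01T10:05:40Z 10.1.2.77 POST http://203.0.113.9/q/?type=install&version=1.0&aid=1234&builddate=20140731&id=0d9e1b2c-0000-4000-8000-00000000cafe&os=6.3_x64 200
2014-08-01T10:06:02Z 10.1.2.15 POST http://178.89.159.34/q/?type=cmd&version=1.0&aid=1234 200
2014-08-01T10:07:00Z 10.1.2.90 POST http://shop.example.test/q/?type=start&version=1.0 200
"""


def parse_beacon(url: str):
    """Return the beacon fields if url has the POWELIKS check-in shape, else None."""
    parts = urlsplit(url)
    if not parts.path.startswith("/q/"):
        return None
    # The post writes the format as /q/type=...; accept both that and /q/?type=...
    query = parts.query or parts.path[len("/q/"):]
    fields = {k: v[0] for k, v in parse_qs(query).items()}
    if not REQUIRED_FIELDS.issubset(fields) or fields["type"] not in BEACON_TYPES:
        return None
    fields["host"] = parts.hostname
    fields["known_c2"] = parts.hostname == C2_HOST
    return fields


def scan_log(text: str) -> list:
    """Return one dict per POST request that matches the beacon format."""
    hits = []
    for line in text.splitlines():
        try:
            when, client, method, url, _status = line.split()
        except ValueError:
            continue  # malformed or differently shaped line
        if method != "POST":
            continue
        beacon = parse_beacon(url)
        if beacon:
            hits.append({"time": when, "client": client, **beacon})
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        tag = "KNOWN C2" if hit["known_c2"] else "same format, new host"
        print(f'{hit["time"]} {hit["client"]} -> {hit["host"]} type={hit["type"]} '
              f'os={hit["os"]} [{tag}]')
```

On the constructed log the first and third lines are flagged (the third to a host not in the post, caught by format alone). The fourth line, a cmd check-in with half the fields missing, is deliberately not flagged: REQUIRED_FIELDS encodes the full format the post gives, so shrink that set to {"type", "version", "aid"} if you would rather trade precision for recall.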

    We detect the .EXE and .DLL files as TROJ_POWELIKS.A and the encoded script as JS_POWELIKS.A. The SHA-1 hashes of the files used in this threat are:

    • EXE – BFA2DC3B9956A88A2E56BD6AB68D1F4F675A425A
    • DLL – 3506CE5C88EE880B404618D7759271DED72453FE

    Impact to the Threat Landscape

    Cybercriminals often use new tactics and techniques to avoid being detected on the system and to remain under the radar. These tactics range from simple hidden file attributes to more advanced rootkit technology. In the past, we have blogged about attacks that exhibit various notable evasion tactics:

    Notable malware like EMOTET and MORTO also leveraged the registry in the same way. EMOTET, which sniffs network traffic for information theft, keeps its PE component in the registry; its downloaded files are also located in registry entries, as is the encrypted stolen information. MORTO, on the other hand, stored itself encrypted in the registry.

    While abusing the Windows registry is no longer new, it indicates that cybercriminals and attackers are continuously improving their 'arsenal' of malware so as to go undetected and carry out more malicious activity without the user's knowledge. The use of the registry for evasion matters because a purely file-based AV solution will find nothing malicious on disk, and unsuspecting users rarely check the registry but rather look for suspicious files or folders. We surmise that in the future we may see other malware sporting the same routines as AV security continues to mature.

    Trend Micro protects users from this threat via its Smart Protection Network that detects the malicious file despite its evasion tactics.

    With additional analysis from Rhena Inocencio









    • alt307

      How do I get rid of it?

    • Walter Chapman

      I can't get my email or post comments. Does this malware cause that? I tried everything. Nothing works short of a new computer. Can you help? I can't even post this comment it's so bad. What gives? 'Bout ready to throw this damn laptop in the garbage. It's worthless. Other people can get their mail and post comments with their own email address on this computer no problem, but when I use my email address it won't do anything. Starting to piss me off!!!



     

    © Copyright 2013 Trend Micro Inc. All rights reserved. Legal Notice