Trend Micro Facebook TrendLabs Twitter Malware Blog RSS Feed You Tube - Trend Micro
Search our blog:

  • Recent Posts

  • Calendar

    May 2013
    S M T W T F S
    « Apr    
     1234
    567891011
    12131415161718
    19202122232425
    262728293031  
    • About Us
    Trendlabs Security Intelligence > WMI Abused for Malware Operations

    TrendLabsSM recently handled a client case last March wherein two peculiar malware leveraged a Windows service—Windows Management Instrumentation (WMI)—to execute their malicious routines.

    WMI lets users access and retrieve information about their OSs. It is particularly useful for administrators, especially in enterprise environments, as it manages applications found on systems connected to a network using any one of various coding languages. It can be considered a database that contains information on anything and everything related to a system’s OS and its users.

    Click for larger view

    As WMI contains a huge chunk of data, cybercriminals find it a very likely target for their malicious creations. They can, for instance, introduce specialized pragma to the service to make affected systems do their malicious bids such as:

    • Mine sensitive information that can only be accessed by the said service
    • Elevate a malicious user’s system privilege to spy on and probe the affected system and other systems connected to the same network
    • Embed malicious scripts into target services

    In this particular attack, TROJ_WMIGHOST.A, a WMI script, arrives on a system bundled with BKDR_HTTBOT.EA, a DLL malware. The malicious script opens two Internet browser windows. The first window allows BKDR_HTTBOT.EA to execute via an ActiveX content. The second window allows the backdoor to post Office files (e.g., Word, PowerPoint, or Excel) to a remote site and to execute other malicious scripts from the Ghost IP. These backdoor routines puts users at risk of losing pertinent data.

    This is, however, not the first time WMI was used for malicious purposes. In “Kiwicon 2008,” a security consultant introduced “The Moth,” a proof-of-concept (POC) Trojan that uses the service to deploy a malicious code capable of performing the following routines:

    • Dropping and executing other potentially malicious files onto the host system or onto removable drives
    • Hiding malicious codes
    • Relaunching an existing rootkit after having been found and removed

    Users need not worry, however, of being victimized by such an attack, as downloading this tool rids affected systems of TROJ_WMIGHOST.A. Trend Micro products via the Smart Protection Network™ also rids affected systems of BKDR_HTTBOT.EA.

    Update as of July 23, 2010 3:20 a.m. UTC

    Read more information about this malware technique through our research paper, Understanding WMI Malware.





    Share this article
    		 Get the latest on malware protection from TrendLabs
    Email this story to a friend   Technorati   NewsVine   MySpace   Google   Live   del.icio.us   StumbleUpon



    This entry was posted on Wednesday, May 26th, 2010 at 11:07 pm and is filed under Bad Sites . Both comments and pings are currently closed.





     

    Other Trend Micro blogs
    CTO Insights
    CounterMeasures Blog
    Cloud Security Blog
    Consumerization Blog
    Fearless Web
    Internet Safety for Kids & Families
    Simply Security News
    Trend Micro Blog [German]
    TrendLabs Security Blog [Japan]
    Cloud Security APAC
    Trend Micro Free Tools Threat Encyclopedia Trend Micro Videos
    Do you have a product-related question? Visit our eSupport website.

    © Copyright 2013 Trend Micro Inc. All rights reserved. Legal Notice