With every new technology comes a list of ways hackers can exploit weaknesses. In addition, these malicious actors find different ways every day to access your computers and retrieve your personal information – often leading to you losing money and data. It's never a good time for malware to strike, especially when the systems are tied to critical business assets.
Windows is no stranger to hackers trying to exploit weaknesses in new or old programs. Sometimes the very tools that are supposed to make system management easier for the average Windows user become the vehicle for malware. Let's look at how two such Windows features, God Mode and PowerShell, have recently been abused:
"God Mode" malware hides out
God Mode on Windows is a trick that gives those who know about it quick access to advanced settings. It works by creating a folder whose name is some variant of "God Mode" followed by a special Control Panel identifier. The folder becomes a handy shortcut – a one-stop shop – to all of the Control Panel menus, organized into categories such as Administrative Tools and Display, and it saves Windows users the time it would take to find each of these settings separately.
However useful God Mode is, enterprising hackers have found ways to exploit the same mechanism to gain access to your critical data. According to ExtremeTech contributor Ryan Whitwam, a new version of a malware called Dynamer uses the same trick as the God Mode folder hack: when Dynamer is installed on a system, it places itself in a folder that Windows treats as a master control panel directory – just like the folders created when putting Control Panel apps in a God Mode folder.
Dynamer is dangerous precisely because it hides inside such a folder, where it is not easily found. The God Mode folder isn't an official Windows feature, so some applications don't recognize it, and the malware slips past security tools for that reason.
Running undetected, the malware opens the RemoteApp and Desktop Connections Control Panel entry to hide its activity, reported BetaNews contributor Mark Wilson. The file also blocks deletion: the malware uses the name "com4," which Windows treats as a command name and therefore neither identifies as a threat nor allows to be deleted in the normal way.
"This command not only allows the malware to run, but also opens the RemoteApp and Desktop Connections control panel entry as cover," Wilson wrote. "In using the name 'com4' the malware writers have made life for victims a little trickier. As this is detected as a Windows command, deletion of the file is blocked."
The malware can be removed by ending its process in Task Manager and then running a specific command at the command prompt. The most sinister part of this malware, however, is that it exploits features of Windows that are supposed to make your life easier – not more vulnerable.
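As an added example (not code from the article or from the researchers it cites), the PowerShell hunt script below looks for the two artefacts described above: folders carrying a God Mode-style Control Panel identifier suffix, and files or folders whose base name is a reserved DOS device name such as com4, which ordinary Explorer and del/rd calls cannot remove. The search roots and the indicator patterns are assumptions; adjust them for your environment.

```powershell
# Added hunt script, not code from the article or from the researchers it cites.
# $Roots is an assumption: user-writable locations where a dropper usually lands.
# Folder pattern: Name.{CLSID}, e.g. the well-known All Tasks identifier
# {ED7BA470-8E54-465E-825C-99712043E01C} used by the God Mode trick.
$ClsidSuffix  = '\.\{[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$'
$ReservedName = '^(CON|PRN|AUX|NUL|COM[1-9]|LPT[1-9])$'
$Roots = @($env:APPDATA, $env:LOCALAPPDATA, $env:ProgramData, $env:TEMP) |
         Where-Object { $_ -and (Test-Path -LiteralPath $_) }

function Find-SuspiciousEntries {
    param([string[]]$Paths)
    foreach ($root in $Paths) {
        Get-ChildItem -LiteralPath $root -Recurse -Force -ErrorAction SilentlyContinue |
        ForEach-Object {
            # GetFileNameWithoutExtension turns com4.exe into com4, the part Windows reserves
            $base   = [System.IO.Path]::GetFileNameWithoutExtension($_.Name)
            $reason = $null
            if ($_.PSIsContainer -and $_.Name -match $ClsidSuffix) { $reason = 'CLSID-suffixed folder' }
            elseif ($base -match $ReservedName)                   { $reason = 'Reserved device name' }
            if ($reason) {
                [pscustomobject]@{ Reason = $reason; Path = $_.FullName; IsContainer = $_.PSIsContainer }
            }
        }
    }
}

# Reserved-name entries must be addressed through the Win32 extended-length
# prefix \\?\, which bypasses the device-name parsing that blocks ordinary deletion.
function Remove-ReservedNameEntry {
    param([Parameter(Mandatory)][string]$Path, [switch]$IsContainer, [switch]$Force)
    $raw = '\\?\' + $Path
    if (-not $Force) { Write-Warning "Would remove $raw (re-run with -Force)"; return }
    if ($IsContainer) { cmd.exe /c rd /s /q $raw } else { cmd.exe /c del /f /q $raw }
}

# Usage: list findings first, review them, then remove only what you have confirmed.
$Findings = Find-SuspiciousEntries -Paths $Roots
$Findings | Format-Table -AutoSize
$Findings | Where-Object Reason -eq 'Reserved device name' |
    ForEach-Object { Remove-ReservedNameEntry -Path $_.Path -IsContainer:$_.IsContainer }
```

End the malware's process first, as the article notes, or the removal will fail on a locked file.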
Malware takes advantage of PowerShell
Another instance of malware taking advantage of system management tools is malicious code that uses PowerShell. Windows' built-in scripting engine is a frequent target of attackers looking to exploit Microsoft systems. According to Trend Micro researchers, there are several reasons for its popularity among hackers.
"For one, users cannot easily spot any malicious behavior since PowerShell runs in the background," Trend Micro researchers recently wrote. "Another is that PowerShell can be used to steal usernames, passwords, and other system information without an executable file being present. This makes it an attractive tool for attackers for carrying out malicious activities while avoiding easy detection."
In March 2016, Trend Micro researchers discovered that PowerShell was being used to infect computers with malware that targeted tax return documents – adding to the already stressful tax season. Cyber attackers sought to encrypt critical return information in order to extract ransoms from unwary users, causing headaches all around.
Even more recently, researchers found a new instance of PowerShell being abused: it was used to deliver a variant of the FAREIT data-stealing software, opening users up to having their information leaked. The hackers could also use this program to steal bitcoin.
FAREIT is a family of malware used to download other malicious code, such as ZeuS/ZBOT, onto systems, often resulting in the installation of information-stealing programs. The data taken can include directory listings, passwords, port numbers, server names, server types and usernames. The latest incarnation exploits Windows PowerShell by first infecting a computer via an email carrying a malicious PDF file or Word document. These emails may look like purchase orders or billing reminders and are designed to trick users into downloading and opening the infected attachments.
"As both PDFs and macros are used in most organizations and enterprises, employees are quite susceptible to fall for FAREIT," researchers cautioned. "Users are advised to install security software that can detect spammed messages and malicious files related to this threat."
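The Trend Micro observations above (PowerShell running in the background, with no executable on disk) point to the one control that makes this activity visible: script block logging records the text PowerShell actually runs, whether it came from a macro, an attachment or a .ps1 file. The script below is an added example, not code from the article or from Trend Micro; the indicator list is an assumption for illustration.

```powershell
# Added detection example, not code from the article or from Trend Micro.
# Script block logging writes event 4104 to Microsoft-Windows-PowerShell/Operational
# with the script text, even when no script file exists on disk.
$LogKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging'

function Enable-ScriptBlockLogging {
    # Same value Group Policy writes; needs an elevated session.
    if (-not (Test-Path -LiteralPath $LogKey)) { New-Item -Path $LogKey -Force | Out-Null }
    Set-ItemProperty -Path $LogKey -Name EnableScriptBlockLogging -Value 1 -Type DWord
}

# Assumed indicator list: strings that rarely appear in legitimate admin scripts
# but are common in fileless delivery. Tune for your environment.
$Indicators = @(
    'FromBase64String', '-EncodedCommand', 'DownloadString', 'DownloadFile',
    'Invoke-Expression', 'WindowStyle Hidden', 'ExecutionPolicy Bypass', 'Net.WebClient'
)

function Get-SuspiciousScriptBlocks {
    param([int]$Hours = 24)
    $filter = @{
        LogName   = 'Microsoft-Windows-PowerShell/Operational'
        Id        = 4104
        StartTime = (Get-Date).AddHours(-$Hours)
    }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        # 4104 payload order: MessageNumber, MessageTotal, ScriptBlockText, ScriptBlockId, Path
        $text = [string]$_.Properties[2].Value
        $hits = $Indicators | Where-Object { $text -like "*$_*" }
        if ($hits) {
            [pscustomobject]@{
                Time          = $_.TimeCreated
                ScriptBlockId = $_.Properties[3].Value
                ScriptPath    = $_.Properties[4].Value   # empty when the script never touched disk
                Indicators    = ($hits -join ', ')
                Preview       = ($text.Substring(0, [Math]::Min(120, $text.Length)) -replace '\s+', ' ')
            }
        }
    }
}

Enable-ScriptBlockLogging
Get-SuspiciousScriptBlocks -Hours 24 | Sort-Object Time | Format-Table -AutoSize
```

An empty ScriptPath on a hit is the "no executable file present" case the researchers describe; forward these events to your SIEM rather than relying on the local log alone.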
Extra: Symantec anti-virus weakness
Security tools are supposed to protect your systems, but what happens when malware exploits those, too? In addition to the security flaws affecting PowerShell and the God Mode functionality, researchers also recently discovered a critical weakness in the Symantec Antivirus Engine. It seems almost backward: a security tool that was supposed to protect systems ended up being the reason protection was needed in the first place.
"[The Symantec Antivirus Engine] was vulnerable to a buffer overflow when parsing malformed portable-executable (PE) header files," wrote ZDNet contributor Chris Duckett.
This vulnerability resulted in kernel memory corruption – a serious flaw. The most common outcome would be a system crash and blue screen of death, Duckett stated. Symantec Endpoint Antivirus, Norton Antivirus, Symantec Scan Engine and Symantec Email Security were all affected.
When security patches aren't enough
System management tools serve to make your life easier when using a Windows machine, but malicious programs like the ones that recently abused the God Mode functionality and PowerShell are turning these useful tools into vulnerabilities on your system. In these situations, it's crucial that users of Windows systems have invested in the proper cyber security tools.
Weaknesses within Microsoft Windows could potentially impact millions of people. Making sure to invest in the right kinds of cyber security solutions is more critical than ever before in today's technology landscape, especially in light of the security flaws that have been found in Windows systems. Don't let hackers abuse the weaknesses within these programs.