"Undetectable" virus

Moderators: b1o, jkerr82508

User avatar
viking60
Über-Berserk
Posts: 9279
Joined: 14 Mar 2010, 16:34

"Undetectable" virus

Postby viking60 » 26 Oct 2014, 16:00

Windows has its fair share of viruses and they can be avoided with Anti Virus programs. There was a worrying virus some time ago CVE-2012-0158 where the registry was infected.

Based on this, the malicious hackers have come up with a new variation that can infect your registry without any files on your system. Now those files are checked by the AV software you use - but here there is nothing to check!

The registry entries can infect your computer by opening Word attachments to mails or by downloading them. One approach that has been used is to inform you that you have received post at the post office, so you only have to open the attachment to collect it. This Word attachment exploits the vulnerability described in CVE-2012-0158.

You will not be able to detect this registry entry because the key does not begin with an ASCI character - that does hide it from the registry editor.
This technique is something rarely put into focus. The initial file, which starts all malicious activity on the computer system, holds all code necessary for the attack, crypted and hidden, waiting to be called and executed.


The only way to avoid this is to catch the attachment before it reaches your computer aka before it is executed.
If you don't; you can only monitor your computers for suspicious behaviour after you have been infected.

I suggest Process Monitor -from my old favorites site Sysinternals (bought by Microsoft). It usually makes sense to monitor by registry key here but it will be hidden so you probably have to register all registry activity without drilldown possibilities. If you are lucky there might be some working drilldown criteria to limit the amount of data.

Everything is happening in the registry without any files and the code is partially in assembly. It will call a Powershell script that executes assembly code; typically a hardcoded IP for further instructions but it could execute any action right after the infection.
It is a rather scary thought that your registry can contain entries that you cannot see with the tools that are made for it. :pray:

So here is a tip: Dual boot with Linux (Microsoft loves it) - open the attachement in Linux and check it out (check if it is from the post office or whatever the claim). If in doubt do not open any Word documents that are attached to e-mails (Windows users only).
If you use Linux you can open all you want +1

More here
Manjaro 64bit on the main box -Intel(R) Core(TM) i7 CPU 920 @ 2.67GHz and nVidia Corporation GT200b [GeForce GTX 275] (rev a1. + Centos on the server - Arch on the laptop.
"There are no stupid questions - Only stupid answers!"

User avatar
Snorkasaurus
Berserk
Posts: 587
Joined: 30 Dec 2013, 19:19
Contact:

Re: "Undetectable" virus

Postby Snorkasaurus » 31 Oct 2014, 04:59

LAWL! Powershell? Microsoft Word? Never heard of them. :-)
S.


Return to “Win News”