Fake Antivirus DEFENSE!


8 replies to this topic

#1 akoch
  • Members
  • 56 posts

Posted 12 January 2012 - 04:33 PM

Hello,

Today I had to spend an entire day rebuilding a fresh OS/software package for a user on my domain who was infected with one of those nasty AV/fake programs. After running unhide.exe and removing the bug on her old PC, most of her files were still hidden and I had decided it'd be more productive to set up a new PC for her.

My idea:

Create a group policy that restricts access to the hidden file attribute (gray out the option), then add the domain user account to this local group.

I was digging around in the registry and I found out how to remove the "show hidden files and folders" option from FOLDER options, but I haven't yet found a place where I can disable the hidden file attribute on an object properties box, on the general tab.


Would anyone know where to add, or modify an existing key in, the registry on Windows XP to achieve the desired results?


#2 Andrew
    Bleepin' Night Watchman
  • Moderator
  • 8,260 posts
  • Location:Right behind you

Posted 12 January 2012 - 04:59 PM

I believe that file and directory attributes are directly handled by the filesystem driver. You can use registry items/group policy objects to control whether Windows offers users a GUI for these features (the tick box) but doing so won't prevent a malicious application from setting these attributes on any file or directory which is writable by the program's security context. In order to prevent any hidden files from being created, you would need to intercept all calls to the SetFileAttributes function which is exported by kernel32.dll.

Unhide.exe will skip any files marked as System Files. It may be that the files which were not unhidden in this case also have the System File attribute set.

Edited by Andrew, 12 January 2012 - 05:02 PM.
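The leftover files Andrew describes (Hidden plus System set by the malware, so unhide.exe skips them) can be fixed directly. The PowerShell function below is an added example, not something posted in this thread and not part of unhide.exe. It walks a folder tree and clears the Hidden and System attributes on everything that is still hidden, skipping junction points and a short list of names Windows legitimately keeps hidden inside a profile (that list is an assumption; extend it for your build). The profile path in the usage lines is made up. It runs on PowerShell 2.0, which is what XP and 7 shipped with or could install.

```powershell
# Added example (not from the thread): clear the Hidden and System attributes a
# fake-AV infection leaves on a user's files. Run as an administrator on the
# affected machine; use -WhatIf first to see what would change.
function Restore-HiddenUserFiles {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory = $true)]
        [string]$Root,
        # Names Windows keeps hidden/system inside a profile on purpose.
        # Assumption: adjust for your OS build and any apps that do the same.
        [string[]]$Keep = @('desktop.ini', 'ntuser.dat', 'ntuser.dat.log', 'ntuser.ini', 'thumbs.db')
    )

    $hidden  = [IO.FileAttributes]::Hidden
    $system  = [IO.FileAttributes]::System
    $reparse = [IO.FileAttributes]::ReparsePoint
    $changed = 0

    # -Force is what makes Get-ChildItem return hidden and system items at all
    foreach ($item in (Get-ChildItem -LiteralPath $Root -Force -Recurse -ErrorAction SilentlyContinue)) {
        # Junctions (e.g. the 'Application Data' links on Vista/7) are hidden+system by design
        if (($item.Attributes -band $reparse) -ne 0) { continue }
        if ($Keep -contains $item.Name.ToLower())   { continue }
        # Only touch things that are actually still hidden
        if (($item.Attributes -band $hidden) -eq 0)  { continue }

        if ($PSCmdlet.ShouldProcess($item.FullName, 'Clear Hidden and System attributes')) {
            # Keep every other attribute bit (Archive, ReadOnly, ...) as it was
            $item.Attributes = $item.Attributes -band (-bnot ($hidden -bor $system))
            $changed++
        }
    }

    Write-Host "$changed item(s) updated under $Root"
    return $changed
}

# Usage (the profile path is an assumption): preview, then apply.
Restore-HiddenUserFiles -Root 'C:\Documents and Settings\jdoe\My Documents' -WhatIf
Restore-HiddenUserFiles -Root 'C:\Documents and Settings\jdoe\My Documents'
```

Point it at the user's data folders (My Documents, Desktop, Favorites) rather than the profile root: PowerShell 2.0's -Recurse follows junctions, and on Vista/7 the compatibility junctions under a profile loop back into the same tree. The ReparsePoint check only stops the script from changing a junction's attributes, it does not stop recursion through it.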


#3 akoch
  • Topic Starter

Posted 12 January 2012 - 05:12 PM

Thank you for your input. When these programs install, do they act like any other installer? If that is the case, I could remove the user from their local administrators group (so they can't install programs) and defend against it that way.

#4 Andrew

Posted 12 January 2012 - 05:25 PM

Removing the user from the Local Admin group is highly advisable. If they run as an admin on Windows XP then any program they run inherits these rights by default. This means that their e-mail client, web browser, etc. is also running with administrator privileges and any successful exploit of these programs can be potentially devastating.

There is a tool called DropMyRights which can be used by an administrator to launch any program with all admin-level privileges dropped. Once a privilege is dropped, it cannot be recovered by the program. One trick XP users may find handy is to replace their shortcuts for high-risk programs (like browsers) with shortcuts to batch files which launch the desired program through DropMyRights. This is a workable middle ground if the user must have local admin rights. The browser and e-mail client are by far the most targeted applications, so running them with minimal privileges greatly reduces the attack surface of the computer. The batch file is simple, just one line:

C:\Path\to\dropmyrights.exe C:\Path\to\desired\program.exe

Edited by Andrew, 12 January 2012 - 05:27 PM.
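To confirm that a program started through DropMyRights really lost its admin rights, the PowerShell script below is an added example (it is not from this thread and not part of the DropMyRights package). It inspects the token of the process it runs in. The MSDN article DropMyRights comes from builds its token with CreateRestrictedToken, which does not remove BUILTIN\Administrators (S-1-5-32-544) from the token but marks it deny-only: the SID is still listed in the identity's Groups collection, but WindowsPrincipal.IsInRole reports false. Both answers together tell you whether rights were dropped. The file paths in the comments are assumptions.

```powershell
# Added example (not from the thread): report whether this process runs with the
# Administrators group disabled in its token. Launch it through DropMyRights, e.g.
#   DropMyRights.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -NoExit -File C:\tools\Test-Token.ps1"
# (paths are assumptions) and compare the output with a normal launch.
function Test-RestrictedToken {
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)

    # S-1-5-32-544 is BUILTIN\Administrators on every Windows install, so resolve it
    # from the well-known SID type instead of by (localisable) name.
    $adminSid = New-Object Security.Principal.SecurityIdentifier(
        [Security.Principal.WellKnownSidType]::BuiltinAdministratorsSid, $null)

    # Groups lists every SID in the token, including deny-only ones.
    $present = $identity.Groups -contains $adminSid
    # IsInRole only honours SIDs that are *enabled* in the token, so a
    # CreateRestrictedToken / UAC-filtered token gives $false here.
    $enabled = $principal.IsInRole($adminSid)

    New-Object PSObject -Property @{
        User                  = $identity.Name
        AdministratorsInToken = $present
        AdministratorsEnabled = $enabled
        # True only when the account *is* an admin and the group was disabled:
        # a plain standard user has nothing to drop and reports $false.
        AdminRightsDropped    = ($present -and -not $enabled)
    }
}

Test-RestrictedToken | Format-List User, AdministratorsInToken, AdministratorsEnabled, AdminRightsDropped
```

On XP an admin's normal processes report AdministratorsEnabled = True and the DropMyRights-launched one reports False. On 7 with UAC on, a non-elevated process of an admin account already carries Administrators as deny-only, so both launches look the same; to see DropMyRights do anything there you would have to start it from an elevated prompt, which is consistent with akoch's observation later in this thread that it only made a difference on XP.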


#5 akoch
  • Topic Starter

Posted 13 January 2012 - 02:08 PM

I just set this up on a virtual machine. Now I need to purposely infect it, haha. I've been looking for a half an hour already. :(

That's cool, it's an MSI too. Deployable via GPO. Didn't think it was a Microsoft utility.

Thanks!

#6 Andrew

Posted 13 January 2012 - 03:13 PM

:thumbup2:

I just found this tool, StripMyRights. It's based on DropMyRights but simplifies its usage by hijacking the Image File Execution Options for the specified executable. This means that any time the executable is run, StripMyRights is run instead (which in turn launches the original exe with dropped rights). This means that you don't have to bother with creating special shortcuts at all.

Edited by Andrew, 13 January 2012 - 03:22 PM.
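The Image File Execution Options hijack works through the Debugger value under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\<image name>: when Windows starts an image with that file name it runs the Debugger command instead, with the original command line appended. That is also the mechanism malware uses to replace tools such as taskmgr.exe, so an audit of those values is worth having, and it is how a StripMyRights install is undone (assumption: StripMyRights writes the Debugger value, which the post above implies but does not spell out). The PowerShell below is an added example, not from this thread and not part of either tool.

```powershell
# Added example (not from the thread): list and remove IFEO Debugger hijacks.
# Run from an elevated PowerShell (writing under HKLM needs admin rights).
$IfeoBase = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'

# Every image name that currently has a Debugger value, and what it points at.
function Get-IfeoDebugger {
    foreach ($key in (Get-ChildItem -Path $IfeoBase)) {
        $props = Get-ItemProperty -Path $key.PSPath
        if ($props.Debugger) {
            New-Object PSObject -Property @{
                Image    = $key.PSChildName   # e.g. iexplore.exe
                Debugger = $props.Debugger    # e.g. C:\tools\StripMyRights.exe /D (assumed value)
            }
        }
    }
}

# Reverse a hijack: drop the Debugger value and, if nothing else is left in the
# key, the key itself (other IFEO values such as DisableExceptionChainValidation
# are left alone when present).
function Remove-IfeoDebugger {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([Parameter(Mandatory = $true)][string]$Image)

    $path = Join-Path $IfeoBase $Image
    if (-not (Test-Path -Path $path)) { throw "No IFEO key for $Image" }

    if ($PSCmdlet.ShouldProcess($Image, 'Remove IFEO Debugger value')) {
        Remove-ItemProperty -Path $path -Name Debugger -ErrorAction Stop
        $key = Get-Item -Path $path
        if ($key.ValueCount -eq 0 -and $key.SubKeyCount -eq 0) {
            Remove-Item -Path $path
        }
    }
}

# Audit first; image name in the removal line is an assumption.
Get-IfeoDebugger | Format-Table Image, Debugger -AutoSize
Remove-IfeoDebugger -Image 'iexplore.exe' -WhatIf
```

On 64-bit Windows, 32-bit images are matched against the same key path under HKLM\SOFTWARE\Wow6432Node as well, so run the audit against both bases there. Anything in the list you did not put there yourself deserves a look: a Debugger value pointing at an unfamiliar path is a persistence and hijack technique, not a configuration.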


#7 akoch
  • Topic Starter

Posted 16 January 2012 - 05:53 PM

I like that one better. Users on my network have to test functionality of different browsers on different websites too, so I'll need to find a way to set those up with a simple merge like that as well.

Thanks!!!

Edited by akoch, 16 January 2012 - 05:54 PM.


#8 akoch
  • Topic Starter

Posted 19 January 2012 - 10:56 AM

I decided against using StripMyRights because of the registry change (which is not easily reversible).

Instead, I decided to get a few volunteers to test DropMyRights out for a few days.

I used this batch file to run a VBScript (as well as modified versions of it to affect all the browsers being used on my network):

IE, Firefox, Aurora, Chrome, Outlook

@echo off
REM Builds a desktop shortcut that starts the browser through DropMyRights.
REM Change linkName, arg1 and iconFile to make the same shortcut for Firefox,
REM Chrome, Outlook etc.
set linkName=Internet Explorer (Protected)
set linkPath=%userprofile%\Desktop
set program=%userprofile%\My Documents\MSDN\DropMyRights\DropMyRights.exe
set arg1="C:\Program Files\Internet Explorer\iexplore.exe"
set workDir=C:\Windows\System32
set iconFile=C:\Program Files\Internet Explorer\iexplore.exe
set icon=0
set windowStyle=2
set vbsFile=%temp%\make_dmr_shortcut.vbs

REM Write a throw-away VBScript that uses WScript.Shell to create the .lnk file
echo Set oWS = WScript.CreateObject("WScript.Shell") > "%vbsFile%"
echo sLinkFile = "%linkPath%\%linkName%.LNK" >> "%vbsFile%"
echo Set oLink = oWS.CreateShortcut(sLinkFile) >> "%vbsFile%"
echo oLink.TargetPath = "%program%" >> "%vbsFile%"
REM arg1's own quotes become the VBScript string delimiters; chr(34) adds the
REM quotes the shortcut needs so DropMyRights receives one quoted path
echo oLink.Arguments = chr(34) ^& %arg1% ^& chr(34) >> "%vbsFile%"
echo oLink.IconLocation = "%iconFile%, %icon%" >> "%vbsFile%"
echo oLink.WindowStyle = "%windowStyle%" >> "%vbsFile%"
echo oLink.WorkingDirectory = "%workDir%" >> "%vbsFile%"
echo oLink.Save >> "%vbsFile%"

WScript.exe "%vbsFile%"
del "%vbsFile%"

After installing DropMyRights, I run the batch file and it places a shortcut on the desktop:

Internet Explorer (Protected)

After some testing:
It looks like DMR will only drop rights on XP machines, not Windows 7. Windows 7 does have UAC, so that should be a good enough layer of protection -- we've never had a Windows 7 machine be infected by one of these programs yet. DropMyRights.msi also does not install correctly via GPO software deployment.

Thoughts:
Being I can't implement DMR properly via GPO, I can't use it. If I could, I would be able to write a logon script to run shortcut creation.

Edited by akoch, 19 January 2012 - 03:45 PM.


#9 akoch
  • Topic Starter

Posted 19 January 2012 - 03:42 PM

Another way to defend against it is to remotely create a local administrator account for each user via the local users and groups mmc snapin, "usernameadmin", then remove their domain account from the local admin group.

Whenever they need to run anything with elevated privileges they can do a run-as and use their local admin account.

Edited by akoch, 20 January 2012 - 01:30 PM.
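The per-user local admin account from the post above can be created without clicking through the MMC snap-in on each machine. The PowerShell function below is an added example (not from this thread). It uses the ADSI WinNT provider, which works against XP and 7 workstations from a PowerShell 2.0 admin box, to create <user>admin, add it to the local Administrators group, remove the user's own domain account from that group, and return the resulting membership so the change can be verified. The computer, domain and user names in the usage line are made up.

```powershell
# Added example (not from the thread): create a "usernameadmin" local account on a
# remote workstation and swap it for the user's domain account in Administrators.
# Run as a domain account that is already a local admin on the target.
function New-UserLocalAdmin {
    param(
        [Parameter(Mandatory = $true)][string]$ComputerName,   # e.g. PC-0123   (assumed)
        [Parameter(Mandatory = $true)][string]$Domain,         # NetBIOS name, e.g. CORP (assumed)
        [Parameter(Mandatory = $true)][string]$UserName,       # the user's domain account, e.g. jdoe
        [Parameter(Mandatory = $true)][Security.SecureString]$Password
    )

    $adminName = "${UserName}admin"
    # The WinNT provider's SetPassword needs plain text; keep it in scope as briefly as possible.
    $bstr  = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($Password)
    $plain = [Runtime.InteropServices.Marshal]::PtrToStringAuto($bstr)
    [Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr)

    # 1. Create the local account on the remote machine's SAM
    $computer = [ADSI]"WinNT://$ComputerName,computer"
    $account  = $computer.Create('user', $adminName)
    $account.SetPassword($plain)
    $account.Put('Description', "Local admin account for $Domain\$UserName")
    $account.SetInfo()
    $plain = $null

    # 2. Put the new account into local Administrators ...
    $admins = [ADSI]"WinNT://$ComputerName/Administrators,group"
    $admins.Add("WinNT://$ComputerName/$adminName,user")

    # 3. ... and take the user's everyday domain account out of it.
    #    Remove() throws if the account is not a member, which is fine to ignore.
    try   { $admins.Remove("WinNT://$Domain/$UserName,user") }
    catch { Write-Warning "$Domain\$UserName was not in Administrators on $ComputerName" }

    # Return the group's members so the result can be checked, not assumed
    $admins.psbase.Invoke('Members') | ForEach-Object {
        $_.GetType().InvokeMember('Name', 'GetProperty', $null, $_, $null)
    }
}

# Usage (all names are assumptions); the password is prompted for, never typed on the command line.
$pw = Read-Host -Prompt 'Password for the new local admin account' -AsSecureString
New-UserLocalAdmin -ComputerName 'PC-0123' -Domain 'CORP' -UserName 'jdoe' -Password $pw
```

Give every machine's admin account its own password: the same local admin password across the domain means one compromised workstation's password hash opens all the others. And check the returned member list, because the whole benefit depends on step 3 having actually removed the domain account; if it is still a member, the browser the user runs every day is still running as an administrator.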




