
Protection against Poweliks



#1 caleb89sw (Members, 10 posts)

Posted 02 November 2014 - 07:33 PM

Hello. Recently, I've been hearing a lot of the new, evasive malware called Poweliks. I have not seen any symptoms of it, but I am concerned about a future infection seeing how common it appears to be. I have a Windows 7 with Norton 360 on it. Are there any precautionary steps I can take to reduce the risk of infection? Thanks.


#2 quietman7 (Bleepin' Janitor, Global Moderator, Virginia, USA, 51,729 posts)

Posted 02 November 2014 - 08:26 PM

Trojan.Poweliks (and Win32/Xswkit, a Poweliks clone) are unique when compared to traditional malware because it resides in Windows registry and memory. It does not exist on a compromised computer as a physical file but does create a randomly named .dll file in memory and injects code into legitimate running processes, like Internet Explorer. In doing this, Poweliks is able to run on the back of the legitimate process and avoid detection. Since Poweliks resides only in the registry (which technically is stored on the file system) and everything it does is performed within the system memory, it can survive a reboot. The developers hid the autostart registry key by using a non-ASCII character as the name of the key which prevents most tools from processing the malicious entry. Windows Regedit cannot read or open the non-ASCII key entry.

When executed, Poweliks creates the following registry entry:

[HKEY_CURRENT_USER\Software\Classes\clsid\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\localserver32]
(Default)="rundll32.exe javascript:\"\\..\\mshtml,RunHTMLApplication \";eval……."
a="#@~^XHoAAA=……"


Poweliks typically affects the ability to browse or download files using Internet Explorer and causes PowerShell error alerts. Task Manager typically shows numerous occurrences of (COM Surrogate) dllhost.exe or dllhst3g.exe. If using a 64-bit version of Windows, then these entries will be listed as dllhost.exe *32 or dllhst3g.exe *32. These processes are known to spawn and consume a large amount of system resources as described here. When attempting to download files in Internet Explorer you may receive the message "Your current security settings do not allow this file to be downloaded." or you may see a pop-up alert advising that "powershell (powershell.exe) has stopped working".

Poweliks is also a Trojan Downloader...meaning it has the ability to download more malicious files so systems risk being infected by other malware, causing a more damaging infection and compromising security. Once the malware compromises a machine it's able to receive commands from a remote attacker and has the capability to steal system information which may be used by cyber-criminals to launch other attacks. Zbot, ZeroAccess, Tracur, Chromeinject and some ransomware variants which encrypt data are commonly downloaded and seen on systems infected with Poweliks and other types of malware.

Poweliks has reportedly been spread and delivered through social engineering...by opening malicious spam emails (attachments) and by exploiting a vulnerability in Microsoft Word (CVE-2012-0158 Exploit). Emails from fake Canadian Post or U.S. Postal Service typically use subjects (missed package delivery, purchase orders, bills, complaints, other business communications) that will entice a user to read the email and open the attachment. Poweliks can also spread via exploit kits that deliver drive-by downloads.


Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click the donation link.
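A read-only check for the two indicators this post describes (a per-user CLSID whose LocalServer32 default value runs rundll32 with a javascript:/mshtml,RunHTMLApplication payload, and a key hidden behind a non-ASCII name). This is an added PowerShell example, not code from the thread or from any of the tools it mentions; it assumes it runs as the user whose HKCU hive is being examined and uses the strings quoted above as its signatures.

```powershell
# Added example (not from the thread): scan HKCU COM registrations for the
# Poweliks pattern described above. Read-only; it only reports, never deletes.
$clsidRoot = 'HKCU:\Software\Classes\CLSID'
$suspicious = @()

if (Test-Path -LiteralPath $clsidRoot) {
    foreach ($clsid in Get-ChildItem -LiteralPath $clsidRoot -ErrorAction SilentlyContinue) {
        $reasons = @()

        # Indicator 1: a key or value name that is empty or contains non-ASCII
        # characters (the trick that keeps Regedit from opening the entry).
        # Names with an embedded null come back truncated, so an empty name is
        # treated as suspicious as well. This is best-effort, as the post notes.
        $names = @($clsid.PSChildName) + @($clsid.GetValueNames())
        $names += @(Get-ChildItem -LiteralPath $clsid.PSPath -Recurse -ErrorAction SilentlyContinue |
                    ForEach-Object { $_.PSChildName })
        foreach ($n in $names) {
            if ($n -eq '' -or $n -match '[^\x20-\x7E]') {
                $reasons += "empty or non-ASCII name: '$n'"
                break
            }
        }

        # Indicator 2: LocalServer32 default value that starts a script host via
        # rundll32, i.e. the 'rundll32.exe javascript:...mshtml,RunHTMLApplication' form.
        $ls = Join-Path -Path $clsid.PSPath -ChildPath 'LocalServer32'
        if (Test-Path -LiteralPath $ls) {
            $cmd = [string](Get-Item -LiteralPath $ls).GetValue('')
            if ($cmd -match 'rundll32' -and $cmd -match 'javascript:|mshtml|RunHTMLApplication') {
                $reasons += "LocalServer32 launches a script host: $cmd"
            }
        }

        if ($reasons.Count -gt 0) {
            $suspicious += [pscustomobject]@{ CLSID = $clsid.PSChildName; Reasons = ($reasons -join '; ') }
        }
    }
}

# Supporting symptom from the post: many COM Surrogate (dllhost.exe) processes.
$dllhost = @(Get-Process -Name dllhost, dllhst3g -ErrorAction SilentlyContinue).Count
"COM Surrogate processes (dllhost/dllhst3g) running: $dllhost"
if ($suspicious.Count -eq 0) { "No Poweliks-style CLSID entries found under $clsidRoot." }
else { $suspicious | Format-Table -AutoSize -Wrap }
```

A hit on either indicator is a reason to run one of the removal tools named later in this thread, not proof of infection on its own; a high dllhost count alone is common on a healthy system.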

#3 rp88 (Members, 3,059 posts)

Posted 09 November 2014 - 10:17 AM

Does this mean that this type is impossible to detect or protect against then? I assume future attacks will become more and more like this.
Back on this site, for a while anyway, been so busy the last year.

My systems:2 laptops, intel i3 processors, windows 8.1 installed on the hard-drive and linux mint 17.3 MATE installed to USB

#4 quietman7 (Bleepin' Janitor, Global Moderator, Virginia, USA, 51,729 posts)

Posted 09 November 2014 - 10:25 AM

There are some tools which will detect and remove...and most likely more on the way.

Protection involves following safe computer practices to avoid social engineering attacks, exploits and drive-by downloads.

Basic Prevention Tips:

:step1: Do not open email attachments from unknown or unsolicited sources. Beware of fake PDF files in email attachments which appear to be legitimate correspondence from reputable companies such as banks and Internet providers or UPS or FedEx with tracking numbers. Attackers will use email addresses and subjects (purchase orders, bills, complaints, other business communications) that will entice a user to read the email and open the attachment...see here.

:step2: Do not open Office documents with embedded macro as they can be infected...see here.

:step3: Do not click links in an email message, an instant message or on a social networking site. If the link is malicious, you can be redirected to a compromised site and become infected by exploit kits that deliver drive-by downloads.

:step4: Turn on file extensions in Windows so that you can see extensions. Ransomware disguises .exe files as fake PDF files inside a .zip file attached to the email. These disguised files have a PDF icon and are typically randomly named. Since Microsoft does not show extensions by default, they look like normal PDF files and people routinely open them. Another common tactic of malware writers is to disguise malicious files by hiding the file extension or adding spaces to the existing extension as shown here (click Figure 1 to enlarge) so be sure you look closely at the full file name. Microsoft does not show extensions by default.

:step5: Turn Off Flash to Avoid 'Malvertising' Attacks and block advertisements in your browser with AdBlock.

:step6: Using Java is an unnecessary security risk so remove Java if you don't use it or disable Java Plug-ins or add-ons in your browsers if you do.

:step7: Don't disable UAC in Vista or Windows 7/8; limit user privileges and use Limited User Accounts in Windows XP.

:step8: Follow Best Practices for Safe Computing when browsing the web. Important Fact: It has been proven time and again that the user is a more substantial factor (weakest link) in security than the architecture of the operating system or installed protection software.


Note: Windows XP users should stop using Internet Explorer as that version is no longer supported and is vulnerable to exploits. Instead, they should use an updated alternate Browser. XP users wondering what else they can do to mitigate their risks also need to either update the operating system or Ditch the Free AV & Get a Paid Solution.

XP users may also want to read these topics for more tips and suggestions...

#5 Fardooste (Members, 107 posts)

Posted 19 November 2014 - 12:51 PM

Which programs currently detect poweliks? I saw an infection today where something kept invoking powershell in process explorer and disappeared. 



#6 quietman7 (Bleepin' Janitor, Global Moderator, Virginia, USA, 51,729 posts)

Posted 19 November 2014 - 02:15 PM

Which programs currently detect poweliks? I saw an infection today where something kept invoking powershell in process explorer and disappeared.


Poweliks can be a difficult infection to remove since most security scanning tools will not detect it. RogueKiller and RKill should also detect/terminate Poweliks. I have been told that TDSSKiller...detection of Poweliks is to be added soon.

#7 Fardooste (Members, 107 posts)

Posted 20 November 2014 - 11:56 AM

Thanks. 



#8 quietman7 (Bleepin' Janitor, Global Moderator, Virginia, USA, 51,729 posts)

Posted 20 November 2014 - 01:57 PM

You're welcome.

#9 quietman7 (Bleepin' Janitor, Global Moderator, Virginia, USA, 51,729 posts)

Posted 16 January 2015 - 06:06 AM

For those keeping up with this topic...Win32/Xswkit (aka Gootkit, a Poweliks clone)

RKill has been updated to detect this variant.

#10 Didier Stevens (BC Advisor, 2,716 posts)

Posted 16 January 2015 - 11:27 AM

Does this mean that this type is impossible to detect or protect against then? I assume future attacks will become more and more like this.

No, many AV products also scan (and clean) the registry.


Didier Stevens
http://blog.DidierStevens.com
http://DidierStevensLabs.com

SANS ISC Senior Handler
Microsoft MVP 2011-2016 Consumer Security, Windows Insider MVP 2016-2019

If you send me messages, per Bleeping Computer's Forum policy, I will not engage in a conversation, but try to answer your question in the relevant forum post. If you don't want this, don't send me messages.


Stevens' law: "As an online security discussion grows longer, the probability of a reference to BadUSB approaches 1.0"


#11 Fardooste (Members, 107 posts)

Posted 16 January 2015 - 12:41 PM

I have found that MBAM still misses Poweliks completely. I always need to use the Poweliks cleaner with Poweliks. Would the Poweliks cleaner work with this new variant, or do I need yet another tool?



#12 quietman7 (Bleepin' Janitor, Global Moderator, Virginia, USA, 51,729 posts)

Posted 16 January 2015 - 02:10 PM

...would the Poweliks cleaner work with this new variant, or do I need yet another tool?

Yes...I just used it today to help someone clean up their computer.