SysJoker will create persistence by adding an entry to the registry run key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
I regularly run tools like Autoruns to disable unwanted new entries in places like this. These days it's more of a problem for me with regular software than it is malware.
Unfortunately locking down the registry key can break legitimate installers.
Does anyone know of a decent utility that monitors for changes in the background and notifies you via an unintrusive little icon in the system tray (no balloons) which you can click when convenient to review the offenders?
Have also contemplated a process "whitelist" that allows you to whitelist regular programs (maybe it has a mode you can run for a time where it learns automatically) and lets you easily view stuff running that you don't recognize.
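A minimal version of the change monitor asked for above, as an added example rather than anything from the thread or the SysJoker report: it snapshots the Run/RunOnce keys (the HKCU key named in the article plus the HKLM equivalents), stores a baseline, and on later runs prints new, changed and removed entries. The baseline path and the hypothetical scheduled-task usage are assumptions; an entry whose value name happens to start with "PS" is skipped by the metadata filter.

```powershell
param(
    [string]$BaselinePath = "$env:LOCALAPPDATA\runkey-baseline.json"  # assumed location
)

# Keys to watch. HKLM keys are machine-wide; each user's HKCU key is only
# visible from that account's own hive, so run this per account that matters.
$RunKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)

function Get-RunEntries {
    $entries = @{}
    foreach ($key in $RunKeys) {
        if (-not (Test-Path $key)) { continue }
        foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
            # Get-ItemProperty adds PSPath/PSChildName/... metadata; drop those
            if ($p.Name -like 'PS*') { continue }
            $entries["$key\$($p.Name)"] = [string]$p.Value
        }
    }
    return $entries
}

$current = Get-RunEntries
if (-not (Test-Path $BaselinePath)) {
    # First run: record what is there now as the known-good set
    $current | ConvertTo-Json | Set-Content -Path $BaselinePath
    Write-Output "Baseline written to $BaselinePath ($($current.Count) entries)."
    exit 0
}

# Load the stored baseline back into a hashtable keyed by "<key>\<value name>"
$baseline = @{}
(Get-Content -Raw $BaselinePath | ConvertFrom-Json).PSObject.Properties |
    ForEach-Object { $baseline[$_.Name] = [string]$_.Value }

foreach ($name in $current.Keys) {
    if (-not $baseline.ContainsKey($name)) {
        Write-Output "NEW      $name => $($current[$name])"
    } elseif ($baseline[$name] -ne $current[$name]) {
        Write-Output "CHANGED  $name => $($current[$name]) (was $($baseline[$name]))"
    }
}
foreach ($name in $baseline.Keys) {
    if (-not $current.ContainsKey($name)) { Write-Output "REMOVED  $name" }
}
```

Delete the baseline file after reviewing and accepting a change so the next run re-records the current state; a scheduled task running it at logon gives the periodic check without any tray UI.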
I know your question is for Windows, but in case someone was wondering about MacOS:
Aside from being able to manage some persistent login items under Settings > Users > Login Items, there is a free tool available from Patrick Wardle that helps manage the hidden launch items (like updaters) on MacOS called Knock Knock.
Have you checked how many users are running on Windows though?
It's all very well checking _your own_ HKCU keys, but what if the persistent entry was set up in another Windows user account? That point isn't made obvious in that website link!
On Win10 how many people can easily see the Administrator (500), DefaultAccount (503), Guest (501) & WDAGUtilityAccount (504) and have checked their metrics?
Who checks their services are all genuine?
There are loads of places to run apps at system startup besides the registry.
This link shows you where you can autorun apps, but it was written in 2016 and I think there are now a few more places where you can autorun at startup.
https://www.ghacks.net/2016/06/04/windows-automatic-startup-...
You could also piggyback off another common utility if you know how to delta patch an app, or even use a driver if you can get in that deep without arousing any suspicion!
The next problem is trying to avoid getting picked up by the AV/malware running, unless your group policy doesn't allow anything to run other than what is allowed in the group policy.
Haven't tried this on Home in Win10 but it might/should work
https://www.howtogeek.com/howto/8739/restrict-users-to-run-o...
Basically in Pro and above you can use group policy to restrict Windows so it only runs allowed programs, then you are in the same situation as Linux users.
Does Linux? OSX? There's a hundred and one different ways to get Windows to run something at boot, even as an unprivileged user. So it's not as simple as just monitoring HKCU\..\Run. With Linux at least it's somewhat more limited: unprivileged users typically only have access to cron for running things at boot.
I think this is more like adding lines to /etc/profile.d or .bashrc than adding a service. Linux has a pretty complicated flow if you want to know what runs on login or on startup.
If the application chooses to do so. Installation used to require root and I don't see how root could be prevented from enabling a systemd service. Short of having a signed read-only rootfs, which no common distro has.
Nowadays you don't even need root to install something that runs at every login: there is the user instance of systemd. Of course without root those services are limited in what they can do.
Right, collectively we can't really trust those Fly-By-Night startups with root on our machines. Probably the folks in this case are currently benign, but I don't know them so how can I really know? And what about the future as startup finances and resources for the Community Edition dwindle?
In past weeks wasn't it revealed that even major AV vendors have begun auto-installing shady crypto miners on end-user machines?
Running all mounts as RO isn't feasible in every case. Maybe docker and VMs can help insulate and protect to a degree. Yet even still, once an attacker makes it into your private network it's pretty likely that the state converges to Game Over.
Right. We need to run anti-virus programs in jails with read-only file system access. That should be a standard OS feature. They should output a list of files to be examined or deleted or jailed, but not actually do anything about them. That should be the job of a separate, very dumb, open source program.
>Right. We need to run anti-virus programs in jails with read-only file system access
Modern antiviruses do more than just scanning files. They also have system hooks as well, for behavioral analysis and real time scanning. It's unclear how that would be implemented with the scheme you just described, without a massive API being added to the kernel.
I'd rather see 'phoenix' style systems catch on, even for desktops. Don't try to repair a system with 1,000,000 random files in it. Just have a plan to automatically rebuild it from a list of pinned packages and a folder of your personal data.
Scanning the system from within the system feels bound to fail, when a lot of my stuff has to run as root. Even if I'm not root, there is this: https://xkcd.com/1200/
But if you want jails and read-only FS, you can try to construct it from something like Docker. With LVM you can make point-in-time FS snapshots and scan those. Docker probably has known escapes, but if your scanner is FOSS you could layer it inside a wasm runtime too.
Defense-in-depth doctrine says that something is better than nothing, but I feel like expecting a broken system to report that it's broken and fix itself is a bit doomed. Having a physically separate audit server behind a data diode is also an approach I've considered. That way malware is less able to hide logs once it's in. The trouble is, all these ideas require lots of new code that nobody has a reason to trust or maintain or use.
It's not a big overhead item. You should be able to configure Linux for that, via SELinux. Read anything, communicate with nothing, write only to one file.
Examining incoming stuff also needs to be split between the examiner, with the power only to report, and the trusted input and output parts, which should be dumb.
The whole concept of anti-virus software being trusted is just wrong, both in theory and practice.
Modern malware is so often quite boring. Like this one, it doesn't actually perform any interesting attacks on its own, it just uses bog-standard autorun for persistence and generic names to obfuscate its presence. Nothing particularly sophisticated or technically impressive imho.
You want to look as "boring and regular app" as possible, to avoid detection based on heuristics. So that means using no "malware techniques" like DLL injection, process scanning, fancy persistence, ...
Hah yeah, I have had the same observation as well, but as other replies noted this makes sense.
I've also noticed I don't really find much malware in the wild, at least nothing targeting your typical PC user. Maybe I'll find some boring, barely obfuscated adware, but it seems to target larger, enterprise organizations, which I suppose also makes sense. There was a write up a few days ago about an exploit targeting MS Word that was at least mildly more interesting than most of the stuff I hear about now.
Yeah. If the article is right, SysJoker is "stage 1" to infiltrate networks. The C&C servers will only deploy a more interesting "stage 2" to the target they care about.
Maybe the attack is already completely done, and they're just leaving the C&C servers and the rest of the botnet up to avoid leaking "The C&C servers went offline at X time" as a piece of information.
What are the odds of some of these software peddlers being in the malware business directly or indirectly? The chances of them happening to want you to download an otherwise unknown piece of stuff and run it privileged seem to be more of a risk than that you have the malware on your system.
I agree it doesn't show anything about how it gets itself run/installed in Linux, but there are some details on what it does once it's running on Linux, checksums for elf binaries, etc. They do at least provide some evidence of Windows, Linux, and MacOS payloads.
Is there a CVE-like thing for malware? It seems as though CVEs/MITRE are just security hole reports, and the viruses that use these holes are left as an exercise of one's imagination.
> SysJoker masquerades as a system update and generates its C2 by decoding a string retrieved from a text file hosted on Google Drive. During our analysis the C2 changed three times, indicating the attacker is active and monitoring for infected machines.
There are infinite ways. One for example is to generate a DNS address from the UTC time and try to connect to that. It's easy to simply buy the correct DNS name and send an order out to the botnet. Or to hide the commands in a DNS request itself, or look up a gist, or a tweet etc.
not sure if this specific TTP is common, but generally there are a lot of ways that malware authors perform first c2 discovery and then actual c2. attackers can use DNS itself for both of these aspects of C2. Even very old reports of since-long-gone attackers like APT1 https://www.mandiant.com/media/9941/download indicate use of covert c2 over otherwise benign web applications like google calendar.