Since Windows 7 is the most popular operating system (OS) among PCs, many malware choose to target it. Malware often do so by using Windows’ very own artifacts. During 2015, Windows artifacts were increasingly abused for malicious operations. For attackers, this is an effective technique, since these artifacts are always present in a Windows environment. Processes that masquerade as valid Microsoft processes raise less suspicion and are likely to be overlooked by ordinary users.
We will review examples of processes used by malware, as well as the malware themselves. Some examples for Windows processes used by malware are svchost.exe, explorer.exe and Sdbinst.exe. These processes are widely abused, because they provide attackers with further capabilities, other than the basic advantages of using common Windows binaries. In some cases the attacker can even achieve privilege elevation by exploiting “normal” behavior of these processes.
System Processes Used by Malware
Windows processes are crucial for its operation. Without them the OS will not be able to supply the user with full functionality. Some processes require special rights or resources, which are unavailable for a regular user. This is exactly what malware writers are looking for. The following are processes commonly used by malware:
- svchost.exe – A system process that hosts multiple Windows services in the Windows NT family of operating systems. Svchost is essential in implementing shared service processes, where a number of services can share a process to reduce resource consumption.
- explorer.exe – Previously known as Windows Explorer, this is a file manager application, included in releases of the Microsoft Windows OS from Windows 95 onwards. It provides a graphical user interface for accessing the file systems. It is also the component of the OS, which presents many user interface items on the monitor such as the taskbar and desktop.
- Sdbinst.exe – This process is part of the Microsoft Desktop Optimization Pack (MDOP), which contains Application Virtualization (App-V). MDOP enables the user to make applications available for customers without installing them directly on their computers. App-V transforms applications into centrally managed services that are never installed and do not conflict with other applications. Sdbinst.exe allows the creator of the application to push updates via .sdb files. The process manages this behavior by serving as middle-ware between the application and the OS. For this purpose, sdbinst.exe runs code received from the creator with admin privileges.
How Ransomware and Malware Use Windows Processes
In some cases, it is not hard to understand why malware used Windows artifacts, but others can be tricky. Below are some examples of forensic analysis of real malware captured in the wild. We will demonstrate how they actually abused valid Microsoft binaries.
Cryptowall is a Ransomware Trojan, which targets Windows computers. It propagates via infected email attachments, as well as by existing botnets. The malware encrypts certain types of files, which are stored on local and mounted network drives, using RSA public-key cryptography. The private key is stored only on the malware’s control servers. The malware then displays the ransom demand and threatens to delete the private key if the deadline for the payment passes. If the deadline is not met, the malware offers to decrypt the data for a significantly higher price.
Below we can see the attack flow generated by SandBlast Agent Forensics displaying the normal behavior of Cryptowall. The interesting part in this attack is that the svshost.exe, which was previously injected, is causing a lot of damage by encrypting all of the files.
Dridex is a strain of banking malware that leverages macros in Microsoft Office to infect systems. Once a computer is infected, Dridex attackers steal banking credentials and other personal information to gain access to the user’s financial records.
Dridex spreads through malicious spam e-mail with a Microsoft Word document attachment. Once the user opens the document, a macro surreptitiously triggers the malware’s download. Dridex first steals banking credentials and then attempts to generate fraudulent financial transactions.
Below we can see the attack flow generated by SandBlast Agent Forensics displaying the normal behavior of Dridex. We can see that it is using a known UAC bypass with the help of sdbinst.exe. Doing so, many of the malware’s child process run with administrator privileges.
After gaining elevated privileges it launches the payload of the attack, which initiates the malicious activity.
Tinba stands for Tiny Banker; the malware has a relatively small executable – approximately 20KB. Tinba uses a Man-in-the-Brower (MITB) attack and manages to evade most antivirus technology.
The malware injects itself into explorer.exe and svchost.exe, which are valid system processes. After the injection, Tinba looks for the execution of processes related to the most widely used browser, such as Internet Explorer or Firefox. Tinba’s infrastructure is typical for a classic HTTP botnet. The purpose of this attack is to steal credentials and send them to the C&C servers. The communication with the server is encrypted with RC4 algorithm to evade detection.
Below we can see the injected explorer.exe executing some suspicious operations, such as reading registry keys related to encryption, changing to internet proxy settings in the registry and installing itself as a service so it would be launched on the next boot. The attack flow generated by SandBlast Forensics demonstrates Tinba’s normal behavior.
There are many of ways to exploit valid Windows binaries’ normal behavior for malicious purposes. Usually, this is done by injections. The attacker first runs an executable that will exploit the artifact and consequently cause real damage. Since it masquerades as legitimate native operation, the activity is harder to detect. Doing so, attackers can enjoy all the benefits given to them by the artifact. It is important to note that ordinary AVs are unable to detect such malicious activity, since they overlook Windows Binaries, leaving users defenseless.