
Source AlienVault Blog
Identifier 1371006
Publication date 2019-09-30 13:00:00 (viewed: 2019-09-30 16:01:35)
Title GootKit malware bypasses Windows Defender | AT&T ThreatTraq
Text

Every week the AT&T Chief Security Office produces a series called ThreatTraq with helpful information and news commentary for InfoSec practitioners and researchers. I really enjoy them; you can subscribe to the YouTube channel to stay updated. This is a transcript of a recent feature on ThreatTraq. The video features Andy Benavides, Professional - Technology Security, AT&T, Stan Nurilov, Lead Member of Technical Staff, AT&T and Mike Klepper, Principal Architect, AT&T Cybersecurity Services. Mike has written blogs here in the past.

Andy: You can't defend what you can't scan. GootKit malware bypasses user access control (UAC).

Mike: So, Andy, I guess we're going to continue with the malware theme today with your story, right?

Andy: Yes, we're going to be talking about GootKit a little bit. G-O-O-T, Kit - it's kind of hard to say. But for those who don't know, GootKit is a banking Trojan whose goal is to steal your banking credentials, and it does that by recording your screen or by redirecting you to fake banking login pages. That's how it works. A security researcher by the name of Vitali Kremez found that GootKit actually attacks Windows Defender by adding itself, by adding the directory that the malware lives in. It avoids detection by adding it to the scan exclusion list. So, it basically tells Windows Defender, "Don't scan this directory that my malware's in." And the key to doing that is through the use of the good old fodhelper.exe. For those who don't know, fodhelper.exe is a Windows 10 management tool. It was found to allow UAC bypass in 2017 by a researcher by the name of Christian B. That's all that's known about him. Essentially, what happens is when an application wants to perform a task, because that requires administrative purposes, it brings up a prompt on your screen and it asks you for that permission. It says, "Hey, I want to do something as Admin." And you say yes or you say no. Bypassing that means that you can run things in the background as Admin without the user knowing. So that's kind of a big problem. What Christian B. found was that fodhelper.exe actually runs with the auto-elevate attribute set to true, which means it can run itself with a higher privilege on its own when it deems it's necessary. Which means it can do things without bringing up that control prompt, letting the user know that something is happening in the background. What Christian B. was able to figure out was that fodhelper.exe works by first checking for a few registry keys that strangely enough don't exist by default in Windows 10.

Stan: That's actually kind of normal.

Andy: Is it really?

Stan: Yes. That's how they do a lot of GPO policies later. They like to produce certain registry keys. And if you have them, then whatever, you can apply that setting.

Andy: Okay. So it checks for some registry keys that don't exist by default in Windows 10. When it finds those, then it does other things. What Christian B. was able to figure out is if you create the keys that it's looking for, one of the keys actually lets you dictate it and enter in furth
Tags Malware Guideline
The article does not appear to have been picked up after its publication.


The article does not appear to have been picked up from an earlier one.