Miscreant hiding techniques: Would the real explorer.exe please stand up? And the relevance of 1979 when doing searches . . .
At long last - a blog post about Incident Response in the self-proclaimed 'Incident Response' blog!
Before I finally crash for the night there are two things I wanted to bring to the attention of folks interested in Windows IR that my team has come across in recent weeks.
Below I'm going to discuss two hiding / obfuscation techniques that are surprisingly easy to implement and alarmingly effective at meeting their objective of hiding from administrators in plain site.
First - let's talk about wierd file names. We got a security related escalation last week where a customer had a file like this on their drive:
dir C:\winnt\system32\??plorer.exe /A:h
Volume in drive C is XXXXX
Volume Serial Number is 9013-XXXX
Directory of c:\winnt\system32
12/22/2004 02:21p 389,120
??plorer.exe
Notice the strange question marks showing up in the CMD shell when doing the DIR command? In Explorer a file with this name could not be found. We investigated further and used a tool called 'renamer' to get some more information on this file - here's the output:
Found file: p l o r e r . e x e
0435 0445 0070 006c 006f 0072 0065 0072 002e 0065 0078 0065
Initial rename attempt failed.
Access is denied. Result = 0
Notice the unicode character codes highlighted in orange above?
So 0435 is this character: https://www.fileformat.info/info/unicode/char/0435/index.htm
And 0445 is this one: https://www.fileformat.info/info/unicode/char/0445/index.htm
So these are Cyrillic characters and 0435 is a Cyrillic (?) that looks like a Latin 'e' and 0445 is a Cyrillic (?) that looks like a Latin 'x' . . . interesting no?
Why is this so clever? Several reasons:
- Despite appearances this file is not the traditional 'explorer.exe' the 'e' and the 'x' are technically different characters even though visually they look the same when rendered inside of the shell (Explorer). Since they are different characters this is a completely different file name on the file system and this malicious 'explorer.exe' can co-exist in the same directory as the real 'explorer.exe' (even though in this case the miscreants put it in system32 they could have easily placed it in winnt and it would have coexisted side by side with the real explorer.exe without triggering SFP).
- This process will show up as 'explorer.exe' in Task Manager just like the real explorer . . .
The only clue in this case that something was strange was the fact that in a command shell - the unicode characters were represented with question marks.
A quick look through the Cyrillic letters in the Charmap.exe utility shows that other letters just ripe for the 'spoofing' are: ????????????????
A behavior I observed here is that in Explorer when you have the directory open and the files are sorted alphabetically by name (the default) - this malicious 'explorer' always shows up last after files starting with 'z'. This makes sense given that these characters are wwwwaaayyy down the character map from the good old Latin letters we use.
Similairly in a CMD shell when doing a DIR this file shows up last as well in the default DIR mode (which is sorting alphabetically as well) AND the unicode characters are represented with ??'s.
I'm not sure whether we'll see this method rise in popularity any time soon - a quick search on "??plorer.exe" on Google yields a number of hits from a couple of months ago so apparently this is not a new trend per se and its hard to guage whether we'll see more of this going forward given how easy it is to create files with unicode characters in their names. I'm actually always amazed at how few cases we get involving another easy file hiding technique - alternate data streams - but I'm not complaining . . .
Moving right along, we also recently stumbled across something else interesting that we see from time to time but recently we discovered why we see this. From time to time we've seen cases where files have a creation date of: 12/31/1979. Why is this interesting? It's not interesting that this is a clearly spoofed creation date - it should be a surprise to no incident response specialists that miscreants can alter the MAC times of files on the file system after they've been created with freely available tools built for this task.
The interesting thing here is that this date is 1 day before the oldest date you can do a search on in the Windows search GUI. Try hitting 'F3' right now or going to Start-->Search - you can't specify a date earlier than 1/1/1980 when performing searches . . . again, you'd have to do your search from a command shell to find files created on this date.
Both of these tricks / techniques exploit limitations of the Windows GUI - both of these techniques can be detected by using the built-in command shell - good 'ole CMD.EXE.
And now you know - and knowing is half the battle. :)
I'd like to give thanks to Matthew and Kenny from the PSS Security team for sharing this information . . . we hope you find it useful. Happy hunting!
Comments
- Anonymous
January 19, 2005
We have about 5 systems with the explorer.exe (along with some other files) that have the pre-1980 date. It appears that it may be causing our backup problems, but I'm even more concerned about the systems having been comprimised. Any suggestions on how to proceed in fixing this or tracking down the cause? All the systems in question are W2K3 server. - Anonymous
January 26, 2005
This is the adware PurityScan/NRnd, controlled by clickspring.net. You should also find a BHO in a randomly-named DLL in System32.
It doesn't always go for explorer.exe/??plorer.exe, though that name does seem to be quite common. Others I've seen are logonui.exe/l?gonui.exe and svchost.exe/??chost.exe. I suspect it picks a .exe name with one of the spoofable characters out of System32 at random. - Anonymous
February 07, 2005
Do you have link for this "renamer" tool ? I've seen plenty of spyware using this technique for awhile now. I guess the kiddies have picked up on it. Thanks. - Anonymous
February 07, 2005
It's not a public tool that is available for download - but I believe if you open up a support case for a problem that requires its use you can get a copy from the support professional. If you referrence these articles you will probably get it. I'll see if there is a reason we can't get this posted on download.microsoft.com and see if we can make that happen.
315226 How to Remove Files with Reserved Names in Windows XP
http://support.microsoft.com/?id=315226
315688 How to Locate and Correct Disk Space Problems on NTFS Volumes in Windows
http://support.microsoft.com/?id=315688
303079 How to Locate and Correct Disk Space Problems on NTFS Volumes
http://support.microsoft.com/?id=303079 - Anonymous
February 07, 2005
That's what I figured. I'll keep a eye out to see if it's ever posted. Thanks for the links. I didn't know you could remove the ??filename files the same way as dos devices. That's good, makes remove easy.