Archives

All posts for the month March, 2010

Microsoft Windows operating systems come installed with a Windows Installer engine which is used by MSI packages for installation. One of the powerful features is that MSI packages can be installed with elevated privileges for non-admin users. For a package to use elevated privileges the a registry name “AlwaysInstallElevated” must exist in both keys with a dword value of 1.

[HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Installer]
“AlwaysInstallElevated”=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Installer]
“AlwaysInstallElevated”=dword:00000001

These settings normally do not exist so must be present to begin with in order to be abused. AD administrators may have enabled these settings allowing users the ability to manually install packages requiring higher privileges while keeping the user rights as non-admin. MSI packages deployed via group policy do not depend on these local registry settings to be present as these packages get deployed with elevated privileges. If manual installation is not required by users then it is safe to change these registry values to 0.

If you do find your corporate pc with these values enabled and do not have local admin rights then it’s just a matter of building your own MSI package and telling it what to do. In the screenshot below I developed a proof of concept tool which shows checking the key values, installing the MSI package which installs a Windows service spawning a local system command shell and finally removing the package.

If you are thinking of building an MSI package or any MSI package for that matter I would recommend purchasing “Advanced Installer” by Caphyon. It is a well designed professional software and has all the features you need.

References:

http://www.advancedinstaller.com
http://msdn.microsoft.com/en-us/library/aa367561(VS.85).aspx

Another fake antivirus software calling itself “XP Guardian 2010” is doing its rounds displaying bogus pop-ups and fake scans enticing you to buy its product. What is interesting about this malware is that this one changes the machine exe associations in the Windows registry. When any executable with an exe extension is manually or automatically run this malware is loaded first which then calls the original executable.

When an executable is first run it checks various entries in the registry before loading the program. Once a machine has been infected by this malware the call is hijacked to first load the fake antivirus set in the registry

C:\Documents and Settings\{username}\Local Settings\Application Data\av.exe” /START “%1″ %*”

Here the malware av.exe is run followed by the actual executable. The malware has been developed to call the real program after its own program has loaded.

Another interesting entry in the registry made by the malware is when an executable is called Windows checks another location in the registry. This entry is not available in HKEY_CURRENT_USER but even if it was the value would have been exefile and not secfile. So what happens is Windows now checks the .exe key and sees secfile value, this points to the secfile key where is sees Application value which finally points to the exefile key in HKEY_LOCAL_MACHINE.

[HKEY_CURRENT_USER\Software\Classes\.exe]
@=”secfile”

points to . . .
           
[HKEY_CURRENT_USER\Software\Classes\secfile]
@=”Application”

which points to . . .

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile]
@=”Application”

So in the future if you think your exe association has been hijacked first area to check the .exe key in the registry and go from there. On a Windows XP machine by default HKEY_CURRENT_USER will not have an .exe key and only the values below in the HKEY_LOCAL_MACHINE .exe key.

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.exe]
@=”exefile”
“Content Type”=”application/x-msdownload”

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.exe\PersistentHandler]
@=”{098f2470-bae0-11cd-b579-08002b30bfeb}”

If you want to test exe hijacking you can save the following lines below in reg file and import it. From their on any executable run will load up Windows Calculator. Once testing is finished you can simply delete the .exe key in HKEY_CURRENT_USER. The same applies in the HKEY_LOCAL_MACHINE but here you cannot delete the .exe key. So if you want to test using HKEY_LOCAL_MACHINE I recommend you backup the .exe key first.

Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Classes\.exe]
@=”anything”
[HKEY_CURRENT_USER\Software\Classes\.exe\shell]
[HKEY_CURRENT_USER\Software\Classes\.exe\shell\open]
[HKEY_CURRENT_USER\Software\Classes\.exe\shell\open\command]
@=”\”C:\\windows\\system32\\calc.exe\””

Reference:

http://www.threatexpert.com/report.aspx?md5=6472e446c64a34edf7fe4ae8270e6faf