Hidden

The desktop.ini file is a standard text file that can be placed in any Windows folder to customise certain aspects of the folder's behaviour, such as which icon the folder should use or which folder name to display. The desktop.ini file is normally hidden, so to see existing ones you need to make it visible: open the folder, click Tools, then Folder Options, and select the View tab. Select the “Show hidden files and folders” radio button and also untick “Hide protected operating system files (Recommended)”. Below I have touched upon three customised folders and the ini files they contain.

For the Favourites folder, the folder itself has to have the read-only attribute, the system attribute or both for Explorer to display it as “Favourites” instead of the actual folder name. The desktop.ini file can have any attributes set; below is an example of the ini file.

[.ShellClassInfo]
IconFile=%SystemRoot%\system32\SHELL32.dll
IconIndex=-173
LocalizedResourceName=@shell32.dll,-12693

The LocalizedResourceName parameter can be used to change the folder name to something else when viewed in Windows Explorer.

Certain system folders use class IDs to define the folder properties. Here again the folder's attributes determine whether the properties are applied, and the desktop.ini file can have any attributes set.

To create a recycle bin folder, changing the folder attributes to system or read-only makes it change to the bin icon. The ini file should contain the class ID below.

[.ShellClassInfo]
CLSID={645ff040-5081-101b-9f08-00aa002f954e}

For Scheduled Tasks, again changing the folder attributes to system or read-only makes it change to the tasks icon.

[.ShellClassInfo]
CLSID={d6277990-4c6a-11cf-8d87-00aa0060f5bf}

So what does this mean from a malware point of view? Using these kinds of system folder properties, malware files can easily be hidden from view. For example, a job in the Windows Tasks folder (C:\WINDOWS\Tasks) with the hidden attribute set on the job file will be invisible even with Explorer set to show all files and folders. The same goes for the recycle bin: malware writers create a bogus recycle bin folder containing malware files which remain invisible when browsed through Explorer, and only genuine deleted files are shown to the user.
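As an added example (my own code, not from the original post), here is a Python scanner that finds folders carrying a desktop.ini with one of the two shell-folder CLSIDs quoted above and lists their real contents regardless of the hidden attribute. The folder name RECYCLER and the file sample.exe in the fixture are constructed, and the attribute check only has meaning on Windows.

```python
import os
import tempfile
import configparser
from pathlib import Path

# Shell-folder CLSIDs quoted in the post, upper-cased for comparison.
SHELL_FOLDER_CLSIDS = {
    "{645FF040-5081-101B-9F08-00AA002F954E}": "Recycle Bin",
    "{D6277990-4C6A-11CF-8D87-00AA0060F5BF}": "Scheduled Tasks",
}
FILE_ATTRIBUTE_READONLY, FILE_ATTRIBUTE_SYSTEM = 0x1, 0x4
def desktop_ini_clsid(data):
    """Return the CLSID under [.ShellClassInfo], or None. desktop.ini is often UTF-16."""
    text = data.decode("utf-16") if data[:2] in (b"\xff\xfe", b"\xfe\xff") else data.decode("latin-1")
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    try:
        cp.read_string(text)
    except configparser.Error:
        return None  # not a parseable ini, so no CLSID to honour
    clsid = cp.get(".ShellClassInfo", "CLSID", fallback=None)
    return clsid.strip().upper() if clsid else None

def scan(root):
    """Report folders whose desktop.ini turns them into a system shell folder; os.listdir
    ignores the hidden attribute, so files Explorer would not show still appear."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        ini = next((Path(dirpath, f) for f in files if f.lower() == "desktop.ini"), None)
        if ini is None:
            continue
        clsid = desktop_ini_clsid(ini.read_bytes())
        if clsid not in SHELL_FOLDER_CLSIDS:
            continue
        # st_file_attributes exists only on Windows; elsewhere treat it as 0.
        attrs = getattr(os.stat(dirpath), "st_file_attributes", 0)
        findings.append({
            "path": dirpath,
            "masquerades_as": SHELL_FOLDER_CLSIDS[clsid],
            "explorer_honours_it": bool(attrs & (FILE_ATTRIBUTE_READONLY | FILE_ATTRIBUTE_SYSTEM)),
            "entries": sorted(f for f in files if f.lower() != "desktop.ini"),
        })
    return findings

def demo_fixture():
    """Constructed sample: a bogus 'recycle bin' folder holding an executable."""
    bogus = Path(tempfile.mkdtemp(), "RECYCLER")
    bogus.mkdir()
    (bogus / "desktop.ini").write_text("[.ShellClassInfo]\nCLSID={645ff040-5081-101b-9f08-00aa002f954e}\n")
    (bogus / "sample.exe").write_bytes(b"MZ constructed sample, not a real binary")
    return str(bogus.parent)
```

Run scan() over a drive root to list every folder that Explorer would render as a recycle bin or tasks folder, together with everything actually stored inside it.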

A Browser Helper Object, or BHO, is a DLL module designed as an add-on for Microsoft's Internet Explorer web browser to provide added functionality. When a BHO is installed on your system the add-on loads automatically every time Internet Explorer is started. Hackers have been abusing this functionality by installing malicious BHOs that steal users' online banking passwords and carry out all sorts of other malicious activities.

While analysing a particular malware, “convite.exe”, which is detected by McAfee as “PWS-Banker!dtl”, I noticed something quite interesting and therefore decided to post my findings. Among the various files dropped by the malware, one file of particular interest, called “flashcpx.dll”, gets installed as a BHO.

When a BHO gets registered on the system it adds various keys to the registry. When Internet Explorer starts up it reads the registry location below, which tells it which BHOs to load. Let's look at an example of Adobe's BHO installed on my machine, “AcroIEHelperShim.dll”.

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{18DF081C-E8AD-4283-A596-FA578C2EBDC3}

This key location lists the 16-byte CLSID strings of the BHOs. Using this string, Internet Explorer then looks up another location in the registry, which tells it which DLL module to load.

[HKLM\SOFTWARE\Classes\CLSID\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}\InprocServer32]
C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll

Now when the malicious “flashcpx.dll” BHO gets installed it does something clever to hide its presence yet still manages to load. As you can see below, the CLSID string is longer than usual. The added characters cause most tools not to list the BHO even though Internet Explorer loads it.

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{399BFACE-3ADA-4DAE-80D8-E221812243A9}80D8-E221812243A9}

When Internet Explorer loads the BHO, the browser only reads the 16-byte CLSID format {399BFACE-3ADA-4DAE-80D8-E221812243A9} and then loads the BHO via the normal process, so any added characters are ignored by Internet Explorer.

[HKLM\SOFTWARE\Classes\CLSID\{399BFACE-3ADA-4DAE-80D8-E221812243A9}\InprocServer32]
C:\WINDOWS\system32\flashcpx.dll

For example, if we want to see which BHOs are installed we can use Internet Explorer's Manage Add-ons or Sysinternals Autoruns.exe. Neither shows the malicious BHO, as these tools read the entire string instead of the 16-byte CLSID format that Internet Explorer uses.

Since the string is longer than expected, when these tools go to find the CLSID key under [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID] the key is not found and therefore the DLL module does not get listed. Quite odd that Manage Add-ons is part of Internet Explorer but does not list the BHO, yet Internet Explorer is happy to load it :).
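An added check (my own code, not from the post or from the tools it names) that applies the observation above to the BHO key: any subkey name that starts with a valid CLSID but carries extra characters is reported together with the 38-character prefix Internet Explorer would actually resolve. The sample subkey names are the two from the post; the live reader uses winreg and only runs on Windows.

```python
import re
import sys

# A canonical registry CLSID is 38 characters including the braces.
CLSID_RE = re.compile(r"^\{[0-9A-F]{8}-[0-9A-F]{4}-[0-9A-F]{4}-[0-9A-F]{4}-[0-9A-F]{12}\}", re.I)
BHO_KEY = r"SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects"

def audit_bho_names(subkeys):
    """Classify each subkey name under the BHO key as (name, clsid, verdict).
    A name that begins with a valid CLSID but continues past the closing brace is
    the trick from the post: Internet Explorer resolves the 38-character prefix
    under HKLM\\SOFTWARE\\Classes\\CLSID, while add-on listers try the whole name."""
    results = []
    for name in subkeys:
        m = CLSID_RE.match(name)
        if not m:
            results.append((name, None, "not a CLSID"))
        elif m.end() == len(name):
            results.append((name, name.upper(), "ok"))
        else:
            results.append((name, m.group(0).upper(), "trailing characters"))
    return results

def live_bho_subkeys():
    """Windows only: read the real subkey names from both registry views."""
    import winreg
    names = []
    for view in (winreg.KEY_WOW64_64KEY, winreg.KEY_WOW64_32KEY):
        try:
            with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, BHO_KEY, 0, winreg.KEY_READ | view) as k:
                names += [winreg.EnumKey(k, i) for i in range(winreg.QueryInfoKey(k)[0])]
        except OSError:
            pass  # key absent in this view
    return sorted(set(names))

# Constructed sample: the Adobe key and the malformed flashcpx.dll key from the post.
SAMPLE_SUBKEYS = [
    "{18DF081C-E8AD-4283-A596-FA578C2EBDC3}",
    "{399BFACE-3ADA-4DAE-80D8-E221812243A9}80D8-E221812243A9}",
]

if __name__ == "__main__":
    names = live_bho_subkeys() if sys.platform == "win32" else SAMPLE_SUBKEYS
    for name, clsid, verdict in audit_bho_names(names):
        print(f"{verdict:20} {clsid or '-':40} {name}")
```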

Reference:

http://www.threatexpert.com/report.aspx?md5=3765371819c1195f3cdbb255f4442e1e

Making hidden files visible is sometimes not as straightforward as expected and can be a bit confusing. Malicious files quite often have their file attributes modified to make them harder to detect. You might encounter files with the system, read-only and hidden attributes set. When the system and hidden attributes have both been set, these need to be cleared in the same command, otherwise resetting the other attributes will fail. The Windows attrib command can be used to reset the attributes as shown below. Using attrib with all the switches at once is the best way to reset a file and avoid any errors.

C:\>attrib virus.exe
SHR C:\virus.exe

C:\>attrib -h -r virus.exe
Not resetting system file - C:\virus.exe

C:\>attrib -s -r virus.exe
Not resetting hidden file - C:\virus.exe

C:\>attrib -h -s -r virus.exe

C:\>attrib virus.exe
C:\virus.exe

Windows by default hides known file type extensions. To view all extensions we need to make a couple of changes to our system. In Windows 2000/XP, open Windows Explorer and select Tools, then Folder Options. Next click the View tab, select “Show hidden files and folders” and also untick “Hide file extensions for known file types”. Once applied, the known extensions will now be visible. Some extensions will still not be visible, so changes will need to be made in the registry. The PIF file is one such extension. A PIF file is basically designed to hold information that helps an MS-DOS application know how to run in a Windows environment. Virus writers sometimes rename an executable file with a PIF extension; for example, virus.exe could be renamed to virus.txt.pif. Since it ends in a PIF extension, the extension will not be visible to the user and only virus.txt will be displayed, fooling the user into thinking it is a text file.

In order to display the PIF extension we need to go into the registry, drill down to HKEY_LOCAL_MACHINE\SOFTWARE\Classes\piffile and delete the “NeverShowExt” value. Once deleted, the system will need to be rebooted for the change to take effect.

The text below can also be saved as a .reg file and imported by double-clicking on it, without carrying out the manual steps above.

REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\piffile]
"NeverShowExt"=-
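Added example, not part of the post: rather than checking piffile alone, this goes further and enumerates every ProgID under HKLM\SOFTWARE\Classes carrying NeverShowExt, maps it back to the extensions Explorer will never display, and shows what virus.txt.pif looks like to the user. SAMPLE_CLASSES is a constructed stand-in for the registry used off Windows.

```python
import sys

def never_show_extensions(classes):
    """classes maps each key under HKLM\\SOFTWARE\\Classes to its values. An extension
    key (".pif") names its ProgID in the default value ""; a ProgID key carrying
    NeverShowExt makes Explorer hide every extension mapped to it."""
    hidden_progids = {k for k, v in classes.items() if "NeverShowExt" in v}
    return sorted(ext.lower() for ext, v in classes.items()
                  if ext.startswith(".") and v.get("") in hidden_progids)

def explorer_display_name(filename, hidden_exts):
    """Name Explorer shows: a NeverShowExt extension is dropped even with
    'Hide file extensions for known file types' switched off."""
    stem, dot, ext = filename.rpartition(".")
    return stem if dot and f".{ext.lower()}" in hidden_exts else filename

def read_classes_from_registry():
    """Windows only: build the same mapping from the live registry."""
    import winreg
    classes = {}
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, r"SOFTWARE\Classes") as root:
        for i in range(winreg.QueryInfoKey(root)[0]):
            name = winreg.EnumKey(root, i)
            try:
                with winreg.OpenKey(root, name) as k:
                    classes[name] = {v[0]: v[1] for v in
                                     (winreg.EnumValue(k, j) for j in range(winreg.QueryInfoKey(k)[1]))}
            except OSError:
                continue  # some keys are not readable by a normal user
    return classes

# Constructed sample mirroring the registry layout the post describes.
SAMPLE_CLASSES = {
    ".pif": {"": "piffile"},
    ".lnk": {"": "lnkfile"},
    ".txt": {"": "txtfile"},
    "piffile": {"": "Shortcut to MS-DOS Program", "NeverShowExt": ""},
    "lnkfile": {"": "Shortcut", "NeverShowExt": ""},
    "txtfile": {"": "Text Document"},
}

if __name__ == "__main__":
    classes = read_classes_from_registry() if sys.platform == "win32" else SAMPLE_CLASSES
    hidden = never_show_extensions(classes)
    print("extensions Explorer never shows:", hidden)
    print("virus.txt.pif is displayed as:", explorer_display_name("virus.txt.pif", hidden))
```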

Reference:

http://www.pctools.com/guides/registry/detail/627/