back to article Microsoft SolarWinds analysis: Attackers hid inside Windows systems by wearing the skins of legit processes

The SolarWinds hackers triggered one of their Cobalt Strike implants in the firm's network through a cunning VBScript that was activated by a routine system process, Microsoft has said. Microsoft's deep dive, published yesterday following SolarWinds' own take on the malware, repeated earlier findings that the hackers went to …

  1. TonyJ Silver badge


    "...Those techniques included editing the Windows registries of target machines to disable autostarting of security processes – and then waiting until the target machine was rebooted before moving in for the kill..."

    Why the fuck is that possible, Microsoft? Other AV vendors etc don't allow the stopping of services or changing their registry startup state even by DA or EA so...

    1. Pascal Monett Silver badge

      Re: What?


      Since the last Windows Update of my machine, I can no longer disable Windows Update.

      I'd really like to know what to jiggle in that abomination of an excuse that is the Registry to be able to lock that shit down and have my PC behave as I wish.

      1. Doctor Syntax Silver badge

        Re: What?

        If you want your machine to do as you wish why run anything more recent than, say W2K?

      2. Joe Drunk

        Re: What?

        Having your PC behave as you wish is something Mickeysoft is going through great lengths to ensure is no longer possible with each iteration of its OS.

        You can disable updates but they will be re-enabled against your will. This is due to the Windows Update Medic Service that monitors the status of Windows Update and will enable it if disabled. The Update Medic Service can't be disabled by ordinary means.

        I had to use a third party tool (Windows Update Blocker) to disable Medic Service and now I am in control of updates, not Mickeysoft. No more "My PC was working fine until an update and now XXX doesn't work anymore" as one of the most common gripes on any Windows 10 support forum.

    2. MattPi

      Re: What?

      My guess is because Microsoft has to allow for security processes to be stopped by something on the system, otherwise you couldn't replace Windows Defender pieces with 3rd party tools.

      1. TonyJ Silver badge

        Re: What?

        Not sure about that - if you install say McAfee (don't... but I've worked at places that still use that abomination) it's then locked down to the extent that removing it/stopping processes requires a specific account.

        Mangling the registry can require elevated rights and I'd have assumed (perhaps incorrectly) that this should be the case and you shouldn't be able to take ownership of the keys without again providing elevated credentials.

        Which suggests to me (again I could be wrong) that the core compromised processes that spawned the attack were being run with elevated rights.

    3. This post has been deleted by its author

    4. LDS Silver badge

      Re: What?

      That only depends on the privileges you're using to achieve it.

  2. Pascal Monett Silver badge

    "and does so from memory"

    Fascinating. And how does the malware get stuff into memory ?

    Does it download it directly there ? If so, how does it download it past the security barriers ?

    1. Natalie Gritpants Jr Silver badge

      Re: "and does so from memory"

      how does it download it past the security barriers ?


  3. Claptrap314 Silver badge

    Will this be the final end

    of DLLs?

    I've not dug hard into the issue of DLLs, but are all the hassles even worth it any more? Especially if you're deploying to a (proper) single-app container, what's the win anymore?

    1. Dave 15 Silver badge

      Re: Will this be the final end

      Ask the folk at Linux who also have shared libraries. Hell, to be honest just start writing efficient code and then we can get away with a hello world program that fits in a few hundred bytes instead of a few megabytes. I was looking at some code today, C++, the guy who wrote it clearly had no idea that he could add extra functions, use defines instead of magic numbers, indeed the program contains a nice memory leak of an object as to boot because he instantiated one then reassigned that to another instantiation instead of using a pointer. The pointer would also have meant he didnt need the flag variable. A little refactor and in fact neither was needed and all the duplicate code between the 10 cases that were identical bar one word and the then the (yet another flag) controlled aftermath from the 10 cases that happened 40 more lines down the file (yes more than 40 more lines of processing in a switch) ... oh well.

      At this point I hold my hand up to having written a 120+line switch statement in the past but I defend that I did get round to cleaning it up before dumping it on a customer

      1. Claptrap314 Silver badge

        Re: Will this be the final end

        So far as I know, Linux also has DLLs. And the associate problems.

  4. Duncan Macdonald Silver badge

    Probably was a state sponsered attack

    The time frame and the extreme hiding measures make it unlikely that it was an ordinary criminal gang - waiting many months from initial penetration of SolarWinds until the first attack activated is not the sort of patience expected from a criminal organization - but is perfectly plausible for a state spying organization. Changing the names of all the attacker files etc on each individual machine to avoid detection is also indicates a well trained group.

    1. Version 1.0 Silver badge

      Re: Probably was a state sponsered attack

      Hackers are much better coders than the average app writer.

    2. arthoss

      Re: Probably was a state sponsered attack

      they probably used a code generator/compiler to generate unique packaging for each criminal DLL. I'm not even mad! Beautiful work, I must say.

  5. Dave 15 Silver badge

    No shit sherlock

    I mean, the easiest way surely and at some point it must be said that if you dont know whats supposed to be running, you dont have a chance of checking what runs and you cant check the checksum of the object running is what you expect it is then you dont have a secure system.

    If you go look at the tasks running in a windows machine today it numbers hundreds... what the hell most of them doing I doubt even Microsoft engineers have a clue. Why they are all consuming my CPU when I dont actually want to do more than browse some porn heaven only knows... but it probably goes a long way to explain the 10 minutes staring at a revoloving set of dots because I was stupid enough to lock the machine when I left it, or the 20 minutes it takes to shut down (what the hell is it doing... sending all my passwords to the NSA, Russia and GCHQ just in case?

    1. StrangerHereMyself Bronze badge

      Re: No shit sherlock

      This is one of the reasons I switched most of my workloads to Linux Mint.

      I still use Windows for work stuff (I need to make a living too) but whenever I can I switch to Linux.

  6. Brian Miller

    "cunning VBScript"

    If Visual BASIC is your threat, then dump BASIC! As for hiding something within another process, that's sort of old hat. Also, for naming their files to "blend in" with Windows, what did they expect? A file name of "EvilL33tCodzHere.dll"? That's another trick that's very old hat.

    Really, the only part here that required effort was the attackers writing their own in-memory loader. The rest of it was just going through the motions.

  7. ST Silver badge

    Dump Microsoft

    There are better alternatives.

    DOD just gave their secure cloud contract to Azure.

    Ooh, no worries. They're running the secure version of Windows. Yeah, the one written by Jarlsberg.

  8. Danny 2 Silver badge

    Ted talk perp walk

    Dear SolarWinds hackers,

    We were very impressed by your brilliant techniques and professional ethic. Would you please give a TED talk on it next month in Langley, Virginia? Feel free to wear a mask for anonymity, accommodation and food will be provided.

  9. EyeOpener

    This is why Microsoft windows updates need to be only set to manually approved by users. Automatic updates allows for millions of system to be hacked once you know the MS backdoor they use to send and auto-installed Windows updates. How do you think the NSA does it? Send updates via MS backdoors to a specific range of IP addresses (entire country) via MS-Windows updates.

    MS has ADMIN access to every PC that has MS-Windows on it.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2021