Microsoft SolarWinds analysis: Attackers hid inside Windows systems by wearing the skins of legit processes

The SolarWinds hackers triggered one of their Cobalt Strike implants in the firm's network through a cunning VBScript that was activated by a routine system process, Microsoft has said. Microsoft's deep dive, published yesterday following SolarWinds' own take on the malware, repeated earlier findings that the hackers went to …

  1. TonyJ

    What?

    "...Those techniques included editing the Windows registries of target machines to disable autostarting of security processes – and then waiting until the target machine was rebooted before moving in for the kill..."

    Why the fuck is that possible, Microsoft? Other AV vendors etc don't allow the stopping of services or changing their registry startup state even by DA or EA so...

    1. Pascal Monett Silver badge

      Re: What?

      Indeed.

      Since the last Windows Update of my machine, I can no longer disable Windows Update.

      I'd really like to know what to jiggle in that abomination of an excuse that is the Registry to be able to lock that shit down and have my PC behave as I wish.

      1. Doctor Syntax Silver badge

        Re: What?

        If you want your machine to do as you wish why run anything more recent than, say W2K?

      2. Joe Drunk

        Re: What?

        Having your PC behave as you wish is something Mickeysoft is going through great lengths to ensure is no longer possible with each iteration of its OS.

        You can disable updates but they will be re-enabled against your will. This is due to the Windows Update Medic Service that monitors the status of Windows Update and will enable it if disabled. The Update Medic Service can't be disabled by ordinary means.

        I had to use a third party tool (Windows Update Blocker) to disable Medic Service and now I am in control of updates, not Mickeysoft. No more "My PC was working fine until an update and now XXX doesn't work anymore" as one of the most common gripes on any Windows 10 support forum.

    2. MattPi

      Re: What?

      My guess is because Microsoft has to allow for security processes to be stopped by something on the system, otherwise you couldn't replace Windows Defender pieces with 3rd party tools.

      1. TonyJ

        Re: What?

        Not sure about that - if you install say McAfee (don't... but I've worked at places that still use that abomination) it's then locked down to the extent that removing it/stopping processes requires a specific account.

        Mangling the registry can require elevated rights and I'd have assumed (perhaps incorrectly) that this should be the case and you shouldn't be able to take ownership of the keys without again providing elevated credentials.

        Which suggests to me (again I could be wrong) that the core compromised processes that spawned the attack were being run with elevated rights.
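The question TonyJ and MattPi are circling is whether a service's start type and the registry key that stores it can be changed without elevated rights. The check below is an added example written for this thread, not code from The Register, Microsoft or any commenter. It reads the Start value of a watchlist of security-relevant services and lists any identity other than SYSTEM, TrustedInstaller and Administrators that can write the key. The service list and the expected Start values are an assumed baseline; adjust them to your own gold image.

```powershell
# Added defender-side check (not code from the article or Microsoft).
# Assumptions: runs as a local administrator on a modern Windows client or
# server; the watchlist and expected Start values are an assumed baseline.
# Registry Start values: 0 boot, 1 system, 2 automatic, 3 manual, 4 disabled.

$ExpectedStart = @{
    'WinDefend'    = 2   # Microsoft Defender Antivirus Service
    'WdNisSvc'     = 3   # Defender Network Inspection Service
    'Sense'        = 2   # Defender for Endpoint sensor (assumed onboarded)
    'wscsvc'       = 2   # Windows Security Center
    'EventLog'     = 2   # Windows Event Log
    'WaaSMedicSvc' = 3   # Windows Update Medic Service (mentioned above by Joe Drunk)
}

function Test-SecurityServiceStartup {
    param([hashtable]$Baseline = $ExpectedStart)

    foreach ($name in $Baseline.Keys) {
        $keyPath = "HKLM:\SYSTEM\CurrentControlSet\Services\$name"
        if (-not (Test-Path $keyPath)) {
            [pscustomobject]@{ Service = $name; Finding = 'KeyMissing'; Start = $null;
                               Expected = $Baseline[$name]; Writers = '' }
            continue
        }
        $props = Get-ItemProperty -Path $keyPath
        $acl   = Get-Acl -Path $keyPath

        # Identities that may write the key but are not the three that own it by design.
        # Administrators are excluded on purpose: they can change anything, which is
        # exactly why the check looks for drift rather than trying to prevent it.
        $writers = $acl.Access |
            Where-Object {
                $_.AccessControlType -eq 'Allow' -and
                ($_.RegistryRights -band [System.Security.AccessControl.RegistryRights]::SetValue) -and
                $_.IdentityReference.Value -notmatch 'SYSTEM$|TrustedInstaller$|Administrators$'
            } | ForEach-Object { $_.IdentityReference.Value }

        $finding = if ($props.Start -ne $Baseline[$name]) { 'StartChanged' }
                   elseif ($writers)                       { 'LooseAcl' }
                   else                                    { 'OK' }

        [pscustomobject]@{
            Service  = $name
            Finding  = $finding
            Start    = $props.Start
            Expected = $Baseline[$name]
            Writers  = ($writers -join ',')
        }
    }
}

Test-SecurityServiceStartup | Format-Table -AutoSize
```

On a default installation the key is owned by SYSTEM and writable only by SYSTEM, TrustedInstaller and Administrators, so a change to Start is evidence that something already held admin rights, which is TonyJ's point. For continuous detection rather than a point-in-time check, the Service Control Manager records a start-type change as event ID 7040 in the System log, and an object-access SACL on the key produces event ID 4657 in the Security log.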

    3. This post has been deleted by its author

    4. Anonymous Coward

      Re: What?

      That only depends on the privileges you're using to achieve it.

  2. Pascal Monett Silver badge

    "and does so from memory"

    Fascinating. And how does the malware get stuff into memory ?

    Does it download it directly there ? If so, how does it download it past the security barriers ?

    1. Natalie Gritpants Jr

      Re: "and does so from memory"

      how does it download it past the security barriers ?

      https

  3. Claptrap314 Silver badge

    Will this be the final end

    of DLLs?

    I've not dug hard into the issue of DLLs, but are all the hassles even worth it any more? Especially if you're deploying to a (proper) single-app container, what's the win anymore?

    1. Dave 15

      Re: Will this be the final end

      Ask the folk at Linux who also have shared libraries. Hell, to be honest just start writing efficient code and then we can get away with a hello world program that fits in a few hundred bytes instead of a few megabytes. I was looking at some code today, C++, the guy who wrote it clearly had no idea that he could add extra functions, use defines instead of magic numbers, indeed the program contains a nice memory leak of an object to boot because he instantiated one then reassigned that to another instantiation instead of using a pointer. The pointer would also have meant he didn't need the flag variable. A little refactor and in fact neither was needed and all the duplicate code between the 10 cases that were identical bar one word and then the (yet another flag) controlled aftermath from the 10 cases that happened 40 more lines down the file (yes more than 40 more lines of processing in a switch) ... oh well.

      At this point I hold my hand up to having written a 120+ line switch statement in the past but I defend that I did get round to cleaning it up before dumping it on a customer.

      1. Claptrap314 Silver badge

        Re: Will this be the final end

        So far as I know, Linux also has DLLs. And the associated problems.

  4. Duncan Macdonald

    Probably was a state sponsored attack

    The time frame and the extreme hiding measures make it unlikely that it was an ordinary criminal gang - waiting many months from initial penetration of SolarWinds until the first attack activated is not the sort of patience expected from a criminal organization - but is perfectly plausible for a state spying organization. Changing the names of all the attacker files etc on each individual machine to avoid detection also indicates a well trained group.

    1. Version 1.0 Silver badge

      Re: Probably was a state sponsored attack

      Hackers are much better coders than the average app writer.

    2. arthoss

      Re: Probably was a state sponsored attack

      they probably used a code generator/compiler to generate unique packaging for each criminal DLL. I'm not even mad! Beautiful work, I must say.

  5. Dave 15

    No shit sherlock

    I mean, the easiest way surely and at some point it must be said that if you don't know what's supposed to be running, you don't have a chance of checking what runs and you can't check the checksum of the object running is what you expect it is then you don't have a secure system.

    If you go look at the tasks running in a windows machine today it numbers hundreds... what the hell most of them doing I doubt even Microsoft engineers have a clue. Why they are all consuming my CPU when I don't actually want to do more than browse some porn heaven only knows... but it probably goes a long way to explain the 10 minutes staring at a revolving set of dots because I was stupid enough to lock the machine when I left it, or the 20 minutes it takes to shut down (what the hell is it doing... sending all my passwords to the NSA, Russia and GCHQ just in case?)
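Dave 15's complaint is that with hundreds of processes nobody can keep a mental list of what should be running, and Brian Miller's later point is that attackers name their files to blend in. The check below is an added example written for this thread, not code from The Register, Microsoft or any commenter, and it takes the only approach that scales: instead of trusting names, it walks every module loaded into every process and reports those whose Authenticode (or catalog) signature does not verify, flagging the ones that live in system directories. It assumes it runs with administrator rights so that system processes' module lists are readable.

```powershell
# Added defender-side check (not code from the article or Microsoft).
# Assumption: run from an elevated PowerShell session; some protected
# processes still refuse module enumeration and are skipped silently.

function Get-UnverifiedRunningCode {
    [CmdletBinding()]
    param(
        # Directories an attacker "blending in" would mimic. An unsigned module
        # here deserves a closer look than one under a user profile.
        [string[]]$SystemRoots = @("$env:SystemRoot\System32", "$env:SystemRoot\SysWOW64")
    )

    $seen = @{}   # file path -> signature status, so each file is verified once

    foreach ($proc in Get-Process) {
        $modules = @()
        try { $modules = @($proc.Modules) } catch { continue }   # access denied / bitness mismatch

        foreach ($mod in $modules) {
            $path = $mod.FileName
            if (-not $path -or $seen.ContainsKey($path)) { continue }

            # Get-AuthenticodeSignature also resolves catalog-signed Windows binaries.
            $sig = Get-AuthenticodeSignature -FilePath $path
            $seen[$path] = $sig.Status
            if ($sig.Status -eq 'Valid') { continue }

            [pscustomobject]@{
                Process     = $proc.ProcessName
                Pid         = $proc.Id
                Module      = $path
                SigStatus   = $sig.Status
                Signer      = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
                InSystemDir = [bool]($SystemRoots | Where-Object { $path.StartsWith($_, 'OrdinalIgnoreCase') })
                Sha256      = (Get-FileHash -Path $path -Algorithm SHA256).Hash
            }
        }
    }
}

# System-directory hits first: a plausibly named but unsigned DLL under System32 is
# the "blend in" pattern the article describes.
Get-UnverifiedRunningCode | Sort-Object InSystemDir -Descending | Format-Table -AutoSize
```

The SHA256 column is there so a hit can be compared against a known-good inventory or submitted to a reputation service; the script itself makes no judgement beyond "this code is not signed by anyone we can verify". Purely in-memory loaders, which the article says these attackers also used, never touch disk and so do not appear here; that gap is why the signature check complements rather than replaces endpoint telemetry.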

    1. StrangerHereMyself Silver badge

      Re: No shit sherlock

      This is one of the reasons I switched most of my workloads to Linux Mint.

      I still use Windows for work stuff (I need to make a living too) but whenever I can I switch to Linux.

  6. Brian Miller

    "cunning VBScript"

    If Visual BASIC is your threat, then dump BASIC! As for hiding something within another process, that's sort of old hat. Also, for naming their files to "blend in" with Windows, what did they expect? A file name of "EvilL33tCodzHere.dll"? That's another trick that's very old hat.

    Really, the only part here that required effort was the attackers writing their own in-memory loader. The rest of it was just going through the motions.

  7. Anonymous Coward

    Dump Microsoft

    There are better alternatives.

    DOD just gave their secure cloud contract to Azure.

    Ooh, no worries. They're running the secure version of Windows. Yeah, the one written by Jarlsberg.

  8. Danny 2

    Ted talk perp walk

    Dear SolarWinds hackers,

    We were very impressed by your brilliant techniques and professional ethic. Would you please give a TED talk on it next month in Langley, Virginia? Feel free to wear a mask for anonymity, accommodation and food will be provided.

  9. EyeOpener

    This is why Microsoft windows updates need to be only set to manually approved by users. Automatic updates allows for millions of systems to be hacked once you know the MS backdoor they use to send and auto-install Windows updates. How do you think the NSA does it? Send updates via MS backdoors to a specific range of IP addresses (entire country) via MS-Windows updates.

    MS has ADMIN access to every PC that has MS-Windows on it.
