March 19, 2012
Realization of manipulate ‘execution chain’ concept.

When I was investigate a compromised server that was installed windows 2003 server, I could see some weird registry key at log2timeline result.

There were so many added keys on ‘Image File Execution Options’.

most of all, these keys’ value were set ‘debugger=c:\windows\system32\svchost.exe’.

I didn’t know this value’s purpose at that time. but I could got effectiveness of this key on this page. by googled this key.

I had test it, cause of I wanna see that key works.

after I added registry key for run ‘calc.exe’ instead of ‘notepad.exe’, confirm the key’s value were working.

It is so simply attack vector on manipulate execution chain, and that was came out at MAR.21.2005!.

Someone did implement this old-fashion idea, make real attack.

As registered key value, It’s purpose was block up running vaccine s/w and other competition malware. and also replace some of OS initial program(something like netstat.exe) with rootkit. You can find example that red strings on first image.

Blocked vaccine s/w execution image’s name were include korean major vaccine s/w, I’m sure that malware was designed targeted korea servers.(but I cannot verify it)

Unless many same keys had added, I was almost passed this artifact.

vaccine company and forensicators, We need to careful this!

Blog comments powered by Disqus