Category Archives: Windows desktop malware

Locky, Cerber ransomware still expecting, targeting UAC

Today was a heavy spam day, with the bad guys installing Locky and Cerber crypto-ransomware (among other things) where they could. Ransomware like Locky and Cerber are novelties again after dropping off the mainstream news radar long enough, but they never left the stage. Today’s Locky and Cerber samples show they are still defeating the “Admin Culture” of Windows, even while they are targeting the minority of users that don’t run as full admins.

Locky and Cerber are still targeting User Account Control (UAC), but their success lies with users that are still running Windows XP or have turned off … Read more

Microsoft patches AppCompat UAC bypass vulnerability

As an addendum to two previous posts, Microsoft recently issued an optional patch for Windows 7 Service Pack 1, Windows 8, and related Windows Server versions to address the User Account Control (UAC) bypass vulnerability that downloader and installer malware have been using for the past several months. Microsoft KB article 3045645, “Update to force a UAC prompt when a customized .sdb file is created in Windows,” was released last week as a part of a set of optional Windows updates and can be installed via Windows Update in the Control Panel or by manual download and … Read more

More Upatre privilege escalation

It looks like the Upatre downloader malware has added a new tool that takes advantage of PCs that are missing Windows Update patches from last fall (well, last Northern Hemisphere fall).  In the past few weeks, newer versions of the Upatre malware can silently elevate their payload (the closely-coupled Dyre/Dyreza banking malware) to run as full admin.  These newer versions are using a vulnerability that Microsoft patched in October; however if a PC is not patched, even non-admin users tricked into running Upatre can have the malware elevated to SYSTEM.

Upatre continues to incorporate the AppCompat UAC bypass technique … Read more

Malware using AppCompat for automatic UAC elevation, continued

As noted last time, a blog from last month already documented how the dropper for the Dridex banking trojan uses the UAC auto-elevation feature introduced with Windows 7 along with an Application Compatibility (AppCompat) “shim” to invisibly elevate to full admin on the local machine:
http://www.confer.net/kill-chain-the-confer-blog/80-firewall-rule-changes-and-compatibility-trickery

Dridex is currently being delivered via a separate “wave” of workday/weekday spam emails that attach Office files with VB macros. (Those macros then go off and download the Dridex dropper/installer.) The Dynamoo blog analyzes a lot of these; for example, here’s one from today:
http://blog.dynamoo.com/2015/02/malware-spam-minuteman-press-west-loop.html

The Dridex dropper uses the same auto-elevate bypass … Read more

Upatre downloader malware using AppCompat for automatic UAC elevation

Upatre is a trojan downloader that accompanies work-day/weekday spam email (often via the Cutwail spam botnet).  Sometimes it is delivered by persuading us to click on a link to malicious website; sometimes it is attached to the email, with the message persuading us to open the attached document.  Once started, Upatre’s primary downloads (if not its primary download) are banking trojans — originally Gameover Zeus, now Dyreza.  Over its life Upatre has evolved in several areas, including how it installs the downloaded payload; its usage of a recent technique to automatically gain full admin rights for itself and its delivered … Read more