Hijacking AutoRun Programs for Improved Stealth
by Forgotten247
One of the biggest problems with stealth programs such as keyloggers, data collection agents, or any other type of application that you may want running undetected on a system is that they are easily visible to people who know what to look for.
Checking the running processes list is a common way to see what may be watching you. There are also plenty of utilities that will monitor changes to the system start-up and alert you if any new programs are installed, and in the Windows world a quick check of a few registry keys will show everything that launches on start-up.
Based on this there are a few things that are critical to keeping a program hidden, two of which I will cover here.
They will prevent detection even by the cautiously paranoid. In the interests of space and familiarity, everything in this article will be written to apply to the Windows operating systems, although the techniques would work just as well on other platforms.
The first item we need to address is that the program should not easily stand out in the list of running processes. Names like KEYSTROKESPY.EXE should be out of the question. It should also not be running under an account that looks suspicious, such as GUEST. The second thing to be careful of is that the installation of the program should not alter the system settings which could trigger an alert or detection through the Add/Remove Programs or System Restore.
This installation should also be persistent so the program will launch each time the system is started.
Faced with these challenges and an understanding of the Windows OS, a program could be installed to run at system start-up and hidden as a valid application without making registry or system changes that would be detectable. To do this we will hide this stealth program under the name of an application that is already installed and configured to launch at start-up.
Doing this will accomplish all of the items of concern above. It will not stand out in the process list because it will be running with a name of a process that was already installed. It will also be running under the SYSTEM account which will not seem uncommon, and no changes to the registry, Add/Remove Programs, or System Restore will be visible.
In order to do this, two changes to your application need to be made, a hijacking function needs to be added to disguise the program and make sure it will reload after each reboot, and an initialization function needs to be added to launch the program which was hijacked to mask the installation.
For example, if we hide our keylogger using an already existing AutoRun installation of a mouse utility which has an icon on the taskbar it would raise suspicion if the mouse utilities icon stopped loading. By loading the mouse utilities after our keylogger is loaded there is no visible difference to the system's users.
Below is high-level pseudocode which can be implemented in any language for these two functions:
As you can see the initialization function from lines 16 to 35 check to see if the program is already in a hijacked state by comparing all the keys in the Windows AutoRun location in the registry to where the program itself was launched from.
The call on line 21 would determine if the launch of the utility was due to it already being installed in which case it doesn't try to install itself again, but if it is not running from that location it will start the hijacking.
Then on line 30 we see it calling the process SVCHOST.EXE in the current directory. This is the program that was supposed to be launched which our program is hidden as.
The name SVCHOST.EXE was chosen because this is a common Windows process which typically has multiple instances in the process list and one more won't stand out.
This name can be changed to anything as long as it is the same on line 6 and 30.
The call on line 33 to mainProgram should point to the body of your program.
The hijacking function, lines 1 through 14, is where the program assumes the identity of one of the programs that Windows automatically launches when it loads.
The if clause on line 5 is not mandatory, but it will bypass attempting to hide as any programs launched from standard OS install directories. This check is a safety measure because these processes are most likely going to be locked and renaming the file would not be successful and may be harmful to the system in the long run.
The list of directories should be expanded to any other OS install locations or system paths you would not want to attempt the install in.
The rename check on line 7 is critical to success because if the file is locked and the rename is unsuccessful the copy attempt on line 8 will not work and the utility will not successfully be installed.
Beyond this implementation there is a lot of potential for expansion.
For instance, the hijacking function should be expanded to detect if the Data segment of the registry key has any arguments, and if so you need to decide if you want to ignore hijacking that command and move to the next one.
It could also be changed so that the initialization function will pass those arguments to the call in line 30.
This can also be expanded so that if it is unsuccessful in hijacking anything from the system AutoRun keys it would check the AutoRun keys for the current user by applying the same logic to HKEY_CURRENT_USER rather than HKEY_LOCAL_MACHINE.
This type of hijacking is typically very successful and it is easy to implement in most languages.
It would take less than ten minutes to code in C++, Visual Basic, or Perl based on the above logic, and the enhancements are also quick to plug in to the framework.
Those ten minutes may make or break the success of your stealthy application.
Good luck, and happy hijacking.