Improving Stealth With Autoruns

by BrothaReWT

This article builds on what Forgotten247 wrote in 21:4.  It is intended to provoke thought and awareness, not to cause damage or malicious activity.  Anything you do with this information is your own responsibility.

I work day to day as a computer repair tech.

In my normal day I work on five to eight Windows XP/2000 machines.  One tool that I use every single day is "Autoruns" which is available at www.sysinternals.com.

This tool shows every program, service, driver and DLL that is registered to start when the computer boots or a user logs on.  Compared to Autoruns, MSCONFIG.EXE is a child's toy.  Autoruns has been an invaluable tool in the day-to-day battle with spyware and viruses.

One of the great features of Autoruns is that it will show you all the shell extension DLLs that get loaded into EXPLORER.EXE.

This list runs from about 25 to 60 DLLs, depending on the machine.  One thing you can count on is that Microsoft ships a number of its own in that list, and the average user will never notice if one of them is modified.

A slick way to hide a tool and keep it running at every boot is to rename one of these DLLs and drop in a replacement that loads your program (or carries the payload itself) and then hands off to the original so Explorer keeps working.  One caveat: on 2000 and XP, Windows File Protection watches the system DLLs and will quietly restore a protected one from %WINDIR%\System32\dllcache, so check whether the file you pick is on the protected list before relying on it.

Some of the DLLs in this list are even loaded in Safe Mode, which is more than the ordinary Run keys can say.

  An example is %WINDIR%\System32\CABVIEW.DLL, the shell extension Explorer uses to browse .cab files.

This DLL will most likely not be missed or even noticed by the user.  One thing to keep in mind is that Autoruns shows a Publisher column for each entry (for example, Microsoft, or Grisoft for AVG Anti-Virus and Qualcomm for Eudora).  That column is read from the CompanyName string in the file's version resource, which is just text the builder supplies; only when Verify Code Signatures is turned on (present in newer versions) does Autoruns check whether a signature actually backs the claim.

So when you are coding the DLL for this, be sure to put an official-looking name in the CompanyName field of the version resource.  This idea came to me when I was removing a VX2 variant that used random DLL names and ran a file called GUARD.TMP from the EXPLORER.EXE DLL add-ons.

The mistake made by the creator of that VX2 variant was not using an official-looking publisher name, so it stood out like a sore thumb in the Autoruns list.
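The defender's side of the publisher trick, as an added example that is not from the article: walk the DLLs currently mapped into EXPLORER.EXE, read the same CompanyName string Autoruns shows as Publisher, and compare it with the file's Authenticode signature.  A module whose version resource says Microsoft but whose signature is missing, invalid or issued to someone else is exactly the spoofed-publisher case described above.  It assumes PowerShell 3 or later, that it runs in the logged-on user's session so EXPLORER.EXE is visible, and that the "O=Microsoft Corporation" subject match is good enough for the reader's purpose.

```powershell
# Added example, not code from the article. Flags DLLs in explorer.exe whose
# version-resource CompanyName claims Microsoft without a Microsoft signature.
# Assumptions: PowerShell 3+, run as the interactive user. On Windows 7 and
# earlier, catalog-signed system files report NotSigned here, so on those
# systems a NotSigned hit means "compare against a known-good copy", not
# "tampered" by itself.

$explorer = Get-Process -Name explorer -ErrorAction Stop | Select-Object -First 1

$report = foreach ($m in $explorer.Modules) {
    $path = $m.FileName
    if (-not $path) { continue }

    # This is the string Autoruns prints in its Publisher column: plain text
    # from the VERSIONINFO resource, supplied by whoever built the file.
    $company = [System.Diagnostics.FileVersionInfo]::GetVersionInfo($path).CompanyName

    # This is what actually proves origin: a signature chaining to a
    # certificate issued to Microsoft.
    $sig    = Get-AuthenticodeSignature -FilePath $path
    $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }

    $claimsMs = $company -match 'Microsoft'
    $isMs     = ($sig.Status -eq 'Valid') -and ($signer -match 'O=Microsoft Corporation')

    [pscustomobject]@{
        Module     = $m.ModuleName
        Path       = $path
        Publisher  = $company
        SigStatus  = $sig.Status
        Signer     = $signer
        Suspicious = ($claimsMs -and -not $isMs)
    }
}

# Suspicious entries first; the rest are printed for context.
$report | Sort-Object -Property Suspicious -Descending |
    Format-Table Module, Publisher, SigStatus, Suspicious -AutoSize
```

Run it before and after a suspected infection and diff the output; a DLL that was signed yesterday and is NotSigned today, with the Publisher column unchanged, is the replaced-DLL case from the article.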

So now you have a very effective way of hiding your program from the user and keeping it running at all times.

But let's say you want to have a backup in case your hijacked DLL gets replaced by the latest Windows update.

Another great feature of Autoruns is that it shows the empty autostart locations as well as the ones that contain something, as long as Hide Empty Locations is unchecked under Options.

Examples include the Load value under HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows and the values under HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run.

These locations are not shown in MSCONFIG.EXE and will get past the average user with no problem.

They will also evade the less experienced techs who are trying to remove the bugs in a machine.

Now let's say you use both methods.  With the DLL and these little-known Windows Registry entries combined, chances are your program will never be detected or fully removed.

Of course, as Forgotten247 mentioned, there are programs that will monitor for Windows Registry changes so keep that in mind.

Another method of running a DLL at startup is to register it as a Winlogon notification package: a subkey under HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify whose DLLName value names your DLL, which WINLOGON.EXE loads when it starts, before any user logs on.  This location is checked by many spyware removal tools, though, such as Option Explicit's great VX2Finder (VX2Finder.exe).

It is an effective way to run a DLL at every startup.
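The registry locations named in the two passages above, dumped the way Autoruns presents them when Hide Empty Locations is unchecked.  This is an added example, not code from the article; it assumes PowerShell 2 or later and that the three keys named in the article are the ones worth checking (the Run value beside Load, and the HKCU copy of the Policies key, are included as well because they are read the same way).  None of these show up in MSCONFIG.EXE.

```powershell
# Added example, not code from the article. Lists the lesser-known autostart
# locations the article names, printing "(empty)" for locations with nothing
# in them, the way Autoruns does when "Hide Empty Locations" is unchecked.
# Assumes PowerShell 2+; reading HKLM needs no elevation.

# Value-based locations: each value's data is a command line Explorer runs.
$valueLocations = @(
    @{ Key = 'HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Windows';             Names = @('Load', 'Run') },
    @{ Key = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run';  Names = $null },
    @{ Key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run';  Names = $null }
)

foreach ($loc in $valueLocations) {
    Write-Host "`n[$($loc.Key)]"
    if (-not (Test-Path $loc.Key)) { Write-Host '  (key absent)'; continue }

    $props = Get-ItemProperty -Path $loc.Key
    # Either the fixed value names we care about, or every value in the key
    # (dropping the PS* provider properties Get-ItemProperty tacks on).
    $names = if ($loc.Names) { $loc.Names } else {
        $props.PSObject.Properties |
            Where-Object { $_.Name -notmatch '^PS' } |
            Select-Object -ExpandProperty Name
    }

    $found = $false
    foreach ($n in $names) {
        $data = $props.$n
        if ($data) {
            $found = $true
            Write-Host ('  {0,-12} = {1}' -f $n, $data)
        }
    }
    if (-not $found) { Write-Host '  (empty)' }
}

# Winlogon notification packages: one subkey per package, DLL named in DLLName.
# Support for these was removed in Vista, so the key is mostly an XP/2000 concern.
$notify = 'HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify'
Write-Host "`n[$notify]"
if (Test-Path $notify) {
    foreach ($sub in Get-ChildItem -Path $notify) {
        $dll = (Get-ItemProperty -Path $sub.PSPath).DLLName

        # A bare file name resolves from System32. Flag a missing file or one
        # living outside the Windows directory, which a legitimate package
        # has no reason to do.
        $full = $dll
        if ($dll -and -not [IO.Path]::IsPathRooted($dll)) {
            $full = Join-Path $env:WINDIR "System32\$dll"
        }

        $note = ''
        if (-not $full) { $note = 'no DLLName' }
        elseif (-not (Test-Path $full)) { $note = 'FILE MISSING' }
        elseif ($full -notlike "$env:WINDIR\*") { $note = 'outside %WINDIR%' }

        Write-Host ('  {0,-12} -> {1} {2}' -f $sub.PSChildName, $full, $note)
    }
} else {
    Write-Host '  (key absent)'
}
```

On a clean XP box the first three locations print "(empty)" and the Notify key holds only the Microsoft packages (crypt32chain, cryptnet, cscdll, ScCertProp, Schedule, sclgntfy, SensLogn, termsrv, wlballoon); anything beyond that list is worth a second look.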

Chances are that if you use any or all of the methods described here, your payload will be running every time the user starts the machine.  Also, from experience, most repair shops (in my town anyway) will not try to fix the problem outright when someone brings a machine in to be fixed.

Most of the time they will simply format and start over, so chances are the user will never know you had control of the machine.

Shoutz to [Isepic], Cratchet, J Ruz, Hippy Baley, Petey Pablo, and Zulupapa.