Malware uses Windows Product IDs

Monday, March 16, 2015 @ 05:03 PM gHale

Malware developers leverage Windows unique product numbers to generate mutex values to evade researchers, a researcher said.

Mutex values are an accurate reference to determine if multiple identical processes are running. Malware including the BackOff credit card stealer used mutex for the last few years, providing researchers with a means of determining system infection.

Microsoft Repatches Stuxnet-Related Flaw
Difficult to Detect Exploit Kit
FREAK Affects All Windows Versions
IE Hole Allows Attackers to Phish

Now a new Trojan called “TreasureHunter” uses dynamic rather than static mutex values to prevent researchers to view the numbers as indicators of compromise, said SANS security researcher Lenny Zeltser.

Zeltser said the use of Windows product IDs to generate the values is unique.

“Malware authors who wish to employ mutex objects need a predictable way of naming those objects, so that multiple instances of malicious code running on the infected host can refer to the same mutex,” Zeltser said in a blog.

“A typical way to accomplish this has been to hardcode the name of the mutex. Zeltser decided to use a more sophisticated approach of deriving the name of the mutex based on the system’s Product ID.

“This helped the specimen evade detection in situations where incident responders or anti-malware tools attempted to use a static object name as the indicator of compromise,” he said.

Zeltser said TreasureHunter uses code to read registry locations including HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\DigitalProductId to find the Windows ID.

It reworked the ID into a format it uses to generate a mutex name using a deterministic algorithm which Zeltser said he had “neither the patience, nor reason to reverse-engineer.”

The researcher said most malware does not use static hardcoded mutex values which limited its use as a marker for infection.

“Attempting to immunize systems [using mutex] is overly simplistic for most situations. Many malware samples don’t use infection markers at all or generate their values dynamically, instead of hardcoding them into the malicious program,” he said.

Mutex could however be useful as an additional tier in malware detection, notably in assigning generated markers to programs before execution. Those markers could end up checked against a database in the event that antivirus could not determine if a program is malicious.

Leave a Reply

You must be logged in to post a comment.