We love learning new things and the latest revelation around how Lenovo was using a little known Microsoft feature, the Windows Platform Binary Table (WPBT), to silently inject software into Windows installations is a case in point.
Where Lenovo failed is not in its use of this technique, but in using it to install persistent (and unwanted) backdoors to enable further system changes. (The fact the backdoors had security holes is almost beside the point.)
When we learned of this technique, we wanted to see if we were affected. Using Carbon Black we went back in time to take the “what I know now” and change the “if only I knew then.”
The WPBT, it turns out, is a convenient dropper whose payload persists in the BIOS and whose agent is Windows itself. We didn’t find any affected Lenovo systems, but found other vendors using the WPBT to inject Absolute Software’s theft recovery in new Windows images, which (unlike Lenovo) is in accordance with Microsoft’s recommended use of the feature.
So, let’s take a quick look at that instead since it shares a similar activity profile.
A good place to start is a file modification or process search for c:\windows\system32\wpbbin.exe, the executable that is created from the BIOS-based image. If the creator or parent is smss.exe, as seen below, then the WPBT is being used in your environment.
The next step is to look at what that binary does. In our example below, you can see it extracts 32- and 64-bit versions of rpcnetp.exe and adds registry keys to define it as a service.
What isn’t seen here (but is something we should add) is that wpbbin starts the newly created service.
Armed with this information, we also can be on the lookout for future instances by creating a watchlist that fires an alert whenever we see either the file modification or execution for wpbbin, such as cb.q.process_name=smss.exe&cb.q.childproc_name=wpbbin.exe.
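As an added example (not code from the post or from Carbon Black), here is a small Python matcher that emulates that watchlist over constructed endpoint events: it turns the `cb.q.<field>=<value>&...` string into AND-ed, case-insensitive basename comparisons against event dicts carrying process_name, childproc_name or filemod fields. The event layout and the filemod field name are assumptions, and the parser is a simplified stand-in rather than Carbon Black's query engine.

```python
"""Emulate the WPBT watchlist from the post over constructed endpoint events."""
from urllib.parse import parse_qsl
import ntpath

# Queries in the form the post uses; the filemod field name is an assumption.
EXEC_QUERY = "cb.q.process_name=smss.exe&cb.q.childproc_name=wpbbin.exe"
FILEMOD_QUERY = "cb.q.process_name=smss.exe&cb.q.filemod=wpbbin.exe"

# Constructed sample telemetry (not real): smss.exe drops and launches wpbbin.exe,
# which then launches rpcnetp.exe; the last event has the same child but the wrong parent.
SAMPLE_EVENTS = [
    {"type": "proc", "process_name": r"c:\windows\system32\smss.exe",
     "childproc_name": r"c:\windows\system32\csrss.exe"},
    {"type": "proc", "process_name": r"c:\windows\system32\smss.exe",
     "childproc_name": r"c:\windows\system32\wpbbin.exe"},
    {"type": "proc", "process_name": r"c:\windows\system32\wpbbin.exe",
     "childproc_name": r"c:\windows\system32\rpcnetp.exe"},
    {"type": "filemod", "process_name": r"c:\windows\system32\smss.exe",
     "filemod": r"c:\windows\system32\wpbbin.exe"},
    {"type": "proc", "process_name": r"c:\windows\explorer.exe",
     "childproc_name": r"c:\windows\system32\wpbbin.exe"},
]


def parse_watchlist(query):
    """Turn 'cb.q.process_name=smss.exe&cb.q.childproc_name=wpbbin.exe' into {field: value}."""
    terms = {}
    for key, value in parse_qsl(query):
        if key.startswith("cb.q."):
            terms[key[len("cb.q."):]] = value.lower()
    return terms


def matches(event, terms):
    """Every query term must match the event field, compared by basename, case-insensitively."""
    for field, wanted in terms.items():
        actual = event.get(field)
        if actual is None or ntpath.basename(actual).lower() != wanted:
            return False
    return True


def wpbt_hits(events, query):
    """Return the events that would fire the given watchlist query."""
    terms = parse_watchlist(query)
    return [event for event in events if matches(event, terms)]


if __name__ == "__main__":
    for query in (EXEC_QUERY, FILEMOD_QUERY):
        for hit in wpbt_hits(SAMPLE_EVENTS, query):
            print(query, "->", hit)
```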
The net result is a bit of retrospective intelligence and future revelation. Not a bad lesson.