Poweliks 2015, it's baaaak

shamrin

Remember how much fun we had fixing all the instances of the Poweliks virus last autumn? Well, it looks like it's coming back in a new form.

We brought in a customer's computer today that had all the trappings of Poweliks, runaway processes (PresentationHost.exe, Explorer, Notepad, Conhost) that respawn when you kill them even in Safe Mode. All the antivirus scans were clean but it was still hanging around. Alas, the ESET Poweliks remover did not even work for us so we had to figure it out ourselves. Fortunately the hours and hours we spent last year trying to figure it out finally paid off.

The quick version of the fix is that we found the culprit here:

C:\ProgramData\{CA2FACF7-9029-4A21-892B-E7F60B39FF1A}\zipfldr.dll

If you get that folder deleted (and it doesn't mutate too much) you should be good. That should be enough to get you started; if you want to see a few more details they are here:
 
We've been seeing Poweliks infections pretty regularly in the shop.

Did you run that file through Virusscan? I'm curious if you found the infected file or you just broke the process. That file is a normal Windows file but of course not found in that directory. It's used to unzip files. Did it pass a signature test? I suspect the culprit is on the system compressed and that file was loaded to decompress it so it could keep spawning.
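An added example, not code from any post in this thread, of the signature and hash test asked about above, in PowerShell: it sweeps GUID-named folders under ProgramData (the pattern of the path quoted in the first post), checks each binary's Authenticode signature, compares it to any System32 file of the same name, and lists alternate data streams. The function name and the GUID-folder heuristic are assumptions of this example.

```powershell
# Added example (not from any post in this thread): triage binaries dropped
# under a GUID-named ProgramData folder, like C:\ProgramData\{GUID}\zipfldr.dll.
# Assumptions: PowerShell 4.0+ (Get-FileHash), elevated prompt, NTFS volume.
function Get-SuspectProgramDataBinary {
    [CmdletBinding()]
    param(
        # Folder to sweep; pass the ProgramData of a mounted image instead if needed.
        [string]$Root = $env:ProgramData
    )
    # Folder names of the form {8-4-4-4-12 hex}, the pattern quoted in the first post.
    $guidName = '^\{[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$'
    Get-ChildItem -Path $Root -Directory -ErrorAction SilentlyContinue |
        Where-Object { $_.Name -match $guidName } |
        ForEach-Object {
            Get-ChildItem -Path $_.FullName -Recurse -File -ErrorAction SilentlyContinue |
                Where-Object { $_.Extension -in '.dll', '.exe', '' }   # '' = no extension
        } |
        ForEach-Object {
            $file = $_
            # 1. Authenticode: a genuine Windows DLL carries a valid Microsoft signature.
            $sig = Get-AuthenticodeSignature -FilePath $file.FullName
            # 2. Hash against the System32 file of the same name, if one exists.
            $sysCopy = Join-Path (Join-Path $env:SystemRoot 'System32') $file.Name
            $sha256 = (Get-FileHash -Path $file.FullName -Algorithm SHA256).Hash
            $matchesSystem = $null
            if ($file.Extension -and (Test-Path -Path $sysCopy)) {
                $matchesSystem = $sha256 -eq (Get-FileHash -Path $sysCopy -Algorithm SHA256).Hash
            }
            # 3. Alternate data streams other than the default :$DATA (the ADS point raised later).
            $ads = @(Get-Item -Path $file.FullName -Stream * -ErrorAction SilentlyContinue |
                     Where-Object { $_.Stream -ne ':$DATA' } |
                     Select-Object -ExpandProperty Stream)
            [pscustomobject]@{
                Path            = $file.FullName
                SizeBytes       = $file.Length
                SignatureStatus = $sig.Status      # Valid, NotSigned, HashMismatch, ...
                Signer          = $sig.SignerCertificate.Subject   # $null when unsigned
                MatchesSystem32 = $matchesSystem   # $true only if byte-identical to System32 copy
                ExtraStreams    = ($ads -join ',')
                Sha256          = $sha256          # the value to look up or submit on VirusTotal
            }
        }
}
# Unsigned, non-Microsoft-signed, or hash-mismatched hits are the ones to submit
# before the folder is deleted, so a sample survives for the AV vendors.
Get-SuspectProgramDataBinary | Format-List
```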
 
If you still have the sample on hand, upload it to https://www.virustotal.com/, and link the results back. ORT detects some of the registry keys in the first generation of Poweliks, and I'm interested in adding support for the latest generations.
 
All very good points. I suspect inbargains is correct that we broke the process somehow. AFAIK, Poweliks is a "fileless" virus, that essentially resides in the registry so I doubt that zipfldr.dll would come up as a bad file. Unfortunately we won't know that for sure because I didn't get a sample. This was a production machine that the customer needed back to close his books for the day so we were under some serious time pressure...wait...we took an image backup of that machine, I still have it here. Will try to do some good deeds and send it off today.
 
There is no such thing as a fileless virus. The registry isn't magic; items stored there can command Windows to perform actions, load drivers or run files, but nothing can be run from the registry. Some external file must be called up. And something external had to exist to plant items into the registry.
 
There is no such thing as a fileless virus. The registry isn't magic; items stored there can command Windows to perform actions, load drivers or run files, but nothing can be run from the registry. Some external file must be called up. And something external had to exist to plant items into the registry.

Well, let's be technical -- Poweliks isn't an honest-to-goodness virus. It is not a file infector. It is very close to a rootkit, in fact. You are correct that malware normally needs files, but with rootkits, the tracks can be covered and make it appear to the average malware cleaner that nothing is wrong.

An example of file-less malware could be a bootkit (which only modifies the boot sector / MBR).

I'll agree that the malware did not magically appear, but it is possible that the malware was loaded into RAM from an infected web page and then modified the file system and the registry from RAM -- leaving no evidence in the file system. Without artifacts, it's hard to tell how the system was infected, and a number of sandboxes and malware tools aren't the best at logging rootkits. It's a challenge to find them.
 
You are correct that malware normally needs files, but with rootkits, the tracks can be covered and make it appear to the average malware cleaner that nothing is wrong.
Yes, but the files are still there; they just inject themselves into processes to attempt to mask themselves. You do a dir command and they don't list because the DLL that controls that has been changed. And so it "lies" to you. There is always something on the disk running and performing the actions.
 
Mousing over those Windows processes in process explorer will typically show what is running behind the normal looking Windows process. ;)
 
Yes, but the files are still there; they just inject themselves into processes to attempt to mask themselves. You do a dir command and they don't list because the DLL that controls that has been changed. And so it "lies" to you. There is always something on the disk running and performing the actions.

It's not always DLL hooking. Have you ever encountered ADS in NTFS? Up until Windows 7 you could hide an EXE in ADS. Now nothing executable can be hidden in ADS, but work-arounds exist for this.

While I hope I can convince you of this without programming it for you, if a venerable version of Java was installed, a java applet running only in the memory space of a web browser could open up a file reader and writer and modify the registry. A quick edit to open a connection to a C&C server could be added without any resident program being installed, and then on start up the connection would open (think browser instance) and the infection could work from that point. Only a registry modification is required.
 
Poweliks sounds like a hybrid. Starts as a file, infects the registry and then deletes itself (the original file).

From Bleeping Computer:

The Poweliks infection is a Trojan downloader for the Windows operating system that downloads and executes other malware on your computer. This infection is typically installed via exploit kits found on hacked web sites that exploit vulnerabilities on your computer when you visit them. Once the initial installer is executed, the actual Poweliks infection is stored in the Windows registry rather than as a file on your hard drive. The installer then deletes itself. This method of storing the malware files in the Registry rather than the hard drive makes it more difficult for antivirus programs to properly detect it.


http://www.bleepingcomputer.com/virus-removal/remove-poweliks-trojan
 
This method of storing the malware files in the Registry rather than the hard drive makes it more difficult for antivirus programs to properly detect it.

I think Poweliks' methodology is somewhat interesting, but it's nothing alarming. If you consider the fact that most advanced virus tools already scan the registry using "heuristic" methods that don't rely purely on the existence of files or known viruses that are checked against some fingerprint, this is just another aspect of virus removal to be considered and not something to really worry about. Sure, it's more work for the virus software people and a different way of looking at the possibilities, but not something new that can cripple us and leave us helpless. Think of how many times some article came out scaring us about a new virus that would doom us all and yet here we are today, no worse for wear and tear.

I hope that made sense....
 
I think Poweliks' methodology is somewhat interesting, but it's nothing alarming. If you consider the fact that most advanced virus tools already scan the registry using "heuristic" methods that don't rely purely on the existence of files or known viruses that are checked against some fingerprint, this is just another aspect of virus removal to be considered and not something to really worry about. Sure, it's more work for the virus software people and a different way of looking at the possibilities, but not something new that can cripple us and leave us helpless. Think of how many times some article came out scaring us about a new virus that would doom us all and yet here we are today, no worse for wear and tear.

I hope that made sense....

I agree it's not alarming, not like say, another Bush v. Clinton election cycle, but it's an innovation that the antivirus companies seem to have no real answer to. Both the 2014 version and this new mutation came out undetectable by any of the key players or tools that we use. AFAIK, the 2014 version is undetectable to this day except for the ESET Poweliks tool. In both cases MWB, Hitman and Combofix all failed to recognise that the machine was infected.
 
Ken Dwight's registry investigator will find many of these ;)

I'm not sure if it's available as stand alone but he worked with TechWARU and it's integrated with their product. Couple that with ESET Poweliks and you'll knock out most of these poweliks infections although I still like a challenge once in a while to a new variant they miss. :D
 
Just got one in this morning. latest Eset poweliks 1.0.0.5 (30th June 2015 release) remover does not see it. All the usual suspects are running (conhosts, presentation manager, notepad, etc). Trying to kill it now.

EDIT: Ok, found a few folders that had weird filenames, could not be renamed or deleted:

[attached image: IMG_4751.JPG]

I was able to fire up Task Manager, kill explorer and then, using "File..New Task" in Task Manager, go to the folder and rename them and then restart the computer, and now Poweliks is not running. I sent the files "esent.dll" and "order.html" to VirusTotal and it came back with nothing. In each of the folders I see this type of file structure:

[attached image: IMG_4750.JPG]

Basically a file with no extension and then either a .dll or some other file. Submitting any of them to VirusTotal came up with nothing.

I have to do more checking and then update the whole system (no updates for almost a year) and then see what else I can do to remove remnants of this thing or prevent it from happening again.
 
You know what really pisses me off, having to know all these little problems and fixes that you have to keep in the back of your mind at all times when working on a machine or you will waste lots of time and maybe never fix a machine.

So as my previous post says, I killed Poweliks (at least what's active) and I did a few more tweaks and cleanups and then decided to check for new Windows updates. I start the check and walk away. 15 minutes later I walk by and see it's still checking for updates. So I walk away and about 5 minutes later some tiny thing in the back of my head says "Wasn't there some memory leak on Windows 7 svchost or something on Windows Update?". So I go back to that machine, fire up Task Manager and sure enough svchost is at something like 1.7 gigs of RAM and 100 percent CPU. :mad:

I kill the update check, reboot, install KB3050265, reboot and do the check for updates, and now it's staying nicely under 220k. If I didn't know about this fix I would be banging my head against the wall trying to figure out what was wrong, probably thinking that Poweliks was still active.
 