Friday, November 7, 2014

Exposing Malware In Hidden Desktops Using CmdDesktopSwitcher

This content has moved to

Have you ever come across malware that has opened a window that you just can’t see? You suspect it is a case of the malware setting the window as hidden. You fire up WinLister to enumerate the windows in the hopes of finding the hidden window but nothing shows up. If you have ever found yourself in this situation you may be dealing with malware that is hiding in a second desktop. In this article we will walk through the process of identifying extra desktops and switching between them with a new tool called CmdDesktopSwitch.exe. 

Forget this article just let me download the tool!

What is a Desktop
We are all familiar with the term “desktop” as the main graphical window in Windows however the term isn’t just a concept it is actually an object that can be programatically manipulated. Basically a desktop is an object used to create and manage windows. Microsoft actually does a much better job of describing it than me which you can read here. The name of the default desktop that everyone is familiar with is Default. Windows also creates a desktop called Winlogon that is used for the logon screen.

The important thing to remember is that you can programatically create more than one desktop. This is a bit strange since Windows does not provide any native tools for desktop manipulation; all desktop creation and management must be implemented in third-party code. As a result not many people are aware that more than one desktop can exist per user. This makes desktops a perfect hiding place for malware. The Volatility folks have a nice post explaining the malicious uses of desktops

Malware Hiding in a Desktop
Before we get into hidden desktops let's illustrate the difference between a hidden window and a window opened in another desktop. A hidden window is simply a window that has been initialized as hidden using the SW_HIDE flag (note there are other ways to hide a window after initialization but this is the method I have seem most commonly used by malware). 

As shown in the example above the hidden window belonging to process HiddenWindow.exe is correctly enumerated by WinLister. WinLister can be used to then change the visibility of the window and make it visible. This is a useful tool that can be used to show you what the malware is doing visually. 

However, if the malware creates a new desktop and opens a window in the new desktop the window will not be enumerated by WinLister and will remain invisible. 

In the above example the process DesktopWindow.exe has created a new desktop and opened a window in it. As we can see this window is not enumerated by WinLister and remains hidden. 

Using CmdDesktopSwitch to Display Hidden Desktops
I have developed a small tool that can be used to enumerate all desktops and provides the ability to switch between desktops. The tool will first print a list of desktops it has enumerated.

As seen in the example above the process VirutalDesktopWindow.exe has created another desktop called hidden_desktop. The CmdDesktopSwitch tool has listed this desktop along with the other default desktops. We can now enter the selection number for the hidden_desktop and the tool will switch to that desktop.

As shown above the tool has switched the view to the hidden_desktop desktop and we can see the previously hidden window belonging to the VirtualDesktipWindow.exe process. We also see a popup box that the CmdDesktopSwitch tool inserts into the desktop allowing us to switch back to our default desktop (and exit tool).

How Robust Is This Tool?
This tool was mainly developed to be used in the lab not during live response. The tool operates in user land and calls the windows API so it is vulnerable to all the usual hooking techniques used to hide malware. It also only enumerates desktops on the window station that the default desktop is assigned to. The tool can certainly be used during live response but due to these limitations it should only be used to prove a positive (ie. there is malware) and never relied on to prove a negative (ie. there is no malware). 

During live response I highly recommend using the Volatility deskscan plugin and a memory dump to enumerate all desktops. Below is the output from the Volatility deskscan plugin run on a memory dump from our above example with the VirutalDesktopWindow.exe  process.

As you can see Volatility has identified the hidden_desktop and listed the VirutalDesktopWindow.exe window that is a descendent of that desktop.

Why Use This Tool?
As mentioned above Volatility does a much more thorough job of enumerating desktops however if a memory dump is not available and live response is required the tool could be used. Where it really excels though is during malware analysis. You can use the tool to visually watch malware operate. This is especially useful in the case of ad-fraud malware where the malware has opened a browser on a hidden desktop and is using the browser to defraud advertisers. By using this tool you can actually see what the malware is doing, what ads it is loading, etc.

What To Look For In Your Sandbox - IOCs
If you are analyzing a malware sample and you see the following windows API calls in your sandbox it might be time to give this tool a try.
  • GetProcessWindowStation
  • CreateDesktop
  • CreateDesktopW
  • GetThreadDesktop
  • SetThreadDesktop
  • CloseDesktop
  • CloseWindowStation

You can download the tool and the source code from github

No comments:

Post a Comment