Hackers can hide malware in Windows event logs

Daniel Sims

Staff
In brief: The Windows event log and Event Viewer are supposed to help users diagnose security issues and other problems in PCs. However, Kaspersky researchers encountered one hacker who used the event log itself against their target.

Last week, Kaspersky published a detailed analysis of a complex attack that began last fall. It involved a combination of various techniques and pieces of software, but Kaspersky's security researchers highlighted the use of Windows event logs as something completely new.

At one stage of the campaign, the attacker inserted shellcode into the target's Windows event logs. This way of storing malware is particularly stealthy because the payload lives inside log records rather than as a file on disk, so there is no file for antivirus to scan.
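One defender-side check that follows from this, written as an added example here rather than taken from the article or from Kaspersky's report: ordinary event records carry little or no binary data, so records whose binary field is unusually large stand out and are worth reviewing. The log names, the 4096-byte threshold, the 30-day window and the output fields below are all assumptions of this example, not values from the page.

```powershell
# Added example: flag event records carrying unusually large binary payloads.
# Not the article's or Kaspersky's code; thresholds and log names are assumptions.
function Find-LargeEventBinary {
    param(
        [string[]]$LogNames = @('Application', 'System'),  # assumed logs to sweep
        [int]$MinBinaryBytes = 4096,                         # assumed threshold; tune per host
        [datetime]$Since = (Get-Date).AddDays(-30)           # assumed look-back window
    )

    foreach ($log in $LogNames) {
        # SilentlyContinue: an empty result otherwise surfaces as an error record
        $events = Get-WinEvent -FilterHashtable @{ LogName = $log; StartTime = $Since } `
                               -ErrorAction SilentlyContinue
        foreach ($ev in $events) {
            [xml]$xml = $ev.ToXml()
            $binary = $xml.Event.EventData.Binary
            if (-not $binary) { continue }

            # <Binary> is hex-encoded, two characters per byte
            $byteLen = [int]($binary.Length / 2)
            if ($byteLen -ge $MinBinaryBytes) {
                [pscustomobject]@{
                    Log          = $log
                    RecordId     = $ev.RecordId
                    TimeCreated  = $ev.TimeCreated
                    ProviderName = $ev.ProviderName
                    EventId      = $ev.Id
                    BinaryBytes  = $byteLen
                }
            }
        }
    }
}

# Usage: list the largest payloads first so the odd records float to the top
Find-LargeEventBinary | Sort-Object BinaryBytes -Descending | Format-Table -AutoSize
```

Run it from an elevated session if you include logs such as Security that require administrator rights. A hit is a lead, not a verdict: some legitimate providers do write sizeable binary blobs, so compare the flagged provider and event ID against what that host normally logs before escalating.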

The campaign also involved a large suite of both commercial and home-brewed software, and made use of DLL hijacking, a trojan, anti-detection wrappers, look-alike web domains, and more. The attacker even digitally signed some of their custom tools to make them look more legitimate.

The scale and uniqueness of the attack indicate it was tailored toward a specific target system. The first step involved social engineering, in which the attacker convinced the victim to download and run a .rar file from the legitimate file-sharing site file.io in September. If nothing else, this should be a reminder against clicking on links from strangers, much less downloading and running files from them.

Kaspersky couldn't link the attack to any known suspects, or determine its ultimate purpose. However, the researchers told BleepingComputer that similar attacks usually aim to grab valuable data from their targets.


ZedRM

If nothing else, this should be a reminder against clicking on links from strangers, much less downloading and running files from them.
This. If people would stop clicking on every link they're sent, 90% of the security problems we have in the world would instantly go away. People need to use their heads for something more than a seat cushion.

BigRedPDX

Clearing logs is general maintenance. I've even created a script that'll run once a quarter to clear event logs. The employees are the front line for these types of attacks, so it's good to send out reminders to them to let them know they need to be vigilant about phishing scams and random links.

TheBigT42

Clearing logs is general maintenance. I've even created a script that'll run once a quarter to clear event logs. The employees are the front line for these types of attacks, so it's good to send out reminders to them to let them know they need to be vigilant about phishing scams and random links.

We offload all logs to blumira.com and overwrite the logs. Blumira makes searching Event Logs and other logs easy and FAST.

bviktor

This. If people would stop clicking on every link they're sent, 90% of the security problems we have in the world would instantly go away. People need to use their heads for something more than a seat cushion..
If people would stop clicking on every link, hackers would prioritize other methods. There's no silver bullet.

It's like saying Linux is more secure because 90% of hackers target Windows machines.

... well yeah, Dingus, because 90% of people use Windows.

ZedRM

If people would stop clicking on every link, hackers would prioritize other methods. There's no silver bullet.
Sure there is; it's called education. Instead of attempting to battle scammers and thieves directly, we balance things by spreading information to everyone, on every type of platform, about how to avoid being scammed over the internet, on the phone and through the mail. We teach people how to protect themselves so no one else has to.

... well yeah, Dingus, because 90% of people use Windows.
OS platform has nothing to do with it. Scams and fraud happen just as frequently on mobile platforms as they do on desktop. The only reasons scams don't happen as much on Linux are that, A, far fewer people run Linux as a primary OS, and B, Linux users are vastly more tech-smart and wise enough to see scams coming. MacOS and Windows? Not so much.