Who Are The Living Ghosts?

A living ghost is a 'disgusting' but perhaps accurate term applied to a person who has come to the UK to claim asylum and been unsuccessful http://www.church-poverty.org.uk/campaigns/li..

Once this happens, and if his/her appeal fails then there is an expectation that the individual will return voluntarily to his/her country of origin, and if this does not happen he or she will lose all access to public support i.e. no rights to accommodation, no rights to seek employment, no rights to claim government benefits, no rights to social care and the most basic rights to medical care.

In this situation, a person becomes virtually invisible hence the term 'Living Ghost'. Nobody really sees the living ghost except when crime is committed or when the housing shortage hits an all time high. This is the time when the living ghost is most noticed.

I have always found this to be particularly odd as the living ghost has no entitlement to housing and if he/she has no access to employment or benefits how is he/she meant to survive?

I have to say however, that the people I know in this situation have never been involved with the criminal justice system, in fact they are terrified of the police. In their countries, if you get arrested, you are usually out cold by the time you reach the patrol car or dead.

Now you might wonder how the hell a person in this situation actually manages to survive? How do they eat? Where do they sleep? Do they sleep? What happens if they become ill? and please don't forget that many people seeking asylum in the UK have often fled their own countries in fear for their lives, they may have been detained & tortured, raped or lost family members as a result of war, the list is endless.

It shouldn't be so difficult to survive though should it? I mean, they take our jobs (err sorry! no permission to work!) our houses (oops! no permission to access housing) Oh yes!! lets not forget our women because we really have no independent thought processes do we?

Taking into account the atrocities that some of these people have endured in their lives, is it not suprising that people do not return 'voluntarily'?

Now in many cases, the Home Office http://www.ukba.homeoffice.gov.uk/ do not deport people back home, why? because their countries are known to be unsafe, it's just their accounts of what happened that weren't believed.
So when this happens they are left destitute and are living on our streets, in our democratic country in the 21st century how disgusting is that?

Welcome To The United Kingdom!



Where's my vote?

Where's my vote?
People just want the right to choose their own government

Man holds a picture of his murdered friend

Man holds a picture of his murdered friend
Killed for speaking out against the corrupt Ahmadinejad regime
STOP EXECUTIONS IN IRAN!

According to the United Nations Convention Against Torture 1984, Article I, the term "torture" means any act by which severe pain or suffering, whether physical or mental, is intentionally inflicted on a person for such purposes as obtaining from him or a third person information or a confession, punishing him for an act he or a third person has committed or is suspected of having committed, or intimidating or coercing him or a third person, or for any reason based on discrimination of any kind, when such pain or suffering is inflicted by or at the instigation of or with the consent or acquiescence of a public official or other person acting in an official capacity. It does not include pain or suffering arising only from, inherent in or incidental to lawful sanctions.Iran is not signatory of Convention Against Torture but it doesn't give Iranian government any right to torture Iranians.

Surely Things Aren't Really That Bad Are They? Come on, What's for Tea?

Now before you sit down and eat, I'd like you to try a little exercise, anyone can join in and it will only take about 10 minutes maximum. It doesn't matter who you are, whether you are a council worker, a politician, the Prime Minister, homeless, destitute it really does not matter.
Just close your eyes for a moment and imagine this.......

You live in a beautiful country, lets say Iran to keep it simple. Things are hard but your country is amazing, beautiful buildings, warmth, the smell of home cooking and incense wafting by as you relax after a day's hard work. You have always struggled, never really fitted in because your father is Iranian and your Mother Kurdish but nevertheless that's part of life and there are mixed race people everywhere.
Suddenly you are jolted from your relaxation by banging on your door so you rush to see what the problem is.
It must have only taken a few seconds to reach the door but when you get there you see your elderly father being taken by military police handcuffed with a gun to his head.
You stare in horror and then being the eldest son you need to make sure your mum & sister are ok.
In your mum's room you see her crying on the bed and just as you are walking over to her your sister screams so you rush to her room but one soldier is still there so you can't do a thing except witness her rape and torture that seems to last a lifetime. Your mum knows whats happened and she is praying that she will die. Imagine that!
Imagine this is the 5th, 6th 7th or 8th time this has happened?
Your father, well you never saw him again after the first time, your sister could face execution for having sex before marriage and now who will marry her anyway?
Your Mother well she still wants to die but can't quite get there & you! are meant to protect them but you know the interrogators will be back for you because your're half Kurdish and you support independence for Kurdish people and they really don't like that.
Imagine that!! so you flee to protect your own life and also you feel that it may be easier on your family if you aren't there.
You don't know where you will end up when you smuggle yourself onto lorries, boats e.t.c or even if you will get to the other end alive but you do it....you are amazing imagine that!

This exercise wasn't made up, it was based upon real life history. A close friend of mine who I will call S experienced this and more on a regular basis. S is a man who was detained, raped and tortured systematically by the Iranian regime. Other examples include.......

Thousands face mass eviction from homes and market stalls in Zimbabwe
Up to 200 people from an informal settlement in the Harare suburb of Gunhill in Zimbabwe face being forcibly evicted without being given adequate notice or any consultation or due process. Thousands of vendors across Harare also face forcible removal from their market stalls. The majority of those to be affected are poor women whose principal source of livelihood is selling fruits, vegetables and other wares at market stalls like Mbare Musika and Mupedzanhamo in Harare.The Deputy Mayor of the Harare City Council stated in July 2009 that the city authorities are considering evicting people from "illegal settlements and market places to restore order." He claimed that the targeted people pose a health hazard and violate the city's by-laws.
www.hrw.org/ (Human Rights Watch 2009)


Iranian girl prisoners systematically raped before execution
The Iranian practice of raping girl prisoners before execution has been reported previously, but perhaps never with such clear documentation. "Progressives" who support this regime should keep it in mind. It is unlikely that there will be any investigation by the UN or a human rights group.

Ami Isseroff

'I wed Iranian girls before execution'
Jul. 19, 2009SABINA AMIDI, Special to The Jerusalem Post , THE JERUSALEM POST
In a shocking and unprecedented interview, directly exposing the inhumanity of Supreme Leader Ali Khamenei's religious regime in Iran, a serving member of the paramilitary Basiji militia has told this reporter of his role in suppressing opposition street protests in recent weeks.
He has also detailed aspects of his earlier service in the force, including his enforced participation in the rape of young Iranian girls prior to their execution.
He said he had been a highly regarded member of the force, and had so "impressed my superiors" that, at 18, "I was given the 'honor' to temporarily marry young girls before they were sentenced to death."
In the Islamic Republic it is illegal to execute a young woman, regardless of her crime, if she is a virgin, he explained. Therefore a "wedding" ceremony is conducted the night before the execution: The young girl is forced to have sexual intercourse with a prison guard - essentially raped by her "husband."
"I regret that, even though the marriages were legal," he said.
Why the regret, if the marriages were "legal?"
"Because," he went on, "I could tell that the girls were more afraid of their 'wedding' night than of the execution that awaited them in the morning. And they would always fight back, so we would have to put sleeping pills in their food. By morning the girls would have an empty expression; it seemed like they were ready or wanted to die.
"I remember hearing them cry and scream after [the rape] was over," he said. "I will never forget how this one girl clawed at her own face and neck with her finger nails afterwards. She had deep scratches all over her."

Still hungry?

Oh Mr. Brown! (Gordon) you are an exception enjoy your tea!

(THIS IS THE UNITED KINGDOM)

The United Kingdom is a Country of Democracy, Equality and Values the Protection of Human Rights.

So you have arrived in the United Kingdom tired, hungry, traumatised and dehydrated but nevertheless grateful to be in a country where you know you will not be executed..(there's a good start).

Despite your frail state however you manage with the help of an interpreter to complete a lengthy document stating your claim for asylum and why you were forced to flee your beautiful country with the wonderful history and the smell of home cooking e.t.c. for a country you know absolutely nothing about....You are amazing!

Asylum is given under the 1951 United Nations Convention Relating to the Status of Refugees http://www.asylumrights.org.uk/convention.htm.

To be recognised as a refugee, you must have left your country and be unable to go back because you have a well-founded fear of persecution because of your:
.race;
.religion;
.nationality;
.political opinion; or
.membership of a particular social group.

In 2007, 19 out of every 100 people who applied for asylum were recognised as refugees and given asylum.

Eventually you are offered accommodation with the support of NASS National Asylum Support Service (NASS) just until a decision is made about whether you will be granted leave to remain in the United Kingdom. You are also provided with vouchers so that you can eat.
www.asylumsupport.info/nass.htm

Things seem to be a little easier now and you can relax and recover from your ordeal in the knowledge that you will be safe but you can't look for a job to support yourself or access a house independently not yet! not until you become a British Citizen so you'll just have to hope for the best for now and wait until you get your UK leave to remain.

This means that it will be almost impossible to learn English Language at the moment because you don't really have the chance to mix in with British people as most of them congregate in places like 'Workplaces' or 'Housing Communities' all the places you can't go.

I guess you could go to social places like clubs or pubs but you don't have any money to do that and they don't accept vouchers sorry! but I guess you have freedom of choice don't you?




Beyond What is Visible

You were once a stranger to me but now I know you,
Not all of you, that could never be
Always a part of you that no one will ever see, not even me.

Once a stranger with beautiful brown eyes, the most beautiful eyes I have ever seen,
Eyes that felt nothing, no emotion nothing in between, this life and beyond.

We were once strangers but then we touched,
Not in the way some might think, not too much.
The touch we shared was deep and true,
Not physical but you did touch me and I did touch you.

You were once a stranger to me but now I know you,
Not all of you, that could never be.
Sometimes there's a moment when your eyes melt me,
So warm and compassionate, oh such a change in time, or is it?
Maybe I was blind.

We dont have words but thats fine,
I don't speak your language and you don't speak mine
But when you touched me I understood what you needed to say, it just needed time.




The Decision.........Dont worry!! Help is at hand. This is the United Kingdom.

So today is the day! the letter has arrived and with anticipation you open it.
You don't understand.............
You told the truth, explained why you had to flee your country, about the rape the torture why have they refused your application?
Why?
Quickly you must try and lodge an appeal against this decision.
The Home Office have stated that certain things are untrue or overstated but you know you told the truth.

You admit and acknowledge that when you lodged your claim, you were traumatised, tired, hungry and dehydrated and had travelled for thousands of miles in appalling conditions but you told the truth.
So you lodge your appeal and this fails too so what now?

Another letter arrives... you breath a sigh of relief as this could be to say that they made a mistake, they were wrong but no, its from NASS to say that in 28 days you must leave your home and return voluntarily to your country as you are now not permitted to remain in the UK. In 28 days time your vouchers will cease also.

So far you have managed alone with your memories of what happened to you and your family, tormented and unable to sleep you have paced the floor, even turned to alcohol which in your country is prohibited but you coped now its different. Who can you turn to? where can you get help when you don't even speak English?
Maybe the nurse in the hospital will understand as you wake up with both your wrists bandaged.

Relax! This is the United Kingdom there is always a way forward.

In the UK there is something called Section 4 support

Section 4 support

Applying for support

This page explains how you may qualify for short-term support if your application for asylum was unsuccessful, you are unable to return to the country you came from and would otherwise be homeless or without the money to buy food (we call this 'destitute').
If your asylum application has been rejected, you must return to your country of origin as soon as possible. However, you may be able to receive short-term support while you are waiting to return to your country. This is known as section 4 support because it is given under the terms of section 4 of the Immigration and Asylum Act 1999.
There are strict requirements you must meet in order to qualify for section 4 support. You must be destitute and satisfy one of the following requirements:
you are taking all reasonable steps to leave the United Kingdom or placing yourself in a position where you can do so;
you are unable to leave the United Kingdom because of a physical barrier to travel or for some other medical reason;
you are unable to leave the United Kingdom because the UK Border Agency believes there is no safe route available;
you have either applied for a judicial review of your asylum application in Scotland or applied for a judicial review of your asylum application in England, Wales or Northern Ireland and been given permission to proceed with it; or
accommodation is necessary to prevent a breach of your rights, within the meaning of the Human Rights Act 1998.

http://www.ukba.homeoffice.gov.uk/asylum/support/apply/section4/

So What is Section 4 all about?

Now Section 4 of The Asylum and Immigration Act 1999 is a magical piece of legislation put in place by the Home Office to help you so please trust them and do not listen to anyone who tells you otherwise.

Yes thats right! The Home Office were the people who looked at your asylum claim and refused it.

Lets take a closer look at Section 4 and what you must do to get it....

1- You must be willing to leave the UK and you must be putting yourself in a position to do so.

Oh but wait! you came to the UK fleeing for your life so this wont work.

2-You cannot leave the UK because you are unable to travel due to physical barriers.

Hmmm at the moment you are not registered as having these kinds of problems and even if you had, who would be aware of it? You have no access to anything and in any case you can't speak English.

3- you are unable to leave the United Kingdom because the UK Border Agency believes there is no safe route available;

Well your asylum claim was refused so the Home Office obviously believe it is safe.

4-
you have either applied for a judicial review of your asylum application in Scotland or applied for a judicial review of your asylum application in England, Wales or Northern Ireland and been given permission to proceed

Your asylum claim and appeal was refused (Not doing too well here)

5-
accommodation is necessary to prevent a breach of your rights, within the meaning of the Human Rights Act 1998.

Damn!! They just took your accommodation.

On a positive note, your local authority (The city where you live) know about this so they should help shouldn't they?
Let's hear what they have to say,and what they are planning to do about it..............

Home
About MCC Manchester
MCC Manchester News
News, events and activities in the life of the Metropolitan Community Church, Manchester (UK).
May 30, 2009
Support for refused asylum seekersPosted by Steve Gray under Social action Tags: , , , , Leave a Comment

Refused asylum seekers left destitute in the UK
Background information

No doubt you will have heard or read reports about how the UK is meant to be a “soft touch” for asylum seekers. Yet, in reality, the level of support provided to asylum seekers is far lower than that of income support and is usually withdrawn altogether if a claim is refused.

Many refused asylum seekers are, in fact, unable to return to their home countries due to the risks they would face because of, for example, armed conflicts, generalised violence and repressive regimes. As a result, many refused asylum seekers from countries where such problems are rife (including Zimbabwe, Iran, Iraq, Sudan, Afghanistan, Somalia, the Democratic Republic of Congo and Eritrea) are being forced into destitution, as they are not permitted to work here.

To make matters worse, it appears as though this could be part of a deliberate strategy on the part of the UK Government. Certainly, this is the view of the Joint Committee on Human Rights, which recently reviewed the treatment of asylum seekers in the UK and reached the following conclusion:

“We have been persuaded by the evidence that the Government has indeed been practising a deliberate policy of destitution of this highly vulnerable group.

We believe that the deliberate use of inhumane treatment is unacceptable. We have seen instances in all cases where the Government’s treatment of asylum seekers and refused asylum seekers falls below the requirements of the common law of humanity and of international human rights law”.
In light of this, we are calling on you to support the Still Human Still Here Campaign, which is fully endorsed by Amnesty International and many other reputable organisations (http://stillhumanstillhere.wordpress.com/).

The Still Human Still Here Campaign is dedicated to highlighting the plight of tens of thousands of refused asylum seekers who are destitute in the UK.

Supporters of the campaign believe that the denial of any means of subsistence to refused asylum seekers as a matter of government policy is both inhumane and ineffective.
Its supporters are calling on the Government to:
End the threat and use of destitution as a tool of Government policy against refused asylum seekers

Continue financial support and accommodation to refused asylum seekers as provided during the asylum process and grant permission to work until such a time as they have left the UK or have been granted leave to remain

Continue to provide full access to health care and education throughout the same period

What can I do?

We are asking you to write to your local MP in order to highlight the issue and ask for his or her support. Please feel free to use the model letter below (preferably adapting it, where possible) for this purpose. If you don’t know who your

MP is, you can find out at http://www.theyworkforyou.com/.

Then, all you need to do is send your letter (addressed to your own MP) to:
House of CommonsLondonSW1 0AA
If you receive a reply from your MP, please send a copy to The Human Rights Action Centre, 17-25 New Inn Yard, London, EC2A 3EA

Well, they have been persuaded so theres a good thing, but it looks like they are going to do absolutely nothing!



Please Don't Be The Next Living Ghost

The inspiration for this blog has been given to me by some truly amazing people who I have been fortunate to meet along life's journey. Unfortunately, although it would be an honour to use their full titles I am only able to identify them by initials.
Some of the mentioned people have fled their countries in fear of their lives, and some sadly did not make it.

I would like to take this opportunity to thank these people from the bottom of my heart for allowing me to be a part of their journey and for being courageous enough to come forward with their stories.

I hope that after visiting my blog you will share some of your own experiences and be proactive in writing letters and doing whatever it takes to make changes to the current asylum laws.

This can be done, it just takes time and determination and most of all a willingness to stand in unity.

S.M -A courageous and amazing man of Kurdish-Iranian origin. Having experienced torture & detention for political reasons he fled to the UK in fear for his life. This man has diagnosed Post Traumatic Stress Disorder and needs close monitoring due to five previous and serious suicide attempts. Initial asylum claim failed and now in the process of appeal. If returned to Iran he faces definite execution.
This man lives in Manchester England.

S.G.T- A courageous and amazing man of Kurdish Iranian origin, having fled his country for political reasons he still awaiting the outcome of his asylum claim to remain in the UK. A member of the PKK (Kurdish Independence Party) he will definitely face execution by hanging if returned.
This man lives in Manchester England.

S.H - A courageous and amazing Iranian man who fled Iran following his relationship with a girl of Jewish origin. The Basij police cut her throat in front of him and beat him so badly that he sustained a 7" scar on his head from a machete type blade (His father was one of Basij). In the UK he became a 'living ghost' and eventually returned to Iran as he could take no more pain and hopelessness from his destitute situation. He was subsequently executed by hanging, accused of espionage.

A.A -An amazing and couragious man who fled his home country of Iran because of political reasons. He is currently destitute on the streets of Manchester UK having failed his asylum application and appeal. He is now a living ghost.

F.A -Also a courageous and amazing man from Iran who was picked up and detained following a protest in the UK against the Ahmadinejad regime in his home country in which his family are stuck. This man faces deportation back to Iran where he is likely to be executed as an opposer of the Ahmadinejad government.
This man lives in Manchester England

A.R.Z -A courageous and amazing man from Afghanistan currently in the UK.
This man has his leave to remain in the United Kingdom but is so mentally affected by the atrocities and torture he endured in his country, he is unable to ever feel safe. He is dependent upon opium and living in Manchester England

M.M- A courageous and amazing young man of Iranian origin. Having fled his country because of sexuality reasons he came to the UK.
Homosexuality in Iran is punishable by the death penalty and his partner was hung at the age of just 23yrs.
This man failed in his application for asylum and in his appeal against the decision. He is now a living ghost in Manchester England.

M. An amazing and courageous young man from Eritrea who fled to the UK in fear for his life after all his family, mother, father, 2 brothers and his baby sister were slaughtered in front of his eyes by militia.
He escaped by hiding in a cupboard. He is awaiting the outcome of his appeal for asylum in the UK. He currently resides in accommodation provided by NASS due to his young age.

A.S An amazing and courageous man from Iran who has been deeply affected by the aftermath of the Iran Iraq war in which he served as a soldier. This man has serious mental health problems and the need for counselling but cannot access it having no access to support after his asylum claim and appeal were refused in the UK. Recently he stitched his own mouth and went on hunger strike just so someone would listen. He lives in Manchester.

MB, An amazing and Courageous Angolan man who was detained in Yarl's Wood with his 13-year-old son, was found hanged in a stairwell on the morning of his 35th birthday.
M's last words to his son were 'be brave, work hard, do well at school'

EN, An amazing and Courageous 26-year-old Zimbabwean man who was found drowned after his asylum claim and appeal to remain in the UK had failed.

HN-An amazing and Courageous man from Iran who was found with a gunshot wound two weeks after his asylum claim was refused.
H, was homosexual and fled Iran in March 2000 after being imprisoned for three months for his sexuality and sought sanctuary in the UK. He feared being executed if he was returned to Iran - where homosexuality is a 'crime' punishable by death.


Please Check out the following links and make a difference: Additionally, please contact me at:
morgana.1@hotmail.co.uk


http://stllhumanstillhere.wordpress.com/
http://www.church-poverty.org.uk/campaigns/li..
http://www.irr.org.uk/2005/september/ha000021.html
http://www.redcross.org.uk/.
http://www.torturecare.org.uk./
http://www.refugee-action.org.uk/manchester.
http://www.sareli.org.uk./
http://www.samaritans.org./
http://www.woodstreetmission.org.uk./

http://www.qva.org.uk/

http://www.immigrationboards.com


Monday, 20 April 2020

Many Ways Of Malware Persistence (That You Were Always Afraid To Ask)

TL;DR: Are you into red teaming? Need persistence? This post is not that long, read it ;)
Are you into blue teaming? Have to find those pesky backdoors? This post is not that long, read it ;)

In the previous post, I listed different ways how a Windows domain/forest can be backdoored. In this new post, I am digging a bit deeper, and list the most common/known ways malware can survive a reboot, just using local resources of the infected Windows system. The list is far from complete, and I would like to encourage everyone to comment on new methods, not yet listed here.

From an incident response point of view, one of the best strategies to find malware on a suspicious system is to search for suspicious entries that start with the system. In the good old days, you had to check for 2-3 locations to cover 99% of the infections. Nowadays, there are a thousand ways malware can start. The common ones automatically start whenever Windows starts (or the user logs in), but some tricky ones are triggered by other events.

Autoruns

My favorite choice when it comes to malware persistence is Sysinternals tools, Autoruns. In this paragraph, I mainly quote the official built-in help, but bear with me, it is still interesting.

On a side note, there are some problems with the Autoruns tool: it can only run on a live system. (EDIT: This is not true, Autoruns can analyze offline systems as well! Thanks to a comment from Justin.) And usually, this is not the case - I usually have dd images. And although VBoxManage can convert the dd images to VirtualBox disk image format, usually I don't have the time and storage to do that. This is where xmount awesomeness is here to rescue the day. It can convert dd and Encase images on-the-fly in-memory to Virtualbox format. Just attach the disk image to a new Virtualbox machine as the main boot HDD, modify the CPU/disk/controller settings until Windows starts instead of crashing, and voila, you can boot your forensic image - without modifying a single bit on the original evidence dd file. Another problem with malware analysis on a live system is that a good rootkit can fool the analyst easily. 

For quick wins, I usually filter out Microsoft entries, look for per-user locations only and check for unverified (missing or invalid Authenticode) executables. This usually helps to find 90% of malware easily. Especially if it has a color like purple or pink, it is highly suspicious. To find the rest, well, one has to dig deeper.
Zeus "hiding" in the usual random directory - check the faked timestamp
To implement "poor-mans monitoring", regularly save the output of Autoruns, and during incident response, it will be highly valuable. Howto guide here.

Logon

"This entry results in scans of standard autostart locations such as the Startup folder for the current user and all users, the Run Registry keys, and standard application launch locations." 
There are 42 registry keys/folders at the moment in Autoruns, which can be used to autostart a malware. The most common ways are the HKCU\Software\Microsoft\Windows\CurrentVersion\Run and the C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup folder.
One of my favorite regarding this topic is the file-less Poweliks malware, 100% pure awesomeness. Typical ring 3 code execution.

Explorer

"Select this entry to see Explorer shell extensions, browser helper objects, explorer toolbars, active setup executions, and shell execute hooks". 71 registry keys, OMG. Usually, this is not about auto-malware execution, but some of them might be a good place to hide malware.

Internet explorer

"This entry shows Browser Helper Objects (BHO's), Internet Explorer toolbars and extensions". 13 registry key here. If a malicious BHO is installed into your browser, you are pretty much screwed.

Scheduled tasks

"Task scheduler tasks configured to start at boot or logon." Not commonly used, but it is important to look at this.
I always thought this part of the autostart entries is quite boring, but nowadays, I think it is one of the best ways to hide your malware. There are so many entries here by default, and some of them can use quite good tricks to trigger the start.
Did you know that you can create custom events that trigger on Windows event logs?
Did you know you can create malware persistence just by using Windows tools like bitsadmin and Scheduled tasks?
Scheduler in the old days
Scheduler in the new days

Services

HKLM\System\CurrentControlSet\Services is a very commonplace to hide malware, especially rootkits. Check all entries with special care.

Drivers

Same as services. Very commonplace for rootkits. Unfortunately, signing a driver for 64-bit systems is not fun anymore, as it has to be signed by certificates that can be chained back to "Software Publisher Certificates". Typical startup place for Ring 0 rootkits. 
Starting from Windows 10, even this will change and all drivers have to be signed by "Windows Hardware Developer Center Dashboard portal" and EV certificates.

Codecs

22 registry keys. Not very common, but possible code execution.

Boot execute

"Native images (as opposed to Windows images) that run early during the boot process."
5 registry keys here. Good place to hide a rootkit here.

Image hijacks

"Image file execution options and command prompt autostarts." 13 registry key here. I believe this was supposed for debugging purposes originally.
This is where the good-old sticky keys trick is hiding. It is a bit different from the others, as it provides a backdoor access, but you can only use this from the local network (usually). The trick is to execute your code whenever someone presses the SHIFT key multiple times before logging into RDP. The old way was to replace the sethc.exe, the new fun is to set a debug program on sethc.
If you see this, you are in trouble

AppInit

"This has Autoruns shows DLLs registered as application initialization DLLs." Only 3 registry keys here. This is the good old way to inject a malicious DLL into Explorer, browsers, etc. Luckily it is going to be deprecated soon.

Known DLLs

"This reports the location of DLLs that Windows loads into applications that reference them." Only 1 registry key. This might be used to hijack some system DLLs.

Winlogon

"Shows DLLs that register for Winlogon notification of logon events." 7 registry keys. Sometimes used by malware.

Winsock providers

"Shows registered Winsock protocols, including Winsock service providers. Malware often installs itself as a Winsock service provider because there are few tools that can remove them. Autoruns can disable them, but cannot delete them." 4 registry keys. AFAIK this was trendy a while ago. But still, a good place to hide malware.

Print monitors

"Displays DLLs that load into the print spooling service. Malware has used this support to autostart itself." 1 registry key. Some malware writers are quite creative when it comes to hiding their persistence module.

LSA providers

"Shows registers Local Security Authority (LSA) authentication, notification and security packages." 5 registry keys. A good place to hide your password stealer.

Network providers

"Missing documentation". If you have a good 1 sentence documentation, please comment.

WMI filters

"Missing documentation". Check Mandiant for details.

Sidebar gadgets

Thank god MS disabled this a while ago :)
We all miss you, you crappy resource gobble nightmares

Common ways - not in autoruns

Now, let's see other possibilities to start your malware, which won't be listed in Sysinternals Autoruns.

Backdoor an executable/DLL

Just change the code of an executable which is either auto-starting or commonly started by the user. To avoid lame mistakes, disable the update of the file ... The backdoor factory is a good source for this task. But if you backdoor an executable/DLL which is already in Autoruns listed, you will break the Digital Signature on the file. It is recommended to sign your executable, and if you can't afford to steal a trusted certificate, you can still import your own CA into the user's trusted certificate store (with user privileges), and it will look like a trusted one. Protip: Use "Microsoft Windows" as the codesigner CA, and your executable will blend in.
See, rootkit.exe totally looks legit, and it is filtered out when someone filters for "Hide Windows entries".


Hijack DLL load order

Just place your DLL into a directory which is searched before the original DLL is found, and PROFIT! But again, to avoid lame detection, be sure to proxy the legitimate function calls to the original DLL. A good source on this topic from Mandiant and DLL hijack detector.


Here you can see how PlugX works in action, by dropping a legitimate Kaspersky executable, and hijacking the DLL calls with their DLL. 

Hijack a shortcut from the desktop/start menu

Never underestimate the power of lame tricks. Just create an executable which calls the original executable, and meanwhile starts your backdoor. Replace the link, PROFIT! And don't be a skiddie, check the icon ;) I have seen this trick in adware hijacking browsers a lot of times.

IE hijacked to start with http://tinyurl.com/2fcpre6

File association hijack

Choose the user's favorite file type, replace the program which handles the opening with a similar one described in the previous section, and voila!

COM object hijack

The main idea is that some COM objects are scanned for whether they are on the system or not, and when it is registered, it is automatically loaded. See COMpfun for details.

Windows Application Compatibility - SHIM

Not many people are familiar with Windows Application Compatibility and how it works. Think about it as an added layer between applications and the OS. If the application matches a certain condition (e.g. filename), certain actions will take place. E.g. emulation of directories, registry entries, DLL injection, etc. In my installation, there are 367 different compatibility fixes (type of compatibility "simulation"), and some of those can be customized.
Every time IE starts, inject a DLL into IE

Bootkits 

Although bootkits shown here can end up in Autoruns in the drivers section (as they might need a driver at the end of the day), I still think it deserves a different section.

MBR - Master boot record

Malware can overwrite the Master boot record, start the boot process with its own code, and continue the boot process with the original one. It is common for rootkits to fake the content of the MBR record, and show the original contents. Which means one just have attached the infected HDD to a clean system, and compare the first 512 bytes (or more in some cases) with a known, clean state, or compare it to the contents shown from the infected OS. SecureBoot can be used to prevent malware infections like this.
There is a slight difference when MBR is viewed from infected OS vs clean OS

VBR - Volume boot record

This is the next logical step where malware can start it's process, and some malware/rootkit prefers to hide it's startup code here. Check GrayFish for details. SecureBoot can be used to prevent malware infections like this.

BIOS/UEFI malware

Both the old BIOS and the new UEFI can be modified in a way that malware starts even before the OS had a chance to run. Although UEFI was meant to be more secure than BIOS, implementation and design errors happens. Check the Computrace anti-theft rootkit for details.

Hypervisor - Ring -1 rootkit

This is somewhat special, because I believe although rootkit can run in this layer but it can't persist only in this layer on an average, physical machine, because it won't survive a reboot See Rutkowska's presentation from 2006 But because the hypervisor can intercept the restart event, it can write itself into one of the other layers (e.g. install a common kernel driver), and simply delete it after it is fully functional after reboot. Update: There is a good paper from Igor Korkin about hypervisor detection here.

SMM (System Management Mode) malware - Ring -2 rootkit

Somehow related to the previous type of attacks, but not many people know that System Management Mode can be used to inject code into the OS. Check the DEITYBOUNCE malware for more details ;) Also, abusing Intel Dual Monitor Mode (DMM) can lead to untrusted code execution, which basically monitors the SMM mode.

Intel® Active Management Technology - Ring -3 rootkit

According to Wikipedia, "Intel Active Management Technology (AMT) is hardware and firmware technology for remote out-of-band management of personal computers, in order to monitor, maintain, update, upgrade, and repair them". You can ask, what could possibly go wrong? See Alexander Tereshkin's and Rafal Wojtczuk's great research on this, or Vassilios Ververis thesis about AMT
As not many people click on links, let me quote the scary stuff about AMT:
  • Independent of the main CPU
  • Can access host memory via DMA (with restrictions)
  • Dedicated link to NIC, and its filtering capabilities
  • Can force host OS to reboot at any time (and boot the system from the emulated CDROM)
  • Active even in S3 sleep!

Other stuff

Create new user, update existing user, hidden admins

Sometimes one does not even have to add malicious code to the system, as valid user credentials are more than enough. Either existing users can be used for this purpose, or new ones can be created. E.g. a good trick is to use the Support account with a 500 RID - see here, Metasploit tool here.

Esoteric firmware malware

Almost any component in the computer runs with firmware, and by replacing the firmware with a malicious one, it is possible to start the malware. E.g. HDD firmware (see GrayFish again), graphic card, etc.

Hidden boot device

Malware can hide in one of the boot devices which are checked before the average OS is loaded, and after the malware is loaded, it can load the victim OS.

Network-level backdoor

Think about the following scenario: every time the OS boots, it loads additional data from the network. It can check for new software updates, configuration updates, etc. Whenever a vulnerable software/configuration update, the malware injects itself into the response, and get's executed. I know, this level of persistence is not foolproof, but still, possible. Think about the recently discovered GPO MiTM attack, the Evilgrade tool, or even the Xensploit tool when we are talking about VM migration.

Software vulnerability

Almost any kind of software vulnerability can be used as a persistent backdoor. Especially, if the vulnerability can be accessed remotely via the network, without any user interaction. Good old MS08-067...

Hardware malware, built into the chipset

I am not sure what to write here. Ask your local spy agency for further information. Good luck finding those!

More links

Tools I highly recommend:
For more information, check this blog post, part 1, part 2

Update 2017-04-29: A very nice list of Office persistence: https://labs.mwrinfosecurity.com/blog/add-in-opportunities-for-office-persistence/

Update 2017-10-23: Persistence via Security Descriptors and ACLs: https://www.youtube.com/watch?v=SeR4QJbaNRg

Update 2018-07-25: Backdooring LAPS https://rastamouse.me/2018/03/laps---part-1/
https://rastamouse.me/2018/03/laps---part-2/ 

I would like to thank to Gabor Pek from CrySyS Lab for reviewing and completing this post.

Related articles


Posted by at

No comments:

Post a Comment

Subscribe to: Post Comments (Atom)