PROPagate Code Injection Seen in the Wild

Last year, researchers wrote about a new Windows code injection technique called PROPagate. Last week, it was first seen in malware:

This technique abuses the SetWindowsSubclass function -- a process used to install or update subclass windows running on the system -- and can be used to modify the properties of windows running in the same session. This can be used to inject code and drop files while also hiding the fact it has happened, making it a useful, stealthy attack.

It's likely that the attackers have observed publically available posts on PROPagate in order to recreate the technique for their own malicious ends.

Posted on July 9, 2018 at 6:13 AM • 14 Comments

Comments

The fix is in • July 9, 2018 7:16 AM

Welp, that's it. Windows is hosed even more completely. I guess they'll give it up now.

albert • July 9, 2018 9:59 AM

MS is waiting for the day when 'all' Windows processing is done in the MS cloud, using bespoke thin clients on the users' computers. Then they'll stop selling the OS.
. .. . .. --- ....

me • July 9, 2018 10:11 AM

I think I'll dig deeper on how it works.
I know there also exists "SetWindowLong" code injection against explorer, which is uncommon.

echo • July 9, 2018 11:07 AM

From my hazy recollection of Win32 window classes they are security Swiss cheese. I have never perceived any interest by Microsoft in polishing the Win32 API to get rid of some of the illogical design decisions or security issues buried within. .NET is yet another walled garden I have zero interest in.

@albert

I do not see why an OS cannot be agnostic about being locally or remotely hosted. This would give a lot of flexibility to users but of course instead of pursuing this Microsoft is monetizing the underlying concepts to hold its domestic and foreign user base hostage.

If Veracrypt stopped being so dogmatic about using TPM this would remove one more barrier to my shifting to Linux by default. I don't care one little bit about "evil maid" attacks just securing "data at rest".

albert • July 9, 2018 1:22 PM

@echo,

MS plan is s/w rental. You pay for the 'cloud' and the s/w 'cost' is 'factored in'. A simple client UI handles the cloud IF. Technically, I suppose you could run any OS, but knowing MS, they'd insist on a Win OS. You wouldn't really need Office either.


I gave up on Windows many years ago. Libre Office works fine for i/f with Windows users, and Wine runs my old programs. I don't have to deal with it at work, 'cause I'm retired.

Last job I had, the boss hated Windows. When Vista came out, some of our customers were using Home versions, which our software wouldn't work with. He sent out a memo saying we don't support Vista. My development was done on XP with Visual Basic. Lightning fast development, and custom error handling. I wish Linux had something like that:) Our UI software ran on XP as well. Those industrial applications were shut down by pulling the panel disconnect. Never had a crash. Ever. They always restarted. Of course, we used SOTA hardened PCs with touch screens.

Security was not an issue, way back then. The plant LANs were -supposed- to be independent of the Internet.

How times have changed...
. .. . .. --- ....

echo • July 9, 2018 2:31 PM

@albert

RAD Studio now comes with Delphi for Linux. How much? How times have changed indeed! I miss Borland.

Russtopia • July 9, 2018 3:30 PM

@albert, @echo

There's also FreePascal (fpc) and Lazarus on Linux, if you liked the Borland-style IDE.

Clive Robinson • July 9, 2018 5:21 PM

@ Bruce,

From the quote you give,

It's likely that the attackers have observed publically available posts on PROPagate in order to recreate the technique for their own malicious ends.

This goes to the heart of "responsible disclosure" which is historically a very thorny issue.

As older readers of this blog will remember one tactic used by corporates was to set lawyers onto those who reported potential attack vectors.

Some will remember the last "big name" company senior to espouse this "let loose the dogs of war" attitude publicly worked for Oracle. She posted it on her blog and it was just hours before the word went out at large on the Internet, and I assume suitable counter-pressure from within Oracle's senior ranks made her remove it fairly promptly.

The industry looked like it had moved on, but the question is "Has it?" To which the answer would appear to be no. Those involved in "embedded software" in consumer devices from games consoles (Sony) to automobile manufacturers (VW) and even tractor manufacturers (John Deere) and the likes of "walled garden" consumer device suppliers like Apple and Google appear to take a quite restricted view on "system ownership", with the likes of Sony installing malware on PCs from audio CDs and bricking games consoles to force removal of functionality they decided on long, long after hundreds of thousands had been sold. One particularly bad entity is Amazon, with a trail of orphaned and non-functional hardware just months after they put it on sale.

With "embedded" now becoming standard in all household electronics including clothes / steam irons, responsible disclosure in its various forms is becoming a hot button item yet again. Because with IoT and similar device manufacturers just appearing and disappearing almost overnight, it leaves the question of just who the copyright holder is and whether they actually supply support any longer. Thus the question of who to disclose to, responsibly or otherwise, is effectively "unknown", raising quite a few legal questions and potential minefields.

echo • July 9, 2018 6:11 PM

@Clive

A little known item of UK copyright law is it is possible to ask permission of the Minister (I forget which one) to grant permission for bypassing DRM. I'm not sure how wide the waiver is but this may be an avenue to explore.

@Russtopia

My coding days are behind me but, WOW, cool.

Baalmer, lord of chairs • July 9, 2018 7:13 PM

A siren wails outside. It's Monday. He'll have to wait another 10 or 20 minutes until he can work again.
Best case. Active hours must be some sort of sick joke. The chair springs groan as he hunches over.

Just what was this random out-of-bounds update on a Monday? Who authorized this, he wondered.

Tomorrow, a whole new cycle of redundant telemetry updates, churn. Tuesday. The second one.

Melting cubes in the tumbler shift, clinking twice softly in the amber crystal glass.
Instinctively driven to drink he obliges, eyeing the level on its way back to the desk.

His third since the involuntary updates began, he realized matter-of-factly. Fsck.

The mad clicking of the hard drives implies work being done. Work. Ironic. How long had it been?

Having rubbed his eyes for several dozen seconds, he slowly glances up. No change on the progress bar.

14% downloaded. Jesus. Windows 10 was killing him.

A cloud hovering outside moves imperceptibly onward with the prevailing wind, an unexplored metaphor.

Sancho_P • July 10, 2018 2:42 AM

@Bruce,
I'm having troubles with your:

„It's likely that the attackers have observed publically available posts on PROPagate in order to recreate the technique for their own malicious ends.“

Shouldn't it read:
It's likely that Nazzional Security have observed publically available posts on PROPagate but didn’t react in order to recreate the technique for their own malicious ends?

As ESL, in this context I tend to grasp „recreate“ as being part of recreational ...

Weather • July 10, 2018 2:46 AM

The thing just relies on a 4-byte / 4-bit number. You can use normal functions to modify data in a normal process, but in the TEB / SEH or some kernel32 data part there aren't too many injection points that the program does not crash at; try the stack, you will need to go down the stack to program start-up or exit, and then that might not get called. Knowing the entry point is still not a signature.

russlings • July 10, 2018 7:15 AM

@Baalmer, lord of chairs,
I'm assuming that Netflix have already optioned this novella for adaptation?
