
IFEO (Image File Execution Options) hijacking

Module O50 deals with Image File Execution Options (IFEO). It lists every subkey found under the IFEO registry key.

The registry key “HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options” is a legitimate debugging facility (gflags.exe writes its per-image settings there), but it is often abused by malware. The reason is simple: it makes it possible to redirect the launch of any named executable to a program of the attacker's choice.

In practice, a new subkey is created with the name of a process, usually a legitimate one: a component of a well-known antivirus such as “GUARD.exe”, or a Windows process such as “regedit.exe” or “svchost.exe”. Under that subkey a string value named “Debugger” is created, and its data is the full path of the malware, for example “c:\windows\System32\regeedit.exe”.

That is:
[HKLM\…\IFEO\regedit.exe]
Debugger=”c:\windows\System32\regeedit.exe”

– So whenever the Registry Editor “regedit.exe” is launched, Windows starts the registered “debugger” instead, i.e. the malware process “regeedit.exe”, and hands it the original command line as arguments. The malware can then start the real regedit itself, so the substitution is completely transparent to the infected user.

– Alongside the “Debugger” value, other values can cause trouble. This is the case in particular for “BreakOnDllLoad”, set to '1' in a per-DLL subkey (IFEO\image.exe\library.dll), which triggers a debug break as soon as that library is loaded. More recently, the DoubleAgent technique sets “GlobalFlag” to 0x100 (FLG_APPLICATION_VERIFIER) and puts a DLL name such as “DoubleAgentDll.dll” in the “VerifierDlls” value: the loader then loads that DLL into the target process before the program's own code runs, which is how it was used to take over antivirus processes and bypass them (the ZHPDiag and ZHPCleaner reports below show exactly such a VerifierDlls entry).

– Of course, files with .exe or .dll extensions are not the only possible targets of such tricks.

– Some people recommend using the IFEO key for lockdown purposes, as “Strip My Rights” does. I am not much in favor of this, because unless you are an expert, in the long run you can no longer tell whether you made such a modification yourself or whether you are infected.

– Since by default under XP/Vista there is nothing under the IFEO key (except DllNXOptions, IEInstall.exe and MovieMaker.exe), it is safer to delete everything else found there. One exception is Windows Server, which uses the IFEO key to manage legitimate processes such as STORE.EXE, MAD.EXE, INETINFO.EXE or EMSMTA.EXE (Exchange and IIS components); in that case the data of the “PageHeapFlags” value must be examined carefully before touching anything. Newer Windows versions also ship with legitimate entries, such as the MitigationOptions and CFGOptions values visible in the ZHPDiag report below, so on those systems it is the Debugger, GlobalFlag and VerifierDlls values that deserve suspicion, not the mere presence of a subkey. On 64-bit Windows, check the Wow6432Node copy of the key as well, as the ZHPCleaner report below does.
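As an added example (this is not ZHPDiag or ZHPCleaner code), the Python script below performs the checks described above on a `reg export` of the IFEO key: it parses the .reg text and flags a Debugger redirect, a VerifierDlls entry (reporting whether GlobalFlag has the 0x100 Application Verifier bit that actually arms it) and a BreakOnDllLoad per-DLL subkey, while leaving benign values such as MitigationOptions alone. The embedded .reg text is constructed for the example; it mirrors the regeedit.exe and DoubleAgentDll.dll cases from this page plus a Wow6432Node entry like the one in the ZHPCleaner report below. The script assumes the input is a .reg file in the format `reg export` writes (UTF-16 with a BOM), and the constant FLG_APPLICATION_VERIFIER is the documented GlobalFlag bit value.

```python
r"""Triage a `reg export` of the IFEO key for Debugger / Application Verifier hijacks.
Added example, not ZHPDiag/ZHPCleaner code. Input: text of a .reg file written by
  reg export "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options" ifeo.reg
(reg export writes UTF-16 with a BOM, so the file is opened with encoding="utf-16")."""
import re
import sys
from dataclasses import dataclass

FLG_APPLICATION_VERIFIER = 0x100  # GlobalFlag bit that makes the loader honour VerifierDlls
IFEO_TAIL = r"\Microsoft\Windows NT\CurrentVersion\Image File Execution Options"

# Constructed sample, not captured from a real machine: the page's cases plus a benign MitigationOptions.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mshta.exe]
"MitigationOptions"=hex(b):00,01,00,00,00,00,00,00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe]
"Debugger"="c:\\windows\\System32\\regeedit.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\GUARD.exe]
"GlobalFlag"=dword:00000100
"VerifierDlls"="DoubleAgentDll.dll"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\svchost.exe\ntdll.dll]
"BreakOnDllLoad"=dword:00000001
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\NS.exe]
"VerifierDlls"="DoubleAgentDll.dll"
"""

def _unescape(s: str) -> str:
    """.reg strings escape backslash and double quote with a backslash."""
    return re.sub(r'\\(["\\])', r'\1', s)

def _decode(data: str) -> object:
    """Decode the right-hand side of a .reg value line."""
    if data.startswith('"') and data.endswith('"'):
        return _unescape(data[1:-1])                  # REG_SZ
    if data.startswith("dword:"):
        return int(data[6:], 16)                      # REG_DWORD
    m = re.match(r"^hex(?:\((\w+)\))?:(.*)$", data)
    if not m:
        return data
    raw = bytes(int(b, 16) for b in m.group(2).split(",") if b)
    if m.group(1) in ("2", "7"):                      # REG_EXPAND_SZ / REG_MULTI_SZ are UTF-16LE
        return raw.decode("utf-16-le").rstrip("\0")
    return raw                                        # REG_BINARY, REG_QWORD, ...

def parse_reg_export(text: str) -> dict[str, dict[str, object]]:
    """Return {key_path: {value_name: data}}; hex continuation lines (ending in a backslash) are joined."""
    keys: dict[str, dict[str, object]] = {}
    current, pending = None, ""
    for raw in text.splitlines():
        line, pending = pending + raw.strip(), ""
        if line.endswith("\\"):
            pending = line[:-1]
            continue
        if line.startswith("[") and line.endswith("]"):
            current = None if line.startswith("[-") else line[1:-1]   # "[-key]" is a deletion
            if current is not None:
                keys.setdefault(current, {})
            continue
        m = re.match(r'^(?:"((?:[^"\\]|\\.)*)"|@)=(.*)$', line)
        if current is None or not m:
            continue                                  # header, blank or comment line
        name = _unescape(m.group(1)) if m.group(1) is not None else ""
        keys[current][name] = _decode(m.group(2))
    return keys

@dataclass
class Finding:
    image: str    # executable the subkey intercepts
    view: str     # "native" or "Wow6432Node"
    kind: str     # Debugger | VerifierDlls | BreakOnDllLoad
    detail: str

def audit_ifeo(keys: dict[str, dict[str, object]]) -> list[Finding]:
    """Flag the IFEO values attackers use; MitigationOptions, CFGOptions etc. are left alone."""
    findings: list[Finding] = []
    tail = IFEO_TAIL.lower() + "\\"
    for path, values in keys.items():
        idx = path.lower().find(tail)
        if idx < 0:
            continue
        view = "Wow6432Node" if "\\wow6432node\\" in path.lower() else "native"
        image, _, dll = path[idx + len(tail):].partition("\\")
        vals = {k.lower(): v for k, v in values.items()}
        if dll:                                       # per-DLL subkey IFEO\image.exe\some.dll
            if vals.get("breakondllload") == 1:
                findings.append(Finding(image, view, "BreakOnDllLoad", f"{image} breaks when {dll} loads"))
            continue
        if "debugger" in vals:
            findings.append(Finding(image, view, "Debugger", f"every launch of {image} starts {vals['debugger']} instead"))
        if "verifierdlls" in vals:
            flag = vals.get("globalflag", 0)
            armed = isinstance(flag, int) and bool(flag & FLG_APPLICATION_VERIFIER)
            state = "GlobalFlag 0x100 set, DLL loads at process start" if armed else "GlobalFlag 0x100 not set, DLL staged only"
            findings.append(Finding(image, view, "VerifierDlls", f"{vals['verifierdlls']} ({state})"))
    return findings

if __name__ == "__main__":
    text = open(sys.argv[1], encoding="utf-16").read() if len(sys.argv) > 1 else SAMPLE_REG
    for f in audit_ifeo(parse_reg_export(text)):
        print(f"[{f.view}] {f.image}: {f.kind} -> {f.detail}")
```

Run without arguments to audit the embedded sample, or pass the path of an `ifeo.reg` export (export the Wow6432Node key too and concatenate the two files to cover both views). A VerifierDlls entry without the GlobalFlag bit is still reported, because that is exactly what the ZHPCleaner report below found on NS.exe: the DLL name is staged even if the loader is not yet honouring it.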

ZHPDiag overview

—\\ Image File Execution Options (4) – 1s
O50 – IFEO:C:\WINDOWS\System32\MRT.exe – (.Microsoft Corporation – Malware Removal Tool.) [1\\CFGOptions]
O50 – IFEO:C:\WINDOWS\System32\NS.exe – (…) [DoubleAgentDll.dll\\VerifierDlls] {}
O50 – IFEO:C:\Windows\System32\msfeedssync.exe – (.Microsoft Corporation – Microsoft Feeds Synchronization.) [256\\MitigationOptions]
O50 – IFEO:C:\Windows\System32\mshta.exe – (.Microsoft Corporation – Host of Microsoft(R) HTML applications.) [256\\MitigationOptions]

ZHPCleaner overview

—\\ Registry Base (Keys, Values, Data). (2)
FOUND data: [X64] HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\NS.exe\\VerifierDlls [Bad: DoubleAgentDll.dll]
DELETED data: [X64] HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\NS.exe\\VerifierDlls [Bad: DoubleAgentDll.dll]
