Service Pack 1 Windows 7 Chomikuj


Vanina Mazzillo

Jul 14, 2024, 4:13:01 AM
to countgrasinit

I've never created a Windows service but have been reading everything I've found. All the articles or examples I've run across are very basic in implementation and limited in their scope. I haven't seen anything that goes beyond this or that addresses specific scenarios. So, I have all the theory I'm probably going to find, and now I'm ready to dive into this project. I like to lay out my ideas and get some feedback on what people think. I'll describe what I need from the application and how I intend to build it. I'd appreciate comments from anyone who has experience building Windows services and any advice they would care to share.




[SCENARIO] Right now I have an application (I'll call this UPDATEAPPLICATION) that provides updates to all our other applications. In order to run any of our applications you first have to run this UPDATEAPPLICATION program and pass it a parameter of the desired application. The UPDATEAPPLICATION calls a WebService that returns XML information as to whether the desired application has any updates.

If there is an update, the UPDATEAPPLICATION downloads the update in EXE or ZIP format, and replaces the appropriate files to update the targeted application. Afterwards the UPDATEAPPLICATION does a ShellExecute to start the desired application and then the UPDATEAPPLICATION closes.

[THE PROBLEM] With the move to Vista and Windows 7, the security has changed dramatically. Because of the nature of the UPDATEAPPLICATION, UAC won't allow the application to run without Admin access or UAC completely turned off. We are in the process of upgrading many of our applications to .NET and during this process I'd like the applications as well as the UPDATEAPPLICATION to be UAC compliant. From what I've researched the only way to do this is by creating the UPDATEAPPLICATION as a Windows Service. So, essentially, I need to duplicate the functionality of the UPDATEAPPLICATION into a Windows Service architecture.

[MY DESIGN] I'm using Delphi XE2. My design will consist of 3 parts to form a single solution: a Windows Service, a small tray application to interact with the Windows Service, and my redesigned applications that will send messages to the Windows Service.

[UPDATESERVICE] Will listen for messages. If it receives a message that a USERAPPLICATION has started, it will call the web service to see if there are updates. If there are, the user will be notified to close the application and allow the UPDATESERVICE to update the application. The UPDATESERVICE will download the appropriate files and update the application.

Now that I've explained the basics of what I'm trying to do, I can ask the specific questions I need answered. These all have to do with how I should build my Windows Service. I also plan on using OmniThread for my thread management.

These are all my questions. There probably isn't a right/wrong answer for this but simply a preference based on experience. If you've built services with Delphi you probably have some input that I would find useful. If you have a project that is more robust than a basic "start a service and sleep" and are willing to share it - even if it doesn't run or is just pseudo code - I'm sure this would be invaluable. Thanks for reading my long-winded question. If you can think of a better way to go about this please share your thoughts. I'll add that several of our applications can be downloaded and run by the general public, so I don't have complete control over the expected environments. Any advice/comments/help would be appreciated.

1&3) Yes. As a rule of thumb, do not implement the OnExecute service event. Spawn your own thread from the OnStart service event. The thread can be terminated when you receive the OnStop service event.

4) Normally each client connection will live on its own thread (i.e., the TCP server spawns a new thread for each client). Use a well-known stack like Indy or ICS. Concerning the HTTP update, you can do this in the spawned client connection thread.

There are at least 12 variants of PWOBot, and the malware has been observed in attacks dating back to late 2013. More recent attacks have been observed affecting organizations between mid-to-late 2015.


As we can see from the filenames used, a number of the PWOBot samples purport to be various software utility programs. In some instances, the Polish language is used for what appears to be a more targeted filename.

As originally mentioned, PWOBot is written completely in Python. The attackers leverage PyInstaller to convert this Python code into a Microsoft Windows executable. However, as Python is being used, it can easily be ported to other operating systems, such as Linux or OSX.

After installation completes, PWOBot will hook various keyboard and mouse events, which will be used for subsequent keylogging activities. PWOBot is written in a modular fashion, allowing the attacker to include various modules during runtime. Based on the number of samples currently identified, the following services and their accompanying descriptions have been observed being included with PWOBot:

PWOBot also is equipped with two configuration files, one of which specifies various settings the malware should use, while another specifies what remote servers PWOBot should connect to during execution.

Enumerations are configured to represent the various numbers encountered in the previous example. Once replaced with their respective enumeration, we see a more complete picture of what data is being sent.

After notifications are sent, the attacker may opt to provide a command instructing PWOBot to perform one of the previously defined services. Results from said actions are then uploaded to the attacker using the same format.

In total, 12 variants of PWOBot appear to exist, based on the latest versions identified by Palo Alto Networks Unit 42. Of the 12 versions, we have witnessed versions five, six, seven, nine, 10, and 12 in the wild. The most significant modification in variants occurs in version 12, where the attackers switched from mining Bitcoin to mining Ethereum.

PWOBot is interesting as a malware family because it is written entirely in Python. While it has historically been seen affecting Microsoft Windows platforms, since the underlying code is cross-platform, it can easily be ported over to the Linux and OSX operating systems. That fact, coupled with a modular design, makes PWOBot a potentially significant threat.
