Malware takes advantage of Windows' God Mode hack to slip past security

Hand of God

The so-called God Mode hack for Windows is rather less grand than it might first sound. Rather than granting users deity-like abilities, it simply provides one-folder access to an absolute butt-load of Control Panel options and settings. But security researchers have discovered that the technique used to create this special folder can also be exploited by malware.

McAfee says that while the Easter Egg is great for power users, it is also being used by attackers for "evil ends". By placing files within the God Mode shortcut folder, malware such as Dynamer is able to run undetected on a victim's computer.

McAfee researchers explain: "It allows users to create a specially named folder that acts as a shortcut to Windows settings and special folders, such as control panels, My Computer, or the printers folder. This 'God Mode' can come in handy for admins, but attackers are now using this undocumented feature for evil ends. Files placed within one of these master control panel shortcuts are not easily accessible via Windows Explorer because the folders do not open like other folders, but rather redirect the user".

In the case of Dynamer, the malware adds a value under the Run registry key so that it starts automatically with Windows and survives reboots:

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

lsm = C:\Users\admin\AppData\Roaming\com4.{241D7C96-F8BF-4F85-B01F-E2B043341A4B}\lsm.exe

This command not only allows the malware to run, but also opens the RemoteApp and Desktop Connections control panel entry as cover. In using the name 'com4' the malware writers have made life for victims a little trickier. As this is detected as a Windows command, deletion of the file is blocked.

McAfee advises using the following technique to kill the problem:

  1. First, the malware must be terminated (via Task Manager or other standard tools).
  2. Next, run this specially crafted command from the command prompt (cmd.exe):

rd "\\.\%appdata%\com4.{241D7C96-F8BF-4F85-B01F-E2B043341A4B}" /S /Q
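A defender-side check for this persistence pattern, added here as an example and not code from McAfee or BetaNews: it scans Run values for a command launched from a folder named reserved-device-name plus a CLSID suffix (the com4.{...} trick above) and prints the article's rd command for each hit. The sample Run entries are constructed; the live registry read only works on Windows and returns nothing elsewhere.

```python
import re

# Reserved DOS device names (CON, PRN, AUX, NUL, COM1-9, LPT1-9): Win32 path handling
# treats them specially, which is why the article's com4.{...} folder resists deletion.
DEVICE = r"(?:CON|PRN|AUX|NUL|COM[1-9]|LPT[1-9])"
CLSID = r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}"
PATTERN = re.compile(
    r'(?P<parent>[A-Za-z]:\\(?:[^\\"]+\\)*)(?P<folder>' + DEVICE + r"\." + CLSID + r")\\",
    re.IGNORECASE)

# Constructed sample of HKCU\...\Run values; "lsm" mirrors the entry quoted in the article.
SAMPLE_RUN = {
    "OneDrive": r'"C:\Users\admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background',
    "lsm": r"C:\Users\admin\AppData\Roaming\com4.{241D7C96-F8BF-4F85-B01F-E2B043341A4B}\lsm.exe",
}

def scan_run_entries(entries):
    """One finding per Run value whose command lives inside a device-named God Mode folder."""
    findings = []
    for name, command in entries.items():
        m = PATTERN.search(command)
        if m:
            findings.append({"value": name, "folder": m.group("folder"),
                             "path": m.group("parent") + m.group("folder")})
    return findings

def removal_command(folder_path):
    r"""Build the article's rd command; the \\.\ device prefix bypasses the reserved-name check."""
    return f'rd "\\\\.\\{folder_path}" /S /Q'

def read_hkcu_run():
    """Read the live HKCU Run key on Windows; return {} elsewhere so the script runs offline."""
    try:
        import winreg
    except ImportError:
        return {}
    entries, i = {}, 0
    with winreg.OpenKey(winreg.HKEY_CURRENT_USER, r"SOFTWARE\Microsoft\Windows\CurrentVersion\Run") as key:
        while True:
            try:
                name, data, _ = winreg.EnumValue(key, i)
            except OSError:  # EnumValue raises once the values are exhausted
                return entries
            entries[name] = str(data)
            i += 1

if __name__ == "__main__":
    for f in scan_run_entries({**SAMPLE_RUN, **read_hkcu_run()}):
        print(f"Run value {f['value']!r} launches from {f['folder']}: {removal_command(f['path'])}")
```

The script only reports and prints the cleanup command; terminating the process and running the command remain manual steps, as in the procedure above.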
