lolloj - Fotolia

WMI tools make the perfect crime 'malware-free'

Security researchers claim that attackers are abusing a longstanding administrative tool in the Windows operating system. With no telltale signs of malware, how can you stop it?

If you were a hacker and you wanted to take control of systems within a target organization, you might deploy traditional malware. But malicious code can be detected and, as it turns out, you might not need that messy, tell-tale technique after all. Malware-free attacks are on the rise.

Dell’s SecureWorks Counter Threat Unit research team issued a warning about these malware-free attacks in September, saying that organizations should “be on alert for threat actors trying to breach their computer systems, using little or no malware in their attacks.” The Counter Threat Unit dubs this “living off the land.” In what’s actually an astonishing claim if you think about it, the advisory states:

In nearly all of the intrusions in the past year responded to by the Dell SecureWorks’ Incident Response Team, cyber criminals utilized the target’s own system credentials and legitimate software administration tools to move freely throughout the company’s networks infecting and collecting valuable data.

stolen credentials are nothing new, but the use of software administration tools to carry out the dirty work is a technique that’s gone largely unnoticed (and relatively unused) until recently. When Stuxnet was making headlines back in 2010, a few researchers charged with teasing out how the complex, multi-component attack worked, made note of its use of a Microsoft Windows function called Windows Management Instrumentation (WMI). Whether security teams today have misuse of WMI tools on their radar or not, the “malware-free” approach is gaining steam.

WMI’s appeal to hackers is exactly the same thing that makes these tools useful to system administrators. “It allows you to remotely manage and basically do anything you want on a Windows machine,” says Amit Serper, senior security researcher at Cybereason, a Tel Aviv startup now headquartered in Boston that offers an endpoint and response platform.

When Remote Control Goes Rogue

What makes WMI tools so beneficial to attackers? The instrumentation collects data on Windows operating systems, and WMI scripting can be used to automate administrative tasks. WMI also stores its commands and settings in a consolidated repository, so there are no individual files to check for malicious content. “You can talk to all the machines on a network and tell all those machines ‘OK, load and execute that file’ or ‘OK, once a new file is written to this certain directory execute a command, execute a program, delete the file,’ ” says Serber. “Any action can trigger any other action.”

Not only is it possible to create the equivalent of a virus and a remote access toolkit with WMI tools, but all this can be done without adding any files or Windows Registry entries.

Not only is it possible to create the equivalent of a virus and a remote access toolkit with WMI tools, but all this can be done without adding any files or Windows Registry entries. A proof of concept of a WMI attack and persistence was shown by Matt Graeber, a reverse engineer at FireEye and Microsoft MVP for the Windows PowerShell scripting language, at the Black Hat USA 2015 conference in August. As Graeber noted in the paper that accompanied his talk, WMI tools offer an attacker great options like lists of installed antivirus software, sandbox and virtual machine detection, and covert data storage.

Malware-free Means Hard to Catch

So here’s a default service that’s pre-installed or available for download on all Windows systems back to Windows 98. It doesn’t need new files to be written to disk or cause suspicious processes to run on a compromised system, and it isn’t widely seen as a threat.

Mitigation isn’t as easy as disabling WMI, according to Serber, who says you can get strange, unpredictable system behavior if you turn these tools off. “The problem with it is that a lot of things are dependent on it—like when you’re installing Windows updates, they’re heavily using WMI to do their thing, so if you disable it, you’ll probably break Windows update.”

It’s also hard to detect malicious WMI use as it’s occurring,  he says. “The fact that it’s built so deep in the OS makes it very stealthy and hard to detect in real time.”

Cybereason claims it can do it, but they don’t talk about how. Lockheed Martin and SoftBank are among the investors—and technology partners—in the cybersecurity firm, which to date has raised $88.6 million for its early threat detection.

If you want to explore what’s going on within a specific system’s WMI repository, there are at least two tools you should be aware of. First, there’s a still-functional, but no longer maintained, Microsoft utility called CIM Studio. There’s also a commercial tool, Sapien’s WMI Explorer.

Even if you’ve got WMI figured out and are confident you’ve got attacks (which could be malware-free) successfully blocked, it’s important to note that WMI is not the only default tooling that could let a hacker roost on your systems while “living off the land.” For the time being, attackers may find a rich bounty of software tools—that doesn’t necessarily involve malicious code—laid out before them.

Robert Richardson is the editorial director of TechTarget’s Security Media Group. Follow him on Twitter @cryptorobert.

Next Steps

Find out how to detect malware that leaves no file on disk

Do Windows 8.1 users need third-party anti-malware tools?

Advanced malware detection is getting harder 

Dig Deeper on Threats and vulnerabilities

Enterprise Desktop
Cloud Computing