what does malware do with explorer.exe?

[shmu26]

I recently saw a number of malware samples that try to run explorer.exe.
But I don't remember seeing a clean program that runs explorer.exe during installation.
what does that malware want to do with this process, and if I see this process when installing an app, should I consider it a sign of malware?

 

[_CyberGhosT_]

I know enough to know is a shell type exe, user shell to be exact.
its associated with ,your desktop, toolbar and most of your user interface type programs.
So it would be a popular target, as far as what Malware targets I am sure this varies widely.
Maybe @hjlbx or @Wave could enlighten us better than I.

 

[LabZero]

Many malware have a modular structure and many of the modules are downloaded via the internet only after infection by the core components.
The initial module is executed on the PC, it activates a dropper that will inject the core components of the malware at various points as, for example, the process explorer.exe that handles the taskbar, the file manager, etc.
Or the main malware injects code in the process but in both cases they get access to these resources.

 

[shmu26]

Many malware have a modular structure and many of the modules are downloaded via the internet only after infection by the core components.
The initial module is executed on the PC, it activates a dropper that will inject the core components of the malware at various points as, for example, the process explorer.exe that handles the taskbar, the file manager, etc.
Or the main malware injects code in the process but in both cases they get access to these resources.

so if I see this process during installation, is it a sign of malware, or not necessarily?

 

[_CyberGhosT_]

Depends on where you see it running from, the legit explorer.exe is located in C:\ windows
anywhere else and yes theres a good change of a malicious explorer.exe

 

[SHvFl]

Depends on where you see it running from, the legit explorer.exe is located in C:\ windows
anywhere else and yes theres a good change of a malicious explorer.exe

Malware actually hijack the real explorer so it will be from the normal location.

so if I see this process during installation, is it a sign of malware, or not necessarily?

Usually a program shouldn't want to run explorer.exe on install. If you see one that does it and not sure if it's a legit program block it and investigate.

 

[_CyberGhosT_]

Malware actually hijack the real explorer so it will be from the normal location.


Usually a program shouldn't want to run explorer.exe on install. If you see one that does it and not sure if it's a legit program block it and investigate.

You can verify this but many malware often impersonate explorer.exe and run from system32 / win32
And C:\ explorer

 

[SHvFl]

You can verify this but many malware often impersonate explorer.exe and run from system32

Probably. Don't see the point in doing that but they might do it to confuse users. Lot's of malware out there i am sure there is one at least for each scenario we can think of. Those malware coders are busy coding stuff. That's what happens when dollar value in some countries is very high.

 

[hjlbx]

I know enough to know is a shell type exe, user shell to be exact.
its associated with ,your desktop, toolbar and most of your user interface type programs.
So it would be a popular target, as far as what Malware targets I am sure this varies widely.
Maybe @hjlbx or @Wave could enlighten us better than I.

Windows explorer.exe is given trusted status by every security soft that I have used.

Hollow explorer.exe and the process has now gained full file system, registry and network access combined with obfuscation. It has a lot of access rights - which is bad news once a malicious process has "assumed its place on the system."

Some basics: http://blog.checkpoint.com/2016/04/...malware-use-microsoft-windows-known-binaries/

"Below we can see the injected explorer.exe executing some suspicious operations, such as reading registry keys related to encryption, changing to internet proxy settings in the registry and installing itself as a service so it would be launched on the next boot."

* * * * *

Malware in User Space can copy system files from System Space and then paste those system files to User Space - e.g. C:\Users\* - and then execute the "transplanted" system file in User Space; it is another obfuscation technique.

* * * * *

The issue with Windows explorer is that you have to know malware behaviors, but even when knowing them in-detail you can be fooled by a previously unknown sample.

If you practice with a good HIPS using malware you will learn -- but the best policy is not to allow any unknown\untrusted process to execute on a system in the first place. Following such a policy is not difficult...

 

[_CyberGhosT_]

Thank You hjlbx

 

[jamescv7]

Two possible scenarios:

A) The malware author created a same name only but different location in order to trick users that it is a legitimate process, however malicious codes already executing.

B) Some threats uses those legitimate process in order to hide on detection thus makes AV protection bypass.
Honestly it's alarming because your system will definitely infected for such circumstances of influencing some functions.

 

[shmu26]

I just installed "f.lux". It makes your monitor change incandescence level between day and night.
During installation, it accessed explorer.exe in memory, as reported by Comodo HIPS.
Sounds just like an attempt at memory hollowing.
But I downloaded the installer a month ago, it has digital sig, and a 0 detection rate on VT. So it must be clean.

Just proves you can't know from the HIPS what is really going on.

 

[LabZero]

I just installed "f.lux". It makes your monitor change incandescence level between day and night.
During installation, it accessed explorer.exe in memory, as reported by Comodo HIPS.
Sounds just like an attempt at memory hollowing.
But I downloaded the installer a month ago, it has digital sig, and a 0 detection rate on VT. So it must be clean.

Just proves you can't know from the HIPS what is really going on.

I don't know this app but, as you said, it is running under explorer.exe, but not in suspended mode such as malware (no malicious hollow).

 

[shmu26]

it is running under explorer.exe, but not in suspended mode such as malware (no malicious hollow).

could you explain that point?
what prompt would I see if it was in suspended mode?
the prompt I saw said that flux.exe is accessing explorer.exe in memory.

 

[hjlbx]

could you explain that point?
what prompt would I see if it was in suspended mode?
the prompt I saw said that flux.exe is accessing explorer.exe in memory.

If possible, please post an image of the COMODO HIPS alert; use WIN + R snippingtool.

It is almost certain that COMODO HIPS does not use language within the HIPS alert itself that identifies code injection, hollow process, etc - unless they have changed it within the past 8 months. Perhaps @yigido might know if there have been any changes in this regard.

 

[shmu26]

If possible, please post an image of the COMODO HIPS alert; use WIN + R snippingtool.

It is almost certain that COMODO HIPS does not use language within the HIPS alert itself that identifies code injection, hollow process, etc - unless they have changed it within the past 8 months. Perhaps @yigido might know if there have been any changes in this regard.

 

[Wave]

@_CyberGhosT_ Sorry! I missed the tag in your post (or maybe I forgot about it?)... I just saw it as I viewed your post on this thread so now I will do my best to shine some enlightenment if I can.

I recently saw a number of malware samples that try to run explorer.exe.

what does that malware want to do with this process

There are many different types of malicious software and depending on the goal behind the malware (e.g. the threat type - it's main purpose) will depend on what it will try to use a Windows process (many Windows processes are targeted, explorer.exe is just one of the common ones... Amongst others, such as: SvcHost.exe, winlogon.exe, csrss.exe, even smss.exe (which is trickier for an attacker to target since its an Native Windows application and thus cannot execute any Win32 APIs)) for.

Explorer.exe itself is a shell program which is responsible for presenting Graphical User Interface related things (such as the icons on your desktop, GUI access to the file-system via the Explorer, the task-bar being shown and whilst making it intractable, even the Start Menu). All in all, think of Explorer.exe as the heart of the Windows GUI components.

Two examples of what malware may use Explorer.exe for:
- Performing modifications to the actual shell GUI (e.g. adding extra button controls to the menu in the Explorer window).
- Staying hidden and concealing evidence of malicious software on the system by executing the main payload from within Explorer.exe itself (and to help prevent the activity tracing back to the real malicious process, thus helping the malware hidden on the system).

Explorer.exe usage can be genuine (even if it involves injection) sometimes since a safe program may just be trying to add some additional functionality to the Windows Explorer GUI itself (and thus a working solution to do this would be to inject a DLL and then have this DLL execute Win32 APIs to create additional controls onto these windows, etc). However, this can be used with malicious intent also, such as adding unwanted things to the Explorer GUI, or the Task bar/Start Menu.

I will continue by talking about Ransomware:
As we already know, Ransomware has a main purpose of encrypting the files on your system and then demanding a ransom for the decryption key. However, the last thing the malware author wants is for the user to open up Task Manager (or any other process monitoring tool) during the encryption process, notice the suspicious malicious process and then terminate it (followed up by cleaning of the actual malicious files itself to prevent further execution).

The solution to this problem which malware authors may be worried of (or in this case, ransomware developers) would be to inject code into a Windows process and have this injected code carry out the encryption process - one of the last things an inexperienced user would be able to do would be identifying a compromised Windows process, and therefore the malware author will probably become successful with compromising the system with encrypted documents, which then increases his/her chances of getting paid the ransom and making some money... Of course if an experienced user was under the impression that he had become infected and a Windows process may have become compromised, they would deal with the situation if it wasn't already too late and they had the skill to do so.

DLL injection is a common method used against Windows processes however as mentioned by @hjlbx, Process Hollowing (also known as Dynamic Forking) can also occur. It's essentially the practise of forcing an application to become executed within the address space of another process, therefore you have one progress with multiple programs running within it... It's a stealth technique used by some malicious software and it's more complicated than simple DLL injection attacks. However in terms of Ransomware injection attacks, I would imagine it'd go for the standard code injection attempts which is neither DLL injection or Process Hollowing/Dynamic Forking, but just the practise of code injection into another program without worrying about any additional dependencies (no need to drop anything to disk, etc).

Without that being said, any malware can inject into a Windows process should it be given the correct privileges to do so, for whatever purpose it has. One of the most common purposes would be to intercept function calls and redirect execution flow to control what a specific program can do (e.g. a user-mode rootkit may do this to hide detection of specific processes, registry keys, files (and also protect them from attacks)) and hiding code execution by separating it from processes directly linked and associated to the malware itself (to prevent failure should the main processes be discovered and then terminated from memory).

In fact, some malware won't even bother attacking Explorer.exe (or hijacking it statically via PE infection attacks) but will just try to make a program appear as Explorer.exe (and this happens to many other Windows processes also, another common two processes where these tactics are used would be SvcHost.exe or Winlogon.exe) by setting it's process name to "explorer.exe", re-setting the icon to the same one which the genuine copy of Explorer.exe has and making it lightweight in size (also can be done via packing techniques). However, the real and genuine location of Explorer.exe is in "C:\\Windows" ("C:" being the current active System Drive - where Windows is installed onto) and it is possible for it to be replaced with rogue copies (although a lot of the time you will just find the process attacked as opposed to the static Portable Executable).

I should also note that many installers will terminate Explorer.exe from memory and then re-execute it, and therefore if you see this occur then it does not automatically mean that the program being installed is doing something with malicious intent. *Edit: However if you do see other processes claiming to be explorer.exe when they are obviously not (e.g. check the file path) then this is an obvious flag of suspicious activity which will most likely lead down to malicious intent...

Hopefully this post had sufficient information to teach something to anyone (or help anyone reading this in one way or another) and gave an overall useful summary about Explorer.exe and malware uses.

Stay Safe,
Wave.

 

[shmu26]

very enlightening, thanks @Wave

 

[askmark]

Hopefully this post had sufficient information to teach something to anyone (or help anyone reading this in one way or another) and gave an overall useful summary about Explorer.exe and malware uses.

Stay Safe,
Wave.

Thanks @Wave for the education. As awesomely detailed an explanation as always

 

[_CyberGhosT_]

Very good, Thank you @Wave
Better late than never