Malware uses Windows product IDs to mix mutex

Malware writers are using Windows unique product numbers to generate mutex values to evade researchers, SANS security boffin Lenny Zeltser says.

Mutex values are used as an accurate reference to determine if multiple identical processes are running. Malware including the infamous BackOff credit card stealer has used mutex for the last few years, providing researchers with a means of determining system infection.

Now a new trojan called "TreasureHunter" has emerged and uses dynamic rather than static mutex values to prevent security bods using the numbers as indicators of compromise.

Zeltser says the use of Windows product IDs to generate the values is unique.

"Malware authors who wish to employ mutex objects need a predictable way of naming those objects, so that multiple instances of malicious code running on the infected host can refer to the same mutex," Zeltser says in a SANs diary post.

"A typical way to accomplish this has been to hardcode the name of the mutex. The author of TreasureHunter decided to use a more sophisticated approach of deriving the name of the mutex based on the system's Product ID.

"This helped the specimen evade detection in situations where incident responders or anti-malware tools attempted to use a static object name as the indicator of compromise."

Zeltser says TreasureHunter uses code to read registry locations including HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\DigitalProductId to find the Windows ID.

It reworked the ID into a format it uses to generate a mutex name using a deterministic algorithm which Zeltser says he had "neither the patience, nor reason to reverse-engineer".

The researcher points out that most malware does not use static hardcoded mutex values which limited its use as a marker for infection.

"Attempting to immunise systems [using mutex] is overly simplistic for most situations. Many malware samples don’t use infection markers at all or generate their values dynamically, instead of hardcoding them into the malicious program," he says.

Mutex could however be useful as an additional tier in malware detection, notably in assigning generated markers to programs before execution. Those markers could be checked against a database in the event that antivirus could not determine if a program is malicious. ®