UAC Bypass Method: Application Compatibility a/k/a Dridex Method

Source: http://blog.jpcert.or.jp/2015/02/a-new-uac-bypass-method-that-dridex-uses.html 

This UAC bypass method encompasses manipulating application compatibility databases.

Method of Operation:

1. Dridex creates an application compatibility database ($$$.sdb), a batch file ($$$.bat) and a copy of itself (edg3FAC.exe)
2. Dridex uses the sdbinst command to install/uninstall application compatibility databases to install $$$.sdb.
3. Dridex launches the iscsicli command, which is a command line tool for iSCSI initiator. However, the configuration in the installed application compatibility database ($$$.sdb) causes iscsicli.exe to execute $$$.bat with administrative privileges.
4. $$$.bat executes edg3FAC.exe with administrative privileges.

• Auto-elevation programs such as sdbinst.exe and iscsicli.exe automatically elevate privileges to administrative privileges when launched without a UAC warning being displayed.
• The sdbinst command, which can change the behavior of other programs, is an auto-elevation program.

1. ucmInitAppHelp
* Purpose:
*Initialize AppHelp routines.

2. ucmRegisterAndRunTarget
* Purpose:
* Register shim database and execute target app.

3. ucmShimRedirectEXE
* Purpose:
* Build, register shim database and execute target app.
* Initially used in BlackEnergy2 and Gootkit by mzH (alive-green).
* Currently used in number of trojans (Win32/Dyre, WinNT/Cridex)

tidShim = SdbBeginWriteListTag(hShimDb, TAG_SHIM_REF);
if (tidShim != TAGID_NULL) {
SdbWriteStringTag(hShimDb, TAG_NAME, L“RedirectEXE”);
SdbWriteStringTag(hShimDb, TAG_COMMAND_LINE, lpszPayloadEXE);
SdbEndWriteListTag(hShimDb, tidShim);
}
SdbEndWriteListTag(hShimDb, tidEXE);

4. ucmAppcompatElevation
* Purpose:
* AutoElevation using Application Compatibility engine.