Win32/Poweliks

Forum for analysis and discussion about malware.
Intimacygel
Posts: 24
Joined: Wed Jun 05, 2013 3:16 pm

Re: Win32/Poweliks

Post by Intimacygel » Wed Nov 05, 2014 3:31 pm

Anyone have any more dropper samples of this?

They're really hard to find because they delete themselves. My only luck so far was restoring from Norton quarantine on a customer's computer.

rbezio
Posts: 1
Joined: Wed Sep 11, 2013 3:38 pm

Re: Win32/Poweliks

Post by rbezio » Thu Nov 13, 2014 11:06 pm

A colleague of mine had an idea, one which I cannot seem to figure out how to implement. I figure this might be a possible stopgap solution to this infection, seeing as it relies on PowerShell to do all its malicious activities.

His idea - Create a group policy that disables PowerShell. This would in theory prevent the infection from performing its higher-level functions. As I understand it, the whole point of the program up until PowerShell is getting PowerShell downloaded/to run, and the heavy lifting is done via PowerShell.

I don't know if you can do group policy changes via a batch file, but assuming you could, this would make it easy to push this change to every computer on your network so that PowerShell is disabled (even when installed).

Thoughts?
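
Added example (not code from rbezio's post or from anyone in this thread): one way to do what the post asks for without the GPO editor is to write a local Software Restriction Policy straight into the registry, so a startup or logon script can push it. The script assumes it runs elevated on Windows 7/8-era hosts where SRP is available; the three rule GUIDs are arbitrary identifiers made up for this example, and the SRP key layout and level constants are the documented ones.

```powershell
# Added example: local Software Restriction Policy (SRP) that disallows the
# PowerShell hosts. Assumptions: elevated session; SRP-capable Windows; the
# rule GUIDs below are arbitrary names chosen here, not Microsoft's.

$Safer = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'

# Enable SRP with an Unrestricted default level (0x40000) so only the explicit
# disallow rules bite. PolicyScope 0 = all users including administrators.
# TransparentEnabled 1 = check all software files except libraries (DLLs).
New-Item -Path $Safer -Force | Out-Null
Set-ItemProperty -Path $Safer -Name DefaultLevel        -Type DWord -Value 0x40000
Set-ItemProperty -Path $Safer -Name TransparentEnabled  -Type DWord -Value 1
Set-ItemProperty -Path $Safer -Name PolicyScope         -Type DWord -Value 0
Set-ItemProperty -Path $Safer -Name AuthenticodeEnabled -Type DWord -Value 0

# Disallowed rules live under security level 0. Block every host binary: on x64
# Windows the 32-bit powershell.exe under SysWOW64 is a separate file a dropper
# can launch instead, and powershell_ise.exe hosts the same engine.
$Rules = @{
    '{0f1e2d3c-4b5a-6978-8796-a5b4c3d2e1f0}' = '%SystemRoot%\System32\WindowsPowerShell\v1.0\powershell.exe'
    '{1e2d3c4b-5a69-7887-96a5-b4c3d2e1f00f}' = '%SystemRoot%\SysWOW64\WindowsPowerShell\v1.0\powershell.exe'
    '{2d3c4b5a-6978-8796-a5b4-c3d2e1f00f1e}' = '%SystemRoot%\System32\WindowsPowerShell\v1.0\powershell_ise.exe'
}

foreach ($Guid in $Rules.Keys) {
    $RuleKey = "$Safer\0\Paths\$Guid"
    New-Item -Path $RuleKey -Force | Out-Null
    # ItemData holds the path pattern (REG_EXPAND_SZ, so %SystemRoot% stays
    # symbolic); SaferFlags 0 is the normal value for a path rule.
    Set-ItemProperty -Path $RuleKey -Name ItemData    -Type ExpandString -Value $Rules[$Guid]
    Set-ItemProperty -Path $RuleKey -Name SaferFlags  -Type DWord        -Value 0
    Set-ItemProperty -Path $RuleKey -Name Description -Type String       -Value 'Block PowerShell host (Poweliks stopgap)'
}

# Show what was written. New processes are checked against these rules at
# creation time, so the change applies to the next launch without a reboot.
Get-ChildItem -Path "$Safer\0\Paths" |
    ForEach-Object { (Get-ItemProperty -Path $_.PSPath).ItemData }
```

After running it, launching `powershell.exe` from a fresh cmd window should be refused with the usual "This program is blocked by group policy" message, while the session that wrote the rules keeps running. Three caveats worth keeping in mind: this only removes the PowerShell stage, the registry-resident launcher that starts it is untouched, so the persistence survives and has to be cleaned separately; a path rule does not catch a copy of powershell.exe dropped elsewhere under another name, which a hash rule or AppLocker would; and on a domain member an SRP configured in a domain GPO overwrites these local values at the next policy refresh, so in a domain the same rules belong in the GPO itself and this script is only the "push it with a batch file" stand-in the post was asking about.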

ithurricane
Posts: 17
Joined: Thu Mar 25, 2010 1:00 am

Re: Win32/Poweliks

Post by ithurricane » Wed Nov 19, 2014 2:59 am

POWELIKS Levels Up With New Autostart Mechanism

http://blog.trendmicro.com/trendlabs-se ... mechanism/

rinn
Posts: 91
Joined: Thu Nov 15, 2012 6:14 am
Location: Japan

Re: Win32/Poweliks

Post by rinn » Wed Nov 19, 2014 4:48 am

ithurricane wrote:
    POWELIKS Levels Up With New Autostart Mechanism
    http://blog.trendmicro.com/trendlabs-se ... mechanism/

Hello,

It leveled up in July 2014, just as the second post in this thread mentions. This script-kiddie from TrendMicro, Randall Santos, did nothing but plagiarize again.

Best Regards,
-rin

rnd.usr
Posts: 27
Joined: Tue Apr 15, 2014 6:14 pm

Re: Win32/Poweliks

Post by rnd.usr » Wed Nov 19, 2014 3:58 pm

Anyone have a sample that is detected as "Poweliks.B"?

Thanks

Cody Johnston
Posts: 157
Joined: Sun May 01, 2011 4:33 pm
Location: Los Angeles, CA

Re: Win32/Poweliks

Post by Cody Johnston » Fri Nov 21, 2014 1:38 am

rnd.usr wrote:
    Anyone have a sample that is detected as "Poweliks.B"?
    Thanks

Do you have a hash or any more info? Names do not help for searching. Example:

https://www.virustotal.com/en/file/da2d ... /analysis/

2 vendors have "B" in their detection while all others call it "A". Also lol @ that AVG name for it, not useful in any way, and just furthers my point.

Tigzy
Posts: 384
Joined: Mon Feb 07, 2011 5:03 pm

Re: Win32/Poweliks

Post by Tigzy » Fri Nov 21, 2014 7:31 am

rinn wrote:
    It leveled up in July 2014, just as the second post in this thread mentions. This script-kiddie from TrendMicro, Randall Santos, did nothing but plagiarize again.

Exactly, that behavior has been there since they removed the Run key to keep only the CLSID hijack.
Months ago.
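
Added example (not code from Tigzy's post or from anyone in this thread): a hunt for the per-user COM CLSID hijack Tigzy refers to. HKCR is a merge of HKLM\Software\Classes and HKCU\Software\Classes in which the per-user entry wins, so a server registration written under HKCU, which needs no admin rights, is what COM loads for that CLSID. The function scans the per-user CLSID keys and flags entries that shadow a machine-wide registration, whose server value is not an existing file, or whose server command is unusually long. The heuristics, field names and the 200-character threshold are choices made for this example, not anything from the thread.

```powershell
# Added example: flag suspicious per-user COM server registrations.
# Assumptions: run in the session of the user being examined (or point
# -UserClasses at a loaded hive); the three heuristics below and the
# 200-character threshold are this example's choices.

function Find-UserClsidHijack {
    param(
        [string]$UserClasses    = 'HKCU:\Software\Classes\CLSID',
        [string]$MachineClasses = 'HKLM:\SOFTWARE\Classes\CLSID'
    )
    if (-not (Test-Path -LiteralPath $UserClasses)) { return }

    foreach ($Key in Get-ChildItem -LiteralPath $UserClasses -ErrorAction SilentlyContinue) {
        $Clsid = $Key.PSChildName
        foreach ($Server in 'InprocServer32', 'LocalServer32', 'TreatAs') {
            $ServerKey = "$UserClasses\$Clsid\$Server"
            if (-not (Test-Path -LiteralPath $ServerKey)) { continue }

            # The server is the key's default value.
            $Value = (Get-ItemProperty -LiteralPath $ServerKey -ErrorAction SilentlyContinue).'(default)'
            if ([string]::IsNullOrWhiteSpace($Value)) { continue }

            $Reasons = @()

            # 1. The same CLSID is registered machine-wide: the per-user copy
            #    overrides it in the HKCR merge, which is what a hijack needs.
            if (Test-Path -LiteralPath "$MachineClasses\$Clsid") {
                $Reasons += 'shadows HKLM registration'
            }

            # 2. For the two server keys, the first token should be a file on
            #    disk. TreatAs holds another CLSID, so it is skipped here.
            if ($Server -ne 'TreatAs') {
                $Exe = if ($Value.StartsWith('"')) { $Value.Split('"')[1] } else { $Value.Split(' ')[0] }
                $Exe = [Environment]::ExpandEnvironmentVariables($Exe)
                if (-not (Test-Path -LiteralPath $Exe -PathType Leaf)) {
                    $Reasons += 'server is not an existing file'
                }
            }

            # 3. A server command long enough to carry a script or encoded
            #    payload rather than just a path and a few switches.
            if ($Value.Length -gt 200) {
                $Reasons += "unusually long server command ($($Value.Length) chars)"
            }

            if ($Reasons.Count -gt 0) {
                [pscustomobject]@{
                    CLSID  = $Clsid
                    Key    = $Server
                    Value  = $Value
                    Reason = ($Reasons -join '; ')
                }
            }
        }
    }
}

Find-UserClsidHijack | Format-Table -AutoSize -Wrap
```

Because the entries of interest live under the user's hive, run this as the affected user, or load the profile's NTUSER.DAT under HKU: and pass `-UserClasses 'HKU:\<SID>\Software\Classes\CLSID'`. A hit on the shadowing check alone is a lead rather than a verdict, since some installers do register per-user copies of machine classes; the combination with a missing file or a long command string is what to look at first. Note that a LocalServer32 pointing at a legitimate system binary with a long argument string passes the file check and is caught only by the length check, which is why that one is there.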

PX5
Posts: 144
Joined: Thu Apr 29, 2010 1:14 am

Re: Win32/Poweliks

Post by PX5 » Wed Jun 10, 2015 11:01 pm

Has anyone seen a newer run of Poweliks droppers?

Seems we have a rash of this crap running about.

Any help, pointers are much appreciated.

--MJ
Arrogance led me to my Ignorance

EP_X0FF
Global Moderator
Posts: 4860
Joined: Sun Mar 07, 2010 5:35 am
Location: Russian Federation

Re: Win32/Poweliks

Post by EP_X0FF » Sun Jun 14, 2015 6:51 am

PX5 wrote:
    Has anyone seen a newer run of Poweliks droppers?
    Seems we have a rash of this crap running about.
    Any help, pointers are much appreciated.
    --MJ

If you mean the latest Symantec hype about this, they investigated the variant from July 2014 yet again (slowpoke mode). Just look at the GUIDs in their article. There is nothing new in Poweliks, and clones (Gootkit/Sednit/Phase/Bedep) have surpassed it completely.
Ring0 - the source of inspiration

Ta!0n
Posts: 4
Joined: Sat Jan 18, 2014 8:29 pm

Re: Win32/Poweliks

Post by Ta!0n » Fri Jun 19, 2015 9:17 pm

Attached sample
