Cyber criminals are abusing an undocumented feature of Microsoft Windows known as ‘God Mode’ to conceal their malware. God Mode is essentially a shortcut folder that gives access to the various control settings in Windows Vista and later operating systems.

Hackers Are Using ‘God Mode’ in Microsoft Windows To Hide Their Malware

‘God Mode’ is actually derived from the Windows Master Control Panel shortcut, an undocumented feature present in Windows Vista and later versions. It lets a user create a special folder that gives quick access to all Windows control panels and settings, such as My Computer and the Printers folder.

However, Craig Schmugar, research architect at McAfee, said on April 26 that “Attackers are now using this undocumented feature for evil ends”.

McAfee has discovered a case of the Dynamer Trojan hidden inside such a shortcut folder. Notably, the malware is designed to survive reboots, and when users who are unaware of the infection open the folder where the malware is hidden, they see a window with no files.

“To make matters worse,” Schmugar says, “the malware author has attempted to give this directory eternal life, by pre-pending the name ‘com4’. Such device names are forbidden by normal Windows Explorer and cmd.exe commands and Windows treats the folder as a device – thus preventing users from otherwise easily deleting the folder with Explorer or typical console commands.”

McAfee did not mention further details about who wrote this malware. It did, however, give users a remedy: kill the malware process using Task Manager, or simply run the following command from a command prompt (cmd.exe):

rd "\\.\%appdata%\com4.{241D7C96-F8BF-4F85-B01F-E2B043341A4B}" /S /Q
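The cleanup above is a one-off command for one known folder name. As an added example (not from the article or from McAfee), the PowerShell script below generalises it: it lists any folder under the current user's %APPDATA% whose name begins with a reserved DOS device name (the com4 trick), reports whether it also carries a God Mode CLSID suffix, and removes confirmed folders through the same \\.\ device namespace that McAfee's rd command relies on. The function names and the $Root parameter are assumptions for this example.

```powershell
# Added example, not the article's or McAfee's code. Hunts for folders that
# abuse a reserved DOS device name, as the Dynamer sample did with "com4.{CLSID}".

function Find-ReservedNameFolder {
    param([string]$Root = $env:APPDATA)   # assumed default: the folder the article names

    # Win32 applies the reserved-name check to the part before the first dot,
    # so "com4.{...}" is treated as the COM4 device when opened by path.
    $reserved = '^(CON|PRN|AUX|NUL|COM[1-9]|LPT[1-9])(\..*)?$'
    # God Mode style suffix: a CLSID in braces at the end of the folder name.
    $clsid = '\.\{[0-9A-F]{8}(-[0-9A-F]{4}){3}-[0-9A-F]{12}\}$'

    # Listing the parent directory works normally; only opening the folder by
    # its own path is intercepted as a device, so enumerate and filter by name.
    Get-ChildItem -LiteralPath $Root -Directory -Force -ErrorAction SilentlyContinue |
        Where-Object { $_.Name -match $reserved } |
        ForEach-Object {
            [pscustomobject]@{
                Path     = $_.FullName
                HasClsid = [bool]($_.Name -match $clsid)
                Created  = $_.CreationTime
            }
        }
}

function Remove-ReservedNameFolder {
    param([Parameter(Mandatory)][string]$Path)

    # Explorer and a plain "rd" refuse the path; prefixing \\.\ bypasses the
    # device-name parsing, exactly as in the article's cleanup command.
    $devicePath = "\\.\$Path"
    & cmd.exe /c rd $devicePath /S /Q

    # Verify by re-listing the parent: Test-Path on the folder's own path is
    # unreliable here because that path is itself parsed as a device.
    $parent = Split-Path -Path $Path -Parent
    $leaf   = Split-Path -Path $Path -Leaf
    $still  = Get-ChildItem -LiteralPath $parent -Directory -Force |
        Where-Object { $_.Name -eq $leaf }
    if ($still) { Write-Warning "Failed to remove $Path" }
}

# Usage: list suspects first, then remove only the ones you have confirmed.
Find-ReservedNameFolder | Format-Table -AutoSize
# Find-ReservedNameFolder | Where-Object HasClsid |
#     ForEach-Object { Remove-ReservedNameFolder -Path $_.Path }
```

Kill the malware process (the article suggests Task Manager) before removing the folder, since a running process holding files open will make the rd fail.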

McAfee has also discovered new “macro” malware that uses advanced obfuscation and multiple layers of evasion to elude detection.

‘Macro’ malware, which was common in the 1990s, is normally delivered through malicious MS Office files whose macros contain Visual Basic scripts. McAfee Labs’ Devendra Singh said the latest variant discovered in the wild uses virtual-machine awareness to elude analysis by security researchers and sandbox awareness to elude honeypot traps.

Singh said, “These actors have compromised a legitimate website to deploy their payload. During our analysis, this hard-coded link served a file which indicated that the attackers were still preparing the environment and had not yet uploaded a malicious payload. Intel Security has contacted the site owner.”
