1(630)802-8605 Ravi.das@bn-inc.net

Aargh have I mentioned that I hate Windows 10?  Well I even hate it now more than I ever did before.  Last night, I was working on an article for client when all of a sudden, my computer stopped and decided to a Windows update.  Luckily, I had saved my work, so it was just a matter of lost time. But still, irritating none the less.

So, it is with this mind that I bring you today’s blog.  Apparently, a Cyber security researcher from Colombia has found sort of a backdoor method in which almost anybody (assuming that you have some advanced knowledge of Windows 10 and how to manipulate its registries) can execute in order to gain administrative level privileges.

Of course, this is the ultimate dream for any Cyber attacker . . . a quick and covert way to get in, and to have the ability to stay inside an IT system for a long period of time while going undetected.  What is even more shocking is that this particular vulnerability was discovered way back in December 2017, almost a year ago.

This kind of hack involves what is known is as the “Relative Identifier”, or the “RID” for short.  This is a series of numbers that is added in order to describe and end user’s permissions group. There are several RID number sequences that are available, but the most common ones are 501 for the standard guest account, and 500 for admin accounts.  This is illustrated below:

(SOURCE:  https://www.zdnet.com/article/researcher-finds-simple-way-of-backdooring-windows-pcs-and-nobody-notices-for-ten-months/)

With the help from the Cyber security organization that he works for, Sebastián Castro, the researcher, was able to reconfigure and modify the registry keys in such a way that he could alter the RID number that was associated with a specific end user group, and give it a different RID number, for another account group.

Although a Cyber attacker cannot launch any malware directly through this method, what they can do is gain access to a computer slowly over time . . . all the way from starting out to being an end user to ultimately being a full administrator on that PC, or even many others if they all are interlinked with one another.

But what is very scary about this potential backdoor opening is that since registry keys are “boot persistent”, any modifications or edits that are made to them will reside in the “infected” PC permanently until if and when they are noticed.  So, what this simply means is that you may have a backdoor in your Windows 10 PC that you will never know about until you actually access the registry keys.

For the average user, like me, this never happens.  All I know is that the registry keys are the heart and soul of any Windows OS, and I dare not touch it unless it is somebody from the Geek Squad.  Even more frightening is the fact that this backdoor technique can be used on pretty much all of the Windows OS’s going back to XP (more specifically, XP to 10 and from Server 2003 to Server 2016).

Even when the registry keys and the RID numbers have been altered, there is no alert that is provided to the end user.  Once again, the only of knowing that this covert backdoor has been opened is through the careful examination of the registry keys.  So, in this instance, a blatant clue of this would be is if an end user’s group ended in a “500” series number, which would clearly indicate that the guest account was tampered with and now has full admin level rights.  This is illustrated below:

Castro even released even created a Penetration Testing module that illustrates how this covert backdoor can be opened and maliciously exploited.  Further details on this can be seen at this link:

https://www.rapid7.com/db/modules/post/windows/manage/rid_hijack

My thoughts on this?

Apparently, Castro reported his findings to Microsoft, but he has yet to await a response from them (it takes them almost a year to respond!?!?!?!).  It has also even gone unreported in the press and other related media, and for that matter, even the Cyber attackers whom create the most notorious pieces of malware did not even notice this.

I guess the specific term for this kind of attack is called RID Hijacking, and it is “simple, stealthy, and persistent.  So, who knows, maybe your Windows 10 PC has this kind of backdoor as well?  Since this has gone relatively unnoticed and no types of malware attacks seem to have been launched from it, I wouldn’t get too excited about it yet.

But, it is something to store in the back of your mind – for example if your PC starts acting weird all of a sudden, then it might be time to take it into the Geek Squad for a full and complete checkout. And of course, I will keep my eye on this and write about any future developments.

The moral of the story:  Don’t get a false sense of security just because your Windows 10 OS does its software updates on a regular basis.  There are many issues that they don’t address, and apparently the RID Hacking is clearly one of them.