Microsoft Subnet An independent Microsoft community View more

New malware bypasses Active Directory controller passwords

The malware has its limits, but is still dangerous and very hard to detect.

malware

Dell's SecureWorks Counter Threat Unit (CTU) has issued an alert for a new piece of malware it calls "Skeleton Key," which turns out to be an appropriate name. Skeleton Key provides access to any user account on an Active Directory controller while bypassing the password security.

Unlike most malware, which sits on the hard drive and can be found by a scan, Skeleton Key is a rare type of in-memory malware that makes it extremely difficult to detect and is totally invisible to the affected users. Its activity is not logged, further complicating the process of finding it.

It requires administrator access to get to the Active Directory controller to deploy, but once it does, the exploiter could do basically whatever it wants while making it look like the compromised user is actually doing the damage.

Thankfully, it has its weaknesses. Because it is in-memory, the malware does not survive a system reboot. But who wants to reboot all of their Windows servers? Also, the fact that it requires administrator rights to get into the system means your system administrators are the first line of defense, and the first line of suspicion.

Dell notes that the malware will not work in a two- or multi-factor authentication scenario, so if you have multi-factor security, you should be safe. It's also a good argument for using multi-factor security in the first place.

Dell provides instructions for removing the malware in its alert, and hopefully Microsoft and the malware cleaners out there like Kaspersky, Symantec, and the like will have a detection for it shortly.

Join the Network World communities on Facebook and LinkedIn to comment on topics that are top of mind.
Must read: Hidden Cause of Slow Internet and how to fix it
Notice to our Readers
We're now using social media to take your comments and feedback. Learn more about this here.