Advanced Malware Cleaning

SEC 309
Advanced Malware Cleaning
Mark Russinovich
Technical Fellow, Platform and Services Division
Microsoft Corporation
[email protected]
About Me
• Technical Fellow, Microsoft
• Co-founder and chief software architect of Winternals Software
• Co-author of Windows Internals, 4th edition and Inside Windows 2000, 3rd Edition with David Solomon
• Author of tools on www.sysinternals.com
  • Home of blog and forums
• Senior Contributing Editor, Windows IT Pro Magazine
• Ph.D. in Computer Engineering
Why Is Manual Cleaning Necessary?
• How do users get malware?
  • They click on misleading popups or banners
  • They visit sites that use exploits to inject malware
  • They download apps that include adware and spyware
  • Many users still don't patch or don't use antivirus or antispyware
• Why don't antivirus and antispyware stop malware?
  • They are dependent on signatures
  • Malware directly attacks them
• Always perform manual cleaning after you've run available antivirus and antispyware
Malware Cleaning Steps
• Disconnect from the network
• Identify malicious processes and drivers
• Terminate identified processes
• Identify and delete malware autostarts
• Delete malware files
• Reboot and repeat
Identifying Malware Processes

What Are You Looking For?
Processes that…
• …have no icon
• …have no description or company name
• …are unsigned images that claim to be from Microsoft
• …live in the Windows directory
• …are packed
• …include strange URLs in their strings
• …have open TCP/IP endpoints
• …host suspicious DLLs or services
What About Task Manager?
• Task Manager provides little information about the images that are running

Process Explorer
• Process Explorer is "Super Task Manager"
  • Runs on Windows 95, 98, Me, NT, 2000, XP, Server 2003
  • Also supports 64-bit (x64) and Vista
• Has lots of general troubleshooting capabilities:
  • DLL versioning problems
  • Handle leaks and locked files
  • Performance troubleshooting
  • Hung processes
• We're going to focus on its malware cleaning capabilities
The Process View
• The process tree sort shows parent-child relationships
• Icon, description, and company name are pulled from image version information
  • Most malware doesn't have version information
  • What about malware pretending to be from Microsoft?
    • We'll deal with that shortly…
• Use the Window Finder (in the toolbar) to associate a window with its owning process
• Use the Google menu entry to look up unknown processes
  • But malware often uses totally random or pseudo-random names
Refresh Highlighting
• Refresh highlighting highlights changes
  • Red: process exited
  • Green: new process
  • Change duration (default 1 second) in Options
  • Press space bar to pause and F5 to refresh
  • Cause display to scroll to make new processes visible with the Show New Processes option
Process-type Highlights
• Blue processes are running in the same security context as Process Explorer
• Pink processes host Windows services (we'll look at services shortly)
• Purple highlighting indicates an image is "packed"
  • Packed can mean compressed or encrypted
  • Malware commonly uses packing (e.g. UPX) to make antivirus signature matching more difficult
  • Packing and encryption also hide strings from view
• There are a few other colors, but they're not important for malware hunting
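The "packed" highlight is a heuristic, and it helps to know what such a heuristic looks at. The following is an added example, not code from the presentation and not Process Explorer's own algorithm (which the deck does not document): it walks the PE section table and reports two packing indicators, a section name left behind by a well-known packer (UPX0/UPX1/UPX2, ASPack's .aspack/.adata, Petite's .petite) and a section whose raw bytes have near-random entropy, which is what compressed or encrypted code looks like on disk. The two sample images are built in memory by build_sample_pe() so the parser has input; they are constructed, not real executables, and the 7.0 bits/byte threshold is an assumed cut-off.

```python
"""Packed-image check for PE files: packer section names plus byte entropy.

Added example, not from the presentation and not Process Explorer's own
heuristic. The sample images are constructed in memory, not real binaries.
"""
import hashlib
import math
import struct

# Non-exhaustive list of section names that well-known packers create.
PACKER_SECTION_NAMES = {"UPX0", "UPX1", "UPX2", ".aspack", ".adata", ".petite"}
ENTROPY_THRESHOLD = 7.0   # assumed cut-off, bits per byte; plain code and data sit well below it
MIN_SECTION_BYTES = 256   # tiny sections give meaningless entropy figures


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte of data (0.0 for empty or single-valued input)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def parse_sections(image: bytes):
    """Walk the PE section table and return [(name, raw_bytes), ...]."""
    if image[:2] != b"MZ":
        raise ValueError("not an MZ image")
    (e_lfanew,) = struct.unpack_from("<I", image, 0x3C)
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4                              # IMAGE_FILE_HEADER
    (num_sections,) = struct.unpack_from("<H", image, coff + 2)
    (size_of_optional,) = struct.unpack_from("<H", image, coff + 16)
    table = coff + 20 + size_of_optional             # first IMAGE_SECTION_HEADER
    sections = []
    for i in range(num_sections):
        hdr = table + 40 * i
        name = image[hdr:hdr + 8].rstrip(b"\0").decode("ascii", "replace")
        size_raw, ptr_raw = struct.unpack_from("<II", image, hdr + 16)  # SizeOfRawData, PointerToRawData
        sections.append((name, image[ptr_raw:ptr_raw + size_raw]))
    return sections


def packing_indicators(image: bytes):
    """Return [(section_name, reason), ...]; an empty list means nothing looks packed."""
    hits = []
    for name, raw in parse_sections(image):
        if name in PACKER_SECTION_NAMES:
            hits.append((name, "known packer section name"))
        if len(raw) >= MIN_SECTION_BYTES:
            ent = shannon_entropy(raw)
            if ent >= ENTROPY_THRESHOLD:
                hits.append((name, f"high entropy ({ent:.2f} bits/byte)"))
    return hits


# ---- constructed sample images (not real binaries) --------------------------

def _pseudo_random(n: int, seed: bytes = b"packed") -> bytes:
    """Deterministic near-random bytes (SHA-256 chain) standing in for compressed code."""
    out, block = b"", seed
    while len(out) < n:
        block = hashlib.sha256(block).digest()
        out += block
    return out[:n]


def build_sample_pe(sections):
    """Minimal MZ/PE skeleton: DOS header, PE signature, COFF header, section table, raw data.
    SizeOfOptionalHeader is 0, so the bytes are not loadable, but the section table is valid."""
    data_off = 0x40 + 4 + 20 + 40 * len(sections)
    table, blob = b"", b""
    for name, raw in sections:
        table += struct.pack("<8sIIIIIIHHI", name.encode("ascii"), len(raw), 0x1000,
                             len(raw), data_off + len(blob), 0, 0, 0, 0, 0x60000020)
        blob += raw
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", 0x40)   # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 0, 0x102)
    return dos + b"PE\0\0" + coff + table + blob


PACKED_SAMPLE = build_sample_pe([("UPX0", b""), ("UPX1", _pseudo_random(4096)), (".rsrc", b"\0" * 64)])
PLAIN_SAMPLE = build_sample_pe([(".text", b"ordinary uncompressed code and text " * 40), (".data", b"\0" * 512)])

if __name__ == "__main__":
    for label, img in (("packed", PACKED_SAMPLE), ("plain", PLAIN_SAMPLE)):
        print(label, packing_indicators(img) or "no packing indicators")
```

Neither indicator is proof on its own: a legitimate installer has high-entropy compressed payload sections, and a packer can be told to use any section names. Treat a hit the way the slide treats the purple highlight, as a reason to look at the strings and the signature next.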
Tooltips
• Process tooltips show the full path to the process image
• Malware often hides behind Svchost and Rundll32
  • Tooltip for Rundll32 processes shows the hosted DLL
  • Tooltip for service processes shows the hosted services
    • Services covered in detail shortly…
Detailed Process Information
• Double-click on a process to see detailed information
• Image tab:
  • Description, company name, version (from .EXE)
  • Full image path
  • Command line used to start process
  • Current directory
  • Parent process
  • User name
  • Start time
Image Verification
• All (well, most) Microsoft code is digitally signed
  • Hash of file is signed with Microsoft's private key
  • Signature is checked by decrypting the signed hash with the public key and comparing it with a fresh hash of the file
• You can selectively check for signatures with the Verify button on the process Image tab
  • Select the Verify Image Signatures option to check all
  • Add the Verified Signer column to see all
  • Note that verification will connect to the Internet to check Certificate Revocation List (CRL) servers
Windows Services
• Services can start when the system boots and run independently of the logged-on user
  • Examples include IIS, Themes, Server, Workstation, …
  • Can run as their own process or as a service DLL inside a Svchost.exe
• The Services tab shows detailed service information:
  • Registry name (HKLM\System\CurrentControlSet\Services\...)
  • Display name
  • Description (optional)
  • DLL path (for Svchost DLLs)
Strings
• On-disk and in-memory process strings are visible on the Strings tab
  • The two only differ if the image is compressed or encrypted; the in-memory view then shows the unpacked strings
• Strings can help provide clues about unknown processes
  • Look for URLs, names and debug strings
• You can also dump strings with the command-line Strings utility from Sysinternals
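What the Strings tab and the Strings utility do is mechanically simple, and the part that matters for malware hunting is reading the output for the clues the slide lists. The following is an added example, not the Sysinternals tool's code: it extracts both ASCII and UTF-16LE runs (malware written against the Unicode Win32 API keeps its URLs and paths in UTF-16, so an ASCII-only scan misses them) and then groups the strings that look like URLs, raw IP addresses, PDB debug paths or autostart Registry keys. The SAMPLE buffer is constructed inline using reserved example names (evil.example, 203.0.113.7); it is not a dump of a real process, and the minimum length and the pattern list are assumptions.

```python
"""Dump printable ASCII/UTF-16LE strings from a buffer and flag the interesting ones.

Added example, not the Sysinternals Strings utility's code. SAMPLE is a
constructed buffer, not a real process image.
"""
import re

MIN_LEN = 5  # shortest run worth reporting (assumed default)

# What to look for once the strings are out (assumed, non-exhaustive patterns).
INTERESTING = [
    ("url", re.compile(r"(?i)\b(?:https?|ftp)://\S+|\bwww\.[\w.-]+")),
    ("ipv4", re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")),
    ("debug-path", re.compile(r"(?i)\b[a-z]:\\\S*\.pdb\b")),
    ("autostart-key", re.compile(r"(?i)CurrentVersion\\Run")),
]


def extract_strings(data: bytes, min_len: int = MIN_LEN):
    """Return sorted (offset, encoding, text) for every printable run of at least min_len chars."""
    found = []
    for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, data):
        found.append((m.start(), "ascii", m.group().decode("ascii")))
    # UTF-16LE text from a Windows binary is each printable char followed by a NUL byte.
    for m in re.finditer(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len, data):
        found.append((m.start(), "utf-16le", m.group().decode("utf-16-le")))
    return sorted(found)


def triage(data: bytes):
    """Group the extracted strings that match an INTERESTING pattern by category."""
    hits = {}
    for off, enc, text in extract_strings(data):
        for label, pattern in INTERESTING:
            if pattern.search(text):
                hits.setdefault(label, []).append((off, enc, text))
    return hits


# Constructed buffer: a DOS-stub banner, binary noise, a UTF-16 URL, an autostart key,
# a PDB path and a hard-coded IP, separated by NULs and non-printable bytes.
SAMPLE = (
    b"MZ\x90\x00" + b"\x00" * 12
    + b"This program cannot be run in DOS mode.\x00"
    + b"\x01\x02\x03\x7f\xff"
    + "http://evil.example/update.php".encode("utf-16-le") + b"\x00\x00"
    + b"Software\\Microsoft\\Windows\\CurrentVersion\\Run\x00"
    + b"c:\\build\\stealth\\Release\\svch0st.pdb\x00"
    + b"\x10\x11\x12" + b"203.0.113.7\x00"
)

if __name__ == "__main__":
    for off, enc, text in extract_strings(SAMPLE):
        print(f"{off:#08x} {enc:8} {text}")
    for label, items in triage(SAMPLE).items():
        print(label, "->", [t for _, _, t in items])
```

Run it over a file read with open(path, "rb") to get the on-disk view; the in-memory view needs a process-memory dump, which is where the Strings tab's in-memory option comes in. In the sample the URL is only found by the UTF-16 pass, which is the case a plain ASCII strings dump misses.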
The DLL View
• Malware can hide as a DLL inside a legitimate process
  • We've already seen this with Rundll32 and Svchost
  • Typically loads via an autostart
  • Can load through "DLL injection"
  • Packing highlight shows in the DLL view as well
• Open the DLL view by clicking on the DLL icon in the toolbar
  • Shows more than just loaded DLLs
  • Includes the .EXE and any "memory mapped files"
  • Can search for a DLL with the Find dialog
  • DLL strings are also viewable from the DLL menu
Loaded Drivers
• There are several tools for viewing configured drivers:
  • Built-in SC command: sc query type= driver
  • Device Manager with View->Show Hidden Devices
  • Start->Run->Msinfo32
• Process Explorer DLL view for the System process shows loaded drivers
  • Even drivers that delete their image files
  • Same path and version info as the standard DLL view
• Simply identify them now
  • Usually they're not stoppable
  • Delete their files and autostart settings later
TCPView
• Look for suspicious network endpoints with TCPView
  • You can do this by looking at the TCP/IP tab of each process, but that's slow
  • TCPView also uses refresh highlighting
  • TCPView includes a "close connection" capability
    • …but you should be disconnected from the network
Terminating Malicious Processes
• Don't kill the processes right away
  • Malware processes are often restarted by watchdogs
• Instead, suspend them
  • Note that this might cause a system hang for Svchost processes
• Record the full path to each malicious EXE and DLL
• After they are all asleep, kill them
  • Watch for restarts with new names…
Cleaning Autostarts

Investigating Autostarts
• Windows XP Msconfig (Start->Run->Msconfig) falls short when it comes to identifying autostarting applications
  • It knows about few locations
  • It provides little information

Autoruns
• Shows every place in the system that can be configured to run something at boot & logon
  • Standard Run keys and Startup folders
  • Shell, userinit
  • Services and drivers
  • Tasks
  • Winlogon notifications
  • Explorer and IE addins (toolbars, Browser Helper Objects, …)
  • More and ever growing…
• Each startup category has its own tab and all items display on the Everything tab
  • Startup name, image description, company and path
Identifying Malware Autostarts
• Zoom in on add-ons (including malware) by selecting these options:
  • Verify Code Signatures
  • Hide Microsoft Entries
• Select an item to see more in the lower window
  • Google unknown images
  • Double-click on an item to look at where it's configured in the Registry or file system
• Has other features:
  • Can display other profiles
  • Can also show empty locations (informational only)
  • Includes compare functionality
  • Includes an equivalent command-line version, Autorunsc.exe
Deleting Autostarts
• Delete suspicious autostarts
  • You can disable them if you're not sure
  • After you're done do a full refresh
  • If they come back, run Process Monitor (or Filemon and Regmon) to see who's putting them back
    • You might have misidentified a malware process
    • It might be a hidden, system, or legitimate process
Rootkits

What's a Rootkit, Anyway?
• Hoglund and Butler write in "Rootkits: Subverting the Windows Kernel":
  A rootkit is a set of programs and code that allows a permanent or consistent, undetectable presence on a computer.
• My definition:
  Software that hides itself or other objects, such as files, processes, and Registry keys, from view of standard diagnostic, administrative, and security software.
• Hoglund's revised definition from Rootkit.com on February 4:
  A rootkit is a tool that is designed to hide itself and other processes, data, and/or activity on a system.
The Evolution of Malware
• Malware, including spyware, adware and viruses, wants to be hard to detect and/or hard to remove
• Rootkits are a fast evolving technology to achieve these goals
  • Cloaking technology applied to malware
  • Not malware by itself
  • Example rootkit-based viruses: W32.Maslan.A@mm, W32.Opasa@mm
Rootkit history
• Appeared as stealth viruses
  • One of the first known PC viruses, Brain, was stealth
• First "rootkit" appeared on SunOS in 1994
  • Replacement of core system utilities (ls, ps, etc.) to hide malware processes
Modern Rootkits
• Rootkits can hide virtually anything:
  • Processes
  • Files, directories, Registry keys
  • Services, drivers
  • TCP/IP ports
• There are several types of rootkit technology:
  • User-mode hooking
  • Kernel-mode hooking
  • Code patching
  • Hiding in other processes
• www.rootkit.com is the primary rootkit forum
Example Rootkit Cloaking
• Attack user-mode system query APIs
  [Diagram: Taskmgr.exe calls the query API through Ntdll.dll; the rootkit sits in the user-mode path between Ntdll.dll and kernel mode and filters the result, so Taskmgr.exe sees "Explorer.exe, Winlogon.exe" while the kernel's real list is "Explorer.exe, Malware.exe, Winlogon.exe"]
• Examples: HackerDefender, Afx
Rootkit Detection
• All cloaks have holes
  • Leave some APIs unfiltered
  • Have detectable side effects
  • Can't cloak when the OS is offline
• Rootkit detection attacks the holes
  • Cat-and-mouse game
Rootkit Detection Types
• Three classes of rootkit detection:
  • Signature based
    • Microsoft Malicious Software Removal Tool
  • Anomaly detection
    • System Virginity Verifier: http://www.invisiblethings.org/tools.html
    • GMER: http://www.gmer.net/index.php
    • IceSword: http://www.xfocus.net/tools/200509/IceSword_en1.12.rar
  • Cross-view comparison
    • F-Secure Blacklight: http://www.f-secure.com/blacklight/
    • Sysinternals RootkitRevealer
• Use more than one tool!
RootkitRevealer
• RootkitRevealer (RKR) runs online
• RKR tries to bypass the rootkit to uncover cloaked objects
  • All cross-view detectors listed do the same
  • RKR scans HKLM\Software, HKLM\System and the file system
  • Performs a Windows API scan and compares it with a raw data-structure scan

RootkitRevealer
[Diagram: the Windows API view, filtered by the rootkit, omits the malware files and keys; the raw file system and raw Registry hive scan still shows them, and the difference between the two views is what RKR reports]
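The cross-view idea in the diagram reduces to a comparison of two listings of the same namespace, plus the normalization that stops formatting differences from showing up as false discrepancies. The following is an added example, not RootkitRevealer's code: one listing stands for what the Windows API returns (the view a rootkit can filter) and the other for a raw walk of the hive or file system structures, and every object present in only one view is reported with a reason. Both listings are constructed; the "cloakdrv" service and driver file are hypothetical names, and on a real system the API side would come from RegEnumKeyEx/FindNextFile and the raw side from parsing the hive file or the NTFS MFT directly.

```python
"""Cross-view comparison in miniature (the RootkitRevealer technique).

Added example, not RootkitRevealer's code. API_VIEW and RAW_VIEW are
constructed listings; 'cloakdrv' is a hypothetical name.
"""


def normalize(name: str) -> str:
    """Fold case and trailing separators so the same object compares equal across views.
    Embedded NULs are deliberately kept: a key name containing one is precisely what
    the Win32 Registry API cannot open, which is a classic hiding trick."""
    return name.rstrip("\\").lower()


def cross_view(api_view, raw_view):
    """Return [(name, explanation), ...] for every object seen in only one of the two views."""
    api = {normalize(n): n for n in api_view}
    raw = {normalize(n): n for n in raw_view}
    findings = []
    # Present in the raw structures but filtered out of the API view: the cloaked objects.
    for key in sorted(raw.keys() - api.keys()):
        reason = "hidden from Windows API"
        if "\x00" in key:
            reason += "; name contains an embedded NUL (Regedit cannot open it, use Regdelnull)"
        findings.append((raw[key], reason))
    # Present in the API view but not in the raw scan: usually an object created or deleted
    # between the two passes, so re-scan before treating it as suspicious.
    for key in sorted(api.keys() - raw.keys()):
        findings.append((api[key], "visible to Windows API but missing from raw scan"))
    return findings


# Constructed listings. The API side is case-preserved; the raw side carries a trailing
# backslash on one key to show that formatting differences alone are not discrepancies.
API_VIEW = [
    r"HKLM\SYSTEM\CurrentControlSet\Services\Tcpip",
    r"HKLM\SYSTEM\CurrentControlSet\Services\Netbt",
    r"C:\Windows\System32\kernel32.dll",
    r"C:\Windows\Temp\~install.log",                          # deleted between scans: API-only
]
RAW_VIEW = [
    "hklm\\system\\currentcontrolset\\services\\tcpip\\",
    r"HKLM\SYSTEM\CurrentControlSet\Services\Netbt",
    r"HKLM\SYSTEM\CurrentControlSet\Services\cloakdrv",       # hypothetical hidden service
    "HKLM\\SOFTWARE\\Example\\hidden\x00key",                  # embedded NUL in the name
    r"C:\Windows\System32\kernel32.dll",
    r"C:\Windows\System32\drivers\cloakdrv.sys",              # hypothetical hidden driver file
]

if __name__ == "__main__":
    for name, why in cross_view(API_VIEW, RAW_VIEW):
        print(f"{name!r}: {why}")
```

The comparison only works while the rootkit keeps filtering; a rootkit that recognizes the scanner and stops cloaking for the duration of the scan makes both views identical, which is exactly the attack on RKR described next.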
RootkitRevealer Limitations
• Rootkits have already attacked RKR directly by not cloaking when scanned
  • Windows API scan looks like raw scan
  • RKR is given the true system view
• We've modified RKR to be harder to detect by rootkits
  • RKR is adopting rootkit techniques itself
  • Rootkit authors will continue to find ways around RKR's cloak
  • It's a game nobody can win
  • All rootkit detectors suffer the same vulnerability
Local Kernel Debugging
• Windbg supports "local kernel debugging" (LKD)
  • Works like standard kernel debugging, which requires two computers
  • Requires Microsoft Debugging Tools For Windows (free download from Microsoft)
  • Can examine kernel structures of a live system
  • Supported on XP and higher including 64-bit (on Windows Vista and later the system must also have been booted with kernel debugging enabled, bcdedit /debug on)
  • For NT 4 and Windows 2000 use Sysinternals' Livekd
  • Both require matching kernel symbols
    • Use Microsoft's symbol server (documented in the help file)
LKD Rootkit Hunting
• List running processes and compare with Process Explorer:
  !process 0 0
• List loaded drivers and compare with Process Explorer:
  .reload
  lmkv
• Look for kernel hot-patches:
  !chkimg -d nt
• Dump the system service table and interrupt dispatch table (IDT):
  dd kiservicetable
  !idt -a
Finding and Deleting Malware Files

Sigcheck
• Scan the system for suspicious executable images:
  sigcheck -e -u -s c:\
  (-e: executable images regardless of extension, -u: report only unsigned images, -s: recurse subdirectories)
• Look for the same characteristics as suspicious processes
  • Be especially wary of items in the \Windows directory
  • Investigate all unsigned images
Deleting Hard-to-Delete Files
• Files that are open or mapped can't be deleted
  • Find the owning process with Process Explorer's search (Find Handle or DLL)
  • Terminate the process and delete the file
• If you still can't delete it (it might be protected by a driver or system process):
  • Try renaming it
  • If that fails, schedule it for deletion at the next reboot with Sysinternals' Movefile:
    movefile malware.exe ""
    (an empty destination means delete; the request is recorded in the PendingFileRenameOperations value under HKLM\System\CurrentControlSet\Control\Session Manager and carried out early in the next boot, before the malware can reopen the file)
  • If it still won't go away, delete it from an off-line OS
Deleting Hard-to-Delete Registry Keys
• Watch for key security
  • Some antispyware tools don't report access-denied errors
  • Use Regmon to check for errors
  • Use Regedit to change security permissions
• Some keys have embedded nulls
  • Can't be opened with standard tools like Regedit
  • Use Sysinternals' Regdelnull:
    regdelnull hklm\software
    (add -s to recurse into subkeys)
  • As a last resort use Regedit in ERD Commander
Summary and the Future

Malware Cleaning Steps
• Disconnect from the network
• Identify malicious processes
• Terminate identified processes
• Identify and delete malware autostarts
• Delete malware files
• Reboot and repeat
The Future of Malware
• We're already seeing trends:
  • Malware that pretends to be from Microsoft or other legitimate companies
  • Malware protected by rootkits
  • Malware that can't be cleaned on-line
• Cleaning is going to get much harder
  • Targeted and polymorphic malware won't get AV/AS signatures
  • Malware can directly manipulate Windows structures to cause misdirection
  • All standard tools will be directly attacked by malware
  • There will be more un-cleanable malware
  • Malware will adapt to a limited-user environment

The Bottom Line
• Be careful what you run!
References
• Mark's Sysinternals Blog: www.sysinternals.com
  • Sony, Rootkits and Digital Rights Management Gone Too Far
  • The Antispyware Conspiracy
• www.spywarewarrior.com
• www.rootkit.com
• Windows Internals, by Mark Russinovich and David Solomon, Microsoft Press

Summary
• Thanks for coming!
• Please fill out your evals

© 2006 Microsoft Corporation. All rights reserved.
This presentation is for informational purposes only.
MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS SUMMARY.