Sunday, February 24, 2008

Malware Containment: Level II



Once you are monitoring network traffic and have observed something suspicious, follow a few rules to keep the analysis organized and fruitful. Here are my favorite procedures for malicious traffic analysis:

· Use the sniffer to list the top senders against destination host and destination port: everything starts with knowing who is talking to whom, over which protocols. Infected hosts stand out by their changed behavior: a burst of ARP requests for address after address (an "ARP storm", the signature of a host sweeping its subnet), an unusual number of DNS resolutions, or a host other than the mail server suddenly generating SMTP traffic.
See the ARP broadcast as a sniffer shows it:



· Use the sniffer to see the full session data and look for clues about what is being sent between hosts. HTTP packets, for example, show requests to download or upload files, bot-to-mothership traffic, and so on. Every captured packet is valuable to the analysis; this is like collecting the pieces of a crashed plane.


· If a unique pattern keeps repeating whenever compromised hosts generate traffic, use that pattern as a capture filter to make the sniffer more specific and faster.

· Sniffers can send notifications (e-mail, pager, SNMP trap, SMS) whenever something shows up on the radar. For instance: if any host makes this specific HTTP request, e-mail me.

· A unique pattern is also the first step toward an IDS rule, or even a firewall rule. IDS rule writers rely on sniffers to find patterns, then have the IDS look for them at a specific location in the packet and raise an alert when they match.

· Save the captured packets for offline analysis, or to share with other analysts on the Internet. Use the libpcap format (".cap"/".pcap"), which nearly every sniffer and IDS reads.
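Here is a worked example of the "who is talking to whom" triage above. It is an added example, not code from the original post: it assumes flow records (source, destination, protocol, destination port) already pulled out of a capture, say with tshark -T fields, and the records it runs on are constructed, not a real capture. The thresholds and the list of permitted mail servers are assumptions to tune for your own network.

```python
"""Top-talker and behaviour-change triage over captured traffic records.

Added example, not code from the original post. It assumes flow records of
the form (src, dst, proto, dport) already extracted from a capture (e.g. with
tshark -T fields); the records below are constructed, not a real capture.
"""
from collections import Counter, defaultdict

# Constructed sample: one host (10.0.0.23) ARP-sweeps the subnet, resolves many
# names and talks SMTP directly to the Internet; the rest of the LAN is normal.
RECORDS = []
for i in range(1, 60):                         # ARP who-has 10.0.0.1 .. 10.0.0.59
    RECORDS.append(("10.0.0.23", "10.0.0.%d" % i, "arp", 0))
for i in range(40):                            # 40 DNS lookups in one window
    RECORDS.append(("10.0.0.23", "10.0.0.2", "udp", 53))
for i in range(30):                            # direct SMTP to ten outside MXs
    RECORDS.append(("10.0.0.23", "203.0.113.%d" % (i % 10 + 1), "tcp", 25))
RECORDS += [
    ("10.0.0.5", "10.0.0.2", "udp", 53),
    ("10.0.0.5", "198.51.100.7", "tcp", 80),
    ("10.0.0.9", "10.0.0.2", "udp", 53),
    ("10.0.0.9", "198.51.100.7", "tcp", 443),
    ("10.0.0.25", "198.51.100.20", "tcp", 25),   # 10.0.0.25 is the mail server
    ("10.0.0.7", "10.0.0.8", "arp", 0),
]

MAIL_SERVERS = {"10.0.0.25"}     # assumed: hosts allowed to speak SMTP outside
ARP_STORM_THRESHOLD = 20         # assumed: distinct ARP targets per host/window
DNS_THRESHOLD = 25               # assumed: DNS queries per host/window


def top_senders(records, n=5):
    """Who talks to whom on which port: (src, dst, proto, dport) -> count."""
    return Counter(records).most_common(n)


def arp_storm_hosts(records, threshold=ARP_STORM_THRESHOLD):
    """Hosts asking for an unusual number of distinct neighbours (subnet sweep)."""
    targets = defaultdict(set)
    for src, dst, proto, _ in records:
        if proto == "arp":
            targets[src].add(dst)
    return sorted(h for h, t in targets.items() if len(t) >= threshold)


def dns_heavy_hosts(records, threshold=DNS_THRESHOLD):
    """Hosts making many DNS queries (mass mailers resolve MX records in bulk)."""
    counts = Counter(src for src, _, proto, dport in records
                     if proto == "udp" and dport == 53)
    return sorted(h for h, c in counts.items() if c >= threshold)


def rogue_smtp_hosts(records, mail_servers=MAIL_SERVERS):
    """Hosts sending SMTP that are not the designated mail servers."""
    return sorted({src for src, _, proto, dport in records
                   if proto == "tcp" and dport == 25 and src not in mail_servers})


def suspects(records):
    """Union of the three indicators, with the reasons each host tripped."""
    reasons = defaultdict(list)
    for h in arp_storm_hosts(records):
        reasons[h].append("arp-storm")
    for h in dns_heavy_hosts(records):
        reasons[h].append("dns-heavy")
    for h in rogue_smtp_hosts(records):
        reasons[h].append("rogue-smtp")
    return dict(reasons)


if __name__ == "__main__":
    for key, count in top_senders(RECORDS):
        print("%-12s -> %-15s %s/%-4d %d" % (key[0], key[1], key[2], key[3], count))
    print(suspects(RECORDS))
```

The three indicators are deliberately kept separate: an ARP sweep alone could be a network scanner run by an admin, and heavy DNS alone could be a proxy, but a workstation that trips all three in one window is almost certainly a mass mailer.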

Here is a list of the sniffers I recommend:

OK, enough about sniffers. I will move on to another important player in the game, the IDS. Keep an IDS running all the time to detect what a sniffer alone can't, because an IDS adds analysis engines, correlation engines, signatures and the ability to reassemble fragmented packets and TCP sessions on top of plain packet capture. Deploy it so that it watches the in/out traffic at every network point (gateway, Wi-Fi, LANs); an IDS is basically a sniffer with extra engines and signatures, so it can only detect attacks in the packets it actually sees. If your network contains switches, configure a SPAN/monitoring port so the IDS receives a copy of all the traffic passing through the switch.

Using an IDS to detect in-the-wild malware depends on many factors:

- Are the signatures up to date for the latest malware?
- Are they generic or specific signatures?
- Is the IDS deployed at the critical in/out points of your network?

As an example, Snort IDS (if you are in Kuwait, visit the Kuwait-SUG) is a good start: it's free, sophisticated and community supported. Installing and deploying Snort is out of scope here; it will get its own tutorial later.

Snort relies on signatures to detect attacks and malware. For example, the following Emerging Threats signature detects one variant of the botnet worm that currently dominates, Storm (more on it later):

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT EVENTS Likely Storm Binary Requested (with_love.exe)"; flow:established,to_server; uricontent:"/with_love.exe"; nocase; classtype:trojan-activity; reference:url,asert.arbornetworks.com/2008/01/storm-loves-you-new-campaign-valentines-day-theme/; sid:2007761; rev:2;)

From the signature it's clear that the rule fires on an outbound HTTP request whose URI contains /with_love.exe, the name under which this Storm variant is downloaded; uricontent looks only at the request URI, and nocase makes the match case-insensitive.

I received another Storm variant in my e-mail, under the name Valentine.exe, so we can modify the previous signature to detect it:

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"LOCAL Likely Storm Binary Requested (Valentine.exe)"; flow:established,to_server; uricontent:"/valentine.exe"; nocase; classtype:trojan-activity; reference:url,asert.arbornetworks.com/2008/01/storm-loves-you-new-campaign-valentines-day-theme/; sid:1000001; rev:1;)

One detail matters when you clone a rule: give the copy its own sid and start its rev at 1. Snort reserves sids below 1,000,000 for distributed rulesets such as ET and VRT, so local rules start at 1,000,001; a copy that kept sid:2007761 would collide with the original rule when both are loaded.

Another example detects a bot's outbound communication to its Command & Control server:

alert tcp $HOME_NET 1024:65535 -> $EXTERNAL_NET 1024:65535 (msg:"BLEEDING-EDGE TROJAN Trojan.Win32.Qhost C&C Traffic Outbound (case1)"; flow:established; dsize:>1000; content:"|00 00 00 28 0a 00 00 02 0f|Service Pack 1|00|"; classtype:trojan-activity; reference:url,www.viruslist.com/en/viruses/encyclopedia?virusid=142254; sid:2007578; rev:1;)

Watch the bytes after content: they are the traffic pattern we captured while sniffing the bot's traffic to the mother ship (the C&C server). Snort writes raw bytes as hex between pipe characters (|00 00 ... 0f|) and printable text literally, so one content match can combine both, and dsize:>1000 makes the rule look only at payloads larger than 1000 bytes.

Anyway, these are just a few examples to show the detection and visibility an IDS gives you over malware in your network.
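To see what the IDS actually does with those two rules, here is a small Python model of the rule options they use. This is an added example, not Snort code and not from the original post. It covers only uricontent with nocase, content with the |hex| notation and the dsize precondition, and it takes the request-URI straight from the request line instead of Snort's normalized URI buffer; the HTTP requests and the C&C beacon it runs on are constructed samples, not captures.

```python
"""Minimal matcher for Snort 'content' / 'uricontent' patterns.

Added example, not the IDS's own code and not from the original post. It
implements only the parts of the rule language the two rules above use: the
|hex| byte notation inside a content string, the nocase modifier and the
dsize:>N precondition. All payloads below are constructed.
"""
import re


def parse_content(pattern):
    """Turn a Snort content string into bytes.

    Text outside pipes is literal ASCII; text between pipes is hex bytes,
    so "ab|00 01|cd" becomes b"ab\\x00\\x01cd".
    """
    parts = pattern.split("|")
    if len(parts) % 2 == 0:
        raise ValueError("unbalanced | in content: %r" % pattern)
    out = bytearray()
    for i, part in enumerate(parts):
        if i % 2 == 0:
            out += part.encode("latin-1")      # literal text
        else:
            out += bytes.fromhex(part)         # hex run, spaces allowed
    return bytes(out)


def content_match(payload, pattern, nocase=False):
    """True if the parsed pattern occurs anywhere in the payload."""
    needle = parse_content(pattern)
    if nocase:
        return needle.lower() in payload.lower()
    return needle in payload


def uri_of(http_request):
    """Request-URI of an HTTP request, or None if there is no request line."""
    m = re.match(rb"[A-Z]+ (\S+) HTTP/1\.[01]\r\n", http_request)
    return m.group(1) if m else None


def storm_rule(http_request, name):
    """Model of the 'Likely Storm Binary Requested' rule: uricontent + nocase."""
    uri = uri_of(http_request)
    return uri is not None and content_match(uri, "/" + name, nocase=True)


def qhost_rule(payload):
    """Model of the Qhost C&C rule: dsize:>1000 plus a mixed hex/text content."""
    return len(payload) > 1000 and content_match(
        payload, "|00 00 00 28 0a 00 00 02 0f|Service Pack 1|00|")


# Constructed traffic samples (not real captures).
STORM_REQ = b"GET /Valentine.EXE HTTP/1.1\r\nHost: example.invalid\r\n\r\n"
BENIGN_REQ = b"GET /valentine.html HTTP/1.1\r\nHost: example.invalid\r\n\r\n"
CNC_BEACON = (b"\x00\x00\x00\x28\x0a\x00\x00\x02\x0fService Pack 1\x00"
              + b"A" * 1100)
SHORT_BEACON = CNC_BEACON[:200]   # same bytes, but dsize too small to fire

if __name__ == "__main__":
    print("storm:", storm_rule(STORM_REQ, "valentine.exe"),
          storm_rule(BENIGN_REQ, "valentine.exe"))
    print("qhost:", qhost_rule(CNC_BEACON), qhost_rule(SHORT_BEACON))
```

The point of SHORT_BEACON is that a content match alone is not a rule match: every other option in the rule (dsize, flow, ports) must also hold, which is why the first thing to check when a rule you expect to fire stays quiet is those extra conditions, not the pattern.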

Deploy the IDS at these points:

- Between the Internet router and your network: an IDS here gives full visibility of the network's inbound/outbound traffic. Use a network TAP at this point: unlike a SPAN port, a TAP passes every packet to the sensor regardless of how busy the switch is.
- Inside the DMZ: to watch the attacks that target your critical servers in the DMZ. A compromised server is also detected much faster than by manual inspection.
- Inside the LAN: the main battlefield between malware and system admins. Use the SPAN port on your switches to give the IDS visibility, because a switch forwards a unicast frame only to the port that owns the destination MAC address; a sensor on an ordinary port sees only broadcasts and its own traffic. The SPAN port duplicates the traffic of the LAN ports onto the port the IDS is connected to.
See how a sniffer/IDS is connected to a SPAN port:

To be continued ...


Thursday, February 21, 2008

The War is still on ...


You know I'm not talking about wars against terrorism, AIDS, or drugs. It's between antivirus vendors and virus writers. The latest in-the-wild malware uses sophisticated techniques to stay under the radar, and you as the end user feel safe when your AV software shows the misleading pop-ups "No Virus Found" or "System is clean", while the truth is that your system is damn infected with some packed virus or a rootkit. Why do I say this? Because today it happened to me: a computer was infected with the "Trojan.PWS.Onlinegames.BS" virus and the AV was totally fooling me. What we should learn is not to believe in the "silver bullet" concept. It's all marketing people who keep injecting these ideas to convince customers to buy their stupid software. What we need is to keep a wide distance between the end user and malware, by enforcing the written policy and reviewing the results. Don't depend on desktop AV software alone: replace your old firewall with a good UTM appliance that has an AV module and make sure viruses stop there. Using different AVs on the network and on the desktops is recommended, because vendors get their virus samples from different places, and faster is better. Also use an Internet filtering solution that stops users from visiting malicious sites, and prevents already-infected machines from updating their virus files from the main servers. In the end, make sure to install more lines of defense to keep the security balance in your network. Getting a book about defense in depth is a good start.

Monday, February 18, 2008

Malware Containment - the basics




We talked about malware analysis on a single infected box, but suppose you have a huge number of infected ones, or many VLANs in your network .... I know what you are thinking: the previous tutorials were focusing on a small problem that will get bigger soon if you don't follow the basics of malware containment.


As a system admin, you should rely on many tools and techniques to fight malware. But as malware gets more sophisticated and harder to detect with normal antivirus software, we have to build more virus-resistant networks.

Understanding malware behaviour is not rocket science; it takes a little of your time to discover an infection in the network by using handy monitoring tools that keep an eye on every odd event that may occur at any time.

To make it simple, I'll use keywords that will be covered here: (Network Sniffer, SNMP, MRTG, VLAN ACLs, Firewall ACLs, Honeypots, Nepenthes, Snort IDS, Gateway Antivirus, Windows Domain Policy, Windows Firewall (ICS), SRP, Network TAP, Host Antivirus, Antispam virus engine, Antispam attachment policy, Switch Broadcast Rules, Switch ACLs, Switch IDS Modules)

I'll mention some famous worms whose names come up every time worms are discussed, and the ways they move fast and infect huge networks in hours.

  • Nimda: file infection, mass mailing and LAN propagation.
  • Blaster: direct exploitation of vulnerable hosts.
  • Netsky: mass mailer.
  • Storm: mass mailer (social engineering).

So, to decide from where we should start monitoring in order to spot infections and contain them, we have to list the points of connection:

  • Internet-to-LANs: the main gate of our network and the first point to monitor.
  • LAN-to-Internet: every host that can reach the outside world could be infected and trying to infect other machines, or it could be a bot trying to "call home", a.k.a. calling the mother ship.
  • LAN-to-LAN: here is where we should be careful; any sharp rise in broadcast traffic means we have infected machines, and to contain them we can use a lot of ways that I'll talk about.
  • Wireless-to-Internet: employees or guests connected to this zone are highly likely to be infected and trying to reach other machines on the Internet.
  • Wireless-to-LAN: infected wireless machines can reach the internal LAN if there are no firewall/switch ACLs to deny them.
  • VPN-to-LAN: VPN users' home environments are beyond your control, but at least we can inspect their traffic at the gateway.
  • Branch-to-LAN: gateway-to-gateway VPNs are encrypted, so monitoring these links is hard, and the tunnel is a protected channel for viruses to travel through as well. But we can inspect the clear traffic after decryption.
  • Dialup-to-hosts: if you allow modems inside your network, stop it, because this opens a hole in your wall that bypasses your multi-thousand-dollar firewalls and lets viruses in.





OK amigo, if you want to flex your muscles in front of management claiming that your network is secure and malware-proof, reconsider. The latest blog posts show how current security systems are unable to defend against the latest generations of malware and bots, so we have to use additional techniques to detect the hidden threats in our networks.

I'll list the risks you may face in case of internal malware propagation:

  1. Computer infections: this is the first thing to think about. Once a computer is infected it starts scanning and propagating; infected computers become unavailable, untrustworthy and less productive, if productive at all.


  2. Rise in traffic utilization: this definitely slows down network-based applications and services, and makes network devices busy and unresponsive because of the packet-processing load. Some old devices will start crashing and dropping links.


  3. Internal denial of service: once a server becomes unreachable, that is a DoS, because routers and switches drop new packets when their buffers are full, or the servers themselves (DNS, SMTP, proxy) become too busy to answer.


  4. MX record blacklisting: if you don't control which hosts are authorised to send e-mail outside, consider this point a knock on your door. Always use ACLs so that ONLY the mail servers may open SMTP connections to the Internet. Leaving the door open for any compromised host to send spam numbers the days you can still send and receive e-mail, and that is against your business aim of 24/7 service to your users and customers.


  5. User productivity: a healthy computer makes your user happy and productive. It's always wise to have spare machines or virtual machines to replace infected ones, and in case of a complete system crash or failure a fast recovery solution is highly recommended, for example Symantec Backup Exec for Windows Servers / Desktops.

After listing these terrible risks, we should draw up a vision of where to put the defenses and monitoring points.

Monitoring Points as in Military

You have to treat your network as a battlefield: install radars at the gateway, inside the internal LANs and in the critical servers zone. If you want to contain malware propagation you have to see it, and to see it you must sniff and monitor. Sniffers are your eyes on the wire, and it's advisable to start learning about them if you don't know them yet. From my experience, out of ten system admins, one uses a sniffer!




What is the main benefit of sniffing? It gives you the ability to spot the behavior of zero-day attacks in detail at the network layer. If you want to go deeper you should get a sample, run it on a computer and watch. You can create filters to sniff for a specific pattern on the wire, which saves time and processing. There are two ways to get the pattern: either you take the packet pattern from the web, or you create it yourself while the malware is in action.

For example, once the W32.Blackmal worm has infected a machine it contacts an online statistics counter. To capture this, create either a DNS request filter or an HTTP request filter for the domain webstats.web.rcn.net. Here is the capture filter used in the WildPackets OmniPeek sniffer:
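If you'd rather run the same filter from a script (for example over the DNS packets pulled out of a saved capture), here is an added example, not from the original post and not an OmniPeek filter, that decodes the question name from a raw DNS query payload and matches it against a watch list. The watch list holds the domain named above; the packets are built by the example's own build_query() and are constructed, not captured.

```python
"""Filter DNS queries for a watched name out of raw UDP payloads.

Added example, not from the original post and not an OmniPeek filter. It
decodes the QNAME of a DNS query message the way a sniffer filter on "DNS
request for webstats.web.rcn.net" would, so the same check can be run from
a script over DNS payloads (e.g. taken from a pcap). The packets below are
constructed by build_query(), not captured.
"""
import struct

WATCHED = {"webstats.web.rcn.net"}   # the counter W32.Blackmal contacts (from the post)


def build_query(name, txid=0x1234):
    """Build a minimal DNS A query for `name` (used here only to construct samples)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD set, 1 question
    qname_bytes = b"".join(bytes([len(label)]) + label.encode("ascii")
                           for label in name.split("."))
    return header + qname_bytes + b"\x00" + struct.pack("!HH", 1, 1)  # QTYPE=A, IN


def qname(payload):
    """Decode the first question name from a DNS message; None if malformed.

    Handles the label format and the 0xC0 compression pointer, and refuses
    names that loop or run past the end of the packet.
    """
    if len(payload) < 12:
        return None
    flags, qdcount = struct.unpack("!HH", payload[2:6])
    if flags & 0x8000 or qdcount == 0:          # a response, or no question
        return None
    labels, pos, hops = [], 12, 0
    while True:
        if pos >= len(payload):
            return None
        length = payload[pos]
        if length == 0:
            break
        if length & 0xC0 == 0xC0:               # compression pointer
            if pos + 1 >= len(payload) or hops > 16:
                return None
            pos = struct.unpack("!H", payload[pos:pos + 2])[0] & 0x3FFF
            hops += 1
            continue
        if length > 63 or pos + 1 + length > len(payload):
            return None
        labels.append(payload[pos + 1:pos + 1 + length].decode("ascii", "replace"))
        pos += 1 + length
    return ".".join(labels).lower()


def matches_watchlist(payload, watched=WATCHED):
    """True if this DNS query asks for a watched name or a subdomain of one."""
    name = qname(payload)
    if name is None:
        return False
    return any(name == w or name.endswith("." + w) for w in watched)


def filter_queries(packets, watched=WATCHED):
    """(src, payload) pairs -> list of (src, name) hits: the sniffer-filter output."""
    return [(src, qname(p)) for src, p in packets if matches_watchlist(p, watched)]


# Constructed sample: one infected host hits the counter, two hosts are clean,
# one packet is truncated junk that must not crash the filter.
PACKETS = [
    ("10.0.0.23", build_query("webstats.web.rcn.net")),
    ("10.0.0.5", build_query("www.example.com")),
    ("10.0.0.23", build_query("WEBSTATS.web.rcn.NET")),
    ("10.0.0.9", b"\x12\x34\x01\x00\x00\x01" + b"\xff" * 3),
]

if __name__ == "__main__":
    for src, name in filter_queries(PACKETS):
        print("%s asked for %s" % (src, name))
```

Matching on the decoded name rather than on a raw byte string avoids the two classic misses of a naive filter: mixed-case queries (DNS names are case-insensitive) and names split into labels, where the dots you typed never appear on the wire.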





Besides sniffing, we should monitor traffic utilization 24/7 with handy tools like MRTG (free) or PRTG ($$$), which use SNMP to poll networking/security devices for the current in/out bandwidth of each interface. This is a very important task, because propagation means generating thousands of packets to reach every host inside and outside your network, and that volume of traffic is easy to spot on a graph. It is faster and more readable than sniffing because it is high-level monitoring; the next step is sniffing to see the details of the traffic.
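For those who want to see what MRTG is computing behind the graph, here is an added example, not MRTG's code and not from the original post. It assumes you already poll the interface's ifInOctets or ifOutOctets (32-bit SNMP counters) on a fixed interval; the counter series below is constructed to include both a counter wrap at 2^32, the classic source of bogus spikes in home-made scripts, and a propagation burst, and the link speed is an assumed 10 Mbit/s.

```python
"""MRTG-style interface utilization from SNMP octet-counter samples.

Added example, not from the original post and not MRTG's code. It assumes
you already poll ifInOctets/ifOutOctets (Counter32) every `interval`
seconds; the sample series below is constructed to include a counter wrap
and a worm-propagation burst.
"""
COUNTER32_MAX = 2 ** 32
LINK_BPS = 10_000_000        # assumed 10 Mbit/s LAN link


def rate_bps(prev, cur, seconds):
    """Bits per second between two Counter32 readings, handling a 32-bit wrap."""
    delta = cur - prev
    if delta < 0:                      # counter wrapped past 2^32 since last poll
        delta += COUNTER32_MAX
    return delta * 8 / seconds


def utilization(samples, interval, link_bps=LINK_BPS):
    """[(ts, octets)] -> list of (ts, bps, percent_of_link) per interval."""
    out = []
    for (t0, c0), (t1, c1) in zip(samples, samples[1:]):
        bps = rate_bps(c0, c1, interval)
        out.append((t1, bps, 100.0 * bps / link_bps))
    return out


def spikes(util, baseline_points=3, factor=5.0):
    """Intervals whose rate exceeds `factor` x the average of the first
    `baseline_points` intervals (a calm period before the outbreak)."""
    if len(util) <= baseline_points:
        return []
    baseline = sum(b for _, b, _ in util[:baseline_points]) / baseline_points
    return [(ts, round(pct, 1)) for ts, bps, pct in util[baseline_points:]
            if bps > factor * baseline]


# Constructed: 50,000 octets per 300 s baseline, a wrap at 2^32, then a burst
# of 300,000,000 octets per interval (8 Mbit/s on a 10 Mbit/s link).
INTERVAL = 300
SAMPLES = [
    (0,    4_294_850_000),
    (300,  4_294_900_000),
    (600,  4_294_950_000),
    (900,  32_704),           # wrapped: 32_704 - 4_294_950_000 + 2^32 = 50,000
    (1200, 82_704),
    (1500, 300_082_704),      # worm starts scanning
    (1800, 600_082_704),
]

if __name__ == "__main__":
    for ts, bps, pct in utilization(SAMPLES, INTERVAL):
        print("t=%5d  %12.0f bps  %5.1f%%" % (ts, bps, pct))
    print("spikes:", spikes(utilization(SAMPLES, INTERVAL)))
```

Without the wrap handling, the reading at t=900 would come out as a huge negative rate (or, with abs(), as a fake 100%+ spike), which is exactly the kind of false alarm that makes people stop trusting the graph; on gigabit links, poll the 64-bit ifHCInOctets/ifHCOutOctets counters instead, since a 32-bit counter wraps in under a minute at that speed.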

See this MRTG screenshot of the Witty worm's activity:



To be continued ....

Saturday, February 16, 2008

Blog Readers Statistics


Wow, today I got nice statistics from the counter; thanks to all who came and visited the blog.

Friday, February 15, 2008

Happy Valentine's day


"When Love Comes Knocking" lovely title for a message. I'm a single guy, so there is no way on earth that i could receive this from a real lover.

Well, since there are hundreds of single guys receiving this every Valentine's Day, they will get curious about the identity of the sender, so they will definitely open the message and drink the poison slowly.


This is one of the best spam/phishing techniques to convince people to open mails, because we are human beings and we like to discover new things. Discover the unknown.


This was the subject of one of the many spam mails I get every day in my Gmail account. The interesting part was the mail details:


Subject: When Love Comes Knocking

Sender: clariflas@ncprecisionfitness.com <<<--- First Rule: Unknown to me

Body:

Love Remains http://75.132.xxx.xxx/ <<<<----- Oh man, wait, here we have an IP-based URL. So this is not an officially registered domain name; it should be another compromised host on the Internet. So I said to myself, this is cool ... let's hunt.

Tools of the trade:



Malzilla: the night hunter's tool to discover malicious domains/IPs/URLs safely. You can parse links and IFrames and decode the JavaScript that hides executables behind it. No need for VMware images anymore, unless you want to execute the real malware sample to see what happens.


Let's get back to the mail and see the screenshots of the analysis (click on the image):







After getting the suspicious URL, we inspect it using Malzilla (click on the image):








Let's discover the URL (click on the image):






So, after getting the malware name, "Valentine.exe", let's see what we can get from the antivirus vendor pages.



Malware type: Worm

Aliases: Email-Worm.Win32.Mydoom.al (Kaspersky), W32/Kipis.h@MM (McAfee), W32.Kipis.J@mm (Symantec), Worm/Mydoom.AR (Avira), W32/Kipis-H (Sophos),

In the wild: Yes



So be careful, guys; follow these rules for secure e-mail reading:


  1. Never open URLs from people you don't trust.

  2. Never open URLs given as a bare IP address, like http://23.44.xxx.xxx/, because the host is very likely compromised (malware infected).

  3. Install McAfee SiteAdvisor to warn you before you open malicious URLs/sites.

  4. Get good antispam software or an appliance to filter unwanted e-mail.

  5. Educate your users/customers in the basics of secure e-mail reading.

And Happy Safe Valentines Day ... ;)

Sunday, February 10, 2008

Analyze Malware-infections on your own - part 2

Today we will continue our talk about malware; let's go one step forward and see how exciting it is once you have busted the malware on your machine and can clean it. I always call this process "CSI: Malware Analysis" (not yet broadcast, folks). Why? Your antivirus is clueless, either because it's not up to date or because there are no signatures yet for that malware. You have to come to the rescue, or format the system and lose your data, configurations, forgotten files, etc. So your job starts where the antivirus stops.

Once we start inspecting processes, it doesn't mean we have the full picture; in other words, malware has skills for hiding itself in your machine's corners. I will give some examples:

  • Malware usually saves itself inside system folders, mostly Windows and System32, because all of the Windows system files live there. It's a tricky move, counting on the fact that ordinary users don't reach those areas of their computers unless they are techies.

  • Another trick is using the names of Windows system files, yes, the very same names: for example svchost.exe, lsass.exe, cmd.exe, iexplore.exe, smss.exe, winlogon.exe, services.exe, csrss.exe, inetinfo.exe, etc. But using the same file names doesn't make it hard to figure out. Take this hint: the fake system files don't live in the original folders. For example, %home%\Local Settings\Application Data\smss.exe, while the real smss.exe lives in %SystemRoot%\System32.

  • Malware can take advantage of the registry, creating/modifying/deleting keys to add itself to the startup process, disable a protection software or service, or hijack the Explorer shell.

  • Malware can use rootkit functionality, which hides its processes from Task Manager, its files from Windows Explorer, its connections from netstat, and so on.

  • Malware can use polymorphism, basically a smart way to evade detection by encrypting the virus body and using a decryptor component to decrypt the payload when the file executes. To go deeper: an encrypted virus consists of a virus decryption routine (VDR) and an encrypted virus body (EVB). Executing an infected application runs the VDR, which decrypts the EVB, which in turn performs the virus's intended function. In the propagation phase the virus is re-encrypted and appended to another host application, and a new key is generated randomly for each copy, altering the appearance of the body. In a plain encrypted virus the VDR itself stays constant, and that is its inherent weakness: the decryptor can be recognised by signature. A truly polymorphic virus therefore also mutates the decryptor from copy to copy, so that no fixed byte string is left to match.

  • Metamorphic malware uses a mutation engine (ME) to rewrite the whole virus body into a new shape with the same function, so it re-alters the code itself and changes its signature pattern.

  • Malware can use armouring: programming tricks that make disassembling, debugging and understanding the code difficult.

After going through these nasty ways malware hides and evades, I'll show you how to do advanced inspection at the machine and network level.

Starting at the machine level, a systematic approach makes your job more organised, professional and error-free. The approach depends on keeping a "malware activity log" in a text file: write down your findings and connect them to get the full picture, then start putting countermeasures in place locally and at the gateway.

To start the inspection process, consider the following:

  1. The infected machine may be busy sending spam outside your network. If you don't enforce at the firewall which machines are allowed to send mail outside, this will get your MX record blacklisted and your mail rejected by other mail servers. So be aware that even one infected machine is a big troublemaker for you; make sure your mail server is the only host allowed to send SMTP through the firewall.

  2. The infected machine is scanning the local subnets for other prey, so you can enable Windows Firewall and block file and printer sharing to prevent the virus from reaching the others.

  3. The infected machine may be a bot participating in a big botnet as a slave that does the dirty work on behalf of the botnet master: DoSing other networks, generating spam, running open proxies or mail relays, scanning machines, etc.

From my experience, most of the infection cases I've seen were one of the previous cases.


Your Arsenal of tools

We talked about Process Explorer before, but you need more tools for your forensics arsenal. I'll categorize this toolkit to make sure we cover all Windows components:

  1. Portable process managers: these help you dig deeper and catch running viruses, and collect information about them (image path, strings, TCP/IP connections, etc.).

  2. Portable file managers: these help explore the Windows file system and find files, because malware usually disables a lot of Windows Explorer settings.

  3. Portable registry managers: these give access to the registry to read, add, delete and modify keys.

  4. Portable anti-rootkits: discover and expose hidden processes, files, TCP/IP connections, services, registry keys, kernel modules and a lot more that Task Manager and Process Explorer will not show.

  5. Portable antivirus: don't always trust the running AV, because it could be corrupted, deleted, uninstalled, stopped or disabled.

  6. Portable hashers: hashers help when you want to verify file hashes for modifications.

  7. Portable compressors: to compress files in case you want to back them up or submit a virus sample.

  8. Portable sniffers: malware generates a lot of traffic that may reveal what it's trying to do (SMTP for spam, DNS queries, NetBIOS/SMB to access other computers' shares, IRC or P2P for botnet control, HTTP to download other code or register online).

  9. Portable browsers: IE may be corrupted, insecure or inaccessible.

  10. Portable autorun monitors: these reveal a lot of viruses that try to run the next time you reboot the system. 30% of your analysis depends on these monitors.

  11. VirusTotal Uploader: this nifty tool uploads any file to VirusTotal.com and scans it against some 25 AV engines.

After listing our toolkit, let's see the analysis path you should usually follow to recover your system:

click on the figure to see the large one


From the figure, it's obvious that analysis proceeds from left to right, starting with:

  • discovering processes
  • checking for registry modifications
  • checking TCP/IP listening ports and initiated connections
  • taking process discovery to the next level with sophisticated anti-rootkits that reveal objects hidden from the OS
  • inspecting system services for modifications (new services, stopped services)
  • Virus scan: this is a primary task because our main purpose is to clean the system, but sometimes the antivirus isn't ready if the virus hides perfectly, so killing the main virus process that hides the child processes/files clears the dust and makes cleaning easier
  • VirusTotal.com provides a free service to upload sample files and scan them against some 25 engines, which gives you the virus name
  • ThreatExpert provides an online virus sandbox service: you submit a sample, it gets executed inside a controlled environment, and the report lists the Windows API calls it makes
  • After building a full picture of what's going on in your system, it's time for complete cleaning: delete the malware files, delete its registry keys, reset modified registry keys to their original state, fix the Windows shell keys, fix the Windows Explorer folder options, regain access to the system tools (registry, cmd.exe, Task Manager, etc.), reset IE security settings, full scan in safe mode, full boot scan, and monitor system activity for any remaining malicious behavior.
  • If your antivirus was not able to catch the virus in the beginning, it lacks the signatures to detect it, or this is a new variant that employs new techniques to hide from AV. Most vendors have online submission forms or an e-mail address for samples, and they should update their definitions to detect this virus next time.


The Hunting Begins

To protect our toolkit from infection, use a flash disk with a write-protection lock, so it stays read-only media. In many cases I noticed malware trying to copy itself to the flash drive and getting Windows "access denied" errors because the disk is protected, so your flash drive is shielded against infection.

In case you can't use a flash disk, burn the toolkit to a CD-RW, so it's easy to add more tools in the future or update the current versions. You always have to be up to date with the latest security tools to fight malware.

I'm talking about normal situations, when Windows is running and you can access it. But to expect the worst, we should be ready to access it offline. Yes, offline: that means booting from a Windows CD that also contains the previous tools. This helps us because:

  • Highly sophisticated rootkits will be in sleeping mode, meaning they are not executing, so we can detect them normally, delete them, then go back to Windows and complete the job.
  • Malware sometimes destroys Windows boot files or the registry, which makes Windows inaccessible; we have to fix it by copying the system files back, then start the analysis process.
  • Human mistakes: when you modify the registry you have to be careful not to harm the system; a single mistake can make Windows unbootable next time. Always take a backup; I recommend "ERUNT".

To be continued ....

Friday, February 8, 2008

Analyze Malware-infections on your own – Part I

People are depending more and more on ready-made technology and outsourcing to solve security problems, and getting damn lazy to do a single task or to look for the solution themselves. I can see it in their eyes whenever I visit anyone who has a virus outbreak in his network, or whose antivirus is not cleaning the infection, and I get mad when I hear this stupid answer: "Oh! I've formatted the machine ...!" Why ... why keep making the same mistake again and again? Move your ass and search Google for the virus name and see how it works, then craft your own recovery plan until your lovely vendor releases a signature for it. Since I'm supporting many customers: out of 10, only 1 has at least checked the vendor's site.
To start working on malware analysis there are two ways, the hard way and the easy way. The hard way depends on advanced knowledge of assembly language, operating systems, programming languages (C, C++, VBScript, JavaScript, Perl, Python, etc.) and reverse engineering; this part is covered by the antivirus vendors and independent security researchers. The other way depends on a high level of skill in operating systems, networking, batch scripting and security. If you have the required skills you can choose which way to follow. Today I'll show you how to use free and easy-to-get tools, with some skills, to recover your infected machine.



Know your system



To inspect infected systems, you have to know your system by heart. Windows, for example, has two ways to access files and processes: the GUI and the CLI. Sometimes the GUI will be accessible and sometimes it will be locked, with some features disabled by the malware; for example, you can't access regedit.exe, Task Manager or the folder options of Windows Explorer, so you have to do these things from cmd.exe. Basically, my friend, you have to get your hands dirty and help yourself by learning some commands that help during cleaning, because Windows components don't always work as you expect. Virus writers will make your life hell: for example, disabling Windows Installer means you can't install any antivirus, so you have to stick with the running one or get a portable version. Another example is a watch list of window titles (with keywords such as antivirus, Symantec, explorer, regedit, McAfee, AVG, Internet Explorer, etc.) that reboots Windows instantly when one of them appears!



Therefore, to learn about Windows, get yourself familiar with the following:



· Learn how to access anything in Windows in different ways; in case one way is blocked/disabled you'll use another (registry tools, task managers, explorers).
· Learn about the Windows Registry (read / delete / add keys, permissions, regedit, reg).
· Learn about Windows networking (TCP/IP, DNS, NetBIOS, shares, share permissions, admin shares, share passwords, the HOSTS file, enable/disable/restrict sharing).
· Learn about the Windows command line (learn as many commands and switches as you can, because sooner or later you'll have to work through cmd.exe only!).
· Learn about Windows Firewall (rules / exceptions / logging).
· Learn about Internet Explorer (options / security / zones).
· Learn about Windows Event Viewer (event codes / security events / login failures / stopped services / application crashes).
· Learn about Windows Explorer (the Explorer shell, folder options, permissions, disabled components).
· Learn about Windows Task Manager (investigate new processes, CPU/memory-hungry processes, cmd.exe, kill processes).
· Learn about Windows services (new services, stopped services).
· Learn about Windows scripting (VBScript, JScript, batch, to automate commands).
· Learn about system modifications (registry keys, services, system file verification, new files, TCP/IP settings, IE security settings, the HOSTS file, startup folders, listening ports, user accounts, user permissions, inbound/outbound connections).

Know the tools of the trade

Depending on Windows alone to clean infections is a losing game, because the side effects of the malware make your job harder, so we have to rely on third-party tools that replace the same functions in Windows. To collect your own toolkit, save the tools on a write-protected flash disk, because most malware replicates to disks, shares and removable media. We have to do our job without any risk of picking up the infection from the machine, or your built-to-cure flash disk becomes another "mobile mass infector". My toolkit contains a lot; I usually use the tools together with batch scripts to automate my job. I'll start with task managers that expand the functionality of the basic built-in Windows Task Manager, because that's the first place to check for malicious activity inside Windows. The first player in the show is Process Explorer from Sysinternals; this is your gladiator's spear for inspecting suspicious processes. It displays running processes in a tree format that includes not only process names but also program icons and other data such as description, image path, strings, TCP/IP connections and processor time.




Now the question is, how can we utilize this nifty tool for our job to discover the main process(es) behind the infection? Well, let’s see the following features that this tool provides:

1. Kill a Process / process tree
2. Suspend a process
3. Debug a process
4. Restart a process
5. Display the running threads of a process
6. TCP/IP connection of the process
7. Security privileges of the process
8. Image path of the process
9. Printable strings found inside the process’s image/memory
10. Services registered in the process
11. CPU/Virtual Memory/Physical Memory/IO consumed by the process
12. Google the process name


So after showing the Process Explorer functions let me show how to use the tool to inspect the process “X”:

1. Google the process name: this is a very important step, because the search will bring up all of the web pages of security vendors and user forums that have mentioned your process name as a new security threat. So you can start collecting what others have found: open Notepad and write down the key notes about the behavior and the current findings.


2. Usually malware doesn’t have a process description, so the first trick in using Process Explorer is to sort by the Description column: this groups the processes that have a description together and leaves the ones without one at the end. Start from there; this worked for me 100% of the time in my work.


3. You don’t want your infected machine to contact the neighbors, so disconnect the cable at the first sign of any weird behavior. But to see how the computer is trying to reach the outside world, select the process name, go to Properties, then select the TCP/IP tab. If you find a connection whose state is LISTENING on a specific port, the malware is leaving a backdoor in your system; if the state is SYN-SENT and the remote addresses are local, it’s definitely trying to infect the rest of the network.


4. Most malware leaves clues that help analysts identify how it works, either in its TCP/IP connections or in printable “strings”, which contain for example URLs, system functions, registry keys, system files, the virus name, the virus author, etc. To read the strings of the image (the process executable file), select the process, right-click and choose Properties, then go to the Strings tab.


5. You can find the physical location of the process by selecting it, right-clicking and choosing Properties, then going to the Image tab. Additionally, you can see whether the process runs with command-line switches.


6. A lot of malware leaves behind a service to run it automatically once the user reboots the system. To see if the malware has registered any service, select the process, right-click and choose Properties, then go to the Services tab.


7. Malware depends on privileges to access forbidden places in the operating system. To check under which privileges the malware is working, select the process, right-click and choose Properties, then go to the Security tab. You can see the user name and the enabled privileges.
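The same seven checks can be scripted so the findings land in your notes in one go. This is an added example, not from the original post or from SysInternals; it assumes Windows PowerShell 5.1 or newer on Windows 8 / Server 2012 or later (for Get-NetTCPConnection) and an elevated prompt, and the process id 1234 in the usage line is a placeholder.

```powershell
# Added example (not from the original post): triage one suspicious process with
# the checks the post walks through in Process Explorer, from PowerShell.
# Assumes Windows PowerShell 5.1+ on Windows 8 / Server 2012+, run elevated.
function Get-SuspectProcessReport {
    param([Parameter(Mandatory)][int]$ProcessId)

    $proc = Get-Process -Id $ProcessId -ErrorAction Stop
    # Step 2 of the post: malware usually ships without a file description.
    $desc = $proc.Description
    # Step 5: physical location and command-line switches (WMI carries the full command line).
    $wmi  = Get-CimInstance Win32_Process -Filter "ProcessId = $ProcessId"
    # Step 3: LISTENING = possible backdoor; SYN_SENT to LAN peers = possible spreading.
    $conns = Get-NetTCPConnection -OwningProcess $ProcessId -ErrorAction SilentlyContinue
    $listening = $conns | Where-Object State -eq 'Listen'
    $lanSyn = $conns | Where-Object {
        $_.State -eq 'SynSent' -and
        $_.RemoteAddress -match '^(10\.|192\.168\.|172\.(1[6-9]|2\d|3[01])\.)'
    }
    # Step 6: services registered in this process (persistence across reboots).
    $svcs = Get-CimInstance Win32_Service -Filter "ProcessId = $ProcessId"
    # Step 7: the account the process runs under.
    $owner = Invoke-CimMethod -InputObject $wmi -MethodName GetOwner
    # Step 4: printable strings inside the image; keep only URL-looking ones as a quick hint.
    $urls = @()
    if ($proc.Path -and (Test-Path $proc.Path)) {
        $text = [Text.Encoding]::ASCII.GetString([IO.File]::ReadAllBytes($proc.Path))
        $urls = [regex]::Matches($text, 'https?://[\x21-\x7e]{4,80}') |
            ForEach-Object Value | Select-Object -Unique
    }
    [pscustomobject]@{
        Name           = $proc.ProcessName
        NoDescription  = [string]::IsNullOrWhiteSpace($desc)
        ImagePath      = $proc.Path
        CommandLine    = $wmi.CommandLine
        RunsAs         = "$($owner.Domain)\$($owner.User)"
        ListeningPorts = $listening.LocalPort
        LanSynSentTo   = $lanSyn.RemoteAddress
        HostedServices = $svcs.Name
        EmbeddedUrls   = $urls
    }
}

# Usage: list processes without a description first (the post's sort trick), then drill into one.
Get-Process | Where-Object { -not $_.Description } | Select-Object Id, ProcessName, Path
# Get-SuspectProcessReport -ProcessId 1234 | Format-List   # 1234 is a placeholder pid
```

A process you cannot open (protected or running as another user) shows an empty Path and Description, so treat NoDescription as a hint to look closer, not as a verdict on its own.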

After you’ve finished the inspection above and you are sure that this is the malware, do the following:


1. Kill the process tree, now make sure it’s not showing in the console
2. Search for the process’s executable name in the hard drive and delete it
3. Search for the process’s executable name in the registry keys and delete all of them. Sometimes malware sets the read-only/hidden attributes to protect and hide itself, so if killing the process doesn’t help in deleting the files, use the “FileAssassin” tool to delete locked files.
4. If the malware left a service, stop it then disable it.
5. Check the HOST file for any suspicious entries; if any exists just delete it.
6. Reset IE security settings to the Default ones, because malwares sometimes manipulate them to lower-down the security of IE.
7. Check TCP/IP settings for any modifications (DNS/Gateway/Proxy)
8. If you have an installed antivirus and it was not able to catch the malware, it’s time for a full scan. And if you were not able to install an antivirus before, it’s time to do it now to cure the system.
9. Run the Windows System File Checker (SFC) for any modified system files and replace them with correct ones.
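Steps 2 through 7 above are all “look in a known place for the executable name or for a changed setting”, so they can be gathered into one report to review before deleting anything. This is an added example, not from the original post; it assumes an elevated Windows PowerShell 5.1+ prompt on Windows 8 / Server 2012 or later (for Get-DnsClientServerAddress), and the name malware.exe in the usage line is a placeholder.

```powershell
# Added example (not from the original post): after killing the process tree, collect the
# leftovers the post tells you to check, keyed on the executable name. Read-only; it deletes nothing.
function Find-MalwareLeftovers {
    param([Parameter(Mandatory)][string]$ExeName)
    $hits = @()
    # Steps 2/3: copies on disk; -Force also shows files hidden by the read-only/hidden trick.
    Get-ChildItem -Path C:\ -Filter $ExeName -Recurse -Force -ErrorAction SilentlyContinue |
        ForEach-Object { $hits += [pscustomobject]@{ Kind='File'; Where=$_.FullName; Detail=$_.Attributes } }
    # Step 3: autorun registry keys whose values mention the name.
    $runKeys = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
               'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
               'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
               'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
    foreach ($k in $runKeys) {
        $props = Get-ItemProperty -Path $k -ErrorAction SilentlyContinue
        if (-not $props) { continue }
        $props.PSObject.Properties |
            Where-Object { $_.Value -is [string] -and $_.Value -like "*$ExeName*" } |
            ForEach-Object { $hits += [pscustomobject]@{ Kind='Registry'; Where="$k\$($_.Name)"; Detail=$_.Value } }
    }
    # Step 4: services whose image path points at the executable (stop AND disable them).
    Get-CimInstance Win32_Service | Where-Object PathName -like "*$ExeName*" |
        ForEach-Object { $hits += [pscustomobject]@{ Kind='Service'; Where=$_.Name; Detail="$($_.State) / $($_.StartMode)" } }
    # Step 5: HOSTS entries other than comments and the localhost defaults.
    $hostsPath = "$env:SystemRoot\System32\drivers\etc\hosts"
    Get-Content $hostsPath -ErrorAction SilentlyContinue |
        Where-Object { $_ -match '\S' -and $_ -notmatch '^\s*#' -and
                       $_ -notmatch '^\s*(127\.0\.0\.1|::1)\s+localhost\s*$' } |
        ForEach-Object { $hits += [pscustomobject]@{ Kind='Hosts'; Where=$hostsPath; Detail=$_.Trim() } }
    # Step 7: DNS servers and the IE/WinINet proxy, to compare with what this network should use.
    Get-DnsClientServerAddress -AddressFamily IPv4 -ErrorAction SilentlyContinue |
        Where-Object ServerAddresses |
        ForEach-Object { $hits += [pscustomobject]@{ Kind='DNS'; Where=$_.InterfaceAlias; Detail=($_.ServerAddresses -join ',') } }
    $ie = Get-ItemProperty 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings' -ErrorAction SilentlyContinue
    if ($ie.ProxyEnable) { $hits += [pscustomobject]@{ Kind='Proxy'; Where='IE/WinINet'; Detail=$ie.ProxyServer } }
    $hits
}

# Usage: review the report, clean up by hand, then finish with step 9: sfc /scannow
# Find-MalwareLeftovers -ExeName 'malware.exe' | Format-Table -AutoSize   # name is a placeholder
```

Run it from a write-protected toolkit disk as the post advises, and rerun it after a reboot: a Run key or service that comes back tells you a second, unnamed dropper is still on the machine.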

This is a multi-part tutorial about analyzing and curing malware infections, to be continued.

Happy Analyzing ;)