Friday, February 8, 2008

Analyze Malware-infections on your own – Part I

People are depending more and more on ready technology and outsourcing to solve security problems, and getting damn lazy to do a single task or to look for the solution themselves. I can see this in their eyes whenever I visit anyone who has a virus-outbreak in his network, or the antivirus is not cleaning the infection, and I got mad when I hear this stupid answer: “oH! I’ve formatted the machine …!” Why…why... keep doing the same mistake again and again. Move your ass and search in Google about the virus name and see how it’s working, then craft your own recovery-plan till your lovely vendor release a signature for that. Since I’m supporting many customers, out of 10, you can get only 1 has done at least checked the vendor’s site.
To start working on malware analysis there are two ways: the hard way and the easy way, the hard way depends on advanced level of knowledge about assembly language, operating systems, programming languages (c, c++, vbscript, javascript, perl, python..Etc), and reverse-engineering. This part has been covered by the antivirus vendors and independent security researchers. The other way, depends on a high-level of skills about operating systems, networking, batch scripting, and security. If you have the required skills you can choose which way to follow. Today I’ll show you how to use free and easy to get tools, with some skills to recover your infected machine.

Know your system

To inspect infected systems, you have to know your system by heart. Windows for example, has two ways to access files and processes, GUI and CLI. Sometimes the GUI will be accessible and sometimes it will be locked and some features got disabled by the malware. For example, you can’t access “regedit.exe” or “task manager” or “Folder options of windows explorer”, so you have to access these things from the “CMD.exe”. Basically, my friend you have to get your hands dirty and help yourself by learning some commands to help during cleaning the system. Because it’s not always that Windows components are working as you expect it. Virus writers will make your life like hell, for example disabling the feature of executing “windows installer” means you can’t install any antivirus, so you have to stick with the running one, or get a “Portable version”. Another example is using a “Watch list” of windows titles that includes for example the following keywords (antivirus, Symantec, explorer, regedit, MacAfee, AVG, internet explorer, etc) will reboot Windows instantly!

Therefore, to learn about windows, get yourself familiar with following:

· Learn how to access anything in Windows using different ways; in case one way is blocked/disabled you’ll use another. (registry tools, task managers, explorers)
· Learn about Windows Registry (read / delete / add keys, permissions, regedit, reg)
· Learn about Windows Networking (TCP/IP, DNS, NetBIOS, shares, share permissions, admin shares, shares passwords, HOST file, enable sharing, disable sharing, restrict sharing)
· Learn about Windows CMD (learn as much as you can of commands and switches because sooner or later you have to access windows through cmd.exe only ! )
· Learn about Windows Firewall (rules / exceptions / logging)
· Learn about Windows IE (options / security / zones)
· Learn about Windows Event Viewer (event codes / security events / login failures / stopped services / application crashes)
· Learn about Windows Explorer (Explorer Shell, folder options, permissions, disabled components)
· Learn about Windows Task Manager (investigate new processes, CPU/Memory consuming processes, cmd.exe, kill processes)
· Learn about Windows Services (new services, stopped services)
· Learn about Windows Scripting (VB, JS, Batch to create scripts that will automate commands)
· Learn about systems modifications (registry keys, services, system files verification, new files, TCP/IP settings, IE security settings, HOST file, startup folders, listening ports, user accounts, user permissions, inbound/outbound connections)

Know the tools of the trade

Depending on windows alone to clean infections is a losing game. Because the side-effects of the malwares will make your job harder, so we have to depend on third party tools to replace the same function in Windows. To collect your own tools-kit you have to save them on a write-protected flash disk, because most malwares replicate to disks, shares and removable disks. We have to do our job without any risk of getting the infection from the machine, or your built-to-cure flash disk will be another “Mobile Mass Infector”. My tools-kit contains a lot, I usually use them besides batch scripts to automate my job. I’ll start talking about task managers that expand the functionality of the Windows built in basic “Task Manger”, because it’s the first place to check for malicious activity inside Windows. The first player in the show will be “Process Explorer” from SysInternals; this is your “Gladiator’s spear” to inspect suspicious processes. Basically, it displays running processes in a tree format that includes not only process names, but also program icons and other data, such as description, image, strings, TCP/IP connections, and processor time.

Now the question is, how can we utilize this nifty tool for our job to discover the main process(es) behind the infection? Well, let’s see the following features that this tool provides:

1. Kill a Process / process tree
2. Suspend a process
3. Debug a process
4. Restart a process
5. Display the running threads of a process
6. TCP/IP connection of the process
7. Security privileges of the process
8. Image path of the process
9. Printable strings found inside the process’s image/memory
10. Services registered in the process
11. CPU/Virtual Memory/Physical Memory/IO consuming by the process
12. Google the process name

So after showing the Process Explorer functions let me show how to use the tool to inspect the process “X”:

1. Google the process name: this is a very important step, because will bring all of the web pages of security vendors / user forums that have mentioned your process name in their topics, as a new security threat. So you can start collecting what others have found, start the notepad and write down the key notes about the behavior and the current findings.

2. Usually malwares don’t have a process description, so the first trick in using Process Explorer, is sort the Description column to group the processes with their own description together and leaves the ones without in the end. And start from there, this worked for me 100% all the time in my work.

3. You don’t want your infected machine to contact the neighbors, disconnect the cable at the first sign of any weird behavior. But to see how the computer is trying to reach the outside world, select the process name, then go to properties, then select the TCP/IP tab, if you found the connection’s state is LISTENING to a specific port, this means the malware is leaving a backdoor in your system, or SYN-SENT and the remote addresses are local, this means it’s definitely trying to infect the rest of the network.

4. Most of the malwares have some clues to help analyzers identify how they are working, either by TCP/IP connections or printable “strings” which contains for example: URLs, system functions, registry keys, system files, virus name, virus author…etc). To read the string of the image (process executable file), select the process then right click and click on properties then go to the String tab.

5. You can know the physical location of the process by selecting the process, right click and select properties then go to the Image tab. additionally, you can see if the process runs with command switches.

6. A lot of malware leaves a service to run them automatically once the user reboots the system, to see if the malware has registered any service, select the process then right click and select properties, and go to the Services tab.

7. Malwares depend on privileges to access forbidden places in the operating systems, to check under which privileges the malware is working, select the process then right click and select properties then go to the Security tab. You can see the user name, and the enabled privileges.

After you’ve done the first step, and you are sure that this is the malware, do the following:

1. Kill the process tree, now make sure it’s not showing in the console
2. Search for the process’s executable name in the hard drive and delete it
3. Search for the process’s executable name in the registry keys and delete all of them, sometimes, malwares put the read-only/hidden attributes to protect and hide themselves. So if killing the process doesn’t help in deleting the files, use the “FileAssassin” tool to delete locked files.
4. If the malware left a service, stop it then disable it.
5. Check the HOST file for any suspicious entries; if any exists just delete it.
6. Reset IE security settings to the Default ones, because malwares sometimes manipulate them to lower-down the security of IE.
7. Check TCP/IP settings for any modifications (DNS/Gateway/Proxy)
8. If you have an installed Antivirus, and it was not able to catch the malware, it’s the time for a full scan. Or even you were not able to install an antivirus to cure the system; it’s the time to do it.
9. Run the Windows System File Checker (SFC) for any modified system files and replace them with correct ones.

This is a multi part tutorial about analyzing and curing malware infections, too be continued.

Happy Analyzing ;)