Sunday, February 10, 2008

Analyze Malware-infections on your own - part 2

Today we continue our talk about malware. Let's go one step further and see how exciting it is to catch the malware red-handed on your machine and then clean it. I always call this process "CSI - Malware Analysis" -- not yet broadcast, folks --. Why? Your antivirus is clueless, either because it's not up to date or because there are no signatures yet for that malware. You have to come to the rescue, or else format the system and lose your data, configurations, forgotten files, etc. So your job starts where the antivirus stops.

Inspecting processes doesn't mean that we have the full picture; in other words, malware has the skills to hide itself in the corners of your machine. I will give some examples:

  • Malware usually saves itself inside system folders, mostly (Windows, System32), because all of the Windows system files are in these folders. It's a tricky move that assumes users will not reach those areas of their computers unless they are techies.

  • Another trick is using the names of Windows system files, yes, the very same names. For example: svchost.exe, lsass.exe, cmd.exe, iexplore.exe, smss.exe, winlogon.exe, services.exe, csrss.exe, inetinfo.exe, etc. But using the same system file names doesn't make it a hard job to figure out. Take this hint: fake system files don't live inside the original folders. For example, %home%\Local Settings\Application Data\smss.exe.

  • Malware can take advantage of the registry, creating/modifying/deleting keys to add itself to the startup process, disable protection software/services, or hijack the Explorer shell.

  • Malware can use rootkit functionality, which helps hide processes from Task Manager, files from Windows Explorer, connections from netstat, and so on.

  • Malware can use "Polymorphism", which is basically a smart way to evade detection by encrypting the virus body and using a "Decryptor" component to decrypt the payload during execution of the file. To go deeper, an encrypted virus consists of a virus decryption routine (VDR) and an encrypted virus body (EVB). Execution of an infected application enables the VDR to decrypt the EVB, which in turn causes the virus to perform its intended function. In the propagation phase, the virus is re-encrypted and appended onto another host application. A new key is randomly generated with each copy, thus altering the appearance of the code. However, the VDR remains constant, and this is its inherent weakness, resulting in detection via signature recognition.

  • Metamorphic malware uses a Mutation Engine (ME) to mutate the whole virus body into a new shape with the same function, so it basically rewrites the code and changes its signature pattern.

  • Malware can use "Armouring", which is the use of programming tricks that make disassembling, debugging and understanding the code difficult.
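
To make the polymorphism bullet concrete, here is an added example (not from the original post) using inert, constructed byte strings: every copy hashes differently because the body is re-encrypted under a new key, yet a byte signature for the constant VDR matches all of them. The stub bytes, the single-byte XOR stand-in for encryption and the fixed keys are assumptions chosen so the result is reproducible.

```python
import hashlib

# Constructed stand-ins: inert bytes, not real code.
VDR = b"\x90DECRYPT-STUB\x90"                      # constant decryption routine
BODY = b"inert placeholder for the virus body"     # what the EVB hides


def xor(data, key):
    """Toy single-byte XOR, standing in for the virus's encryption."""
    return bytes(b ^ key for b in data)


def make_sample(key):
    """One propagated copy: constant VDR, the key, then the body under that key."""
    return VDR + bytes([key]) + xor(BODY, key)


def scan(sample, known_hashes, byte_signatures):
    """Return the detection methods that fire on this sample."""
    hits = []
    if hashlib.sha256(sample).hexdigest() in known_hashes:
        hits.append("hash")
    if any(sig in sample for sig in byte_signatures):
        hits.append("signature")
    return hits


def demo():
    # Three copies, each with a different key (fixed here for reproducibility).
    copies = [make_sample(k) for k in (0x11, 0x5A, 0xC3)]
    # Assume the AV vendor has only ever received the first copy.
    known_hashes = {hashlib.sha256(copies[0]).hexdigest()}
    return [scan(c, known_hashes, [VDR]) for c in copies]


if __name__ == "__main__":
    for i, hits in enumerate(demo(), 1):
        print(f"copy {i}: {hits}")
```

The same scan finds nothing once the decryptor itself changes from copy to copy, which is the gap metamorphic malware in the next bullet aims at.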

Having gone through these nasty ways that malware uses to hide itself and evade detection, I'll show you how to do advanced inspection at the machine/network level.

Starting from the machine level, a systematic approach will make your job more organised, professional, and error-free. This approach depends on creating a "Malware Activity Log" in a text file, where you write down your findings and connect them to get the full picture, then start putting countermeasures in place locally and at the gateway.

To start the inspection process, you should consider the following:

  1. The infected machine may be busy sending spam outside your network. If you don't enforce at the firewall which machines are allowed to send mail outside, this will get your MX record blacklisted and your mail rejected by other mail servers. So be aware that even one infected machine is a big troublemaker for you. Make sure that your mail server is the only one allowed through the firewall.

  2. The infected machine is scanning the local subnets for other prey, so you can enable Windows Firewall and block "Windows File Sharing" to prevent the virus from reaching the others.

  3. The infected machine may be a bot, participating in a big "botnet" as a slave that does the dirty work on behalf of the botnet's master: DoS'ing other networks, generating spam, acting as an open proxy/mail relay, scanning machines, etc.

From my experience, in most of the infection cases that I've seen before, the malware turned out to be one of the previous cases.
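
Each of the three cases above leaves a trace in the machine's connection table. As an added example (not part of the original post), this Python code triages netstat -ano output for them and groups the hits by owning PID; the sample output, the mail server address 192.168.1.5 and the scan threshold are constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed `netstat -ano` excerpt from a hypothetical infected workstation.
SAMPLE = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       880
  TCP    192.168.1.23:1045      192.168.1.5:25         ESTABLISHED     2300
  TCP    192.168.1.23:1102      203.0.113.10:25        ESTABLISHED     1432
  TCP    192.168.1.23:1103      198.51.100.7:25        SYN_SENT        1432
  TCP    192.168.1.23:1150      203.0.113.77:6667      ESTABLISHED     1432
  TCP    192.168.1.23:1201      192.168.1.40:445       SYN_SENT        1980
  TCP    192.168.1.23:1202      192.168.1.41:445       SYN_SENT        1980
  TCP    192.168.1.23:1203      192.168.1.42:445       SYN_SENT        1980
  TCP    192.168.1.23:1204      192.168.1.43:139       SYN_SENT        1980
  TCP    192.168.1.23:1300      192.168.1.10:445       ESTABLISHED     4
"""

MAIL_SERVERS = {"192.168.1.5"}  # assumption: the only approved SMTP relay
SCAN_THRESHOLD = 4              # assumption: distinct file-sharing peers per PID
ROW = re.compile(r"^\s*TCP\s+\S+:\d+\s+(\S+):(\d+)\s+(\w+)\s+(\d+)\s*$")


def triage(netstat_text):
    """Group suspicious outbound TCP connections by the PID that owns them."""
    smtp, smb, irc = defaultdict(set), defaultdict(set), defaultdict(set)
    for line in netstat_text.splitlines():
        m = ROW.match(line)
        if not m or m.group(3) not in ("ESTABLISHED", "SYN_SENT"):
            continue  # header, UDP, LISTENING, TIME_WAIT, ...
        remote, port, pid = m.group(1), int(m.group(2)), int(m.group(4))
        if port == 25 and remote not in MAIL_SERVERS:
            smtp[pid].add(remote)   # case 1: SMTP that bypasses the mail server
        elif port in (139, 445):
            smb[pid].add(remote)    # case 2: Windows File Sharing peers
        elif port == 6667:
            irc[pid].add(remote)    # case 3: default IRC port (bot channel)
    return {
        "smtp": {p: sorted(h) for p, h in smtp.items()},
        "smb_scan": {p: sorted(h) for p, h in smb.items()
                     if len(h) >= SCAN_THRESHOLD},
        "irc": {p: sorted(h) for p, h in irc.items()},
    }
```

The PIDs it returns are the ones to look up in the process manager and to write into the activity log.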


Your Arsenal of tools

We talked about "Process Explorer" before, but you need more tools for your forensics arsenal. I'll categorize this toolkit to make sure we cover all Windows components:

  1. Portable Process managers: these managers will help you dig deeper, catch running viruses and collect information about them (image path / strings / TCP/IP, etc.).

  2. Portable File managers: these managers will help you explore the Windows file system and find files, because malware usually disables a lot of Windows Explorer settings.

  3. Portable Registry managers: these managers will help you access the registry to read, add, delete, and modify keys.

  4. Portable Anti-rootkits: discover and expose hidden processes, files, TCP/IP connections, services, registry keys, kernel modules, and a lot more that "Task Manager" and "Process Explorer" will not.

  5. Portable Antivirus: Don't always trust the running AV, because it could be corrupted, deleted, uninstalled, stopped, or disabled.

  6. Portable Hashers: hashers will help when you want to verify file hashes for modifications.
    Portable Compressors: to compress files in case you want to back up files or submit a virus sample.

  7. Portable Sniffers: malware generates a lot of traffic that may help you discover what it's trying to do (e.g. SMTP "spam" / DNS queries / NetBIOS-SMB "accessing other computers' shares" / IRC "botnet" / P2P "botnet" / HTTP "botnet - downloading other code - registering online").

  8. Portable Browsers: IE may have been corrupted, or be insecure or inaccessible.

  9. Portable AutoRun monitors: these will reveal a lot of viruses that try to run the next time you reboot the system. 30% of your analysis depends on these monitors.

  10. VirusTotal Uploader: this nifty tool will help you upload any file to VirusTotal.com and scan it against 25 AV engines.

Having listed our toolkit, let's look at the "Analysis Path" that you should usually follow to recover your system:

[Figure: the "Analysis Path"]


From the figure, it's obvious that analysis should take place from left to right, starting with:

  • discovering processes
  • checking for registry modifications
  • checking TCP/IP listening ports / initiated connections
  • taking process discovery to the next level by using sophisticated anti-rootkits, which will usually reveal objects hidden from the OS
  • inspecting system services for modifications (new services, stopped services)
  • The virus scan is a primary task here because our main purpose is to clean the system, but sometimes the antivirus will not be able to do it if the virus is hidden perfectly, so killing the main virus process that hides the child processes/files will clear away the dust and make cleaning easier
  • VirusTotal.com provides a free service for uploading sample files to scan them against 25 engines, which will give you the virus name
  • ThreatExpert provides an online virus-sandbox service to which you submit a sample; it is executed inside a controlled environment, and the service then reports which Windows API calls it makes
  • After building a full picture of what's going on in your system, it's time for a complete cleaning: delete the malware files, delete its registry keys, reset registry keys to their original state, fix the Windows shell keys, fix the Windows Explorer folder options, regain access to system tools (registry/cmd.exe/Task Manager, etc.), reset IE security settings, run a full scan under safe mode, run a full boot scan, and monitor system activity for any malicious behavior.
  • If your antivirus was not able to catch the virus in the beginning, this means that it lacks the signatures to detect it, or that this is a new variant that employs new techniques to hide itself from AV. Most vendors accept samples through online submission forms or by e-mail, and they should update their definitions to detect this virus next time.
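
For the first step, discovering processes, the earlier hint that fake system files do not live in their original folders can be checked mechanically. The Python below is an added example, not part of the original post; the process list is constructed, and the expected folders assume a default C:\Windows installation.

```python
import ntpath

# Folder where each system binary named in the article normally lives
# (assumption: default installation on drive C).
EXPECTED = {
    "svchost.exe":  r"C:\Windows\System32",
    "lsass.exe":    r"C:\Windows\System32",
    "smss.exe":     r"C:\Windows\System32",
    "winlogon.exe": r"C:\Windows\System32",
    "services.exe": r"C:\Windows\System32",
    "csrss.exe":    r"C:\Windows\System32",
    "cmd.exe":      r"C:\Windows\System32",
    "inetinfo.exe": r"C:\Windows\System32\inetsrv",
    "iexplore.exe": r"C:\Program Files\Internet Explorer",
}

# Constructed (PID, image path) pairs, as a process manager would report them.
SAMPLE = [
    (612,  r"C:\WINDOWS\system32\svchost.exe"),
    (1880, r"C:\Documents and Settings\user\Local Settings\Application Data\smss.exe"),
    (420,  r"C:\Windows\System32\smss.exe"),
    (2044, r"C:\Windows\System32\..\Temp\lsass.exe"),
    (3012, r'"C:\Program Files\Internet Explorer\iexplore.exe"'),
    (3100, r"C:\Windows\svchost.exe"),
    (900,  r"C:\Tools\procexp.exe"),
]


def canonical(path):
    """Strip quotes, resolve '..' and fold case (Windows paths ignore case)."""
    return ntpath.normcase(ntpath.normpath(path.strip().strip('"')))


def find_masquerades(processes):
    """Return (pid, path) for system-file names running from the wrong folder."""
    suspects = []
    for pid, path in processes:
        folder, name = ntpath.split(canonical(path))
        home = EXPECTED.get(name)
        if home is not None and folder != canonical(home):
            suspects.append((pid, path))
    return suspects


if __name__ == "__main__":
    for pid, path in find_masquerades(SAMPLE):
        print(f"PID {pid}: {path}")
```

A file that passes this check is only cleared of the name trick; malware that copies itself into System32 still needs the hash and antivirus checks from the toolkit.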


The Hunting Begins

To protect our toolkit from infection, we should use a flash disk with a "write-protection lock" to keep it as read-only media. In many cases I noticed malware trying to copy itself to the flash drive and getting Windows access-denied errors because the disk is protected, so your flash drive will be shielded against infection.

In case you can't use a flash disk, you can burn the toolkit to an RW-CD, so it will be easy to add more tools in the future or update the current versions. You always have to be up to date with the latest security tools to fight malware.

So far I've been talking about normal situations, when Windows is in operation and you can access it. But to be ready for the worst, we should be able to access it offline. Yes, offline, which means accessing it using a bootable Windows CD that also contains the previous tools. This will help us in the following cases:

  • Highly sophisticated rootkits will be in "sleeping mode", meaning they are not executing, so we can detect them normally, delete them, then go back to Windows and complete the job.
  • Malware sometimes destroys Windows boot files or the registry, which makes Windows inaccessible; we have to fix it by copying the system files again, and then start the analysis process.
  • Human mistakes: when you modify the registry you have to be careful not to harm the system; a single mistake could make Windows unbootable next time. Always take a backup; I recommend "ERUNT".

To be continued ....