Sunday, February 10, 2008

Analyze Malware-infections on your own - part 2

Today we continue our talk about malware. Let's go one step further and see how exciting it gets once you have caught the malware on your machine and need to clean it. I always call this process "CSI - Malware Analysis" (not yet broadcast, folks). Why? Because your antivirus is clueless: either it's not up to date, or there are no signatures yet for that malware. You have to come to the rescue, or format the system and lose your data, configuration, forgotten files, etc. So your job starts where the antivirus stops.

Once we start inspecting processes, that doesn't mean we have the full picture; in other words, malware has plenty of skills for hiding in your machine's corners. Some examples:

  • Malware usually saves itself inside the system folders, mostly %SystemRoot% (Windows) and %SystemRoot%\System32, because all of the Windows system files live there. It's a tricky move: the author is betting that even savvy users won't dig around in those areas unless they are techie guys.

  • Another trick is using Windows system file names, yes, the very same names: svchost.exe, lsass.exe, cmd.exe, iexplore.exe, smss.exe, winlogon.exe, services.exe, csrss.exe, inetinfo.exe, etc. But using the same names doesn't make it a hard job to figure out. Take this hint: fake system files don't live in the original folders. For example, %USERPROFILE%\Local Settings\Application Data\smss.exe is a fake, because the real smss.exe only ever runs from %SystemRoot%\System32 (Process Explorer's Image tab shows you the path, and its Verify Image Signatures option tells you whether the binary is really Microsoft's).

  • Malware takes advantage of the registry, creating, modifying or deleting keys to add itself to the startup sequence, disable protection software or services, or hijack the Explorer shell (the Shell and Userinit values under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon are the classic targets).

  • Malware can use rootkit functionality to hide processes from Task Manager, files from Windows Explorer, connections from netstat, and so on.

  • Malware can use "polymorphism", which is basically a smart way to evade detection by encrypting the virus body and using a "decryptor" component to decrypt the payload while the file executes. To go deeper: an encrypted virus consists of a virus decryption routine (VDR) and an encrypted virus body (EVB). Executing an infected application runs the VDR, which decrypts the EVB, which in turn makes the virus perform its intended function. In the propagation phase, the virus is re-encrypted and appended to another host application, with a new key randomly generated for each copy, so the appearance of the body changes every time. However, in this simple form the VDR remains constant, and that is its inherent weakness: the decryptor itself can be detected by signature. (Strictly speaking, a virus is only called polymorphic once it also mutates the decryptor from copy to copy; with a constant decryptor it is just an encrypted virus, and that's the one a plain signature still catches.)

  • Metamorphic malware uses a mutation engine (ME) to rewrite the whole virus body into a new shape with the same function; there is no constant decryptor to hook a signature on, because the code itself is re-altered and its signature pattern changes with every generation.

  • Malware can use "armouring": programming tricks that make disassembling, debugging and understanding the code difficult (packers, anti-debugging checks and obfuscated control flow are the usual ones).
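To make the VDR/EVB point concrete, here is a toy model in PowerShell. This is an added illustration, not code from this post and not real malware: the "body" is a harmless text string, the stub bytes are invented stand-ins for a decryptor routine, and the function names are my own. It shows why two copies made with different keys look nothing alike byte for byte, yet a scanner that only knows the constant stub still flags both.

```powershell
# Added illustration of the VDR/EVB layout, not code from the original post and not real
# malware: the "body" is a harmless text string, the stub bytes are invented stand-ins for
# a decryptor routine, and each copy gets a fresh XOR key.
$Vdr = [byte[]](0x55, 0x8B, 0xEC, 0x31, 0xC9)   # constant decryptor stub (hypothetical bytes)

function New-EncryptedCopy {
    # Propagation step: re-encrypt the body with a new key and prepend the unchanged stub.
    param([byte[]]$Body, [byte]$Key = (Get-Random -Minimum 1 -Maximum 256))
    $evb = [byte[]]($Body | ForEach-Object { $_ -bxor $Key })
    # Layout of one copy: VDR | key | EVB
    return [byte[]]($Vdr + @($Key) + $evb)
}

function Get-DecryptedBody {
    # What the VDR does at run time: read its key and XOR the body back.
    param([byte[]]$Sample)
    $key = $Sample[$Vdr.Length]
    $evb = $Sample[($Vdr.Length + 1)..($Sample.Length - 1)]
    return [byte[]]($evb | ForEach-Object { $_ -bxor $key })
}

function Test-VdrSignature {
    # A naive scanner: match only the constant stub and ignore the ever-changing body.
    param([byte[]]$Sample)
    if ($Sample.Length -lt $Vdr.Length) { return $false }
    for ($i = 0; $i -lt $Vdr.Length; $i++) {
        if ($Sample[$i] -ne $Vdr[$i]) { return $false }
    }
    return $true
}

$body  = [System.Text.Encoding]::ASCII.GetBytes('HARMLESS PAYLOAD')
$copy1 = New-EncryptedCopy -Body $body -Key 0x1F     # two "generations" with different keys
$copy2 = New-EncryptedCopy -Body $body -Key 0xA7
'copy1: ' + [System.BitConverter]::ToString($copy1)
'copy2: ' + [System.BitConverter]::ToString($copy2)
'Bodies differ: ' + ([System.BitConverter]::ToString($copy1) -ne [System.BitConverter]::ToString($copy2))
'Stub signature hits both: ' + ((Test-VdrSignature $copy1) -and (Test-VdrSignature $copy2))
'Decrypted: ' + [System.Text.Encoding]::ASCII.GetString((Get-DecryptedBody $copy2))
```

Only the first five bytes of each copy are identical, and that is all Test-VdrSignature needs. A real polymorphic engine would also rewrite those five bytes on every generation, which is exactly why the vendors need emulation or memory scanning instead of a static pattern.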

After passing through these nasty ways malware uses to hide and evade, I'll show you how to do advanced inspection at the machine and network level.

Starting at the machine level, using a systematic approach will make your job more organised, professional and error-free. This approach depends on creating a "Malware Activity log" in a text file, where you write down your findings and connect them to get the full picture, and then start putting countermeasures in place locally and at the gateway.

Before starting the inspection process, consider the following:

  1. The infected machine may be busy sending spam outside your network. If you don't enforce at the firewall which machines are allowed to send mail outside, your public mail IP (the one behind your MX record) will get blacklisted and your mail rejected by other mail servers. So be aware that even one infected machine is a big trouble maker for you. Make sure that your mail server is the only host allowed outbound on TCP port 25 through the firewall.

  2. The infected machine is scanning the local subnets for other prey, so enable the Windows Firewall and block "File and Printer Sharing" (NetBIOS/SMB, TCP 139 and 445) to stop the worm reaching the others.

  3. The infected machine may be a bot, participating in a big botnet as a slave that does the dirty work on behalf of the botnet master: DoS'ing other networks, generating spam, acting as an open proxy or mail relay, scanning machines, etc.
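The host-side part of those three countermeasures, as an added example (not from the original post): it uses the Vista/7 "netsh advfirewall" syntax with the XP "netsh firewall" equivalents in comments, and assumes you run it as an administrator on the infected machine. The rule names are my own; the perimeter rule that lets only the mail server out on TCP 25 lives on your gateway, not in this script.

```powershell
# Added example, not from the original post: contain an infected host with the Windows Firewall.
# Assumes an administrator shell on Vista/7 or later; the "Contain:" rule names are my choice.
netsh advfirewall set allprofiles state on                                  # XP: netsh firewall set opmode mode=ENABLE
netsh advfirewall set allprofiles firewallpolicy blockinbound,allowoutbound

# Case 1: no outbound mail from a workstation, so a spambot cannot get your public IP blacklisted.
# (The matching perimeter rule allows TCP 25 out from the mail server only.)
netsh advfirewall firewall add rule name="Contain: no outbound SMTP" dir=out action=block protocol=TCP remoteport=25

# Case 2: it scans the LAN for shares, so close File and Printer Sharing in both directions.
# (XP: netsh firewall set service type=FILEANDPRINT mode=DISABLE)
netsh advfirewall firewall set rule group="File and Printer Sharing" new enable=No
netsh advfirewall firewall add rule name="Contain: no outbound SMB" dir=out action=block protocol=TCP remoteport=135,139,445

# Case 3: a bot calling its master; IRC is the classic channel. HTTP C&C you block by host
# once the sniffer shows you where it talks to.
netsh advfirewall firewall add rule name="Contain: no outbound IRC" dir=out action=block protocol=TCP remoteport=6667

# Log what gets dropped: the firewall log is the cheapest "sniffer" you have while building the picture.
netsh advfirewall set allprofiles logging droppedconnections enable
netsh advfirewall set allprofiles logging filename "$env:SystemRoot\system32\LogFiles\Firewall\pfirewall.log"

# Later: every dropped SMB attempt from this host shows up as a DROP line whose destination port is 139 or 445.
# Log columns: date time action protocol src-ip dst-ip src-port dst-port ...
Get-Content "$env:SystemRoot\system32\LogFiles\Firewall\pfirewall.log" -ErrorAction SilentlyContinue |
    Select-String 'DROP TCP \S+ \S+ \S+ (139|445) '
```

Pull the cable if you cannot apply this immediately; the rules are the second-best option, not a replacement for isolating the box.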

From my experience, most of the infection cases I've seen fell into one of these three categories.


Your Arsenal of tools

We talked about "Process Explorer" before, but you need more tools for your forensics arsenal. I'll categorize the toolkit to make sure we cover all Windows components:

  1. Portable process managers: these help you dig deeper and catch running malware, collecting information such as image path, strings, TCP/IP connections, etc.

  2. Portable file managers: these help you explore the file system and find files, because malware usually disables a lot of Windows Explorer settings (folder options, showing hidden and system files).

  3. Portable registry managers: these help you access the registry to read, add, delete and modify keys.

  4. Portable anti-rootkits: discover and expose hidden processes, files, TCP/IP connections, services, registry keys, kernel modules and a lot more that Task Manager and Process Explorer will not show.

  5. Portable antivirus: don't always trust the installed AV, because it could be corrupted, deleted, uninstalled, stopped or disabled.

  6. Portable hashers and compressors: hashers help you verify file hashes and spot modifications; compressors let you pack files when you want to back them up or submit a malware sample (password-protect the archive so the sample isn't stripped or quarantined in transit).

  7. Portable sniffers: malware generates a lot of traffic that helps you discover what it's trying to do, e.g. SMTP (spam), DNS queries, NetBIOS/SMB (accessing other computers' shares), IRC (botnet C&C), P2P (botnet), HTTP (botnet C&C, downloading other code, registering online).

  8. Portable browsers: IE may be corrupted, insecure or inaccessible.

  9. Portable autorun monitors: these reveal a lot of malware that tries to run the next time you reboot the system. 30% of your analysis depends on these monitors.

  10. VirusTotal Uploader: this nifty tool helps you upload any file to VirusTotal.com and scan it against the 25 AV engines there.

After listing our toolkit, let's see the "Analysis Path" you should usually follow to get your system back:

[Figure: the Analysis Path]


From the figure, it's obvious that analysis proceeds from left to right, starting with:

  • discovering processes
  • checking for registry modifications
  • checking TCP/IP listening ports and initiated connections
  • taking process discovery to the next level with sophisticated anti-rootkits that reveal the objects the OS is hiding from you
  • inspecting system services for modifications (new services, stopped services)
  • virus scanning is a primary task here because our main purpose is to clean the system, but sometimes the antivirus can't help if the virus is hidden well, so killing the main malware process that hides the child processes and files will clear the dust and make cleaning easier
  • VirusTotal.com provides a free service to upload sample files and scan them against 25 engines, which gives you the virus name
  • ThreatExpert provides an online sandbox service: you submit a sample, it gets executed inside a controlled environment, and you get a report of what it did and which Windows API calls it made
  • after building the full picture of what's going on in your system, it's time for complete cleaning: delete the malware files, delete its registry keys, reset modified registry keys to their original state, fix the Windows shell keys, fix the Windows Explorer folder options, regain access to the system tools (registry editor, cmd.exe, Task Manager, etc.), reset IE security settings, do a full scan in safe mode and a full boot scan, and monitor system activity for any remaining malicious behaviour
  • if your antivirus was not able to catch the virus in the beginning, it lacks the signatures to detect it, or this is a new variant that employs new techniques to hide from AV. Most vendors have online submission forms or an e-mail address for samples, and they should update their definitions to detect it next time.
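Here is the left-hand side of that path (processes, hashes, connections, autoruns, services, tool-disabling policies) as one PowerShell collector that writes the "Malware Activity log" for you. It is an added example and not this post's own code: it assumes PowerShell 2.0 or later run as administrator from your toolkit, and the log name, the list of core process names and the flag labels are my choices. The process flags pick out two of the tricks from the first half of this post: a core system name running outside System32, and an image with no description.

```powershell
# Added example, not the original post's code. Assumes PowerShell 2.0+ as administrator;
# the log name, core-process list and flag labels are my own choices.
$LogPath = Join-Path $env:TEMP ('malware-activity-{0:yyyyMMdd-HHmmss}.log' -f (Get-Date))
function Write-Log {
    param([string]$Text)
    Add-Content -Path $LogPath -Value $Text
}
function Get-Sha256 {
    param([string]$File)
    $sha = [System.Security.Cryptography.SHA256]::Create()
    $fs  = [System.IO.File]::OpenRead($File)
    try     { ([System.BitConverter]::ToString($sha.ComputeHash($fs)) -replace '-', '').ToLower() }
    finally { $fs.Close() }
}

# Core Windows processes whose real image is only ever in System32 (or SysWOW64 on x64).
$SysRoot   = $env:SystemRoot.ToLower()
$CoreNames = 'smss.exe','csrss.exe','winlogon.exe','services.exe','lsass.exe','svchost.exe','spoolsv.exe'
$UserDirs  = '\\(Users|Documents and Settings|Temp|ProgramData)\\'   # no system binary belongs here

Write-Log "=== Malware activity log: $env:COMPUTERNAME, $(Get-Date) ==="

Write-Log "`n--- Processes (flags: SYSTEM-NAME-OUTSIDE-SYSTEM32, USER-WRITABLE-PATH, NO-DESCRIPTION) ---"
$suspects = @{}
foreach ($p in Get-WmiObject Win32_Process) {
    $name  = $p.Name.ToLower()
    $path  = if ($p.ExecutablePath) { $p.ExecutablePath } else { '' }
    $flags = @()
    if ($path -and $CoreNames -contains $name -and
        $path.ToLower() -ne "$SysRoot\system32\$name" -and $path.ToLower() -ne "$SysRoot\syswow64\$name") {
        $flags += 'SYSTEM-NAME-OUTSIDE-SYSTEM32'
    }
    if ($path -and $path -match $UserDirs) { $flags += 'USER-WRITABLE-PATH' }
    if ($path -and -not (Get-Item -LiteralPath $path -ErrorAction SilentlyContinue).VersionInfo.FileDescription) {
        $flags += 'NO-DESCRIPTION'
    }
    Write-Log ('PID {0,6}  {1,-18} {2,-32} {3}  | {4}' -f $p.ProcessId, $p.Name, ($flags -join ','), $path, $p.CommandLine)
    if ($flags.Count -gt 0 -and $path) { $suspects[$path] = $true }
}

Write-Log "`n--- SHA-256 of flagged images (submit these to VirusTotal / your vendor) ---"
foreach ($file in $suspects.Keys) {
    try   { Write-Log ('{0}  {1}' -f (Get-Sha256 $file), $file) }
    catch { Write-Log "hash failed: $file ($_)" }
}

Write-Log "`n--- netstat -ano (raw; LISTENING = possible backdoor, SYN_SENT to the LAN = scanning) ---"
Write-Log ((netstat -ano) -join "`n")

Write-Log "`n--- Autorun registry values ---"
$RunKeys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
           'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
           'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
           'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
foreach ($key in $RunKeys) {
    $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    if (-not $props) { continue }
    foreach ($pr in $props.PSObject.Properties) {
        if ($pr.Name -notlike 'PS*') { Write-Log ('{0} :: {1} = {2}' -f $key, $pr.Name, $pr.Value) }
    }
}
# Shell/Userinit hijack: on a clean box these two values are exactly these strings.
$wl = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$expected = @{ Shell = 'explorer.exe'; Userinit = "$env:SystemRoot\system32\userinit.exe," }
foreach ($v in $expected.Keys) {
    $flag = if ($wl.$v -ieq $expected[$v]) { 'ok' } else { 'HIJACKED?' }
    Write-Log ('Winlogon\{0} = {1}  [{2}]' -f $v, $wl.$v, $flag)
}

Write-Log "`n--- Services (start mode, state, binary; USER-WRITABLE-PATH flagged) ---"
foreach ($s in (Get-WmiObject Win32_Service | Sort-Object Name)) {
    $flag = if ($s.PathName -match $UserDirs) { 'USER-WRITABLE-PATH' } else { '' }
    Write-Log ('{0,-30} {1,-8} {2,-8} {3} {4}' -f $s.Name, $s.StartMode, $s.State, $flag, $s.PathName)
}

Write-Log "`n--- Tool-disabling policies (a 1 here means the malware locked you out) ---"
foreach ($pol in 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System',
                 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\System') {
    $p = Get-ItemProperty -Path $pol -ErrorAction SilentlyContinue
    if ($p) { Write-Log ('{0}: DisableTaskMgr={1} DisableRegistryTools={2}' -f $pol, $p.DisableTaskMgr, $p.DisableRegistryTools) }
}
"Log written to $LogPath"
```

Run it once before you touch anything and again after each cleanup step; diffing the two logs is the "connect the findings" part of the activity log. Remember that a rootkit can hide a process from WMI just as it hides it from Task Manager, which is why the anti-rootkit step in the path still comes after this one.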


The Hunting Begins

To protect our toolkit from infection, use a flash disk with a write-protection lock to keep it read-only. In many cases I have watched malware try to copy itself to the flash drive and get a Windows "access denied" error because the disk is protected, so your flash disk is shielded against infection.

If you can't use a flash disk, burn the toolkit to a CD-RW, so it's easy to add more tools in the future or update the current versions. You have to stay up to date with the latest security tools to fight malware.

So far I've been talking about the normal situation, when Windows is running and you can access it. But to prepare for the worst, we should be ready to access it offline. Yes, offline, meaning a bootable Windows CD that also contains the tools above. What this gives us:

  • Highly sophisticated rootkits will be in "sleeping mode", meaning they aren't executing, so we can detect them normally, delete them, then boot back into Windows and complete the job.
  • Malware sometimes destroys the Windows boot files or the registry, making Windows inaccessible; we have to fix that by copying the system files back before we can start the analysis.
  • Human mistakes: when you modify the registry you have to be careful not to harm the system, because a single mistake can make Windows unbootable next time. Always take a backup first; I recommend "ERUNT".

To be continued ...

Friday, February 8, 2008

Analyze Malware-infections on your own – Part I

People depend more and more on ready-made technology and outsourcing to solve security problems, and are getting damn lazy about doing a single task or looking for the solution themselves. I can see it in their eyes whenever I visit someone who has a virus outbreak in his network, or whose antivirus isn't cleaning the infection, and I get mad when I hear this stupid answer: "Oh! I've formatted the machine...!" Why, why keep making the same mistake again and again? Move your ass, search Google for the virus name and see how it works, then craft your own recovery plan until your lovely vendor releases a signature for it. Since I support many customers, I can tell you that out of 10, only 1 has at least checked the vendor's site.
There are two ways to start working on malware analysis: the hard way and the easy way. The hard way depends on an advanced level of knowledge about assembly language, operating systems, programming languages (C, C++, VBScript, JavaScript, Perl, Python, etc.) and reverse engineering; that part is covered by the antivirus vendors and independent security researchers. The other way depends on a high level of skill with operating systems, networking, batch scripting and security. If you have the required skills you can choose which way to follow. Today I'll show you how to use free and easy-to-get tools, plus some skills, to recover your infected machine.



Know your system



To inspect infected systems, you have to know your system by heart. Windows, for example, has two ways to access files and processes: GUI and CLI. Sometimes the GUI will be accessible and sometimes it will be locked, with some features disabled by the malware. For example, you can't open regedit.exe, Task Manager or the Folder Options of Windows Explorer, so you have to do these things from cmd.exe. Basically, my friend, you have to get your hands dirty and help yourself by learning some commands that will help while cleaning the system, because Windows components won't always work as you expect. Virus writers will make your life hell: for example, disabling Windows Installer means you can't install any antivirus, so you have to stick with the running one or get a "portable version". Another example: some malware keeps a "watch list" of window titles containing keywords such as antivirus, Symantec, explorer, regedit, McAfee, AVG, Internet Explorer, etc., and reboots Windows instantly when one of them appears!



Therefore, to learn about Windows, get yourself familiar with the following:



· Learn how to access anything in Windows in several ways; if one way is blocked or disabled you'll use another (registry tools, task managers, file explorers).
· Learn about the Windows Registry (read/delete/add keys, permissions, regedit, reg.exe).
· Learn about Windows networking (TCP/IP, DNS, NetBIOS, shares, share permissions, admin shares, share passwords, the HOSTS file, enabling, disabling and restricting sharing).
· Learn about the Windows command line (learn as many commands and switches as you can, because sooner or later you'll have to work on Windows through cmd.exe only!).
· Learn about the Windows Firewall (rules, exceptions, logging).
· Learn about Windows IE (options, security, zones).
· Learn about the Windows Event Viewer (event IDs, security events, logon failures, stopped services, application crashes).
· Learn about Windows Explorer (the Explorer shell, folder options, permissions, disabled components).
· Learn about Windows Task Manager (investigate new processes, CPU/memory-hungry processes, cmd.exe, kill processes).
· Learn about Windows services (new services, stopped services).
· Learn about Windows scripting (VBScript, JScript, batch) to create scripts that automate commands.
· Learn about system modifications (registry keys, services, system file verification, new files, TCP/IP settings, IE security settings, the HOSTS file, startup folders, listening ports, user accounts, user permissions, inbound/outbound connections).

Know the tools of the trade

Depending on Windows alone to clean infections is a losing game, because the side effects of the malware make your job harder, so we have to rely on third-party tools that replace the same functions in Windows. To build your own toolkit, save the tools on a write-protected flash disk, because most malware replicates to disks, shares and removable media. We have to do our job without any risk of picking up the infection from the machine, otherwise your built-to-cure flash disk becomes another "mobile mass infector". My toolkit contains a lot; I usually use the tools together with batch scripts to automate my job. I'll start with the task managers that expand the functionality of the basic built-in Windows Task Manager, because the process list is the first place to check for malicious activity inside Windows. The first player in the show is "Process Explorer" from Sysinternals; this is your gladiator's spear for inspecting suspicious processes. Basically, it displays running processes in a tree format that includes not only process names but also program icons and other data, such as description, image path, strings, TCP/IP connections and processor time.




Now the question is, how do we use this nifty tool to discover the main process(es) behind the infection? Let's look at the features the tool provides:

1. Kill a Process / process tree
2. Suspend a process
3. Debug a process
4. Restart a process
5. Display the running threads of a process
6. TCP/IP connections of the process
7. Security context and privileges of the process
8. Image path of the process
9. Printable strings found inside the process's image or memory
10. Services registered in the process
11. CPU, virtual memory, physical memory and I/O consumption of the process
12. Google the process name


Having listed the Process Explorer functions, let me show how to use the tool to inspect process "X":

1. Google the process name: this is a very important step, because Google brings up the pages of security vendors and user forums that have mentioned your process name as a new security threat. So you can start collecting what others have found: open Notepad and write down the key notes about the behaviour and your current findings.


2. Usually malware has no process description, so the first trick in Process Explorer is to sort by the Description column: processes with a description group together and the ones without end up at the bottom. Start from there; this has worked for me every single time in my work. Just don't rely on it alone: nothing stops a malware author from stamping a legitimate-looking description and company name on his file, so verify the image path and, with Verify Image Signatures switched on, the signature as well.


3. You don't want your infected machine to contact its neighbours, so disconnect the cable at the first sign of weird behaviour. But to see how the computer is trying to reach the outside world, select the process, go to Properties and then the TCP/IP tab. If you find a connection whose state is LISTENING on a specific port, the malware is leaving a backdoor in your system; if the state is SYN_SENT and the remote addresses are on your local subnets, it's definitely trying to infect the rest of the network.


4. Most malware carries clues that help an analyst identify how it works, either in its TCP/IP connections or in printable "strings" containing, for example, URLs, system functions, registry keys, system file names, the virus name, the virus author, etc. To read the strings of the image (the process executable), select the process, right-click, choose Properties and go to the Strings tab. Switch it from Image to Memory too: packed malware usually shows its real strings only after it has unpacked itself in memory.


5. You can find the physical location of the process by selecting it, right-clicking, choosing Properties and going to the Image tab; additionally, you can see whether the process was started with command-line switches.


6. A lot of malware registers a service so that it runs automatically once the user reboots the system. To see if the malware has registered any service, select the process, right-click, choose Properties and go to the Services tab.


7. Malware depends on privileges to access forbidden places in the operating system. To check under which account and privileges the malware is running, select the process, right-click, choose Properties and go to the Security tab, where you can see the user name and the enabled privileges.
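The LISTENING / SYN_SENT reasoning from step 3, as a PowerShell function you can feed the output of "netstat -ano" (an added example, not from the original post). The sample netstat lines below are constructed to show the pattern, PID 1588 standing in for the infected process; $LocalPrefixes is my own parameter and you should set it to your real subnets. The function groups connections per PID, so a process with one LISTENING port, several SYN_SENT to different LAN hosts and an ESTABLISHED session to an outside address comes out with all three verdicts at once.

```powershell
# Added example, not from the original post: classify "netstat -ano" output per process.
# $LocalPrefixes is my own parameter; set it to the subnets you actually use.
function Get-SuspiciousConnections {
    param(
        [string[]]$NetstatLines,                                    # raw output of: netstat -ano
        [string[]]$LocalPrefixes = @('10.', '192.168.', '172.16.')  # your own subnets; adjust
    )
    $byPid = @{}
    foreach ($line in $NetstatLines) {
        # Columns: Proto, Local Address, Foreign Address, State, PID (UDP rows have no State)
        $f = $line.Trim() -split '\s+'
        if ($f.Count -lt 5 -or $f[0] -ne 'TCP') { continue }
        $local, $remote, $state, $owner = $f[1..4]
        $localPort = $local.Substring($local.LastIndexOf(':') + 1)
        $remoteIp  = $remote.Substring(0, $remote.LastIndexOf(':'))
        if (-not $byPid.ContainsKey($owner)) {
            $byPid[$owner] = @{ Listening = @(); LanTargets = @(); Outbound = @() }
        }
        $e = $byPid[$owner]
        $isLocal = $false
        foreach ($pfx in $LocalPrefixes) { if ($remoteIp.StartsWith($pfx)) { $isLocal = $true } }
        switch ($state) {
            'LISTENING'   { $e.Listening += $localPort }
            'SYN_SENT'    { if ($isLocal) { $e.LanTargets += $remoteIp } else { $e.Outbound += $remote } }
            'ESTABLISHED' { if (-not $isLocal) { $e.Outbound += $remote } }
        }
    }
    foreach ($owner in $byPid.Keys) {
        $e   = $byPid[$owner]
        $lan = @($e.LanTargets | Select-Object -Unique)
        $verdict = @()
        if ($e.Listening.Count -gt 0) { $verdict += "listening on $($e.Listening -join ',') (backdoor unless it is a known service)" }
        if ($lan.Count -ge 3)         { $verdict += "SYN_SENT to $($lan.Count) LAN hosts: scanning/infecting the network" }
        if ($e.Outbound.Count -gt 0)  { $verdict += "talking to $($e.Outbound -join ',') (C&C, spam or download?)" }
        if ($verdict.Count -eq 0) { continue }
        $proc = Get-Process -Id ([int]$owner) -ErrorAction SilentlyContinue
        $procName = if ($proc) { $proc.ProcessName } else { '(not running or hidden)' }
        New-Object PSObject -Property @{ PID = [int]$owner; Process = $procName; Verdict = ($verdict -join '; ') }
    }
}

# Constructed sample in the layout of "netstat -ano"; PID 1588 is the imaginary infected process.
$SampleNetstat = @'
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       900
  TCP    0.0.0.0:4444           0.0.0.0:0              LISTENING       1588
  TCP    192.168.1.20:1043      192.168.1.21:445       SYN_SENT        1588
  TCP    192.168.1.20:1044      192.168.1.22:445       SYN_SENT        1588
  TCP    192.168.1.20:1045      192.168.1.23:445       SYN_SENT        1588
  TCP    192.168.1.20:1046      203.0.113.9:6667       ESTABLISHED     1588
  UDP    0.0.0.0:500            *:*                                    1204
'@ -split "`r?`n"

Get-SuspiciousConnections -NetstatLines $SampleNetstat | Format-Table PID, Process, Verdict -AutoSize
# On the live box:  Get-SuspiciousConnections -NetstatLines (netstat -ano) -LocalPrefixes '192.168.1.'
```

PID 900 only gets the "listening on 135" line, which is normal for the RPC service; PID 1588 gets all three verdicts, and the port 6667 session is the IRC hint that this is a bot, not just a worm. A LISTENING port by itself is not proof of anything, so always read the verdict together with the process name and image path you found in the previous steps.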

Once you have done the first step and you're sure this is the malware, do the following:


1. Kill the process tree, then make sure it's no longer showing in the console.
2. Search the hard drive for the process's executable name and delete it.
3. Search the registry for the process's executable name and delete every reference. Sometimes malware sets the read-only, hidden and system attributes on its files to protect and hide them, so if killing the process doesn't help in deleting the files, clear the attributes, or use the "FileAssassin" tool to delete locked files.
4. If the malware left a service, stop it, then disable it.
5. Check the HOSTS file for suspicious entries (anything beyond the default localhost line); if any exist, delete them.
6. Reset IE security settings to the defaults, because malware sometimes manipulates them to lower IE's security.
7. Check the TCP/IP settings for modifications (DNS servers, gateway, proxy).
8. If you have an installed antivirus that was not able to catch the malware, it's time for a full scan. And if you weren't able to install an antivirus to cure the system before, now is the time to do it.
9. Run the Windows System File Checker (sfc /scannow) to find modified system files and replace them with correct ones.
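The same nine steps as a PowerShell script (an added example, not this post's own code). $Malware, $MalwarePath and $MalwareService are placeholders for what your own inspection found; the script assumes PowerShell 2.0 or later run as administrator with the network cable already unplugged, and it backs up every registry key it touches before editing, the same job ERUNT does for the whole registry. The policy values it clears and the Winlogon defaults it restores are the standard ones, not something specific to one malware family.

```powershell
# Added example, not the original post's code. Placeholders: fill in what your inspection found.
$Malware        = 'smss.exe'                                                       # the fake file's name
$MalwarePath    = "$env:USERPROFILE\Local Settings\Application Data\$Malware"       # where the fake lives
$MalwareService = 'WinUpdSvc'                                                      # service it registered, if any
$Backup = Join-Path $env:TEMP 'reg-backup'
New-Item -ItemType Directory -Path $Backup -Force | Out-Null

# 0. Back up every key we are about to edit (reg.exe wants HKLM\..., the provider wants HKLM:\...).
$RunKeys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
           'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
           'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
           'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
$Winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$PolicyKeys = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies',
              'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies'
$i = 0
foreach ($k in ($RunKeys + $Winlogon + $PolicyKeys)) {
    reg export ($k -replace ':', '') "$Backup\key$i.reg" /y 2>$null | Out-Null
    $i++
}

# 1. Kill the process tree of every instance running from the fake path (never the real System32 one).
Get-WmiObject Win32_Process |
    Where-Object { $_.ExecutablePath -and $_.ExecutablePath -ieq $MalwarePath } |
    ForEach-Object { taskkill /PID $_.ProcessId /T /F | Out-Null }

# 2. Clear the protective attributes and delete the file; if it survives, a hidden holder still runs.
if (Test-Path -LiteralPath $MalwarePath) {
    attrib -r -h -s "$MalwarePath"
    Remove-Item -LiteralPath $MalwarePath -Force -ErrorAction SilentlyContinue
    if (Test-Path -LiteralPath $MalwarePath) { "Still locked: $MalwarePath (FileAssassin, or delete it offline)" }
}

# 3. Remove every autorun value that references the file, then put the shell keys back to the defaults.
foreach ($key in $RunKeys) {
    $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    if (-not $props) { continue }
    foreach ($prop in $props.PSObject.Properties) {
        if ($prop.Name -notlike 'PS*' -and "$($prop.Value)" -match [regex]::Escape($Malware)) {
            "Removing $key\$($prop.Name) = $($prop.Value)"
            Remove-ItemProperty -Path $key -Name $prop.Name
        }
    }
}
Set-ItemProperty -Path $Winlogon -Name Shell    -Value 'explorer.exe'
Set-ItemProperty -Path $Winlogon -Name Userinit -Value "$env:SystemRoot\system32\userinit.exe,"
# Give Task Manager, regedit and Folder Options back, and drop IFEO "Debugger" hijacks of the tools.
foreach ($pol in $PolicyKeys) {
    Remove-ItemProperty -Path "$pol\System"   -Name DisableTaskMgr, DisableRegistryTools -ErrorAction SilentlyContinue
    Remove-ItemProperty -Path "$pol\Explorer" -Name NoFolderOptions -ErrorAction SilentlyContinue
}
$ifeo = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
foreach ($tool in 'taskmgr.exe','regedit.exe','cmd.exe','msconfig.exe','procexp.exe') {
    $dbg = (Get-ItemProperty -Path "$ifeo\$tool" -Name Debugger -ErrorAction SilentlyContinue).Debugger
    if ($dbg) { "IFEO hijack on ${tool}: Debugger=$dbg (removing)"; Remove-ItemProperty -Path "$ifeo\$tool" -Name Debugger }
}

# 4. Stop and disable the service. (In PowerShell "sc" is an alias of Set-Content; use sc.exe if you prefer it.)
if (Get-Service -Name $MalwareService -ErrorAction SilentlyContinue) {
    Stop-Service -Name $MalwareService -Force -ErrorAction SilentlyContinue
    Set-Service  -Name $MalwareService -StartupType Disabled
}

# 5. HOSTS: keep only comments, blank lines and the localhost line; everything else gets dropped.
$hosts = "$env:SystemRoot\System32\drivers\etc\hosts"
Copy-Item -LiteralPath $hosts -Destination "$Backup\hosts.bak" -Force
attrib -r -h -s "$hosts"
$lines = Get-Content -LiteralPath $hosts
$bad   = $lines | Where-Object { $_ -notmatch '^\s*(#|$)' -and $_ -notmatch '^\s*(127\.0\.0\.1|::1)\s+localhost\s*$' }
if ($bad) {
    'Dropping HOSTS entries:'; $bad
    $keep = $lines | Where-Object { $bad -notcontains $_ }
    if (-not $keep) { $keep = '127.0.0.1       localhost' }
    Set-Content -LiteralPath $hosts -Value $keep
}

# 6. Reset IE to its defaults (this one pops up the IE dialog; confirm it by hand).
rundll32.exe inetcpl.cpl,ResetIEtoDefaults

# 7. Eyeball the network settings for a rogue DNS server, gateway or proxy.
ipconfig /all | Select-String 'DNS Servers|Default Gateway|DHCP Enabled'
netsh winhttp show proxy
Get-ItemProperty 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings' | Select-Object ProxyEnable, ProxyServer, AutoConfigURL

# 8. Full scan with your (portable or installed) antivirus: vendor-specific, run it now.
# 9. Put back any system file the malware replaced.
sfc /scannow
```

Steps 3 and 5 print what they remove before removing it, so paste that output into your activity log. If step 2 reports the file as still locked, do not keep fighting it live: that is the signal to go the offline route from the "Hunting" section.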

This is a multi-part tutorial about analyzing and curing malware infections; to be continued.

Happy Analyzing ;)