sec 309 advanced malware cleaning mark russinovich technical fellow, platform and services division...
TRANSCRIPT
SEC 309Advanced Malware Cleaning
Mark Russinovich
Technical Fellow, Platform and Services Division
Microsoft Corporation
About Me
• Technical Fellow, Microsoft
• Co-founder and chief software architect of Winternals Software
• Co-author of Windows Internals, 4th edition and Inside Windows 2000, 3rd Edition with David Solomon
• Author of tools on www.sysinternals.com
• Home of blog and forums
• Senior Contributing Editor, Windows IT Pro Magazine
• Ph.D. in Computer Engineering
Why Is Manual Cleaning Necessary?Why Is Manual Cleaning Necessary?
• How do users get malware?How do users get malware?
• They download apps that include adware and spyware They download apps that include adware and spyware
• They click on misleading popups or bannersThey click on misleading popups or banners
• They visit sites that use exploits to inject malwareThey visit sites that use exploits to inject malware
• Many users still don’t patch or don’t use antivirus or antispywareMany users still don’t patch or don’t use antivirus or antispyware
• Why doesn’t antivirus and antispyware stop malware?Why doesn’t antivirus and antispyware stop malware?
• They are dependent on signaturesThey are dependent on signatures
• Malware directly attacks itMalware directly attacks it
• Always perform manual cleaning Always perform manual cleaning afterafter you’ve run available you’ve run available antivirus and antispywareantivirus and antispyware
Malware Cleaning StepsMalware Cleaning Steps
• Disconnect from the networkDisconnect from the network
• Identify malicious processes and driversIdentify malicious processes and drivers
• Terminate identified processesTerminate identified processes
• Identify and delete malware autostartsIdentify and delete malware autostarts
• Delete malware filesDelete malware files
• Reboot and repeatReboot and repeat
Identifying Malware Processes
What Are You Looking For?What Are You Looking For?
Processes that…Processes that…
• ……have no iconhave no icon
• ……have no description or company namehave no description or company name
• ……unsigned Microsoft imagesunsigned Microsoft images
• ……live in Windows directorylive in Windows directory
• ……are packed are packed
• ……include strange URLs in their stringsinclude strange URLs in their strings
• ……have open TCP/IP endpointshave open TCP/IP endpoints
• ……host suspicious DLLs or serviceshost suspicious DLLs or services
What About Task Manager?What About Task Manager?
• Task Manager provides little information about images Task Manager provides little information about images that are runningthat are running
Process ExplorerProcess Explorer
• Process Explorer is “Super Task Manager”Process Explorer is “Super Task Manager”
• Runs on Windows 95, 98, Me, NT, 2000, XP, Server 2003Runs on Windows 95, 98, Me, NT, 2000, XP, Server 2003
• Also supports 64-bit (x64) and VistaAlso supports 64-bit (x64) and Vista
• Has lots of general troubleshooting capabilities:Has lots of general troubleshooting capabilities:
• DLL versioning problemsDLL versioning problems
• Handle leaks and locked filesHandle leaks and locked files
• Performance troubleshootingPerformance troubleshooting
• Hung processesHung processes
• We’re going to focus on its malware cleaning capabilitiesWe’re going to focus on its malware cleaning capabilities
The Process ViewThe Process View
• The process tree sort shows parent-child relationshipsThe process tree sort shows parent-child relationships
• Icon, description, and company name are pulled from Icon, description, and company name are pulled from image version informationimage version information
• Most malware doesn’t have version informationMost malware doesn’t have version information
• What about malware pretending to be from Microsoft?What about malware pretending to be from Microsoft?• We’ll deal with that shortly…We’ll deal with that shortly…
• Use the Window Finder (in the toolbar) to associate a Use the Window Finder (in the toolbar) to associate a window with its owning processwindow with its owning process
• Use the Google menu entry to lookup unknown processesUse the Google menu entry to lookup unknown processes
• But malware often uses totally random or pseudo-random names But malware often uses totally random or pseudo-random names
Refresh HighlightingRefresh Highlighting
• Refresh highlighting highlights changesRefresh highlighting highlights changes
• Red: process exitedRed: process exited
• Green: new processGreen: new process
• Change duration (default 1 second) in OptionsChange duration (default 1 second) in Options
• Press space bar to pause and F5 to refreshPress space bar to pause and F5 to refresh
• Cause display to scroll to make new processes visible Cause display to scroll to make new processes visible with Show New Processes optionwith Show New Processes option
Process-type HighlightsProcess-type Highlights
• Blue processes are running in the same security context Blue processes are running in the same security context as Process Exploreras Process Explorer
• Pink processes host Windows services (we’ll look at Pink processes host Windows services (we’ll look at services shortly)services shortly)
• Purple highlighting indicates an image is “packed”Purple highlighting indicates an image is “packed”
• Packed can mean compressed or encryptedPacked can mean compressed or encrypted
• Malware commonly uses packing (e.g. UPX) to make antivirus Malware commonly uses packing (e.g. UPX) to make antivirus signature matching more difficultsignature matching more difficult
• Packing and encryption also hides strings from view Packing and encryption also hides strings from view
• There are a few other colors, but they’re not important for There are a few other colors, but they’re not important for malware huntingmalware hunting
Tooltips
• Process tooltips show the full path to the process image
• Malware more often hides behind Svchost and Rundll32
• Tooltip for Rundll32 processes shows hosted DLL
• Tooltip for service processes shows hosted services• Services covered in detail shortly…
Detailed Process Information
Double-click on a process to see detailed information
Image tab:•Description, company name, version (from .EXE)•Full image path•Command line used to start process•Current directory•Parent process•User name•Start time
Image Verification
• All (well, most) Microsoft code is digitally signed
• Hash of file is signed with Microsoft’s private key
• Signature is checked by decrypting signed hash with the public key
• You can selectively check for signatures with the Verify button on the process image tab
• Select the Verify Image Signatures option to check all
• Add the Verified Signer column to see all
• Note that verification will connect to the Internet to check Certificate Revocation List (CRL) servers
Windows Services
• Services can start when the system boots and run independently of the logged-on user
• Examples include IIS, Themes, Server, Workstation, …
• Can run as their own process or as a service DLL inside a Svchost.exe
• The services tab shows detailed service information:
• Registry name (HKLM\System\CurrentControlSet\Services\...)
• Display name
• Description (optional)
• DLL path (for Svchost DLLs)
Strings
• On-disk and in-memory process strings are visible on the Strings tab
• There’s only a difference if the image is compressed or encrypted
• Strings can help provide clues about unknown processes
• Look for URLs, names and debug strings
• You can also dump strings with the command-line Strings utility from Sysinternals
The DLL View
• Malware can hide as a DLL inside a legitimate process
• We’ve already seen this with Rundll32 and Svchost
• Typically loads via an autostart
• Can load through “dll injection”
• Packing highlight shows in DLL view as well
• Open the DLL view by clicking on the DLL icon in the toolbar
• Shows more than just loaded DLLs
• Includes .EXE and any “memory mapped files”
• Can search for a DLL with the Find dialog
• DLL strings are also viewable from the DLL menu`
Loaded Drivers
• There are several tools for viewing configured drivers:
• Start->Run->Msinfo32
• Builtin SC command: sc query type= driver
• Device Manager with View->Show Hidden Devices
• Process Explorer DLL view for the System process shows loaded drivers
• Even drivers that delete their image files
• Same path and version info as standard DLL view
• Simply identify them now
• Usually they’re not stoppable
• Delete their files and autostart settings later
TCPView
• Look for suspicious network endpoints with TCPView
• You can do this by looking at the TCP/IP tab of each process, but that’s slow
• TCPView also uses refresh highlighting
• TCPView includes a “close connection” capability
• …but you should be disconnected from the network
Terminating Malicious Processes
• Don’t kill the processes• Malware processes are often restarted by watchdogs
• Instead, suspend them• Note that this might cause a system hang for Svchost processes
• Record the full path to each malicious EXE and DLL
• After they are all asleep then kill them• Watch for restarts with new names…
Cleaning Autostarts
Investigating Autostarts• Windows XP Msconfig (Start->Run->Msconfig) falls short
when it comes to identifying autostarting applications
• It knows about few locations
• It provides little information
Autoruns• Shows every place in the system that can be configured
to run something at boot & logon
• Standard Run keys and Startup folders
• Shell, userinit
• Services and drivers
• Tasks
• Winlogon notifications
• Explorer and IE addins (toolbars, Browser Helper Objects, …)
• More and ever growing…
• Each startup category has its own tab and all items display on the Everything tab
• Startup name, image description, company and path
Identifying Malware Autostarts• Zoom-in on add-ons (including malware) by selecting these
options:
• Verify Code Signatures
• Hide Microsoft Entries
• Select an item to see more in the lower window
• Google unknown images
• Double-click on an item to look at where its configured in the Registry or file system
• Has other features:
• Can display other profiles
• Can also show empty locations (informational only)
• Includes compare functionality
• Includes equivalent command-line version, Autorunsc.exe
Deleting Autostarts
• Delete suspicious autostarts
• You can disable them if you’re not sure
• After you’re done do a full refresh
• If they come back, run Process Monitor (or Filemon and Regmon) to see who’s putting them back
• You might have misidentified a malware process
• It might be a hidden, system, or legitimate process
Rootkits
What’s a Rootkit, Anyway?• Hoglund and Butler write in “Rootkits: Subverting the
Windows Kernel”:A rootkit is a set of programs and code that allows a permanent or consistent, undetectable presence on a computer.
• My definition: Software that hides itself or other objects, such as files, processes, and Registry keys, from view of standard diagnostic, administrative, and security software.
• Hoglund’s revised definition from Rootkit.com on February 4:
A rootkit is a tool that is designed to hide itself and other processes, data, and/or activity on a system.
The Evolution of Malware• Malware, including spyware, adware and viruses want to be
hard to detect and/or hard to remove
• Rootkits are a fast evolving technology to achieve these goals
• Cloaking technology applied to malware
• Not malware by itself
• Example rootkit-based viruses: W32.Maslan.A@mm, W32.Opasa@mm
• Rootkit history
• Appeared as stealth viruses• One of the first known PC viruses, Brain, was stealth
• First “rootkit” appeared on SunOS in 1994• Replacement of core system utilities (ls, ps, etc.) to hide malware processes
Modern Rootkits
• Rootkits can hide virtually anything:
• Processes
• Files, directories, Registry keys
• Services, drivers
• TCP/IP ports
• There are several types of rootkit technology:
• User-mode hooking
• Kernel-mode hooking
• Code patching
• Hiding in other processes
• www.rootkit.com is the primary rootkit forum
Example Rootkit Cloaking
• Attack user-mode system query APIs
• Examples: HackerDefender, Afx
Taskmgr.exeTaskmgr.exe Ntdll.dllNtdll.dll
RootkitRootkit
Explorer.exe,Explorer.exe,Winlogon.exeWinlogon.exe
user modeuser mode
kernel modekernel modeExplorer.exe, Explorer.exe, Malware.exeMalware.exe, Winlogon.exe, Winlogon.exe
Rootkit Detection
• All cloaks have holes
• Leave some APIs unfiltered
• Have detectable side effects
• Can’t cloak when OS is offline
• Rootkit detection attacks holes
• Cat-and-mouse game
Rootkit Detection Types
• Three classes of rootkit detection:
• Signature based• Microsoft Malicious Software Removal Tool
• Anomaly detection• System Virginity Verifier: http://www.invisiblethings.org/tools.html
• GMER: http://www.gmer.net/index.php
• IceSword: http://www.xfocus.net/tools/200509/IceSword_en1.12.rar
• Cross-view comparison• F-Secure Blacklight:
http://www.f-secure.com/blacklight/
• Sysinternals RootkitRevealer
• Use more than one tool!
RootkitRevealer
• RootkitRevealer (RKR) runs online
• RKR tries to bypass rootkit to uncover cloaked objects
• All cross-view detectors listed do the same
• RKR scans HKLM\Software, HKLM\System and the file system
• Performs Windows API scan and compares with raw data structure scan
RootkitRevealer
Rootkit
Windows API
Raw file system, Raw Registry hive
Filtered Windows API omits malware files and keys
Malware files and keys are visible in raw scan
RootkitRevealer Limitations
• Rootkits have already attacked RKR directly by not cloaking when scanned
• RKR is given true system view
• Windows API scan looks like raw scan
• We’ve modified RKR to be a harder to detect by rootkits
• RKR is adopting rootkit techniques itself
• Rootkit authors will continue to find ways around RKR’s cloak
• It’s a game nobody can win
• All rootkit detectors suffer the same vulnerability
Local Kernel Debugging
• Windbg supports “local kernel debugging” (LKD)
• Works like standard kernel debugging which requires two computers
• Requires Microsoft Debugging Tools For Windows (free download from Microsoft)
• Can examine kernel structures of a live system
• Supported on XP and higher including 64-bit
• For NT 4 and Windows 2000 use Sysinternals’ Livekd
• Both require matching kernel symbols
• Use Microsoft’s symbol server (documented in help file)
LKD Rootkit Hunting
• List running processes and compare with Process Explorer:!process 0 0
• List loaded drivers and compare with Process Explorer:.reload
lmkv
• Look for kernel hot-patches:!chkimg -d nt
• Dump the system service table and interrupt dispatch table (IDT):dd kiservicetable
!idt -a
Finding and Deleting Malware Files
Sigcheck
• Scan the system for suspicious executable images
• Look for same characteristics as suspicious processes
• Be especially wary of items in the \Windows directory
• Investigate all unsigned images
sigcheck -e -u -s c:\
Deleting Hard-to-Delete Files
• Files that are open or mapped can’t be deleted
• Find owning process with Process Explorer search
• Terminate the process and delete the file
• If you still can’t delete it (it might be protected by a driver or system process):
• Try renaming it
• If that fails, schedule it for deletion at the next reboot with Sysinternals’ Movefile:
• If it still won’t go away, delete it from an off-line OS
movefile malware.exe “”
Deleting Hard-to-Delete Registry Keys
• Watch for key security
• Some antispyware tools don’t report access-denied errors
• Use Regmon to check for errors
• Use Regedit to change security permissions
• Some keys have embedded nulls
• Can’t be open with standard tools like Regedit
• Use Sysinternals’ Regdelnull:
• As a last resort use Regedit in ERD Commander
regdelnull hklm\software
Summary and the Future
Malware Cleaning Steps
• Disconnect from the network
• Identify malicious processes
• Terminate identified processes
• Identify and delete malware autostarts
• Delete malware files
• Reboot and repeat
The Future of Malware
• We’re already seeing trends:
• Malware that pretends to be from Microsoft or other legitimate companies
• Malware protected by rootkits
• Malware that can’t be cleaned on-line
• Cleaning is going to get much harder
• Targeted and polymorphic malware won’t get AV/AS signatures
• Malware can directly manipulate Windows structures to cause misdirection
• All standard tools will be directly attacked by malware
• There will be more un-cleanable malware
• Malware will adapt to a limited-user environment
The Bottom Line
•
Be careful what you run!
ReferencesReferences
• Mark’s Sysinternals Blog: www.sysinternals.com
• Sony, Rootkits and Digital Rights Management Gone Too Far
• The Antispyware Conspiracy
• www.spywarewarrior.com
• www.rootkit.com
• Windows Internals, by Mark Russinovich and David Solomon, Microsoft Press
Summary
• Thanks for coming!
• Please fill out your evals
© 2006 Microsoft Corporation. All rights reserved.This presentation is for informational purposes only.MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS SUMMARY.