English Pages 376 Year 2016
SEC501 | Advanced Security Essentials - Enterprise Defender
Malware
THE MOST TRUSTED SOURCE FOR INFORMATION SECURITY TRAINING, CERTIFICATION, AND RESEARCH | sans.org
Identifying and Removing Malware
© 2016 Pedro Bueno
Course Outline (1)
Our training will focus on two parts:
Part I
• Using Microsoft Windows basic built-in CLI tools
• Using Microsoft Windows advanced built-in CLI tools
• Using Microsoft Windows built-in GUI tools
Part II
• Using external tools to fight BHOs
• Using Microsoft Windows external tools
• Fighting rootkits
• Using network-based tools to identify malware traces
• Using online resources to get help
Course Outline
One of the biggest challenges facing an enterprise environment today is making sure that all its lines of defense are actually effective against new threats. Sometimes, even with several lines of defense in place, such as firewalls, Intrusion Detection Systems (IDS), Intrusion Prevention Systems (IPS), antivirus gateways, host-based firewalls, and host-based antivirus programs, a new threat may be running on one or more machines in the networked environment.
Using the Built-in Tools
It is important that companies understand how to properly use certain tools that are already installed on the system by default, both command-line interface (CLI) and graphical user interface (GUI) tools.
There are three types of built-in tools:
• Basic
• Advanced
• GUI
Basic tools such as dir, netstat, tasklist, and taskkill are easily accessed because they are usually somewhere along the Windows PATH environment variable. Advanced CLI tools such as the Windows Management Instrumentation Command Line, or simply WMIC (an interface to Windows Management Instrumentation), enable useful queries to be run against the system to assist in fighting malicious code. The basic GUI tools are utilities available in Microsoft Windows that help to track down malware programs and remove them.
Course Outline (2)
Our training will focus on two parts:
Part I
• Using Microsoft Windows basic built-in CLI tools
• Using Microsoft Windows advanced built-in CLI tools
• Using Microsoft Windows built-in GUI tools
Part II
• Using external tools to fight BHOs
• Using Microsoft Windows external tools
• Fighting rootkits
• Using network-based tools to identify malware traces
• Using online resources to get help
Part II
Additional tools exist and can be included in our toolkit to identify and remove malware infections. These tools include:
• BHO tools
• Microsoft external tools
• Rootkit detectors
• APT-style RATs (Remote Administration Tools)
• Network-based tools
• Online resources
From Browser Helper Objects (BHOs) to rootkits, programs are available to help you determine the causes of unexpected activity on your network. A Browser Helper Object is a DLL that allows developers to customize and enhance Internet Explorer. When installed, the BHO has access to all the events and properties of the browser session. Rootkits are nasty pieces of software that become so tied into the operating system that sometimes it may be better to do a complete reinstall of the system. In recent years we have seen many targeted attacks, usually referred to as Advanced Persistent Threats (APT). Most of these attacks were performed with the help of remote administration tools, also known as RATs, such as Poison Ivy, Gh0st, and DarkComet. Some malware may generate network activity, such as downloading an external component, posting information, or connecting to command and control servers. Packet capture and trace tools help to identify this type of traffic. Many additional resources exist on the Internet, providing tools and utilities that can help analyze malware and give you tips about where to look for it on your system.
Tools for This Module
• Dir: Windows built-in tool
• Netstat: Windows built-in tool
• Findstr: Windows built-in tool
• Tasklist: Windows built-in tool
• Taskkill: Windows built-in tool
Tools for This Module
Windows built-in tools include:
• dir
• netstat
• findstr
• tasklist
• taskkill
Windows comes complete with some old tools as well as some new ones that were added in Windows XP and 2003. Windows 7, which is the base operating system of our training, has all these tools. Using some new tricks with the good old dir command, the recently updated options of netstat (and understanding how they can be useful for us), and some less common CLI tools such as findstr, tasklist, and taskkill may help us get to the bottom of a pesky malware problem. These tools are available at the command prompt, good old DOS. Each tool has a set of options, which can be listed by using the /? switch. Sometimes, this is all you have to help you identify and remove malware infections on a system.
All of these tools are now available on Windows 8, Windows 7, Windows XP, 2003, and Vista, and some of them were added in the resource kits for Windows NT and Windows 2000.
Some Definitions and Terms
• CLI: Command-line interface
• GUI: Graphical user interface
• WMIC: Windows Management Instrumentation Command Line
• BHO: Browser Helper Objects
• Key: Registry key
Some Definitions and Terms
• CLI (Command Line Interface)
• GUI (Graphical User Interface)
• WMIC (Windows Management Instrumentation Command Line)
• BHO (Browser Helper Objects)
• Key (Windows Registry keys)
If the terms on this page are not already part of your day-to-day vocabulary, they will be soon. They are critical tools and components of the Windows operating system and will be helpful as you begin to analyze and evaluate machines.
• CLI (Command Line Interface): These are tools that are built into Windows and that can easily be accessed from the DOS prompt (for example, dir, del, and such).
• GUI (Graphical User Interface): These are tools that are accessible through Windows and use graphical elements such as windows, icons, and buttons, and allow the use of a mouse for point-and-click navigation (for example, Regedit, Task Manager, and Windows Explorer).
• WMIC (Windows Management Instrumentation Command Line): A powerful extension of the regular Windows CLI. Introduced with Windows XP and 2003, it offers a powerful range of tasks and has its own query language, called WQL.
• BHO (Browser Helper Objects): Since Internet Explorer 4.x, developers have had the opportunity to create special applications that are loaded together with the browser and have almost complete control over Internet Explorer. These help monitor activities such as download attempts and calls to a download manager. But they are also used by malware to monitor browsing sessions, URLs, passwords, and so forth. Although the term BHO applies to Internet Explorer only, you can find the same type of objects in other browsers such as Chrome or Firefox.
• Key (Windows Registry keys): The Registry stores operating system settings and options and the settings of most software and hardware used by the operating system (OS). Malware programs often change some of these settings to hide themselves or to disable various operating system functionalities.
Background (1)
We can define malware as malicious software that performs actions that are not wanted or expected by the computer owner. The malware can:
• Have a control channel
• Replicate itself
• Have network activities
• Be installed silently
• Be attached to another binary
...or not!
Background (1)
Warm-Up
Before starting with the tools, you need to understand some of the typical behavior of malware and the tricks used by some malware when installed on a computer, such as hiding itself or configuring the system to load the malware every time the system boots, and the usual places where malware hides. This understanding can help you determine the type of malware you are dealing with.
A malware program can be described as malicious software that performs actions that are not wanted or expected by the computer owner. It can present different behaviors depending on its purpose. Today's malware falls into the following behavioral categories:
• Control channel: This is the typical behavior of bot programs, robot programs that are controlled by a malicious third party. The bot connects to a remote server, usually an Internet Relay Chat (IRC) server, to receive instructions such as scanning for vulnerable machines on the network, searching for documents on the hard drive, and more. A lot of recent bots use HTTP as a command and control mechanism, or even Peer-to-Peer (P2P) protocols.
• Install as add-ons or plug-ins from shareware applications and display unwanted advertising: A lot of "free" applications will install unwanted extensions and/or plug-ins for browsers.
• Replicate: Malware can copy itself to different folders/locations within the OS and hard disk. These folders can be, for example, P2P shared folders or folders with a random name, or the copies may use the names of popular things such as a rock star video.
• Generate network activity: It is typical behavior for a worm to infect a machine and then go looking for other machines to infect that have a similar vulnerability. The network traces for these worms can be similar to a bot's. The difference is that a worm typically doesn't have a control channel whereas a bot does.
• Installed silently: The binary may be installed silently, which means that when you try to run it, such as by double-clicking it, nothing visible happens. Or it may use a deceptive trick, like opening a file in Notepad or displaying a picture, to hide the real intent, which is to install the malware in the background.
• Attached to another binary: This is a typical parasitic behavior whereby the malware attaches itself to other legitimate programs on the computer. For example, it can attach itself to the Notepad application, notepad.exe, and while the Notepad program still works as expected, it also performs other actions defined by the malware author.
Background (2)
• Basic behavior of most malware:
• Using the Windows environment and tools to hide itself:
• Like using Attrib.exe
• Adding itself to selected Registry keys so that it will reload on reboot
• Copying itself to different directories to avoid "eye" detection!
Background (2)
Most malware attempts to keep running undetected on a system for as long as possible, sometimes using the system's own environment and tools to accomplish it. It uses various methods to avoid detection and makes removal extremely difficult. One clear example of how effective some malware is at hiding comes from the world of botnets. On some communication channels that are used for command and control of bot malware, it is possible to see the bots reporting their status as shown here:
[17:11] [MAIN]: Uptime: 2d
[17:11] [MAIN]: Uptime: 0d 7h
[17:11] [MAIN]: Uptime: 23d 8h 10m.
[MAIN]: Uptime: 0d 8h 8m.
The third entry shows that a bot malware has been running on a machine for more than 23 days, presumably without detection by the machine owner! To achieve this objective, malware tends to use some basic techniques. One trick being used is scripting to mask the software after it is installed, by changing the physical appearance of the file in the directory structure. A simple script may call the CLI tool attrib.exe to change the attributes of the malware, such as:
• Attrib.exe +h filename.exe: To put filename.exe in hidden mode and avoid it being shown when listing directories with the dir command.
• Attrib.exe +r filename.exe: To put filename.exe in read-only mode, avoiding deletion with the del command.
• Attrib.exe +s filename.exe: To put filename.exe in system mode, preventing it from being shown when listing directories with dir and avoiding deletion with the del command.
Also, most malware changes some Registry keys to activate what may be termed the "I'll be back" mode. This means they make sure that when the user reboots the machine, the program will be loaded again.
And as a last common behavior, you can have multiple copies of it in different directories, always referenced in the Registry keys. But in almost 99% of cases, the most common directory used by malware is the windows\system32 folder, which is always in the path for the user.
In addition, they also try to use rootkits, which you learn more about later.
Background (3)
Most frequently used Registry keys:
Background (3)
Windows Registry Keys
The Windows Registry stores operating system settings and options and the settings of most software and hardware used by the OS. These options control the behavior of the computer hardware and software both at system startup and during system operation. Many programs that are started at boot time are configured using Registry keys. For example, you may have a Registry key with the name ITunesHelper, and the value of the key could be Files\iTunes\iTunesHelper.exe. When a malware infection takes place on a computer, entries or modifications may be made to those keys that allow the malicious program to take control of the computer. Using Regedit.exe, the Registry editing program that comes with Windows, you can quickly determine which applications are run at system startup by checking the entries in the locations described here. For the newer versions of Windows (XP, 2003, Vista, and 7), the following four keys can perform this action. On Windows 7, the standard user does not have permission to run from
For older versions of Windows, Microsoft specifies seven Registry keys that make software run automatically when the system starts, ensuring the "I'll be back" mode. Among them:
• RunServices
• RunServicesOnce
Background (4)
Most frequently used directories:
• %windir% (\windows\)
• %systemroot%\system32 (\windows\system32\)
• \Documents and Settings\\StartMenu\Programs\Startup
• \Users\\AppData\Local\ (Windows 7)
Background (4)
Most Frequently Used Directories
Most malware programs tend to copy themselves to the Windows and/or Windows\System32 directories. The main reason for this is that these directories are in the user's PATH environment variable, so the programs can be started or run without having to be in the actual directory. This means that most of the time you can find the malware program by searching those directories for anomalies. This is not always the case, of course, and malware can reside in any folder and can be accessed either by adding the folder to the PATH environment variable or by referencing the malware application with a complete path such as malware folder\bad_app.exe.
Another option that the malware author has is to use the computer's startup folder to initiate and run the program each time Windows starts. All files or shortcuts that are in the startup folder will be executed each time Windows starts. The folder is usually at:
\Documents and Settings\\StartMenu\Programs\Startup
One disadvantage to the malware author is that it is visible by looking in Start > Programs > StartUp. This is probably why this is the least preferred of the methods used. This folder has the same meaning as the "I'll be back" mode Registry keys because all programs in it will be loaded each time the user logs in to the system.
Preparing the Environment (1)
• Turn on VMware
• Disable Windows Defender
• Open the training CD and copy course.exe to the VMware Windows 7 desktop
• Course.exe
Preparing the Environment (1)
In this step, you prepare the training environment. There are just a couple of steps in this phase:
1. Turn on your VMware.
2. Load the Windows image that you
3. Disable Windows Defender:
• Click the Start button, type "Windows Defender," open it, click on Tools, and then click Options.
• Go to Administrator options and clear the box "Use this program."
This step is necessary to run some of the exercises that have real malware code.
4. Open the training CD that you received and copy course.exe to the VMware Windows 7 desktop.
5. Double-click course.exe to complete the extraction of the files needed for the training.
Preparing the Environment (2)
• Create a snapshot of your clean Windows 7 install and call it Clean7
• Important: Run both tools and malware as Administrator
• Remember that the answers for all hands-on labs can be found at the end of the module.
Preparing the Environment (2)
6. Create a snapshot of your clean Windows 7 install and call it Clean7.
7. On the VMware menu, select VM, Snapshot, and then select the Take Snapshot option.
These steps prepare your system so you can follow the examples demonstrated in the course.
Important: When malware gets installed on the system, it may be installed as Administrator. It depends on several aspects, such as the use of an exploit, elevation of privilege, etc. For this reason, to mimic the worst-case scenario, you always run the malware as Administrator. The same rule applies to the tools you use: to get the most out of them, you also run them as Administrator.
For the command-line tools, you open CMD.exe as Administrator as well.
For CMD.exe, click Start and type CMD in the search box. Right-click CMD.exe and select Run as Administrator.
For tools and malware: Right-click and select Run as Administrator.
All answers for the hands-on labs can be found in the last section of today's module, in the section "Hands-On Answers."
Using Windows Basic Built-in CLI Tools to Identify and Remove Malware
Now that we have identified some of the behaviors and tricks used by most malware programs, we look at how to use the basic DOS tools to assist in identifying the malware and removing it. The basic CLI tools are already installed on your system. These tools, dir, netstat, tasklist, taskkill, and findstr, can help us track down malware when it has damaged the Windows interface and the only way to boot the computer is in Safe Mode with Command Prompt only. In this mode, the GUI tools are unavailable, so all that may be available is the basic CLI tools.
MS Windows CLI Tools: DIR (1)
• Introducing: Dir
• Basic function: List files and directories
• Old-time tool!
• Introduced in DOS 1.0 in 1981!
• Still a valuable tool for looking for files!
MS Windows CLI Tools: DIR (1)
Remember dir? Yes, it is an old tool, introduced with the first version of DOS in 1981. The basic purpose of the dir command is to show the files and directories on a system. This command is still one of the most often used CLI tools. Most people use it to show only the basic characteristics of the files in a specific directory: date, time, length, filename, and <DIR> if it is a directory. For example:
(dir output in the original: <DIR> entries for pedro and Public, followed by "0 File(s) 0 bytes" and "4 Dir(s) 206,438,273,024 bytes free")
When you make use of the different options it offers, it can search for files flagged as Hidden or System. These attributes are often used by malware programs and may be indications of a malware program installed on the system. As you will see, there are some helpful options and switches that can be used with the dir command to provide valuable information about the characteristics of the files listed.
MS Windows CLI Tools: DIR (2)
• More options on DIR:
• /a: Show files with attributes. Useful, and you can search the entire hard drive
• /s: Scans the current directory and all subdirectories
• /o: Sort the way the files display. I like the /o:d option, which sorts by date, so you can see the last files added!
• /t: Sort by (Creation, Last Access, Last Written). It is also useful with scripts to find recently accessed files!
MS Windows CLI Tools: DIR (2)
More Options on dir
In addition to the regular and common usage of the dir command, it also offers some more advanced and useful options that can make your life easier when looking for suspicious files. There are many options:
• /a: With this option, used in combination with a colon and the file attribute you are looking for, dir also lists the files that have that attribute set, such as hidden files (/a:H), read-only files (/a:R), and system files (/a:S). Some malware sets the hidden attribute (+h) on its files to hide them from a normal dir listing. Using /a on its own, you can list all files regardless of whether an attribute is set. Example: dir /a:R lists the files that are read-only.
• /s: This option enables you to search for a file in a recursive way. This means that it searches for the requested filename in the current directory and all subdirectories. So, if you are at the root of C:\, it searches for the file in all the folders and subfolders of the C drive. Example: dir *.dll /s searches for all files in the target folder and all its subfolders that have a .dll extension.
• /o: The sort option offers different ways to sort the way the files display. I prefer to sort by date. This allows me to see the last files added, which makes it easy to spot recently added files.
• /t: If you want to know when a file was last accessed, you definitely need this option. It can show when a file was last accessed or created, for example:
C:\>dir /t:a putty.exe
Results in the following being displayed:
 Volume in drive C has no label.
 Volume Serial Number is xxx-xxxx
 Directory of C:\
05/06/2007  20:01           421.888 putty.exe
               1 File(s)        421.888 bytes
               0 Dir(s)  bytes free
C:\>dir /t:c putty.exe
Results in the following being displayed:
 Volume in drive C has no label.
 Volume Serial Number is xxx-xxxx
 Directory of C:\
05/22/2006  21:13           421.888 putty.exe
               1 File(s)        421.888 bytes
               0 Dir(s)  bytes free
To find out what other options are available with this helpful DOS command, you can get a complete list by using the /? switch.
C:\>dir /?
Uncovering Hidden Files with DIR
• Good old Dir
• Looking for something new!
• CD c:\windows\system32
• DIR /o:d versus DIR /o:d /a
(the slide shows the two listings of c:\windows\system32 side by side, with entries dated 01/03/2013 to 01/04/2013 such as Tasks, PFRO.log, and Prefetch; the plain listing ends with 17,055,359 bytes in files and 206,424,956,928 bytes free, the /a listing with 17,257,336 bytes in files)
Uncovering Hidden Files with DIR
Old and Good dir
When a malware program is installed on the system, it can use some techniques to hide itself from detection, such as using the attrib.exe tool. When using the dir command with the different switches, you can sort the directory view by date (dir /o:d), which shows the oldest first, making it easy to see the latest files added to that directory. You can combine sorting by date with attribute filtering such as:
dir /o:d /a:h (hidden)
dir /o:d /a:s (system file)
dir /o:d /a:r (read-only)
As shown in this example, using dir /o:d /a it is possible to see that mal.exe was recently added to the system and that it was not visible using the plain dir command (on the left) versus using the /a option in the second dir command (example on the right). That makes it suspicious!
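The comparison the slide makes by eye (a plain dir /o:d listing next to a dir /o:d /a listing of the same folder) can be automated. The following is an added example, not part of the course material: it parses two listings in the format cmd.exe prints and reports the entries that only the /a listing shows, which are exactly the files carrying the Hidden or System attribute, plus the newest entries. Both listings are constructed samples; the file names are made up except mal.exe, which is the slide's example.

```python
"""Diff a plain `dir /o:d` listing against a `dir /o:d /a` listing of the
same folder to surface hidden/system entries and recently added files.
Both listings below are constructed samples in cmd.exe's output format."""
import re
from datetime import datetime

# Constructed sample: plain listing (hidden and system entries are absent).
PLAIN_LISTING = """\
 Volume in drive C has no label.
 Directory of c:\\windows\\system32

01/03/2013  08:15 PM    <DIR>          .
01/03/2013  08:15 PM    <DIR>          ..
01/03/2013  08:21 PM         1,221,389 example.dll
01/04/2013  02:46 PM    <DIR>          Tasks
01/04/2013  02:47 PM                80 PFRO.log
               2 File(s)      1,221,469 bytes
               3 Dir(s)  206,424,956,928 bytes free
"""

# Constructed sample: same folder listed with /a, so attribute-flagged files appear.
ATTR_LISTING = """\
 Volume in drive C has no label.
 Directory of c:\\windows\\system32

01/03/2013  08:15 PM    <DIR>          .
01/03/2013  08:15 PM    <DIR>          ..
01/03/2013  08:21 PM         1,221,389 example.dll
01/04/2013  02:46 PM    <DIR>          Tasks
01/04/2013  02:47 PM                80 PFRO.log
01/04/2013  02:48 PM           133,644 mal.exe
               3 File(s)      1,355,113 bytes
               3 Dir(s)  206,424,956,928 bytes free
"""

# One directory entry: date, time, either <DIR> or a comma-grouped size, then the name.
# Header, blank and totals lines do not start with a date and are skipped.
ENTRY_RE = re.compile(
    r"^(\d{2}/\d{2}/\d{4})\s+(\d{2}:\d{2} [AP]M)\s+(<DIR>|[\d,]+)\s+(.+?)\s*$"
)


def parse_dir_listing(text):
    """Return {name: (timestamp, size)}; size is None for directories."""
    entries = {}
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if not m:
            continue
        stamp = datetime.strptime(f"{m.group(1)} {m.group(2)}", "%m/%d/%Y %I:%M %p")
        size = None if m.group(3) == "<DIR>" else int(m.group(3).replace(",", ""))
        entries[m.group(4)] = (stamp, size)
    return entries


def hidden_only_entries(plain_text, attr_text):
    """Names present with /a but absent from the plain listing: hidden or system attribute set."""
    return sorted(set(parse_dir_listing(attr_text)) - set(parse_dir_listing(plain_text)))


def newest_entries(attr_text, count=3):
    """Most recently modified entries, newest first, with '.' and '..' excluded."""
    attr = parse_dir_listing(attr_text)
    ranked = sorted(((s, n) for n, (s, _) in attr.items() if n not in (".", "..")), reverse=True)
    return [n for _, n in ranked[:count]]


if __name__ == "__main__":
    attr = parse_dir_listing(ATTR_LISTING)
    for name in hidden_only_entries(PLAIN_LISTING, ATTR_LISTING):
        stamp, size = attr[name]
        print(f"only visible with /a: {name}  {stamp:%Y-%m-%d %H:%M}  {size} bytes")
    print("newest entries:", newest_entries(ATTR_LISTING))
```

On a live system the two inputs would be the saved output of dir /o:d and dir /o:d /a run from the folder under review.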
MS Windows CLI Tools: Tasklist (1)
• Introducing: Tasklist.exe
• Basic function: List running processes on a local or remote system
• Introduced in Windows XP
• Useful to list applications when you have limited GUI access to the system, such as when malware blocks access to some GUI tools
MS Windows CLI Tools: Tasklist (1)
Introducing tasklist.exe
The program tasklist.exe is a great CLI tool added in Windows XP and present in Windows 7 and 8. With this tool it is possible to list the standalone processes and services running on the computer directly from the DOS prompt, even remotely.
Remember that malware can be running on your computer as:
• A single process
• Multiple processes
• A service
• Injected into an existing, legitimate process or service
MS Windows CLI Tools: Tasklist (2)
• More options of Tasklist:
• /v: For verbose info. Useful because you can get extra information such as the Window Title of the process
• /svc: Shows the services as well. A lot of times malware can be executed as a service instead of a simple process!
• /fi: Perhaps the most powerful option. It enables you to filter by any specified information shown with the /v option, like Status, Imagename, Services, and Modules, and can be used with operators such as eq, ne, gt, lt, ge, and le
• For example, to list any process in which the username is not equal to "NT Authority System" and the PID is greater than 2000, you could use: TASKLIST /FI "USERNAME ne NT AUTHORITY\SYSTEM" /FI "PID gt 2000"
MS Windows CLI Tools: Tasklist (2)
Using Options with tasklist.exe
Tasklist is a powerful tool that enables you to combine different options to get the information that you need about the programs, processes, or services running on the system.
The tasklist.exe program has several built-in operators for filtering the information:
• eq: equal
• ne: not equal
• gt: greater than
• lt: less than
• ge: greater than or equal
• le: less than or equal
Some other options:
The filtering option enables you to filter the output based on username, that is:
• tasklist /svc /fi "USERNAME eq pbueno"
This command lists all processes that are running with the username pbueno.
The format option allows you to get the output in the default table, CSV, or list format. The CSV format will show something like:
• "tasklist.exe","2280","N/A": respectively process, PID, Services
The list format will show something like:
Image Name: tasklist.exe
PID: 2280
Services: N/A
To find out what other options are available with this helpful DOS command, you can use the /? switch to get a complete listing.
C:\>tasklist /?
MS Windows CLI Tools: Tasklist (3)
• Introducing: tasklist.exe
• On a previous slide we saw that a new file was found. Now, let's see if it is running on the system.
• Basic raw usage gives you the Image Name, Process ID, Session Name, Session ID, and Memory usage:
Image Name                 PID  Session Name  Session#  Mem Usage
System Idle Process          0  Console              0       28 K
(remaining rows of the listing omitted; the last PID shown on the slide is 3332)
MS Windows CLI Tools: Tasklist (3)
Introducing Tasklist.exe
Entering the command tasklist.exe with no options lists the Image Name (program), Process ID (PID), Session Name, Session#, and the amount of memory in use by the program (Mem Usage). The good thing is that you can see all running processes on the machine. The downside is that you can easily get lost in the amount of information provided to you.
A better solution (if you already know the specific filename that you are looking for) would be:
tasklist /svc /fi "imagename eq mal.exe"
This would give information related only to the processes that are running as a result of the program specified. In this example, it shows that the mal.exe file we found in the directory is running and has the process ID (PID) of 3332.
MS Windows CLI Tools: Netstat and FindStr
• Introducing: Netstat.exe
• For protocol statistics and listing TCP/IP connections
• Useful options added in the Windows XP version of Netstat
• Now it's possible to see the process ID associated with a connection
• Introducing: Findstr.exe
• Allows searching for text strings in files
• Introduced in the Windows NT 4.0 Resource Kit
• Native to Windows 2000 and later
MS Windows CLI Tools: Netstat and FindStr
Introducing netstat.exe and findstr.exe
Two additional tools that may be of value in tracking down malware programs are netstat and findstr.
Netstat is a useful tool in the UNIX world, and over the past years in the Windows world as well. It helps you to identify the established network connections, as well as the ports and protocols your machine is serving to the outside world and locally.
Findstr is another interesting application that has been included since Windows 2000. This application is the equivalent of grep in the UNIX world. It is useful when searching for specific strings inside files, as well as for searching the output generated by other applications.
Useful Options of Netstat
• More options with Netstat:
• -a: Shows you all running processes, which is what you want to see most of the time
• -n: Does not try to resolve names. It is faster, and if you are in a hurry, this is the option that you want to use
• -o: Cool option added on recent versions of Windows XP, Vista, and 7. It also displays the Process ID (PID) associated with the connection. Useful to track any suspicious process
Useful Options of Netstat
Using Netstat and Its Options
When using netstat, two of the most used options are:
• -a: The most common option; it shows you all the processes and enables you to see all the connections on your machine.
• -n: This option displays the addresses and port numbers in numerical format. It also displays the information faster because it doesn't have to resolve the IP addresses to DNS names. If you are in a hurry, this is the option that you want to use.
So using these options you would have an output that looks something like:
  Proto  Local Address    Foreign Address    State
  TCP    0.0.0.0:80       0.0.0.0:0          LISTENING
This indicates that there is a process/application listening on port 80, but you don't know which one it is.
One option missing from netstat prior to Windows XP that was present in the UNIX version was the ability to see the process ID associated with the connection. In the UNIX version the -p switch would show all associated processes. Starting with Windows XP, Microsoft decided to add this as a netstat option as well. Now using the -o option in Windows allows you to see which process ID (PID) is associated with that connection. This option is still valid in Windows 7 and 8.
Another useful option is the -o option. This option, according to the Netstat help:
• -o: Displays the owning process ID associated with each connection.
So the output of netstat -aon would result in something like:
Proto  Local Address    Foreign Address    State        PID
TCP    0.0.0.0:80       0.0.0.0:0          LISTENING    1832
Now you can do a specific query with tasklist, as discussed earlier, and identify this process!
To find out what other options are available with this helpful DOS command, you can get a more complete listing by using the /? switch.
C:\>netstat /?
Using Findstr to Search the Output
More options with findstr:
• The simple usage of findstr is already useful; for example, to search for "URL" inside the mal-strings.txt you simply use: findstr "URL" mal-strings.txt
• findstr can search for strings directly from the output of another application like this: Dir | findstr
• Shows you all files that have the string in the filename.
• The -i option makes it case-insensitive: Dir | findstr -i "mal" displays both MALware.exe and malware.exe
Using Findstr to Search the Output
Using findstr.exe and Its Options
If you have a large text file and want to know if there is a string inside this text file, you can simply do:
C:\>more <textfile> | findstr "URLDOWNLOAD"
This command shows all instances of "URLDOWNLOAD" that appear in the file.
Maybe the best usage of findstr is the ability to use it to search the output of the information generated by another application, such as:
dir /s | findstr "malware.exe"
In this example, the output from the dir /s command will be sent as the input to the findstr command, which then searches for filenames that have "malware.exe" in their name!
To make it case-insensitive, just add the -i (or /i) and it is done!
To find out what other options are available with this helpful little DOS command, you can get a more complete listing by using the /? switch:
C:\>findstr /?
Netstat and FindStr Together
• Introducing: netstat.exe and findstr.exe
• On previous slides, we noticed that a suspicious file was running on the system. Our next step is to identify if it has any kind of network traffic associated with it.
• Using netstat with options -ano and findstr, it is possible to query for our specific process ID (3332):
C:\>netstat -ano | findstr 3332
Proto  Local Address       Foreign Address       State         PID
TCP    192.168.0.12:1081   xxx.34.124.34:6667    ESTABLISHED   3332
Netstat and FindStr Together
Using Netstat.exe and Findstr.exe
As we have discussed, you can use a combination of netstat and findstr to get the information you need to track down a process. You have already found the process ID (PID) of the running process, a netstat listing of the process IDs of all connections, and a findstr to show only the process ID. That information is then quite useful to speed up the process of finding the malware!
In this case, you can see that the suspicious process had an established connection with a foreign address on remote port 6667! This makes this process even more suspicious because 6667 is the common port for the IRC service and is widely used by bots and botnets! This fact can lead to further investigation leaning in the direction of a bot infection.
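The netstat -ano listing above is easy to read by eye, but a findstr on "3332" matches that string anywhere on the line (a port number, part of an address), not only in the PID column. The following is an added example, not part of the course material: it parses a constructed netstat -ano listing modelled on the ones shown on these slides, answers the two questions the slides ask (which PID owns the listener on port 80, and which connections belong to PID 3332), and flags established connections whose remote port is 6667. The sample lines, the PIDs and the SUSPECT_REMOTE_PORTS set are assumptions made for the example.

```python
"""Parse 'netstat -ano' output and correlate connections with a PID.

Added example (not from the course): the sample output below is
constructed to resemble the listings on the slides.
"""
from dataclasses import dataclass

# Constructed sample of "netstat -ano" output (PIDs and addresses are made up
# to match the course's examples: 1832 listening on 80, 3332 talking to 6667).
NETSTAT_ANO = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING       1832
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       884
  TCP    192.168.0.12:1081      xxx.34.124.34:6667     ESTABLISHED     3332
  TCP    192.168.0.12:1090      192.168.0.1:445        ESTABLISHED     4
  UDP    0.0.0.0:500            *:*                                    1012
"""

# Remote ports worth a closer look; 6667 is the common IRC port the notes mention.
SUSPECT_REMOTE_PORTS = {6667}


@dataclass
class Conn:
    proto: str
    local: str
    remote: str
    state: str
    pid: int

    def remote_port(self):
        """Numeric remote port, or None for wildcard endpoints such as *:*."""
        _host, _sep, port = self.remote.rpartition(":")
        return int(port) if port.isdigit() else None


def parse_netstat_ano(text):
    """Turn the raw listing into Conn records, skipping banner and header lines."""
    conns = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[0] not in ("TCP", "UDP"):
            continue
        if parts[0] == "UDP":
            # UDP rows have no State column: Proto Local Foreign PID
            proto, local, remote, pid = parts[:4]
            state = ""
        else:
            proto, local, remote, state, pid = parts[:5]
        conns.append(Conn(proto, local, remote, state, int(pid)))
    return conns


def connections_for_pid(conns, pid):
    """Like 'netstat -ano | findstr <pid>', but matched on the PID column only."""
    return [c for c in conns if c.pid == pid]


def listener_pid(conns, port):
    """Which PID owns the LISTENING socket on a local port?"""
    for c in conns:
        if c.state == "LISTENING" and c.local.endswith(f":{port}"):
            return c.pid
    return None


def suspicious_connections(conns):
    """Established connections to a remote port in SUSPECT_REMOTE_PORTS."""
    return [c for c in conns
            if c.state == "ESTABLISHED" and c.remote_port() in SUSPECT_REMOTE_PORTS]


if __name__ == "__main__":
    conns = parse_netstat_ano(NETSTAT_ANO)
    print("PID listening on port 80:", listener_pid(conns, 80))
    for c in suspicious_connections(conns):
        print(f"PID {c.pid}: {c.local} -> {c.remote} ({c.state})")
```

Matching on the parsed PID column rather than on the raw line is the point of the example: a process whose PID happens to appear inside a port or address of another connection would otherwise produce a false hit in the findstr pipeline.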
MS Windows CLI Tools: Taskkill
• Introducing: Taskkill.exe
• Basically used to end a running process id (PID) or image name, forcefully or not
• Introduced on Windows XP
• Can be used remotely -> Run the CMD.exe as Administrator!
Introducing Taskkill.exe
Now you can query the system and get all the information regarding a malicious process, such as the image name and/or process ID (PID); however, you still lack a way to terminate it. In the UNIX world, whenever you want to terminate a process, forcefully or not, you can use an application called kill.
Microsoft decided to create a similar useful tool and introduced Taskkill in Windows XP. This CLI tool makes it possible to kill standalone processes and/or services running on both the local computer and on a remote computer if you provide the proper domain username and password.
As with many of the commands executed in this course, it is recommended that you open the command prompt as Administrator. To do this on Windows 7, go to Start, type in the search box, and wait for it to appear in the search results. Now, right-click and select Run as Administrator.
Killing Processes and Services with Taskkill
More options on taskkill:
• A "tasklist" to kill processes: basically the same options as tasklist, but to kill a process
• Nice option to choose to kill by Process ID (PID) number or ImageName!
• Can also use operators: eq, ne, gt, lt, ge, and le
• And kill with a combination of Status, Imagename, PID, Session, SessionName, CPUTime, Username, Services, and Modules
• Most common usage:
  • Kill by PID: taskkill /PID 2000
  • Kill by ImageName: taskkill
Killing Processes and Services with Taskkill
More Taskkill Options
One of the basic features of this program is the ability to kill a process/application using either the Image Name (that you get from tasklist, for example) or by process ID (PID):
taskkill.exe /IM malware.exe
taskkill.exe /PID 1234
But it also allows you to combine different filtering options to kill the exact process, using both operators like:
• Eq: equal
• Ne: not equal
• Gt: greater than
• Lt: less than
• Ge: greater than or equal
• Le: less than or equal
... and the regular filtering names such as Status, ImageName, PID, Session, CPUTime, MEMUsage, UserName, Modules, Services, and WindowTitle.
So you could get a command like:
TASKKILL /F /IM putty.exe                    <- Force to kill the process with image name putty.exe
TASKKILL /F /FI "IMAGENAME eq putty.exe"     <- Force to kill all the processes that match the filtering criteria where imagename equals putty.exe
Two different ways to kill the same process using the ImageName!
To find out what other options are available with this helpful DOS command, you can get a more complete listing by using the /? switch.
C:\>taskkill.exe /?
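To see how the taskkill filter operators (eq, ne, gt, lt, ge, le) combine over the filter fields listed above, here is an added example that is not part of the course: a small evaluator for filter strings of the form "FIELD op VALUE" run against a constructed process table modelled on tasklist columns. It reproduces two taskkill rules: filters are ANDed, and string fields such as IMAGENAME only accept eq and ne. The process records, the PIDs and the field set are assumptions made for the example; nothing is terminated, the functions only return which PIDs a given filter would select.

```python
"""Evaluate taskkill-style /FI filters offline.

Added example, not the course's code. PROCESSES is a constructed table
shaped like tasklist output; the operators and field names follow the
slide text.
"""
import re

# Constructed process table (made-up PIDs and sizes; MEMUSAGE is in KB like tasklist).
PROCESSES = [
    {"IMAGENAME": "System",      "PID": 4,    "SESSION": 0, "MEMUSAGE": 248,   "USERNAME": "NT AUTHORITY\\SYSTEM", "STATUS": "Running"},
    {"IMAGENAME": "svchost.exe", "PID": 812,  "SESSION": 0, "MEMUSAGE": 3228,  "USERNAME": "NT AUTHORITY\\SYSTEM", "STATUS": "Running"},
    {"IMAGENAME": "putty.exe",   "PID": 2000, "SESSION": 1, "MEMUSAGE": 9120,  "USERNAME": "LAB\\pedro",           "STATUS": "Running"},
    {"IMAGENAME": "putty.exe",   "PID": 2044, "SESSION": 1, "MEMUSAGE": 8800,  "USERNAME": "LAB\\pedro",           "STATUS": "Not Responding"},
    {"IMAGENAME": "malware.exe", "PID": 3332, "SESSION": 1, "MEMUSAGE": 15360, "USERNAME": "LAB\\pedro",           "STATUS": "Running"},
]

FIELDS = {"IMAGENAME", "PID", "SESSION", "MEMUSAGE", "USERNAME", "STATUS"}
NUMERIC_FIELDS = {"PID", "SESSION", "MEMUSAGE"}   # the only fields that allow gt/lt/ge/le
OPERATORS = {
    "eq": lambda a, b: a == b,
    "ne": lambda a, b: a != b,
    "gt": lambda a, b: a > b,
    "lt": lambda a, b: a < b,
    "ge": lambda a, b: a >= b,
    "le": lambda a, b: a <= b,
}
FILTER_RE = re.compile(r"^\s*(\w+)\s+(eq|ne|gt|lt|ge|le)\s+(.+?)\s*$", re.IGNORECASE)


def parse_filter(expr):
    """Turn 'IMAGENAME eq putty.exe' into ('IMAGENAME', 'eq', 'putty.exe')."""
    m = FILTER_RE.match(expr)
    if not m:
        raise ValueError(f"bad filter: {expr!r}")
    field, op, value = m.group(1).upper(), m.group(2).lower(), m.group(3)
    if field not in FIELDS:
        raise ValueError(f"unknown filter field {field}")
    if field in NUMERIC_FIELDS:
        value = int(value)
    elif op not in ("eq", "ne"):
        raise ValueError(f"{op} is not valid for string field {field}")
    return field, op, value


def select(processes, *filters):
    """Return the processes matching every filter (taskkill ANDs multiple /FI)."""
    parsed = [parse_filter(f) for f in filters]
    selected = []
    for proc in processes:
        for field, op, value in parsed:
            actual = proc[field]
            if field not in NUMERIC_FIELDS:
                actual, value = actual.lower(), value.lower()  # case-insensitive like taskkill
            if not OPERATORS[op](actual, value):
                break
        else:
            selected.append(proc)
    return selected


def pids_to_kill(processes, *filters):
    """PIDs that 'taskkill /F /FI ...' with these filters would target."""
    return [p["PID"] for p in select(processes, *filters)]


if __name__ == "__main__":
    print(pids_to_kill(PROCESSES, "IMAGENAME eq putty.exe"))
    print(pids_to_kill(PROCESSES, "PID gt 1000", "MEMUSAGE ge 9120"))
```

Running the filter evaluation before the kill is a useful habit: with a filter like "IMAGENAME eq putty.exe" every matching instance is selected, so checking the PID list first shows exactly what a forced kill would hit.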
Taking Action
Taking action:
• Recent file added on windows\system32 folder
• The suspicious file is running on our computer
• The suspicious process has an active connection to a foreign address on IRC port (port 6667)!
So, it is time to take an action!
Taking Action
If you remember the steps followed so far, you can see that you have learned how to:
• Identify a recently added file on the system.
• See what is running on the system.
• See what has a network connection (on port 6667!).
Putting all these pieces together, it may be necessary to stop this running process so that you can actually remove it.
Killing the Process with Taskkill
• Introducing: taskkill.exe
• To get rid of our suspicious process, you need to terminate it and all its related processes and threads
• To do this, you pass the PID as an argument to taskkill so that it can "kill" our suspect process:
C:\>taskkill.exe /PID 3332 /F
SUCCESS: The process with PID 3332 has been terminated.
• The /F argument is to force it to be terminated!
Killing the Process with Taskkill
Using Taskkill.exe
In the previous slides, we identified the running process and got the process ID (PID 3332). We also learned that there is a tool in Windows XP that allows the termination of a process and/or service.
Using taskkill with the /PID switch, we can kill this process like this:
C:\>taskkill.exe /PID 3332
SUCCESS: The process with PID 3332 has been terminated.
To be sure that you are successful in your attempt to stop the process, it is recommended that you use the /F switch to force it to be terminated. This allows the process to be terminated while the program is running, without getting a message that the process could not be terminated.
Using Windows Basic Built-in CLI Tools to Identify and Remove Malware
Hands-on - Lab 1
Basic CLI Tools Hands-On
In this module, you learn about some basic CLI tools provided on Windows 7. You can follow these examples on your VMware Windows 7. To make it possible, open the Course.exe on the desktop of your VMware Windows 7. Then, open the Part 1 folder, right-click the archive and select the option Extract All to extract the contents. Because it was compacted with a password, you will be prompted to enter this password. All files on the CD are protected with the password "training", which you should enter without quotes. Now open the new folder created and execute the extracted program as administrator. Go to the DOS command prompt and change to the windows\system32 directory:
C:\>cd c:\windows\system32
Questions:
1. How many files were added to the Windows System32 directory? (Tools of interest: dir)
2. Are any of them running? (Tools of interest: tasklist)
3. Can you identify any network connections associated with those files? (Tools of interest: netstat)
4. How can you kill that connection? (Tools of interest: tasklist, taskkill)
Using Windows Advanced Built-in CLI Tools to Identify and Remove Malware
Microsoft Windows WMIC
• Introduced in Win XP Pro and Win 2k3
• Interact with Microsoft WMI (Windows Management Instrumentation) framework
• No more complex scripts
• WMI gives direct access to configuration and settings
Microsoft Windows WMIC
Introduction
If you are one of those people frustrated with not having a more advanced way to perform tasks at the Windows command line, you will be happy to hear about Windows Management Instrumentation Command Line (WMIC), which was introduced in Windows XP Pro and Windows 2003. All the Windows advanced built-in CLI tools can be found in one utility: WMIC.
If you know the UNIX world, you know that you can have several scripting languages, such as Python, TCL, and so on, so you can create scripts to perform various actions that you want. With WMI, you can also create scripts to access configurations and settings, but Microsoft created an easier way to do it directly from the command line with WMIC.
Microsoft Windows WMIC
• Introducing WQL: WMI query language!
• ANSI-like query language
• WMIC Console versus DOS prompt
Microsoft Windows WMIC
Introducing WQL
Now that you know there is a more advanced way to perform tasks from the command line, you learn how this can be accomplished. If you use the UNIX world example again, taking either Python or TCL, running the executable displays the version information.
Python example:
lab2:~# python
Python 2.3.5 (#2, Oct 16 [GCC 3.3.5 (Debian 1:3.3.5-13)] on linux2
Type "help", "copyright", "credits", or "license" for more information.
>>>
TCL example:
lab2:~#
%
Those examples show the Python and TCL languages' ways to access the console, and from the console execute the programs, which is pretty much what you will do with WMIC.
Windows WMIC: Console
• Firing up WMIC console: wmic
• The WMI console prompt: wmic:root\cli>
• A simple /? switch gives you the help file
• Unfortunately, Microsoft documentation is not informative about WMIC!
Windows WMIC: Console
If you remember the previous slide, about the UNIX TCL and Python, you are familiar with the way to call the WMIC tool. Simply typing WMIC at the DOS prompt gives you the WMIC shell, so you can start to use it:
C:\Users\pedro>wmic
wmic:root\cli>
Or, if you prefer, you don't have to enter the WMIC console; just type on the DOS prompt: wmic followed by the command, as you will see.
I prefer to use the console mode, but if you like to use it from the DOS prompt or pipe, you may want to use it directly.
To get complete help, you can use:
C:\>wmic /?
This command will generate a large output with a lot of helpful information for you.
Unfortunately, Microsoft doesn't provide adequate help information in either its Help file or online. As you can see at the Microsoft website, it provides only basic information about it.
Remembering SQL
• Query languages are usually intuitive
• Simple basic ANSI-SQL select query is powerful
• No need to understand advanced SQL queries
Remembering SQL
SQL Queries
For people that never played with databases, the SQL language may be a little difficult to use and understand. For this reason, we do not go into an advanced SQL example. Advanced SQL is not needed to accomplish our basic tasks with WMIC.
In the example, imagine a fictitious database called Corporate that can have multiple tables.
Our boss would like to know who inside the SANS organization has admin access to the system. A basic SQL query on the database can check the SANS table only and ask which users have the admin access field set. The resulting output would show the users that have Admin rights.
Our SANS table has the following fields:
• Username - The username used on the system
• City - Location of the user
• Date of Birth - User's date of birth
• E-mail - User's e-mail
• Admin - If the user has Admin rights
Our SANS table is populated with the following data:
Username | City       | e-mail             | Date of Birth | Admin
Jbrain   | Portland   | [email protected] | 03/04/73      | no
odeman   | Boston     | [email protected] |               | ok
norain   | Washington | [email protected] | 07/10/78      | ok
Then using the following query on the preceding table:
>Select username from SANS where admin = 'ok'
would return the following information:
odeman   | Boston     | [email protected] |               | ok
norain   | Washington | [email protected] | 07/10/78      | ok
This is a basic example of SQL language, but it helps us to understand how the WMIC and WQL applications work!
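The SANS-table query above can be run for real with Python's built-in sqlite3 module. This is an added example, not part of the course: it creates the fictitious Corporate database in memory, loads the three rows from the notes, and runs the same WHERE admin = 'ok' filter, once projected to the username column (which is what "select username" returns) and once returning the whole rows as the notes print them. The e-mail addresses are constructed placeholders because the page redacts them, and odeman's date of birth is stored as NULL because the page does not give it.

```python
"""The SANS-table query from the notes, executed against SQLite.

Added example, not part of the course. Rows mirror the fictitious
Corporate.SANS table; e-mails are constructed placeholders and the
missing date of birth is stored as NULL.
"""
import sqlite3

# Constructed rows: (username, city, email, date_of_birth, admin)
ROWS = [
    ("Jbrain", "Portland",   "jbrain@example.org", "03/04/73", "no"),
    ("odeman", "Boston",     "odeman@example.org", None,       "ok"),
    ("norain", "Washington", "norain@example.org", "07/10/78", "ok"),
]


def build_corporate_db():
    """Create the in-memory Corporate database with its SANS table."""
    db = sqlite3.connect(":memory:")
    db.execute("""
        CREATE TABLE SANS (
            username      TEXT PRIMARY KEY,
            city          TEXT,
            email         TEXT,
            date_of_birth TEXT,
            admin         TEXT
        )""")
    db.executemany("INSERT INTO SANS VALUES (?, ?, ?, ?, ?)", ROWS)
    return db


def admins(db):
    """The notes' query: only the username column of users with admin = 'ok'."""
    cur = db.execute("SELECT username FROM SANS WHERE admin = 'ok'")
    return [row[0] for row in cur.fetchall()]


def admin_rows(db):
    """Same filter, but returning the whole rows, as the notes print them."""
    cur = db.execute("SELECT * FROM SANS WHERE admin = 'ok' ORDER BY username")
    return cur.fetchall()


def users_in_city(db, city):
    """Another simple WHERE, with the value bound as a parameter (WQL-style 'where')."""
    cur = db.execute("SELECT username FROM SANS WHERE city = ?", (city,))
    return [row[0] for row in cur.fetchall()]


if __name__ == "__main__":
    db = build_corporate_db()
    print("admins:", admins(db))
    for row in admin_rows(db):
        print(row)
```

The point to take from the two result shapes is the one the WMIC slides build on: the WHERE clause chooses which rows come back, and the column list (username versus *) chooses how much of each row you see, exactly like "where name='svchost.exe'" combined with "list brief" or "list full".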
Windows WMIC x Regular DOS Tools
• Basic CLI tools versus WMIC/WQL
• Tasklist
• Taskkill
Windows WMIC x Regular DOS Tools
Basic CLI Tools Versus WMIC
WMIC can provide a number of different actions to the user, such as the ones performed by some of the actions that you saw in the previous module: listing the processes with the tasklist.exe tool and terminating a process with the taskkill.exe tool.
To better understand how WMIC works, we start with a comparison between those standalone tools and WMIC.
Windows WMIC: An Advanced Tasklist Command (1)
• The basic CLI tool tasklist shows the processes running on the machine
• Listing processes running with WMIC:
  - While in the WMIC console, simply ask it to list the process in a brief way: process list brief
  - This command shows the following fields: HandleCount, Name, Priority, and WorkingSet
Windows WMIC: An Advanced Tasklist Command (1)
WMIC Versus Tasklist
One favorite use of WMIC is to list processes. It can give you different ways to see all the processes running on the machine. In our example, we use the output view called brief, which shows the most important fields from a malware analysis perspective, such as the name and PID.
HandleCount  Name                 Priority  ProcessId  ThreadCount  WorkingSetSize
0            System Idle Process  0         0          1            28672
1936         System               8         4          78           253952
25           smss.exe             11        1412       3            372736
1061         csrss.exe            13        1508       13           5111808
533          winlogon.exe         13        1532       21           5795840
But there are other views for listing the processes, such as:
• BRIEF
• FULL
• INSTANCE
• MEMORY
• STATISTICS
• STATUS
• SYSTEM
The syntax is the same, but instead of brief, you can choose among the preceding ones.
Windows WMIC: An Advanced Tasklist Command (2)
• As with most of WMIC commands, the processes can also be seen with WQL
• To list all processes that have the name svchost.exe you could use: process where name='svchost.exe' list brief
Windows WMIC: An Advanced Tasklist Command (2)
WMIC Versus Tasklist
In this slide, you see how to query the system to list all processes that have the name svchost.exe and list them in a brief way.
Remember that there are two ways to get the WMIC commands to be executed; one is entering the wmic console, typing wmic; the other is simply adding the wmic word before the command.
wmic:root\cli>process where name='svchost.exe' list brief
HandleCount  Name         Priority  ProcessId  ThreadCount  WorkingSetSize
259          svchost.exe  8         1752       19           4747264
540          svchost.exe  8         1844       10           4153344
1980         svchost.exe  8         440        81           27172864
             svchost.exe  8         640        6            3387392
338          svchost.exe  8         1096       18           6955008
107          svchost.exe  8         1932       3            3182592
161          svchost.exe  8         812        5            3305472
134          svchost.exe
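The "list brief" tables above are column-aligned text, and the first one contains a process name with spaces (System Idle Process), so splitting rows on whitespace would break that row. As an added example that is not part of the course, the block below parses such a table by taking the column start offsets from the header line and slicing each row at those offsets, then applies a "where"-style filter equivalent to process where name='svchost.exe' list brief. The sample table is constructed to mirror the rows on these two slides; the column widths are an assumption made for the example.

```python
"""Parse WMIC 'list brief' table output using the header's column offsets.

Added example, not from the course. BRIEF_OUTPUT is constructed to look
like 'process list brief' output; the rows copy the slides' values.
"""
import re

BRIEF_OUTPUT = """\
HandleCount  Name                 Priority  ProcessId  ThreadCount  WorkingSetSize
0            System Idle Process  0         0          1            28672
1936         System               8         4          78           253952
25           smss.exe             11        1412       3            372736
1061         csrss.exe            13        1508       13           5111808
533          winlogon.exe         13        1532       21           5795840
259          svchost.exe          8         1752       19           4747264
540          svchost.exe          8         1844       10           4153344
1980         svchost.exe          8         440        81           27172864
"""

NUMERIC = {"HandleCount", "Priority", "ProcessId", "ThreadCount", "WorkingSetSize"}


def parse_list_brief(text):
    """Return one dict per row; columns are sliced at the header's word offsets."""
    lines = [line for line in text.splitlines() if line.strip()]
    header = lines[0]
    # Each column starts where a header word starts and runs to the next start.
    starts = [m.start() for m in re.finditer(r"\S+", header)]
    spans = list(zip(starts, starts[1:] + [None]))
    names = [header[s:e].strip() for s, e in spans]
    rows = []
    for line in lines[1:]:
        rec = {}
        for name, (s, e) in zip(names, spans):
            cell = line[s:e].strip()
            rec[name] = int(cell) if name in NUMERIC and cell.isdigit() else cell
        rows.append(rec)
    return rows


def where(rows, **conds):
    """Keep rows matching every condition, e.g. where(rows, Name='svchost.exe').

    String comparisons are case-insensitive, as WQL's are.
    """
    def match(rec):
        for field, wanted in conds.items():
            actual = rec[field]
            if isinstance(actual, str):
                if actual.lower() != str(wanted).lower():
                    return False
            elif actual != wanted:
                return False
        return True
    return [r for r in rows if match(r)]


if __name__ == "__main__":
    rows = parse_list_brief(BRIEF_OUTPUT)
    for r in where(rows, Name="svchost.exe"):
        print(r["ProcessId"], r["Name"], r["WorkingSetSize"])
```

Slicing at header offsets also copes with blank cells, which a whitespace split silently shifts into the wrong column; that matters when the output is later compared against tasklist or netstat by PID.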
Windows WMIC: An Advanced Taskkill Command (1)
• Using the taskkill.exe to terminate a process by name: taskkill /f /IM "mal.exe"
• Using the taskkill.exe to terminate a process by Process ID (PID): taskkill /f /PID
• Using WMIC/WQL to terminate a process: process where name='mal.exe' delete
Windows WMIC: An Advanced Taskkill Command (1)
WMIC Versus Taskkill
In this slide, you see how to terminate a process using the ImageName of "mal.exe". To do exactly the same thing with WMIC, ask it to delete a process with the specified PID:
wmic:root\cli>process 584 delete
Delete (Y/N/?)?           <- Here it asks for confirmation if you want to really terminate the process ID 584.
If you press Y you get the following message:
Deleting instance
Instance deletion successful.
That means that you successfully terminated the process mal.exe!
Or, by name:
wmic:root\cli>process where name='mal.exe' delete
Delete (Y/N/?)?           <- Here it asks for confirmation if you want to really terminate the process ID 584.
If you press Y you get the following message:
Deleting instance
Instance deletion successful.
Delete (Y/N/?)?
If you press Y you get the following message:
Deleting instance
That means that you successfully terminated all the processes mal.exe!
Windows WMIC: Listing Auto-Loading Programs (1)
• Some programs modify Registry keys to allow a restart on reboot
• This mode, called "I'll be back," may be complicated to identify
• WMIC provides a way to query the system for all programs that will be loaded on each boot: startup list full
Windows WMIC: Listing Auto-Loading Programs (1)
Listing Auto-Loading Modules
In the previous module, you learned that some malware registers itself to ensure that the system runs it if the user decides to restart the machine. This is called "I'll be back" mode because even if the user decides to reboot, thinking about it as a cleaning mode, it will be executed again.
WMIC provides a way to query the system for which programs will be loaded at startup.
In the WMIC console, simply type:
startup list full
This command generates a lot of output. For learning purposes, we use the Google Update example:
Caption=Google Update
Command= /c                <- the command line to run this program
Description=Google Update
Location=                  <- The registry key!
SettingID=
Windows WMIC: Listing Auto-Loading Programs (2)
• Using the startup list full you get a list of all startup programs in your system and even which Registry key it is associated with!
• The fields: Caption, Command, Description, Location, and User
Windows WMIC: Listing Auto-Loading Programs (2)
Listing Auto-Loading Modules
The startup command is interesting because you can see all the programs that will be loaded on the system, and in this case, you may want to run it outside the WMIC console, so you can redirect the output to another file to examine it later!
C:\Users\pedro>wmic startup list full >
Windows WMIC: Listing Auto-Loading Programs (3)
• Text is good, but what about a good HTML format?
• WMIC provides different kinds of formats to work with
• For example, to get an HTML-formatted report, the command line will be: wmic startup list full /format:hform
Windows WMIC: Listing Auto-Loading Programs (3)
Listing Auto-Loading Modules in Other Formats
When doing an analysis on a machine, you probably want to work with the data later, and sometimes text files can be quite hard to work with, especially if there is a lot of data.
WMIC provides the following formats to work with:
• CSV
• HFORM
• HMOF
• HTABLE
• LIST
• RAWXML
• TABLE
If you decide to get a plain CSV, you just have to specify it:
wmic startup list full /format:csv
I prefer the Table format, but you have to choose one that works in your environment.
Windows WMIC: Listing Auto-Loading Programs (4)
[Screenshot: process.html, the process list generated with /format:hform, opened in a browser]
For the Startup list:
wmic startup list full /format:hform > startup.html
Windows WMIC Listing Shared Drives
• Sometimes, malware tries to spread through shared drives
• Identifying these shared drives is essential in determining possible infection vectors used by the malware
• Net share usually shows you this information, but WMIC can provide even more information and in different formats: wmic share list full
Windows WMIC Listing Shared Drives
Malware can behave in different ways, as you saw previously. One way is copying itself in all shares that it can find.
If you are trying to identify and track a malware, one useful way is to also identify which shares the computer has, so you can investigate further. One commonly used command is net share, which shows you the shares in the following way:
Share name   Resource      Remark
C$           C:\           Default share
ADMIN$       C:\WINDOWS    Remote Admin
IPC$                       Remote IPC
The command completed successfully.
Using WMIC, you can also use it and export the output using one of the several formats available. You can choose between full or brief description. The brief description shows you the same information as net share, whereas full can give you plenty of details:
wmic share list full
Windows WMIC: Listing Services (1)
• How to identify and list the services on the machine after a malware registers itself as a service
• Knowledge of services is essential
• WMIC provides a comprehensive way to list those services: wmic service list full
• Always suspect blank or weird service descriptions
Windows WMIC: Listing Services (1)
It is interesting to note that sometimes malware can register itself as a service on the system. There is actually no accredited reason for this, but it is known that a service is more difficult to terminate than a process, so this may be a reason.
Listing the services in a friendly way is also essential to quickly identify a possibly malicious one.
To list all services with full information in HTML format you can use:
wmic service list full /format:hform > services.html
Now you can open services.html in your browser and look for suspicious services.
Windows WMIC: Listing Services (2)
A friendly way to see the services
[Screenshot: services.html opened in a browser. The ApacheServ row has no description; the ASP.NET State Service row below it reads: "Provides support for out-of-process session states for ASP.NET. If this service is stopped, out-of-process requests will not be processed. If this service is disabled, any services that explicitly depend on it will fail to start."]
Windows WMIC: Listing Services (2)
Listing Services in HTML
In this slide, you can see an excerpt of the HTML output generated by the WMIC command:
wmic service list full /format:hform
In the graphic, note a service called ApacheServ. This can be suspicious because there is no web server on the machine and no description about it! For comparison, right below is the ASP.NET State Service with a nice description.
Windows WMIC: Listing Services (3)
• As you will notice, in the output there are a lot of services, but not all are running
• It is interesting to determine which ones are actually running!
• Again, we will use a SQL-like query to list only the running services: wmic service where state='running' list brief
Windows WMIC: Listing Services (3)
A regular computer with Windows OS can have multiple services, but not all will be running: only those specified by you, the administrator, or the default services.
To get a cleaner view of the services, you may choose to list only those that are actually running, doing a simple query:
wmic service where state='running' list brief
Which would give you a cleaner output like the raw format excerpt:
ExitCode  Name        ProcessId  StartMode  State    Status
0         6to4        440        Auto       Running  OK
0         ALG         3916       Manual     Running  OK
0         ApacheServ  1300       Auto       Running  OK
0         AudioSrv    440        Auto       Running  OK
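The "list full" output used for both the startup entries and the services is a sequence of key=value blocks separated by blank lines, and the review advice on these slides (suspect blank or self-referential service descriptions, look at which Registry key each startup command hangs off) is easy to automate once that format is parsed. The following is an added example, not part of the course: one parser for the key=value format, applied to a constructed "wmic service list full" sample and a constructed "wmic startup list full" sample modelled on the ApacheServ and Google Update entries discussed above. The file paths, the ProcessId values, the Registry locations and the SID in the user hive path are all assumptions made for the example.

```python
"""Parse WMIC 'list full' (key=value block) output for services and startup items.

Added example, not from the course. Both samples are constructed; the
ApacheServ and Google Update entries mirror the slides' discussion.
"""

# Constructed 'wmic startup list full' output (paths, SID and user are made up).
STARTUP_FULL = """\

Caption=Google Update
Command="C:\\Program Files\\Google\\Update\\GoogleUpdate.exe" /c
Description=Google Update
Location=HKU\\S-1-5-21-1111-2222-3333-1001\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run
Name=Google Update
SettingID=
User=LAB\\pedro


Caption=ApacheServ
Command=C:\\Windows\\System32\\ApacheServ.exe -k
Description=ApacheServ
Location=HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run
Name=ApacheServ
SettingID=
User=Public

"""

# Constructed 'wmic service list full' output, trimmed to a few fields per service.
SERVICES_FULL = """\

AcceptPause=FALSE
AcceptStop=TRUE
Caption=ASP.NET State Service
Description=Provides support for out-of-process session states for ASP.NET. If this service is stopped, out-of-process requests will not be processed.
DisplayName=ASP.NET State Service
Name=aspnet_state
PathName="C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\aspnet_state.exe"
ProcessId=0
StartMode=Manual
State=Stopped
Status=OK


AcceptPause=FALSE
AcceptStop=TRUE
Caption=ApacheServ
Description=
DisplayName=ApacheServ
Name=ApacheServ
PathName=C:\\Windows\\System32\\ApacheServ.exe
ProcessId=1300
StartMode=Auto
State=Running
Status=OK


AcceptPause=FALSE
AcceptStop=TRUE
Caption=Windows Audio
Description=Manages audio for Windows-based programs. If this service is stopped, audio devices and effects will not function properly.
DisplayName=Windows Audio
Name=AudioSrv
PathName=C:\\Windows\\System32\\svchost.exe -k LocalServiceNetworkRestricted
ProcessId=440
StartMode=Auto
State=Running
Status=OK

"""


def parse_list_full(text):
    """Split 'list full' output into one dict per blank-line-separated record."""
    records, current = [], {}
    for line in text.splitlines():
        if not line.strip():
            if current:
                records.append(current)
                current = {}
            continue
        key, _sep, value = line.partition("=")   # values may themselves contain '='
        current[key.strip()] = value.strip()
    if current:
        records.append(current)
    return records


def running_services(services):
    """Equivalent of: wmic service where state='running' list brief."""
    return [s for s in services if s.get("State", "").lower() == "running"]


def suspicious_services(services):
    """Running services whose Description is blank or just repeats the name."""
    flagged = []
    for s in running_services(services):
        desc = s.get("Description", "")
        if not desc or desc.lower() == s.get("Name", "").lower():
            flagged.append(s["Name"])
    return flagged


def startup_by_location(startups):
    """Group startup commands by the Registry key (Location) they are loaded from."""
    by_location = {}
    for s in startups:
        by_location.setdefault(s.get("Location", ""), []).append(s.get("Command", ""))
    return by_location


if __name__ == "__main__":
    print("suspicious services:", suspicious_services(parse_list_full(SERVICES_FULL)))
    for loc, cmds in startup_by_location(parse_list_full(STARTUP_FULL)).items():
        print(loc, "->", cmds)
```

The same parser serves any WMIC class listed with "list full" (share, process, startup, service), which is why it is worth keeping separate from the checks layered on top of it; the blank-description rule here is the slide's heuristic and will also flag legitimate services that simply ship without a description, so treat its output as a review list rather than a verdict.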
Windows WMIC: Manipulating Services
• The ApacheServ service is suspicious, so we would like to terminate it. Using WMIC is quite easy: wmic service where name='ApacheServ' delete
• Or stop it! wmic service where name='ApacheServ' call stopservice
• Pretty much like terminating a process!
Windows WMIC: Manipulating Services
Listing Services
As you saw on the previous slides, the ApacheServ became suspicious for a number of reasons. Now, you have decided to terminate it. WMIC offers two ways to do it. The first way is using the common delete, as when terminating a process:
wmic service where name='ApacheServ' delete
Delete (Y/N/?)? Y
Deleting instance
The second way is simply stopping it! You already saw that it was running, so by preventing it from running, you can stop the malware:
wmic service where name='ApacheServ' call stopservice
Execute (Y/N/?)? Y
And if you ask to list this service again, you get the information that it was stopped:
wmic service where name='ApacheServ' list brief
ExitCode  Name        ProcessId  StartMode  State         Status
0         ApacheServ  8080       Disabled   Stop Pending  Degraded
If you decide to restart it later, simply change the stopservice for startservice!
For a process, just change the "service" word for "process":
C:\>wmic process where name='bad.exe' delete
Using Windows Advanced Built-in CLI Tools to Identify and Remove Malware
Hands-on
Advanced CLI Tools: Hands-on
In the Advanced CLI Tools Hands-On part, you start with the following steps:
1. Revert the VMware Windows 7 image to the Snapshot Clean7: VM -> Snapshot -> Select Clean7
2. Open the folder Course on the VMware Windows 7 Desktop.
3. Open the Part 2 folder.
4. Right-click the malware.zip and select the option Extract All to extract the contents. Enter the password training.
5. Double-click the newly created folder called Malware.
6. Right-click the malware.exe and select Run as Administrator.
Answer the following questions:
1. How can you start the WMIC console? (Tools of interest: cmd.exe, wmic)
2. List all processes in a brief way. Which command did you use? (Tools of interest: wmic with the keyword process)
3. List all instances of the malware.exe process. Which command did you use? (Tools of interest: wmic with the keywords process and where)
4. Use WMIC to kill all processes of name malware.exe. (Tools of interest: wmic with the keyword delete)
5. Check whether it is configured to start when the computer reboots. (Tools of interest: wmic with the keyword startup)
6. Generate the list of all processes that start on boot time in the HTML format and open with IE. (Tools of interest: wmic with keywords startup and format)
7. List all services and see whether it is running as a service as well. (Tools of interest: wmic with the keyword 'service')
Using the HijackThis Tool
What is the HijackThis Tool
• Free tool created by Merijn
• Acquired by AV
• Multi-purpose tool
  • List processes
  • Checks for ADS (Alternate Data Streams)
  • Verify hosts file
  • Kill processes/services
• Mainly used to uncover and identify malicious BHO (Browser Helper Objects) and autoloading binaries!
What is the HijackThis Tool?
HijackThis is a popular tool used to fight malicious software.
It was originally created by Merijn Bellekom, and in March 2007 it was acquired by the antivirus vendor TrendMicro. It continues to be available at no cost, and is included as an open source project at
The tool can be downloaded at
HijackThis is a multipurpose tool because it can be used to list the processes a la Task Manager, open the hosts file of your machine and enable you to see if there is a strange entry, kill processes and/or services, and check for ADS (Alternate Data Streams), besides the most used feature: finding malicious software installed as Browser Helper Objects (BHOs) in the computer.
A BHO may be a legitimate or malicious piece of software installed in the computer, used to customize and/or control the Internet Explorer browser.
Since version 2.0.4, it also supports Windows 7.
Are All BHOs Dangerous?
• Why are BHOs dangerous?
• Not all BHOs are dangerous
  • Adobe Acrobat has BHOs...
  • Apple iTunes has BHOs...
  • Microsoft MSN has BHOs...
  • Oracle Java has BHOs...
• But you can also find:
  • Password Stealers as BHOs!
  • Spy Agents as BHOs!
  • Spyware BHOs!
Are All BHOs Dangerous?
HijackThis is a multipurpose tool, but you will notice that most of the time you use it to scan your system trying to identify malicious entries in the system, such as malicious BHOs. The reason is that those DLLs, used as BHOs, are quite difficult to spot without appropriate tools, such as HijackThis.
In and 2012, one of the most common payloads distributed by the BlackHole Exploit kit was a BHO to capture the search queries from common search engines.
When scanning your system you may notice a lot of BHOs because they are widely used by software developers for a more complete approach with Microsoft Internet Explorer.
Examples of legitimate BHOs are:
• Adobe Acrobat BHO
• Apple iTunes BHO
• Microsoft MSN BHO
• Oracle Java BHO
However, malware writers also learned about that feature of Internet Explorer and created malware to be included as BHOs, so they can monitor the URLs visited or passwords typed on the machine and send them to a remote site.
HijackThis Tool Main Interface
[Screenshot: Trend Micro HijackThis main window with its six start-up buttons]
The Interface:
• Main menu with six buttons:
  • System Scan
  • Log
  • No Log
  • Backup items
  • Misc. Tools
  • Online guide
  • Go to Scan mode
HijackThis Tool Main Interface
There are six main buttons on the HijackThis interface:
• Do a System Scan and Save a Log File
• Do a System Scan Only
The first two refer to the most-used tool of HijackThis, the System Scan, with which you can choose between saving a log file or not.
• View the List of Backups
It is about the list of items that you deleted and for which it created a backup, so you can choose to restore them later.
• Open the Misc Tools Section
This leads to another menu with additional tools, such as a custom Task Manager, a process/services terminating application, and more useful tools.
• Open Online HijackThis QuickStart
Go to the online tutorial about how to use it.
• None of the above, just start the program
Will go directly to the System Scanning mode; however, without an actual scan.
HijackThis Scanning Options
[Slide: Trend Micro HijackThis welcome window with the two scan buttons highlighted]
Getting started with HijackThis:
• Scanning the system
• Option to save the generated log file
• Logfile can be useful when sharing info
• Scan only is straight to the point
HijackThis Scanning Options
Getting Started with HijackThis
When you start the HijackThis software, you are prompted with Trend Micro's End User License Agreement, and if you agree, you are presented with the window shown on the slide. We start with the System Scanning mode.
The difference between the first two options is that the first one enables you to save a log file with the results of the system scan plus a list of all processes running at that moment, so you can send it to a security help forum or share it with another person or group when asking for help.
HijackThis Scan Results
[Slide: Trend Micro HijackThis scan results window, listing O2 BHO entries (including the Java Plug-In SSV Helper), an O3 toolbar entry and O4 autoload entries such as Adobe Reader Speed Launcher and Adobe ARM, with the callout "All bad stuff??"]
Info generated by the scanning:
• Registry changes
• StartPage changes
• MSIE Toolbars
• Autoloading entries
HijackThis Scan Results
Understanding the Report
The HijackThis system scan generates a report with a lot of information, such as all Internet Explorer BHOs, an enumeration of the toolbars, suspicious autoloading Registry entries, and extra tools and buttons, among other information.
Again, the first important thing to notice here is that not all the information generated represents bad or malicious stuff in the computer or in Internet Explorer.
For example:
O2 - BHO: AcroIEHlprObj Class - {CLSID} - (path of the DLL)
This line shows a BHO (type O2, which means Enumeration of existing MSIE BHOs) named AcroIEHlprObj Class. It also shows the component object ID (CLSID) and the path of the DLL.
HijackThis Basic Usage
[Slide: Trend Micro HijackThis scan results with an O3 Toolbar entry (Foxit Toolbar) selected and the "Info on selected item" text displayed]
Basic usage:
• Select the item you want more info on
• Get info on selected item
• Detailed information on the selected item
• Fix (delete) it
• Put on the ignore list
HijackThis: Basic Usage
The basic and most common usage of HijackThis is to identify malicious software that can be injected together with MSIE and then monitors the user's activities without consent.
When HijackThis shows the system scan results, it also presents you with the possibility of checking any item.
When an item is checked, you have the following options:
• Fix the item: HijackThis removes that entry from your system.
• Get info on the selected item: It shows what the item does in your system.
• Add the checked item to a whitelist: This is also known as the ignore list, and it prevents HijackThis from showing the item on the next system scan.
Removing Suspicious Entries with HijackThis
[Slide: Trend Micro HijackThis v2.0.4 scan results with an O2 BHO entry (Java Plug-In SSV Helper) checked and the "Fix checked" button highlighted]
Removing an entry:
• Check the item
• Click Fix checked
• Scan the system again to ensure deletion!
• But when should you do it?
Removing Suspicious Entries with HijackThis
Removing Entries
Some malware adds itself as a BHO. It is not easy to spot it simply by looking at the report generated by HijackThis.
In general, such malware follows one of two options:
• Try to appear as legitimate software; this is more difficult to spot.
• Load the BHO noisily; this is easier to spot.
HijackThis Usage in Malicious BHO Example
[Slide: Trend Micro HijackThis scan results showing a suspicious O2 BHO entry named Internet Security Class together with its info text]
Suspicious BHO (O2) example. What makes it suspicious?
1. Name
2. Path
3. Google them
HijackThis Usage in Malicious BHO Example
Spotting a Suspicious BHO
When the system scan is done, a large number of items may be reported. Focusing on the possible BHOs, you may notice that some appear to be legitimate, whereas some may appear malicious.
In the slide example, you have a BHO (type O2) called Internet Security Class, a CLSID, and the path from which it is being loaded.
Now you have to remember some deceptive tactics used by the malware:
1. They try to look like some "security" component, usually using some antivirus vendor name.
2. They try to look like a Microsoft Windows component, usually taking the name of a legitimate Windows process/service, or something related to Windows.
In this case, we have both: a BHO with the suspicious name of Internet Security Class (note that Norton Antivirus has a BHO called Norton Internet Security) and a DLL name that suggests it is trying to look like an MS Windows Update component!
Suggested actions:
• Fix it! (Delete it by clicking the Fix Checked button.)
• Rescan your system to see whether it was actually deleted!
Remember that you can always restore a deleted item because HijackThis keeps a backup of all deleted items!
Using the HijackThis Tool: Hands-On
In the "Using the HijackThis Tool" section, we start with the following steps:
1. Revert the VMware Windows 7 image to the snapshot Clean7: VM -> Snapshot -> Select Clean7.
2. Open the folder Course on the VMware Windows 7 desktop.
3. Open the Part 3 folder.
4. Right-click the archive and select the option Extract All to extract the contents. Enter the password training.
5. Start HijackThis by right-clicking HijackThis and selecting Run as Administrator. Then answer the following questions and follow the next slides to see the answers.
After you try to answer the following questions, continue for an interactive run of the lab.
1. What do you see when you click Do a System Scan Only? Take note of anything suspicious that will be loaded at boot time.
2. If the suspicious process is running, try to kill/terminate it. Describe the procedure used to kill the suspicious process using HijackThis.
3. If the process was successfully terminated, it is time to remove the malicious Registry entries. Using the tool, which function enables you to remove the entries?
Hands-on: Checking the Report Generated
[Slide: Trend Micro HijackThis scan results from the lab machine, showing the F2, O4 and O7 entries discussed below together with the usual O9 extra-button entries and O23 service entries (Packet Capture Protocol, VMware)]
Malware in Action:
• Change in IniFile to autoload a file called SSVICHOSST.EXE
• Change in the computer policy to disable access to RegEdit: DisableRegEdit = 1
• Check the log
Hands-on: Checking the Report Generated
Malware in Action
A system scan with HijackThis shows a nice report.
The first thing it shows is an F2 entry:
F2 - REG:system.ini: Shell=Explorer.exe SSVICHOSST.EXE
F entries, according to the HijackThis Info button, mean "IniFile value, mapped to Registry Autoloading entries", and F2 means "Changed IniFile value, mapped to Registry". This means that the Shell= value of system.ini was changed to also load the file SSVICHOSST.EXE.
That makes it highly suspicious, because usually SVCHOST.exe is loaded as a service, not as a process started by an autoloading entry. Also note that it is not SVCHOST.EXE but SSVICHOSST.EXE, trying to look like SVCHOST (a legitimate Windows system process)!
This was the first deceptive tactic of the malware. The second one is right below in the report:
O4 - [Yahoo Messengger] C:\WINDOWS\System32\SSVICHOSST.exe
It is a type O entry. According to the HijackThis info, the O entries mean "Other, several sections", and O4 means "Enumeration of suspicious autoloading Registry entries".
This means that there is a Registry entry that autoloads the process from Windows\System32\SSVICHOSST.EXE, and the key name is [Yahoo Messengger] (notice the Messenger with two Gs). So, this is the second deceptive tactic of the malware: trying to look like a Yahoo Messenger process, which would autoload every time Windows restarts.
The third suspicious entry from this report is a System Policy change:
O7 - DisableRegedit=1
It is a type O entry again. Type O7 means "Disabling RegEdit with Policies". So, even if you didn't get it from the report wording DisableRegedit=1, the info text tells you exactly the same thing: the malware changed the policy to prevent you from opening the Registry Editor (regedit.exe) and seeing the keys/entries added to it.
For your reference, here is a portion of the log generated by HijackThis:
Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 5:43:13 AM, on ...
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
...
F2 - REG:system.ini: Shell=Explorer.exe SSVICHOSST.exe
O3 - Toolbar: &Radio - ...
O4 - ... [MSMSGS] ... /background
O4 - ... [Yahoo Messengger] C:\WINDOWS\System32\SSVICHOSST.exe
O7 - ... DisableRegedit=1
O9 - Extra button: Related ...
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - ...
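The three checks just described (an extra program on the system.ini Shell= line, an autoload entry whose file name or key name is a look-alike of a legitimate name, and DisableRegedit=1) can be automated over a saved HijackThis log. The following Python script is an added example and is not part of the course or of HijackThis; the log lines it parses are constructed after the excerpt above (the registry key paths, the CLSID and the Adobe DLL path are placeholders), and the look-alike lists and the 0.8 similarity threshold are illustrative choices.

```python
import re
from difflib import SequenceMatcher

# Legitimate names a malicious autoload entry may imitate (illustrative lists, not exhaustive)
KNOWN_SYSTEM_EXES = ["svchost.exe", "explorer.exe", "lsass.exe", "services.exe",
                     "winlogon.exe", "csrss.exe", "smss.exe", "msmsgs.exe"]
KNOWN_PRODUCT_NAMES = ["yahoo messenger", "windows messenger", "windows update",
                       "norton internet security"]

# Constructed sample modelled on the log excerpt in the hands-on. The registry key paths,
# the CLSID and the Adobe DLL path are placeholders, not values from the real lab log.
SAMPLE_LOG = """\
F2 - REG:system.ini: Shell=Explorer.exe SSVICHOSST.exe
O2 - BHO: AcroIEHlprObj Class - {CLSID-PLACEHOLDER} - C:\\Placeholder\\AcroIEHelper.dll
O4 - HKLM\\..\\Run: [MSMSGS] "C:\\Program Files\\Messenger\\msmsgs.exe" /background
O4 - HKLM\\..\\Run: [Yahoo Messengger] C:\\WINDOWS\\System32\\SSVICHOSST.exe
O7 - HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\System: DisableRegedit=1
"""


def closest_known(name, known, threshold=0.8):
    """Return (known_name, ratio) when name is a near miss of a known name, else None.

    An exact match is not a near miss: msmsgs.exe is msmsgs.exe, whereas
    SSVICHOSST.exe is only a look-alike of svchost.exe."""
    name = name.lower()
    best = max(known, key=lambda k: SequenceMatcher(None, name, k).ratio())
    ratio = SequenceMatcher(None, name, best).ratio()
    if name == best or ratio < threshold:
        return None
    return best, ratio


def _split_o4(rest):
    """Split the text after 'O4 - ' into (registry key, entry name, program path)."""
    key, _, entry = rest.partition(": [")
    name, _, cmd = entry.partition("] ")
    if cmd.startswith('"'):                 # quoted path, arguments follow the closing quote
        path = cmd[1:].split('"', 1)[0]
    else:                                   # unquoted path, arguments after the first space
        path = cmd.split(" ", 1)[0]
    return key, name, path


def triage_hijackthis_log(text):
    """Return a list of (entry type, reason) for entries showing the three tactics."""
    findings = []
    for line in text.splitlines():
        code, _, rest = line.partition(" - ")
        if code == "F2" and "Shell=" in rest:
            # The system.ini Shell= value should name Explorer.exe and nothing else
            programs = rest.split("Shell=", 1)[1].split()
            extra = [p for p in programs if p.lower() != "explorer.exe"]
            if extra:
                findings.append(("F2", "Shell= also loads " + ", ".join(extra)))
        elif code == "O4":
            _, name, path = _split_o4(rest)
            exe = path.rsplit("\\", 1)[-1]
            hit = closest_known(exe, KNOWN_SYSTEM_EXES)
            if hit:
                findings.append(("O4", f"[{name}] runs {exe}, a look-alike of "
                                       f"{hit[0]} (similarity {hit[1]:.2f})"))
            hit = closest_known(name, KNOWN_PRODUCT_NAMES)
            if hit:
                findings.append(("O4", f"entry name [{name}] is a look-alike of "
                                       f"'{hit[0]}' (similarity {hit[1]:.2f})"))
        elif code == "O7" and re.search(r"\bDisableRegedit=1\b", rest):
            findings.append(("O7", "policy DisableRegedit=1 blocks regedit.exe"))
    return findings


if __name__ == "__main__":
    for code, reason in triage_hijackthis_log(SAMPLE_LOG):
        print(f"{code}: {reason}")
```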
Hands-on: HijackThis Misc Tool Section
[Slide: Trend Micro HijackThis welcome window with the "Open the Misc Tools section" button highlighted]
Actions to take:
• Open the Misc Tool Section from the Main menu
• Find out where the SSVICHOSST.exe process is
• Terminate it
• Rescan the system and fix the changes
Hands-on: HijackThis Misc Tool Section
Taking Action
Because we now have information regarding the malware, it is time to take action.
First, go to the Main menu and select the Open the Misc Tools Section button, so we can use the customized Process Manager tool.
Then, try to find the location of the SSVICHOSST.EXE process and terminate it.
And to finish, rescan the system and fix the changes!
Hands-on: HijackThis Process Manager
[Slide: Trend Micro HijackThis Misc Tools section, listing the Process Manager, the Hosts file manager, Delete a file on reboot, Delete an NT service, ADS Spy (a scan for hidden alternate data streams) and other tools]
The Misc. Tools:
• HijackThis offers some other tools to help you
• This time, use the Open Process Manager to determine what the suspicious process is and where the file is located
Hands-on: HijackThis Process Manager
The Misc Tools
As mentioned before, HijackThis offers some additional tools to help identify suspicious activities on the system.
One of the best tools is the Process Manager, which resembles the Windows Task Manager but has some more advanced functions, such as listing the DLLs of each process.
Hands-on: HijackThis Process Manager View
[Slide: Trend Micro HijackThis Process Manager window listing the running processes with their PIDs and paths, with the "Show DLLs" option and the "Kill process" button]
HijackThis Process Manager:
• Shows the complete PATH
• Allows you to terminate any process with the Kill Process button
• Just select the chosen process and click Kill Process!
Hands-on: HijackThis Process Manager View
The HijackThis Process Manager
The HijackThis Process Manager is quite easy to understand.
In the first half of the window, you can see all processes running on the machine with their associated process ID (PID).
If the Show DLLs option is marked, it also shows each DLL that is associated with the process.
In this case, you can see that the process with ID 248 is the one you are looking for. It shows the path of the process (that is, the path from which the malware was executed). On some systems, you might need a reboot to see exactly the screen displayed on the slides.
Also, remember that the Process ID (PID) may be different on your computer.
Hands-on: Killing a Process with HijackThis
[Slide: HijackThis Process Manager with the confirmation dialog shown after clicking Kill process]
Killing the process:
• To terminate the suspicious process, you have to select it from the process list and click the Kill process button
• Refresh and check again
Hands-on: Killing a Process with HijackThis
Killing the Process
To terminate the suspicious SSVICHOSST.exe process, you have to select it by clicking it and then push the Kill process button.
Another window pops up asking if you are sure about terminating that process. If it is the process you want to kill, just confirm by selecting Yes.
After that, you can click the Refresh button and see if it was actually terminated.
Hands-on: Rescanning the System
[Slide: Trend Micro HijackThis scan results after the rescan, with the remaining malicious entries checked and the "Fix checked" button highlighted]
Fixing the changes:
• Clicking Main menu gives the option to rescan the system
• Now it is time to fix the changes made by the malware
• Select, Fix, Rescan!
Hands-on: Rescanning the System
Fixing the Changes
After terminating the process, you need to fix the changes caused by the malware. Returning to the Main menu, you can ask HijackThis to do a System Scan again and, this time, fix the changes.
That is an easy task, because you just have to check the items you want to fix and click the Fix Checked button.
The fix reverts the change to the Regedit Disable policy, letting you access RegEdit again, and removes the autoload entries for the SSVICHOSST.exe file.
Identifying and Removing Malware: Microsoft Sysinternals Process Explorer and TCPView
Microsoft Sysinternals Suite
• Large suite of free tools for Windows platforms including Win95, WinXP, Win2k3, Windows 7, and Windows 8
• Acquired by Microsoft in 2006
• Supports 64-bit versions!
• Caveats: Some tools need SP2 on Windows XP
Microsoft Sysinternals Suite
What Is Sysinternals?
In this module, you learn about the Sysinternals world. Sysinternals was created by Mark Russinovich and Cogswell. For a long time, its website was a source of excellent free tools for Windows systems. They provided free tools for system information, security, file and disk information, networking, processes, and more.
One of the reasons they became so popular is that they provided tools that could show information on Windows systems that Microsoft's own tools did not.
Some examples of popular tools are:
• Process Explorer: An advanced Task Manager
• TCPView: For viewing networking activities
• ListDLLs: Enables the user to list all the DLLs that are currently loaded on the system, associated with each process, and their version numbers
• RegMon: Enables the user to see the Registry activities in real time
• Streams: Enables the user to see the Alternate Data Streams (ADS) in the system
Another advantage of these tools is that most run on all versions of Windows, from Windows 95 to Windows 7, and even work on 64-bit versions. Because of advances in the Windows kernel, some tools will not be fully functional, and some of the more recent tools need the installation of a Service Pack, such as the Process Monitor tool, which needs Service Pack 2.
MS Sysinternals Process Explorer
Introducing: Process Explorer
• Aka Advanced Task Manager
• In fact, much more than that!
• Allows you to view processes, services, threads, strings...
MS Sysinternals Process Explorer
Introducing: Process Explorer
In this module, you learn how two tools from Sysinternals can work together:
• Process Explorer
• TCPView
Both tools were developed by Sysinternals, which was acquired by Microsoft in 2006, but they remain available free of charge. The only stipulation is that now you have to agree with Microsoft's End User License Agreement (EULA) when first running the applications.
Process Explorer
The first tool, Process Explorer, can be downloaded from the Sysinternals site. This is one of my preferred tools because it gives you a complete view of the system, such as:
• All running processes
• All running services
• Threads associated with the above
• Strings within the running processes/services
• CPU and memory usage
• Path to the running process/service program files
• Command line used by the process/service
This is important when analyzing a system and searching for malware activity, because if you can get all this information, you can start to solve the puzzle of what could be happening in your system.
MS Sysinternals Process Explorer Toolbar
[Slide: Process Explorer main window with its toolbar buttons annotated]
Understanding the toolbar:
• Shows system performance
• Save the results to a text file
• Force refresh (default is 1 second)
• Shows more system performance information
• Displays processes in tree format
• Splits the window in two panels. First panel shows the Processes & Services, PID, CPU usage, description, and company name
• Users
• Second panel shows the Handles and DLLs
• Kill the process/service
• Search for any DLL/Process
MS Sysinternals Process Explorer Toolbar
The Process Explorer Toolbar
Process Explorer offers an easy way to work with its options. The main interface offers a number of buttons on its toolbar to make it easier and faster for the user to take the most common actions.
• The floppy disk icon lets you save the results that are shown to a text file. If you select a process first (with one click of the mouse) and then save the result, all the processes and services plus all DLLs associated with the selected process, showing the DLL name, Description, Company Name, and Version Number, will be saved to a text file.
• The commonly known Refresh button means that you can force an update of the view. The default update interval is 1 second, but it can also be configured to 2, 5, or 10 seconds.
• The next icon is the System Information button, which can show information like the Performance tab of the Windows Task Manager but with more detail, including information about a specific process if you select it first.
• The next icon is the Show Process Tree button. This is the default view of Process Explorer. From the Process Explorer Help File:
"By default, Process Explorer sorts processes into the system process tree. The process tree reflects the parent-child relationship between processes, where child processes are shown directly beneath their parent and right-indented. Processes that are left-justified are orphans; their parent has exited."
• The next icon is the one that enables you to split the view into two panels, leaving the Processes and Services on the top panel and showing the Handles/DLLs on the lower panel.
• The following icon is the one that enables you to see the handles or the DLLs associated with each process/service.
• The next icon is the Properties icon. It is the same as double-clicking a process. When showing the properties, Process Explorer opens another window with eight different tabs:
  • Image
  • TCP/IP
  • Security
  • Performance
  • Environment
  • Performance Graph
  • Threads
  • Strings
• The Red X icon is the one that lets you kill a process or service. Just select the process and click the red X button. Another way is to right-click the selected process/service and choose either Kill Process or Kill Process Tree. A third option to terminate a process/service is to select the process and then press the DEL key.
• The binoculars icon enables you to search for a Handle or DLL to see which process/service is using it.
• The last icon is a Target icon. You can drag it onto any open application window and it shows the Process Explorer information about that window's process.
MS Sysinternals TCPView
• Introducing: TCPView
• Aka Advanced Netstat
• Allows you to view current processes that have network connections, the protocols used, and terminate them
MS Sysinternals TCPView
What Is TCPView?
The TCPView tool is also produced by Sysinternals (Microsoft Sysinternals since 2006) and can be downloaded from the Sysinternals site.
MS Sysinternals TCPView Capabilities
[Slide: TCPView window listing TCP and UDP endpoints, most of them in LISTENING state]
• Like a GUI Netstat
• Shows the processes, protocols, local and remote addresses and ports, and connection state
• Updates the info in real time
• Allows the user to close an on-going connection
• Allows the user to terminate a process
MS Sysinternals TCPView Capabilities
TCPView Capabilities
You can think of this tool as the graphical and advanced version of the Windows CLI tool Netstat. It shows the same information as Netstat, plus it provides some advanced functions:
• Shows the connections in real time with the protocols, port numbers and connection state.
• Enables you to close an on-going connection.
• Enables you to kill a process that has network connectivity, for example, a malicious backdoor program listening on a port.
MS Sysinternals Process Explorer and TCPView
• Using both Process Explorer and TCPView together gives a better view of the scenario
• In the following example, a computer was identified as generating lots of network traffic!
MS Sysinternals Process Explorer and TCPView
Process Explorer
When dealing with malware that makes use of networking, using Process Explorer together with TCPView gives you a more complete view of the problem and increases your chances of identifying and removing the malware.
In the next few slides you see an example of such usage. We imagine a computer on the network that has been identified as being responsible for generating a lot of network traffic, and your job is to try to identify and remove the malware that may be causing such behavior.
MS Sysinternals Process Explorer in Action
[Slide: Process Explorer window listing all processes and services on the lab machine, with the sslms.exe process highlighted]
• Viewing all processes and services running on the machine
• Suspicious sslms.exe process:
  • No process description
  • No company name
• Is network activity associated with this process?
MS Sysinternals Process Explorer in Action
Process Explorer: Putting It to Use
When firing up Process Explorer on the computer, you can see the default Windows processes and services plus some additional processes such as the Microsoft Messenger client, our Process Explorer, TCPView, and so on. We also see another process called sslms.exe with no description or company name. That, and the fact that it is not a known process name, makes it suspicious.
The process list shown on the slide (Process, PID, Description, Company Name; PIDs that could not be read from the screenshot are left blank):
System Idle Process     0      n/a
Interrupts              n/a    Hardware Interrupts
DPCs                    n/a    Deferred Procedure Calls
smss.exe                436    Windows NT Session Manager                 Microsoft Corporation
csrss.exe               680    Client Server Runtime Process              Microsoft Corporation
winlogon.exe            708    Windows NT Logon Application               Microsoft Corporation
services.exe            752    Services and Controller app                Microsoft Corporation
svchost.exe             956    Generic Host Process for Win32 Services    Microsoft Corporation
svchost.exe             1044   Generic Host Process for Win32 Services    Microsoft Corporation
svchost.exe             1236   Generic Host Process for Win32 Services    Microsoft Corporation
svchost.exe             1248   Generic Host Process for Win32 Services    Microsoft Corporation
spoolsv.exe                    Spooler Subsystem App                      Microsoft Corporation
VMwareService.exe              VMware Tools Service                       VMware, Inc.
lsass.exe               764    LSA Shell (Export Version)                 Microsoft Corporation
explorer.exe            252    Windows Explorer                           Microsoft Corporation
VMwareTray                     VMwareTray                                 VMware, Inc.
VMwareUser.exe                 VMwareUser                                 VMware, Inc.
msmsgs.exe                     Messenger Client                           Microsoft Corporation
procexp.exe             1996   Sysinternals Process Explorer              Sysinternals
TCPView.exe             1032   TCP/UDP endpoint viewer                    Sysinternals
sslms.exe               1816   (no description)                           (no company name)
MS Sysinternals Process Explorer: Properties
[Slide: Process Explorer properties window for sslms.exe, Image tab, showing the Version, Time and Path (Image) fields and the command line]
• Double-clicking a process in Process Explorer shows the properties of the selected process, including important information like the location of the binary and the command line used
• This shows that the malware is running from: C:\windows\system32\sslms.exe
MS Sysinternals Process Explorer: Properties
Process Properties
When you double-click any process or service, another window pops up with the properties of that process or service.
The Image tab is important because it gives you information such as the path where the file is located and the command line used to load the process or service, in case you need to check whether any option is passed to the process. In our case this process is not invoking any special argument on the command line, but for example in the SVCHOST.EXE service, you can see something like:
Command line: ... -k LocalService
MS Sysinternals TCPView in Action
[Slide: TCPView window with the sslms.exe entries highlighted]
TCPView shows information regarding the suspicious process:
• Connections from our lab-machine to nasty-server
• Connection to port 6667
• 6667 is the standard IRC port number!
MS Sysinternals TCPView in Action
Using TCPView
Now it is time to use TCPView to see if this process has any network connections. We could use Process Explorer to get this information, but TCPView is better at presenting it:
Our suspicious process sslms.exe has an established connection to "nasty-server" on port 6667!
It could be just a coincidence, but port 6667 is the standard port for Internet Relay Chat (IRC), an Internet chat service that is the main method used to build and control bots and botnets!
The TCPView listing shown on the slide (Process, Protocol, Local Address, Remote Address, State; cells that could not be read from the screenshot are shown as ...):
sslms.exe:1816      TCP   Lab-machine:1074           nasty-server:6667   ESTABLISHED
sslms.exe:1816      TCP   Lab-machine:1075           ...                 ESTABLISHED
sslms.exe:1816      TCP   ...                        Lab-machine:0       LISTENING
svchost.exe:1044    UDP   Lab-machine:ntp            *:*
System:4            TCP   Lab-machine:microsoft-ds   Lab-machine:0       LISTENING
System:4            TCP   lab-machine:netbios-ssn    Lab-machine:0       LISTENING
System:4            UDP   Lab-machine:microsoft-ds   *:*
System:4            UDP   lab-machine:netbios-ns     *:*
System:4            UDP   lab-machine:netbios-dgm    *:*
(plus further LISTENING and UDP entries for lsass.exe:764, svchost.exe:956, svchost.exe:1236 and svchost.exe:1248)
Process Explorer and TCPView Example
• Summary of information collected:
  • Suspicious process called sslms.exe
  • Process connected to strange server on IRC port number (6667)
• Questions to answer:
  • What is this process?
  • How to get rid of it?
Process Explorer and TCPView Example Summary
Summary of the Current Status:
• You found a process called sslms.exe.
• The process has an established connection to a remote server.
• The remote server is listening on port 6667, which is the standard TCP port number for Internet Relay Chat (IRC), used by legitimate chat users but also used by malware authors as the main Command & Control method for botnets!
And you still have the following questions to answer:
• What is this process? Is it suspicious? Besides the lack of process information and the network connection to a remote server, you are still not sure about it.
• If you decide that it is indeed suspicious, what should you do to remove it from the system?
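The correlation made by eye on the previous slides (no description or company name in Process Explorer, an ESTABLISHED connection to port 6667 in TCPView) can be written down as a scoring rule. This Python script is an added example, not part of the course or of the Sysinternals tools; its process and endpoint tables are constructed from the screens shown above, and the point values are an arbitrary illustration.

```python
from dataclasses import dataclass, field

# IRC port called out in this example (other IRC ports exist; this set is illustrative)
IRC_PORTS = {6667}

# Constructed from the Process Explorer and TCPView screens above (a subset of the rows)
PROCESSES = [
    # (name, pid, description, company name)
    ("svchost.exe", 1044, "Generic Host Process for Win32 Services", "Microsoft Corporation"),
    ("lsass.exe", 764, "LSA Shell (Export Version)", "Microsoft Corporation"),
    ("TCPView.exe", 1032, "TCP/UDP endpoint viewer", "Sysinternals"),
    ("sslms.exe", 1816, "", ""),
]
CONNECTIONS = [
    # (name, pid, protocol, local address, remote address, state)
    ("sslms.exe", 1816, "TCP", "Lab-machine:1074", "nasty-server:6667", "ESTABLISHED"),
    ("sslms.exe", 1816, "TCP", "Lab-machine:1025", "Lab-machine:0", "LISTENING"),
    ("svchost.exe", 1044, "UDP", "Lab-machine:ntp", "*:*", ""),
    ("lsass.exe", 764, "UDP", "Lab-machine:1026", "*:*", ""),
    ("System", 4, "TCP", "Lab-machine:microsoft-ds", "Lab-machine:0", "LISTENING"),
]


@dataclass
class Finding:
    name: str
    pid: int
    score: int = 0
    reasons: list = field(default_factory=list)

    def hit(self, points, reason):
        self.score += points
        self.reasons.append(reason)


def port_of(endpoint):
    """Numeric port of 'host:port', or None for service names ('ntp') and wildcards ('*')."""
    port = endpoint.rsplit(":", 1)[-1]
    return int(port) if port.isdigit() else None


def triage(processes, connections):
    """Score each process: missing identification (Process Explorer columns) plus an
    ESTABLISHED connection to an IRC port (TCPView). Returns findings, highest score first."""
    findings = {pid: Finding(name, pid) for name, pid, _, _ in processes}
    for _, pid, description, company in processes:
        if not description:
            findings[pid].hit(1, "no process description")
        if not company:
            findings[pid].hit(1, "no company name")
    for name, pid, proto, local, remote, state in connections:
        finding = findings.setdefault(pid, Finding(name, pid))
        if state == "ESTABLISHED" and port_of(remote) in IRC_PORTS:
            finding.hit(3, f"{proto} {local} -> {remote} {state} (IRC port)")
        elif state == "LISTENING" and finding.score > 0:
            # Listeners are normal for System and svchost; they matter for an unidentified process
            finding.hit(1, f"{proto} listening on {local} while unidentified")
    return sorted(findings.values(), key=lambda f: f.score, reverse=True)


if __name__ == "__main__":
    for f in triage(PROCESSES, CONNECTIONS):
        print(f"{f.name}:{f.pid} score={f.score} {'; '.join(f.reasons)}")
```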
Process Explorer: Strings View (1)
• One of the nicest things about Process Explorer is the ability to show the strings within a selected process:
  • From the physical image or from memory
  • Strings can reveal a lot of information!
• Advantages of memory view:
  • Even if the malware is packed, it will be unpacked in memory, revealing its secrets!
Process Explorer: Strings View (1)

Process Explorer offers a nice way to get into the process and read the character strings that are present inside the process binary. This is important because sometimes we can identify the purpose of the malware by reading the strings inside it.

For example, an online banking password stealer program might contain references to a bank website URL, the bank's names, and usernames and passwords.

One problem when reading strings on the binary is that the strings may be obfuscated in the binary with the use of programs called packers and protectors. Packers are easily available on the Internet, and examples of popular packers are:
• Petite
• Yoda

That is why Process Explorer offers an option to read the strings directly from memory, too. Most runtime packers decrypt the binary into memory when it is running. This gives Process Explorer the chance of reading the unpacked strings contained within it. Even if the binary is packed, when it is running in memory it has to unpack itself, making it possible to read the strings contained within it!
Process Explorer: Strings View (2)
• On the Strings tab, you can go to the Strings of the selected process, letting the user select between Image or Memory views
• In memory view, you can see the strings in the process running in memory and search for useful words that can help to identify the malware
• Words of interest: PASS, NICK, USER, PING, and JOIN
[Screenshot: Process Explorer Properties dialog, Strings tab in Memory view, showing strings such as PASS, NICK and JOIN]
Process Explorer: Strings View (2)

The Strings Tab
On the Properties dialog's Strings tab, you have the option of seeing the process strings from the image on the hard drive or from the process running in memory, which makes it possible to read the strings in most cases even if the executable has been packed. The default view of the strings is from the image, so you have to select the Memory option to let Process Explorer show the strings from memory.

Strings of Interest
When viewing the strings from a file, you are presented with a lot of data, and many of them will be garbage. Searching for strings of interest is not a quick task and demands some time to complete, especially if it is a large file. In this example, you can see by the vertical scrolling bar that there are many strings in the selected process.

We found strings of interest close to halfway through the list. They are strings found in typical bot and IRC commands, such as:
• PASS
• NICK
• USER
• PING
• PONG
• JOIN
• USERHOST
Process Explorer and TCPView Analysis Summary
• A process that is connected to a server on port 6667 (IRC port)
• The same process has the words PASS, NICK, USER, PING, and JOIN in its strings.
• Putting it all together we appear to have a malicious and nasty bot!
• so 2006... NOT!
• As of 2012, several still use IRC as a C&C method, like W32/Autorun worms ...
Process Explorer and TCPView Analysis Summary

New Summary
So far we have the following information:
• A suspicious process was found on a system.
• It is located in the c:\windows\system32\ folder.
• The process is connected to a remote server.
• The remote server is listening on TCP port 6667 (IRC TCP port).
• It was possible to find strings of a typical IRC session.

We have a bot connected to a botnet!

When a system has a bot connected to a botnet, control of the system now belongs to the bot master, and she can send commands to our system to make it perform various functions. One of these is scanning large blocks of IP ranges looking for other vulnerable machines, so it can exploit them and get another bot installed. That may be the cause of the large amount of network traffic originally detected from our investigated system.

Although the explosion of bots and botnets happened in 2004/2005, there are still several different bot families in the wild, and to make things even more nasty, other malware families are also adopting IRC as a Command and Control (C&C) method. One example is the family that spreads using network, thumb drives, open

Now that we have identified the offending process, how can we remove it from our system?
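The reasoning of this summary and of the preceding strings-view page, turned into a small triage routine: the strings of a process (Strings tab, Memory view) are matched against the IRC command words, and TCPView-style connection lines are checked for an established TCP connection to port 6667 from the same PID. This is an added example, not code from the course book; the TCPView line format, the sample strings, the PID 1732 and the remote address are constructed.

```python
"""Combine a process's strings (Process Explorer, Memory view) and its network
connections (TCPView) into one IRC-bot verdict.  Added example, not the course
book's code; the sample strings and TCPView lines below are constructed."""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Set

# IRC protocol commands the course book lists as strings of interest.
IRC_COMMANDS = {"PASS", "NICK", "USER", "PING", "PONG", "JOIN", "USERHOST"}
IRC_PORT = 6667  # the standard IRC port the remote server was listening on

# Whole upper-case tokens only, so 'password' or 'Joining' are not counted.
TOKEN = re.compile(r"\b([A-Z]{4,8})\b")


@dataclass
class Connection:
    proto: str
    local: str
    remote_host: str
    remote_port: int  # -1 when TCPView shows '*' or a service name
    state: str        # '' for UDP, which has no state column
    pid: int


@dataclass
class Verdict:
    pid: int
    irc_commands: Set[str] = field(default_factory=set)
    irc_connections: List[Connection] = field(default_factory=list)

    @property
    def score(self) -> int:
        # one point per distinct IRC command, five per live connection to the IRC port
        return len(self.irc_commands) + 5 * len(self.irc_connections)

    @property
    def likely_bot(self) -> bool:
        # the book's reasoning: an IRC connection plus a typical IRC command set
        return bool(self.irc_connections) and len(self.irc_commands) >= 3


def irc_commands_in(strings: List[str]) -> Set[str]:
    """Return the IRC commands present among a process's strings."""
    found: Set[str] = set()
    for s in strings:
        found.update(tok for tok in TOKEN.findall(s) if tok in IRC_COMMANDS)
    return found


def parse_tcpview_line(line: str) -> Optional[Connection]:
    """Parse one TCPView-style line (constructed format):
    TCP <local> <remote> <state> <pid>   or   UDP <local> <remote> <pid>."""
    parts = line.split()
    if not parts or parts[0] not in ("TCP", "UDP"):
        return None
    try:
        if parts[0] == "TCP" and len(parts) >= 5:
            proto, local, remote, state, pid = parts[:5]
        elif parts[0] == "UDP" and len(parts) >= 4:
            (proto, local, remote, pid), state = parts[:4], ""
        else:
            return None
        host, _, port = remote.rpartition(":")
        return Connection(proto, local, host, int(port) if port.isdigit() else -1,
                          state, int(pid))
    except ValueError:
        return None


def assess(pid: int, strings: List[str], tcpview_lines: List[str]) -> Verdict:
    """Score one process by PID: its strings plus any ESTABLISHED TCP connection
    to the IRC port that TCPView attributes to that PID."""
    verdict = Verdict(pid, irc_commands_in(strings))
    for line in tcpview_lines:
        conn = parse_tcpview_line(line)
        if (conn and conn.pid == pid and conn.proto == "TCP"
                and conn.state == "ESTABLISHED" and conn.remote_port == IRC_PORT):
            verdict.irc_connections.append(conn)
    return verdict


# Constructed sample: what the Strings tab (Memory view) and TCPView might show.
SAMPLE_STRINGS = ["kernel32.dll", "PASS %s", "NICK %s", "USER %s 0 0 :%s",
                  "PING", "JOIN #%s", "password", "Joining"]
SAMPLE_TCPVIEW = [
    "TCP  lab-machine:1045          198.51.100.7:6667  ESTABLISHED  1732",
    "TCP  lab-machine:microsoft-ds  lab-machine:0      LISTENING    4",
    "UDP  lab-machine:netbios-ns    *:*                4",
]

if __name__ == "__main__":
    v = assess(1732, SAMPLE_STRINGS, SAMPLE_TCPVIEW)
    print(f"pid {v.pid}: commands={sorted(v.irc_commands)} "
          f"score={v.score} bot={v.likely_bot}")
```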
Cleaning the Bot from the System
• Next steps: Terminate it and clean the system!
  • Terminate the process
  • Look for auto-loading traces
  • Delete the file
Cleaning the Bot from the System

Next Steps
So now you have three steps to remove the malware from the system:
1. Terminate/kill the process. This is the first step because sometimes the system does not let you delete the file if the process is running. Also, any attempts to clean the system Registry can fail because the malware can possibly prevent changes to the Registry.
2. Check the Registry looking for Registry entries that may be doing the "I will be back" mode, also called auto-loading. You can do it manually or using our friend HijackThis.
3. After terminating the process and cleaning the traces, you should delete the file from the system.
Process Explorer: Killing a Process (1)
• Process Explorer also enables you to easily kill any process or service running
• Basic operation:
  • Select the process
  • Click the red X on the toolbar
Process Explorer: Killing a Process (1)

Killing a Process with Process Explorer
One of the functions of Process Explorer is to allow an easy way to kill/terminate a process. There are three ways to do it:
• Select the process and click the red X button on the toolbar.
• Select the process and press the DEL key.
• Right-click the process, and select Kill Process from the pop-up menu.
Process Explorer: Killing a Process (2)
[Screenshot: Process Explorer process list next to the TCPView window]
Process Explorer: Killing a Process (2)

Killing a Process with Process Explorer
In the slide, notice that sslms.exe is active in the TCPView window. Select it and click the red X button on the toolbar, asking Process Explorer to kill it. Then you get a pop-up asking for confirmation:

"Are you sure you want to kill sslms.exe?"

You bet!
Process Explorer: Killing a Process (3)
Process Explorer: Killing a Process (3)

Killing a Process with Process Explorer
Right after clicking Yes in the Process Explorer pop-up asking for confirmation for killing the sslms.exe process, notice that there is no more activity from the process in TCPView or in Process Explorer. This is a clear indication that you were successful in terminating the process!
Cleaning the Bot from the System
• Next steps: Terminate it and clean the system!
  • Terminate the process
  • Look for auto-loading traces
  • Delete the file
HijackThis: Checking Autolo‌ading Entries
• Cleaning the Malware traces
• Bringing HijackThis to the Scene:
  • System Scan shows three occurrences
  • Select all instances
  • Click Fix Checked
  • Confirm!
[Screenshot: HijackThis scan results listing the [Windows Services Layer] sslms.exe entries alongside the VMware and Remote Packet Capture Protocol entries, with the Fix checked button]
HijackThis: Checking Autoloading Entries

Cleaning the Traces
Now it is time to check for any traces left by the malware. Right now, we are sure only that we killed the malicious process that was running, but we cannot guarantee that it will not run again when the system reboots. There are alternatives for checking the traces:

One is to manually check with regedit, which can take a long time because there are often many entries to be checked and the Registry is a large place to hide things in. Still, when you know the filename of the malware, you can search the Registry for any pointers to it. The other is to use our friend HijackThis.

Running HijackThis, you can see some interesting entries:

O3 - Toolbar: &Radio - ...
O4 - HKLM\..\Run: [VMware Tools] ...\VMware\VMware Tools\VMwareTray.exe
O4 - HKLM\..\Run: [VMware User Process] ...\VMware\VMware Tools\VMwareUser.exe
O4 - HKLM\..\Run: [Windows Services Layer] sslms.exe
O4 - ...: [Windows Services Layer] sslms.exe
O4 - HKCU\..\Run: [MSMSGS] ... /background
O4 - ...: [Windows Services Layer] sslms.exe
O9 - Extra button: Related - ...
O9 - Extra 'Tools' menuitem: Show &Related Links - ...

With this log from HijackThis you can see three Registry entries from the malware that allow it to run every time the system is restarted: 2 on HKEY_LOCAL_MACHINE and 1 on HKEY_CURRENT_USER.
HijackThis: Removing Autoloading Entries
[Screenshot: HijackThis scan results with the three [Windows Services Layer] sslms.exe entries checked, ready for Fix checked]
HijackThis: Removing Autoloading Entries

Cleaning the Malware Traces
Now that we have identified the traces left by the malware, we have to clean them. With HijackThis, you simply have to check all items that apply and click the Fix Checked button. This removes all the entries created by the malware on the system. To ensure you were successful, you need to do another scan and verify that all the selected entries are gone.
Cleaning the Bot from the System
• Next steps: Terminate it and clean the system!
  • Terminate the process
  • Look for auto-loading traces
  • Delete the file
Deleting the Malicious File (1)
• From Process Explorer it was possible to see that the malware was running from: C:\windows\system32\sslms.exe
• From the DOS prompt, you can go to the directory and delete it from the system
Deleting the Malicious File (1)

Removing the Malware
Because we terminated the malware process and fixed the Registry entries, it is time to remove the malware application from the system.

From the process properties in Process Explorer, it is possible to see that the malware path is C:\windows\system32\sslms.exe.

This is useful information because you can go to the Windows\System32 folder and delete the sslms.exe file. Although you can do it using Windows Explorer, it is better to do it from the command / DOS prompt because you have more options in case something goes wrong with the file deletion.
Deleting the Malicious File (2)
• Using dir to show the file may be frustrating on the first try:

C:\windows\system32>dir sslms.exe
 Volume in drive C has no label.
 Volume Serial Number is 58F7-EC7C

 Directory of C:\windows\system32

File Not Found

• But why?
Deleting the Malicious File (2)

Removing the Malware
Although removing a file can be trivial most of the time, sometimes it can simply go wrong. In this case, something has happened. As you can see on the slide, a dir command to list the sslms.exe file failed.

But why? There could be many reasons, such as:
• Was this file deleted already?
• Is it hidden?
• Is some rootkit hiding it?
Deleting the Malicious File (3)
• A dir /a can show the answer:

C:\windows\system32>dir /a sslms.exe
 Volume in drive C has no label.
 Volume Serial Number is 58F7-EC7C

 Directory of C:\windows\system32

08/23/2001  05:00 AM           265,216 sslms.exe
               1 File(s)        265,216 bytes
               0 Dir(s)   2,251,980,800 bytes free

• The file was set with attributes to hide it! Showing all attributes revealed it.
Deleting the Malicious File (3)

Removing the Malware
Because apparently it cannot find the file, you cannot delete it. But why did it happen? What could be wrong?
Deleting the Malicious File (4)
• The use of attributes can also prevent the deletion of the file:

C:\windows\system32>del sslms.exe
Could Not Find C:\windows\system32\sslms.exe
Deleting the Malicious File (4)

Removing the Malware
As you have seen, malware writers use a lot of different techniques to prevent a file from being shown on the system and to prevent the user from seeing or deleting it. One of these techniques is to set some file attributes, such as Hidden and System File, using for example the attrib.exe Windows CLI tool.

Using the DIR command with the option /a makes DIR display all files no matter which attributes are set on the file. Now you can see the sslms.exe file with a size of 265,216 bytes.
Deleting the Malicious File (5)
• Attrib.exe can solve the problem by resetting the attributes:

C:\windows\system32>attrib -s -r -h sslms.exe

C:\windows\system32>dir sslms.exe
 Volume in drive C has no label.
 Volume Serial Number is 58F7-EC7C

 Directory of C:\windows\system32

08/23/2001  05:00 AM           265,216 sslms.exe
               1 File(s)        265,216 bytes
               0 Dir(s)   2,251,980,800 bytes free
Deleting the Malicious File (5)

Removing the Malware
Because you know that this file has some attributes set preventing us from seeing and deleting the file, you need to reverse the changes done. The easiest way to do it is to reset all attributes that could prevent us from seeing and deleting the file. In this case, you use attrib to remove the attributes S (System File), R (Read-only), and H (Hidden).

This can be accomplished with the command:

C:\windows\system32>attrib -s -r -h sslms.exe

Now a simple DIR will show the file:

C:\windows\system32>dir sslms.exe
08/23/2001  05:00 AM           265,216 sslms.exe

This also means that now you can remove it from the system.
Deleting the Malicious File (6)
• Now that you can see the file and it is no longer a system file, you can safely delete it
Deleting the Malicious File (6)

Removing the Malware
Since you were able to reset the attributes that were preventing you from seeing and removing the file, you can safely remove the malicious binary with the DEL command:

C:\windows\system32>del sslms.exe

If you don't get any error messages, you can assume that you are done. If you want to ensure that the file has been removed, run another DIR on the file to verify that you were successful in deleting the file.

You can also search the hard disk for any other occurrence of the filename anywhere on the disk with the DIR /s command:

C:\>dir /s sslms.exe

Note that some malware will use the names of real Windows processes/files but will save them in other directories, so while a search of the entire disk is a good idea, you have to be extra careful with the files in the c:\windows directory since they may be legitimate.
MS Sysinternals Process Explorer and TCPView Hands-On

In the MS Sysinternals Process Explorer and TCPView section, we start with the following steps:
1. Revert the VMware Windows 7 image to the Snapshot Clean7. VM -> Snapshot -> Select Clean7
2. Open the folder Course on the VMware Windows 7 Desktop.
3. Open the Part4 folder.
4. Right-click the nasty.zip file and then select Extract All. Enter the password training without quotes.
5. Double-click the newly created folder; right-click the nasty.exe and select Run as Administrator.
6. Run both tools and malware as Administrator!

Now it is your turn!
1. Do you see any suspicious activity on the machine, using both Process Explorer and TCPView?
2. Which remote ports are involved?
3. Is it using any method to ensure that it will be loaded at boot time?
4. ...aces?
5. ...
6. ...ou delete it?
7. Did the Autorun entry get removed?

With TCPView you can notice that the malware is making connections, but the process that is doing it is not the malware process, but a Windows process called TaskHost.exe. (Note that you may observe different behaviors on Windows 7 32 bit and Windows 7 64 bit.)

This means that the malware injected its code into a legitimate Windows process to make it harder for the analyst to find it.

With the tools provided in the folder, you can ... the autostart mechanism and the folder where it is located ... and remove the ... After you delete it, try to run the ... entry. Then scan again.

Now reboot the system and try to remove the Autorun entry again.
Microsoft Sysinternals ListDLLs
Microsoft Sysinternals ListDLLs (1)
• Introducing: ListDLLs
• Shows the DLLs loaded on the system, the processes associated with them, and the command line used by the process
Microsoft Sysinternals ListDLLs (1)

Introducing ListDLLs
The ListDLLs tool is another tool developed by Sysinternals, acquired by Microsoft in 2006. This tool can be downloaded from the Sysinternals site.

ListDLLs is a command-line interface (CLI) tool that offers a simple and easy way to view all DLLs loaded by a process or service running on the system.

As an output of ListDLLs, you can get:
• Process name
• Command line used by the process/service
• DLLs loaded by the process/service
• Full path of the DLL loaded
• Version number of the DLL
• Base Address
Microsoft Sysinternals ListDLLs (2)
• Some malicious software may inject a DLL into other processes and will not appear in a regular process listing application like Windows Task Manager
  • e.g.: BHO (DLL injected on IE)
• ListDLLs can be helpful to identify injected DLLs on systems
Microsoft Sysinternals ListDLLs (2)

Understanding ListDLLs
The usual problem with malware DLLs is that they are more difficult to find than a regular process or service because they do not appear in a regular process listing application such as the Windows Task Manager.

The malicious DLL can be injected into a legitimate process or service, and then the malicious activity appears as coming from that process or service. The most common services and processes used by malware for this purpose follow:
• Explorer.exe
• Services.exe
• Winlogon.exe
• Iexplore.exe (Microsoft Internet Explorer)

On Internet Explorer, the most common type of DLLs injected are the Browser Helper Objects (BHO). Although there are several BHOs, malware may use them to include its malicious code inside IE.

ListDLLs can be used to identify malicious DLLs injected into a process or service while giving us all the information regarding the loaded DLLs.
Malicious DLLs: Process Explorer View
• Process Explorer doesn't show any process or service that looks suspicious
• This may indicate one of two things:
  • A rootkit is hiding a process from us
  • A DLL was injected into a process, so you can't see all the processes
[Screenshot: Process Explorer process list on the Windows XP image; caption: Can you see the threads in IE?]
Malicious DLLs: Process Explorer View

Process Explorer Results
Running Process Explorer in this case was not of much help. All processes shown seem to be normal. Besides the regular default services and processes from Windows XP, you have the following processes running:
• VMware
• Messenger
• TCPView
• Cmd.exe
• Process Explorer
• Internet Explorer

For clarity, you can see the report generated by Process Explorer (see next page).
Process              PID   CPU    Description                               Company Name
System Idle Process    0   93.07
Interrupts           n/a    0.99  Hardware Interrupts
DPCs                 n/a          Deferred Procedure Calls
System                 4    0.99
smss.exe             540          Windows NT Session Manager                Microsoft Corporation
csrss.exe            616          Client Server Runtime Process             Microsoft Corporation
winlogon.exe         640          Windows NT Logon Application              Microsoft Corporation
services.exe         684          Services and Controller app               Microsoft Corporation
svchost.exe          ...          Generic Host Process for Win32 Services   Microsoft Corporation
svchost.exe          980          Generic Host Process for Win32 Services   Microsoft Corporation
svchost.exe         1148          Generic Host Process for Win32 Services   Microsoft Corporation
svchost.exe         1160          Generic Host Process for Win32 Services   Microsoft Corporation
spoolsv.exe         1292          Spooler Subsystem App                     Microsoft Corporation
VMwareService.exe   1456          VMware Tools Service                      VMware, Inc.
svchost.exe         1876          Generic Host Process for Win32 Services   Microsoft Corporation
lsass.exe            704          LSA Shell (Export Version)                Microsoft Corporation
explorer.exe        1860          Windows Explorer                          Microsoft Corporation
VMwareTray.exe       164          VMwareTray                                VMware, Inc.
VMwareUser.exe       172          VMwareUser                                VMware, Inc.
msmsgs.exe           200          Messenger Client                          Microsoft Corporation
Tcpview.exe          360    0.99  TCP/UDP endpoint viewer                   Sysinternals
cmd.exe             1636          Windows Command Processor                 Microsoft Corporation
procexp.exe         1832          Sysinternals Process Explorer             Sysinternals
IEXPLORE.EXE         364    3.96  Internet Explorer                         Microsoft Corporation
The Internet Explorer process that is running is the one the user is using to browse the Internet, so it is a legitimate process.

Because we are still watching the unwanted pop-up dialog activity and we cannot see any obviously suspicious process or service running, it may indicate one of two things:
• A rootkit may be installed on the system, preventing us from seeing the malicious process running.
• A DLL may be injected into a legitimate process, which is why it is not showing up in any process listing software such as Task Manager or Process Explorer.

A good start is verifying the individual threads of Internet Explorer to see if you can identify anything suspicious.
Malicious DLLs: Process Explorer: Threads View
• Double-clicking any selected process or thread in Process Explorer shows the properties of the file
• On the Threads tab it is possible to see all threads associated with that process
• Hard to know all drivers and DLLs on the system to tell which one may be malicious: WebAssist.dll, IEXPLORE.EXE, WININET.dll, ntdll.dll, kernel32.dll, RPCRT4.DLL, mshtml.dll, and WINMM.dll
[Screenshot: Process Explorer Properties dialog, Threads tab for IEXPLORE.EXE]
Malicious DLLs: Process Explorer: Threads View

Listing Threads with Process Explorer
Process Explorer is a great and useful tool. One great feature of Process Explorer is the capability to show the various threads spawned from a process or service. Simply double-clicking a selected process or service shows its properties with several tabs. Choosing the Threads tab shows all threads associated with the selected process.

Although it is useful information, it can sometimes be hard to identify suspicious information based on the Threads report alone because it is hard to know which DLLs and drivers are malicious.

On the Internet Explorer process, you can see the following threads:
• WebAssist.dll
• IEXPLORE.EXE
• WININET.dll
• ntdll.dll
• kernel32.dll
• RPCRT4.DLL
• Mshtml.dll
• Wdmaud.drv
• WINMM.dll

So unless you are the Microsoft developer or an Internet Explorer expert, it is not easy to say if something is malicious based only on the preceding report.
Malicious DLLs: HijackThis View
• Process Explorer wasn't of much help
• A system scan with HijackThis might shed some light
[Screenshot: HijackThis scan results showing an O2 BHO entry for WebAssist]
• 1 BHO called WebAssist
• Is it injected only into Internet Explorer?
Malicious DLLs: HijackThis View

Bringing HijackThis to the Game
Process Explorer wasn't of much help because we could not see any suspicious process or service, and the IE threads information also didn't show much information that could lead to the culprit.

Another shot that we can try is with HijackThis, and this time we get more useful information.

HijackThis reports one Browser Helper Object (BHO) called WebAssist, WebAssist.dll. It is also one of the threads from Internet Explorer that Process Explorer showed. Now it is possible to understand what it was doing there. Because it is a BHO, it will always be loaded with Internet Explorer!

The HijackThis report:

O2 - BHO: WebAssist - {85589B5D-D53D-4237-A677-46B82EA275F3} - C:\WINDOWS\WebAssist.dll
O3 - Toolbar: &Radio - ...
O4 - HKLM\..\Run: [VMware Tools] ...\VMware\VMware Tools\VMwareTray.exe
O4 - HKLM\..\Run: [VMware User Process] ...\VMware\VMware Tools\VMwareUser.exe
O4 - HKCU\..\Run: [MSMSGS] ... /background
O9 - Extra button: Related - ...
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - ...
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - ...
O23 - Service: VMware Tools Service (VMTools) - VMware, Inc. - ...\VMware\VMware Tools\VMwareService.exe

So now you know that this WebAssist.dll is injected into Internet Explorer, but can you be sure that it is injected only in Internet Explorer? This is important information because you need to know this when trying to remove it from the system.
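The two HijackThis readings in this module, counting the O4 autoload entries that point at sslms.exe per Registry hive and spotting the O2 BHO entry for WebAssist.dll, done programmatically on a log in HijackThis's line format. This is an added example and not HijackThis code; the sample log is constructed to mirror the entries shown in the text, and the binary paths the book does not show (the VMware, Messenger and WinPcap files, and the RunServices key for the second HKLM entry) are assumed.

```python
"""Parse a HijackThis log: O4 autoload entries, O2 Browser Helper Objects and
O23 services, then find which entries reference a given file and count the O4
hits per hive.  Added example, not HijackThis code; the sample log is
constructed and the paths in it are assumed."""
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List

# Line shapes HijackThis uses for the entry types of interest.
O4_RE = re.compile(r"^O4 - (?P<hive>HK[A-Z]+)\\\.\.\\(?P<key>[^:]+): "
                   r"\[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - "
                   r"(?P<path>.*)$")
O23_RE = re.compile(r"^O23 - Service: (?P<name>.*?) \((?P<short>[^)]+)\) - "
                    r"(?P<company>.*?) - (?P<path>.*)$")


@dataclass
class Entry:
    kind: str    # "O4", "O2" or "O23"
    name: str    # value name, BHO name or service display name
    target: str  # command line, DLL path or service binary
    detail: str  # hive\..\key for O4, CLSID for O2, short service name for O23


def parse_hijackthis(text: str) -> List[Entry]:
    """One Entry per recognised log line; other line types are ignored."""
    entries: List[Entry] = []
    for raw in text.splitlines():
        line = raw.strip()
        if (m := O4_RE.match(line)):
            entries.append(Entry("O4", m["name"], m["cmd"],
                                 f"{m['hive']}\\..\\{m['key']}"))
        elif (m := O2_RE.match(line)):
            entries.append(Entry("O2", m["name"], m["path"], m["clsid"]))
        elif (m := O23_RE.match(line)):
            entries.append(Entry("O23", m["name"], m["path"], m["short"]))
    return entries


def references(entries: List[Entry], filename: str) -> List[Entry]:
    """Entries whose target names `filename` as a whole file name, case-insensitive:
    'sslms.exe' matches 'sslms.exe' and '...\\sslms.exe' but not 'xsslms.exe'."""
    pat = re.compile(rf"(?<![\w.]){re.escape(filename)}(?![\w.])", re.IGNORECASE)
    return [e for e in entries if pat.search(e.target)]


def autoload_by_hive(entries: List[Entry], filename: str) -> Dict[str, int]:
    """How many O4 autoload entries point at `filename`, per hive (HKLM / HKCU)."""
    counts: Dict[str, int] = defaultdict(int)
    for e in references(entries, filename):
        if e.kind == "O4":
            counts[e.detail.split("\\", 1)[0]] += 1
    return dict(counts)


# Constructed sample log; the sslms.exe and WebAssist entries mirror the text.
SAMPLE_LOG = r"""
O2 - BHO: WebAssist - {85589B5D-D53D-4237-A677-46B82EA275F3} - C:\WINDOWS\WebAssist.dll
O4 - HKLM\..\Run: [VMware Tools] C:\Program Files\VMware\VMware Tools\VMwareTray.exe
O4 - HKLM\..\Run: [VMware User Process] C:\Program Files\VMware\VMware Tools\VMwareUser.exe
O4 - HKLM\..\Run: [Windows Services Layer] sslms.exe
O4 - HKLM\..\RunServices: [Windows Services Layer] sslms.exe
O4 - HKCU\..\Run: [MSMSGS] C:\Program Files\Messenger\msmsgs.exe /background
O4 - HKCU\..\Run: [Windows Services Layer] sslms.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: VMware Tools Service (VMTools) - VMware, Inc. - C:\Program Files\VMware\VMware Tools\VMwareService.exe
"""

if __name__ == "__main__":
    log = parse_hijackthis(SAMPLE_LOG)
    print("sslms.exe autoload entries per hive:", autoload_by_hive(log, "sslms.exe"))
    for bho in (e for e in log if e.kind == "O2"):
        print(f"BHO {bho.name} {bho.detail} -> {bho.target}")
```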
Microsoft Sysinternals ListDLLs: Listing the DLLs
• Time to get more info with listdlls.exe
• Best to redirect the output to a text file for later processing:
  • Basic usage of ListDlls.exe
  • listdlls.exe > result.txt
• Take your time to carefully read it!
Microsoft Sysinternals ListDLLs: Listing the DLLs

Using ListDLLs
Sometimes, you may need to get information about the DLLs loaded on a system, and Windows does not offer a way to get this information. Using the Microsoft Sysinternals ListDLLs tool can give you a complete view of the processes and the DLLs loaded with them.

The basic usage of listdlls is:

C:\>listdlls.exe

This command line generates the output directly on the screen, making reading the information quite difficult. One option is to use the pipe "|" and the more command:

C:\>listdlls.exe | more

This option still generates the output on the screen but pauses when the information fills the screen, so that you have time to read it before going to the next screen.

The other option is to redirect the output to a text file, so you can read it with a text editing application like Notepad:

C:\>listdlls.exe > result.txt

Another possibility is to use the Find function of Process Explorer to search for a specific DLL.
Microsoft Sysinternals ListDLLs: Results (1)
• Excerpt from listdlls.exe result.txt output:

IEXPLORE.EXE pid: 828
Command line: "C:\Program Files\Internet Explorer\IEXPLORE.EXE"
Base        Size      Version         Path
0x762a0000  0xf000    5.01.2600.0000  C:\WINDOWS\system32\MSASN1.dll
0x76f90000  0x10000   5.01.2600.0000  C:\WINDOWS\System32\Secur32.dll
0x76620000  0x4e000   5.01.2600.0000  C:\WINDOWS\System32\cscui.dll
0x76600000  0x1b000   5.01.2600.0000  C:\WINDOWS\System32\CSCDLL.dll
0x76670000  0xe4000   5.01.2600.0000  C:\WINDOWS\System32\SETUPAPI.dll
0x10000000  0x35000   2.01.0000.0000  C:\WINDOWS\WebAssist.dll
0x760f0000  0x78000   6.00.2600.0000  C:\WINDOWS\system32\urlmon.dll
Microsoft Sysinternals ListDLLs: Results (1)

ListDLLs Output
The output generated by ListDLLs is quite simple to understand. For each process and service it gives the process name and process ID (PID), the command line used to load it, and the list of DLLs loaded with it. For each DLL it gives the following information:
• Base Address
• Size (in hexadecimal)
• Version Number
• DLL Path

Here is an excerpt of the ListDLLs output from Internet Explorer:

IEXPLORE.EXE pid: 828
Command line: "C:\Program Files\Internet Explorer\IEXPLORE.EXE"
Base        Size      Version         Path
0x00400000  0x19000   6.00.2600.0000  C:\Program Files\Internet Explorer\IEXPLORE.EXE
0x77f50000  0xa9000   5.01.2600.0000  ...
0x77e60000  0xe5000   5.01.2600.0000  ...
0x77d40000  0x8d000   5.01.2600.0000  C:\WINDOWS\system32\USER32.dll
0x77c70000  0x40000   5.01.2600.0000  C:\WINDOWS\system32\GDI32.dll
0x77dd0000  0x8b000   5.01.2600.0000  ...
0x77cc0000  0x75000   5.01.2600.0000  ...
0x772d0000  0x63000   6.00.2600.0000  C:\WINDOWS\system32\SHLWAPI.dll
0x771b0000  0x11a000  5.01.2600.0000  C:\WINDOWS\system32\ole32.dll
0x75f80000  0xfc000   6.00.2600.0000  ...
0x72430000  0x12000   6.00.2600.0000  C:\WINDOWS\System32\browselc.dll
0x76200000  0x97000   6.00.2600.0000  C:\WINDOWS\system32\WININET.dll
0x10000000  0x35000   2.01.0000.0000  C:\WINDOWS\WebAssist.dll
0x760f0000  0x78000   6.00.2600.0000  C:\WINDOWS\system32\urlmon.dll
Microsoft Sysinternals ListDLLs: Results (2)
• From the report, you can see three things that make the WebAssist.dll file suspicious:
  • The Base address
  • The Version number
  • The Path
• To check if it is injected in any other process, you can search for its dll name:
  • listdlls.exe -d webassist.dll > <output>.txt

IEXPLORE.EXE pid: 828
Command line: "C:\Program Files\Internet Explorer\IEXPLORE.EXE"
Base        Size      Version         Path
0x10000000  0x35000   2.01.0000.0000  C:\WINDOWS\WebAssist.dll

• It shows that this DLL is part only of Internet Explorer
Microsoft Sysinternals ListDLLs: Results (2)

ListDLLs Output
Using the ListDLLs tool you can see three things that make WebAssist.dll suspicious when compared with the other loaded DLLs:
• Base Address
• Version Number
• Path

Base Address
From the following excerpt, notice that most DLLs are loaded on a base address in the 0x7XXXXXXX range, while WebAssist.dll is on base address 0x10000000:

Base        Size      Version         Path
0x00400000  0x19000   6.00.2600.0000  C:\Program Files\Internet Explorer\IEXPLORE.EXE
0x77d40000  0x8d000   5.01.2600.0000  C:\WINDOWS\system32\USER32.dll
0x771b0000  0x11a000  5.01.2600.0000  C:\WINDOWS\system32\ole32.dll
0x72430000  0x12000   6.00.2600.0000  C:\WINDOWS\System32\browselc.dll
0x76200000  0x97000   6.00.2600.0000  C:\WINDOWS\system32\WININET.dll
0x10000000  0x35000   2.01.0000.0000  C:\WINDOWS\WebAssist.dll
0x760f0000  0x78000   6.00.2600.0000  C:\WINDOWS\system32\urlmon.dll

Version Number
In addition, from the same excerpt, notice that most version numbers are 6.00.2600.0000 or 5.01.2600.0000, while WebAssist.dll has the version number 2.01.0000.0000. Usually the Microsoft DLLs tend to follow the format <Major Version>.<Minor Version>.<Build Number>.<Revision>. For example, Kernel32.dll has the version number 5.01.2600.0000, which means: 5.01 is Windows XP, and 2600 is the build number of the released Windows XP. Windows XP SP2 has a build number of ...

Path
As you can see from the excerpt, most DLLs loaded are from the default system directory (c:\windows\system32). WebAssist.dll is loaded from the Windows directory (c:\windows).

Note: These are usually just indicators that something might not be right according to the default system behavior, but they cannot be seen as definitive checks to identify malware!

Another good search was performed with ListDLLs to search all processes and services that may have WebAssist.dll loaded. Usually searches for specific DLLs can be done with C:\>listdlls.exe -d <dll name>.

In this case, you can see that it returned only Internet Explorer.
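The three indicators from this page (base address, version build, path), applied by a small parser to ListDLLs output so that every loaded DLL is judged against the other modules in the same process. This is an added example, not the course book's or Sysinternals' code; the sample output is constructed from the values shown above rather than a real capture, and the 0x70000000 to 0x7FFFFFFF range and the System32 path are taken from the page's XP image, not as a general rule.

```python
"""Parse ListDLLs output and apply the three checks the text walks through for
WebAssist.dll: base address outside the 0x7XXXXXXX range the system DLLs occupy,
a version whose build number differs from the rest, and a path outside
System32.  Added example, not the course book's or Sysinternals' code; the
sample output below is constructed from the values shown in the text."""
import ntpath
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, Iterator, List

HEADER = re.compile(r"^(?P<proc>\S+)\s+pid:\s+(?P<pid>\d+)\s*$")
ROW = re.compile(r"^(?P<base>0x[0-9a-fA-F]+)\s+(?P<size>0x[0-9a-fA-F]+)\s+"
                 r"(?P<ver>[\d.]+)\s+(?P<path>.+?)\s*$")
SYSTEM_DIR = r"c:\windows\system32"   # default system directory on the XP image


@dataclass
class Module:
    process: str
    pid: int
    base: int
    size: int
    version: str
    path: str


def parse_listdlls(text: str) -> Iterator[Module]:
    """Yield one Module per 'Base Size Version Path' row, tagged with the
    '<process> pid: <n>' header that precedes it."""
    proc, pid = None, 0
    for line in text.splitlines():
        line = line.strip()
        m = HEADER.match(line)
        if m:
            proc, pid = m["proc"], int(m["pid"])
            continue
        r = ROW.match(line)
        if r and proc is not None:
            yield Module(proc, pid, int(r["base"], 16), int(r["size"], 16),
                         r["ver"], r["path"])


def build_of(version: str) -> str:
    """Third dotted field, e.g. '2600' in 5.01.2600.0000."""
    parts = version.split(".")
    return parts[2] if len(parts) >= 3 else ""


def indicators(mod: Module, modules: List[Module]) -> List[str]:
    """Names of the indicators that fire for mod, judged against the other
    modules loaded in the same process."""
    hits = []
    # 1. The XP system DLLs in the excerpt load in 0x70000000-0x7FFFFFFF;
    #    0x10000000 is the linker's default DLL image base, never rebased.
    if not 0x70000000 <= mod.base < 0x80000000:
        hits.append("base-address")
    # 2. Most Microsoft DLLs on the image share build 2600; compare each DLL
    #    with the dominant build among its process's modules.
    builds = Counter(build_of(m.version) for m in modules if m.pid == mod.pid)
    if build_of(mod.version) != builds.most_common(1)[0][0]:
        hits.append("version-build")
    # 3. System DLLs live under System32; WebAssist.dll sits in C:\WINDOWS.
    if ntpath.dirname(mod.path).lower() != SYSTEM_DIR:
        hits.append("path")
    return hits


def report(text: str, min_hits: int = 2) -> Dict[str, List[str]]:
    """Map path -> fired indicators for every DLL with at least min_hits.
    The main executable is skipped: it always sits outside both ranges."""
    modules = list(parse_listdlls(text))
    out: Dict[str, List[str]] = {}
    for mod in modules:
        if mod.path.lower().endswith(".exe"):
            continue
        hits = indicators(mod, modules)
        if len(hits) >= min_hits:
            out[mod.path] = hits
    return out


# Constructed sample modelled on the IEXPLORE.EXE excerpt in the text.
SAMPLE = r"""
IEXPLORE.EXE pid: 828
Command line: "C:\Program Files\Internet Explorer\IEXPLORE.EXE"
Base        Size      Version         Path
0x00400000  0x19000   6.00.2600.0000  C:\Program Files\Internet Explorer\IEXPLORE.EXE
0x77d40000  0x8d000   5.01.2600.0000  C:\WINDOWS\system32\USER32.dll
0x77c70000  0x40000   5.01.2600.0000  C:\WINDOWS\system32\GDI32.dll
0x772d0000  0x63000   6.00.2600.0000  C:\WINDOWS\system32\SHLWAPI.dll
0x771b0000  0x11a000  5.01.2600.0000  C:\WINDOWS\system32\ole32.dll
0x72430000  0x12000   6.00.2600.0000  C:\WINDOWS\System32\browselc.dll
0x76200000  0x97000   6.00.2600.0000  C:\WINDOWS\system32\WININET.dll
0x10000000  0x35000   2.01.0000.0000  C:\WINDOWS\WebAssist.dll
0x760f0000  0x78000   6.00.2600.0000  C:\WINDOWS\system32\urlmon.dll
"""

if __name__ == "__main__":
    for path, hits in report(SAMPLE).items():
        print(f"{path}: {', '.join(hits)}")
```

As the page's note says, these are indicators rather than proof, which is why report() requires two of them to fire before a DLL is listed.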
Getting Information About the DLL
• What does Windows have to say about this DLL?
• Every DLL usually has this information:
  • Company
  • File Version
  • Internal Name
  • Language
  • Product Name
  • Product Version
  • Copyright
  • Description
• That is not the case with the DLL! Also, it doesn't show Microsoft Copyright
[Screenshot: Windows Explorer file properties, Version tab, for WebAssist.dll]
Getting Information about the DLL

Using Windows Explorer to See Missing Points
Windows Explorer can also be used to try to identify missing aspects or attributes of the suspicious DLL. Usually, a DLL will have the following fields filled with information:
• Company
• File version
• Description of the DLL
• Copyright from the company
• Internal Name
• Language
• Product Name
• Product Version

When going to the C:\Windows folder and right-clicking WebAssist.dll, you can see that it has an incomplete version of 2.1.0.0 and empty Description and Copyright messages. Also, it has only the fields File Version, Language, Product Name, and Product Version.

These are good indications that this is not something legitimate and that it can be safely removed without crashing the system.
ListDLLs and HijackThis Summary
Summary:
• Computer browsing showing undesired popups
• HijackThis found a BHO called WebAssist
• ListDLLs shows that this dll is injected only into Internet Explorer
• ListDLLs and Windows show suspicious traces from the DLL
ListDLLs and HijackThis Summary
This is the summary of what we have found:
• A computer showing undesired behavior of pop-ups when the user is browsing the Internet.
• HijackThis found a BHO on Internet Explorer.
• ListDLLs shows that WebAssist.dll is loaded only with Internet Explorer.
• The DLL presents traces like Base Address, Version Number, and other DLL information that make it highly suspicious!
Removing the Malicious DLL: HijackThis (1)
• Next steps: Clean the system, test, and remove it
  • Clean the BHO
  • Test the browser
  • Delete the file
Removing the Malicious DLL: HijackThis (1)
Next Steps
In the previous actions, we got enough information to consider that DLL to be a malicious piece of code. It is now time to take some actions.
The suggested actions in this case are:
• Clean the BHO from the system.
• Test the browser to see if it is working properly.
• Delete the DLL from the system.
Removing the Malicious DLL: HijackThis (2)
• The easiest way to get rid of BHOs is using HijackThis
• Close all Internet Explorer and Windows Explorer windows first
• Select the BHO box and click Fix Checked button
• Confirm
Removing the Malicious DLL: HijackThis (2)
Removing the BHO
Removing BHOs is not an easy task because it involves something that is linked to the browser. The safest and easiest way to remove those malicious, or just annoying, BHOs is by using the previously discussed friend, HijackThis.
It involves just three simple rules:
1. Because you will remove an Internet Explorer component, it is recommended to close all MSIE and Windows Explorer windows first so that the change can take effect.
2. Run the System Scan on HijackThis and check the BHO box for the WebAssist BHO.
3. Click the Fix Checked button and confirm!
Removing the Malicious DLL: HijackThis (3)
• Rescan the system!
• No traces from the BHO!
Removing the Malicious DLL: HijackThis (3)
Ensuring the Removal
When you confirm the Fix Checked operation, it removes the BHO from Internet Explorer.
Just to be sure the removal happened successfully, performing another scan is recommended.
On the report, you can see that there is no longer any trace of the WebAssist BHO:
O3 - Toolbar: &Radio
O4 - [VMware Tools] C:\Program Files\VMware\VMware Tools\VMwareTray.exe
O4 - [VMware User Process] C:\Program Files\VMware\VMware Tools\VMwareUser.exe
O4 - [MSMSGS] "C:\Program ..." /background
O9 - Extra button: Related
O9 - Extra menuitem: Show &Related Links
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies
O23 - Service: VMware Tools Service (VMTools) - VMware, Inc. - C:\Program Files\VMware\VMware Tools\VMwareService.exe
Removing the Malicious DLL
• Next steps: Clean the system, test, and remove it
  • Clean the BHO
  • Test browser
  • Delete the file
Removing the Malicious DLL
Next Steps
The first step was done successfully, and there are no traces of the BHO. Now it is time to move to the next step, which is to open Microsoft Internet Explorer and test it to ensure that no other suspicious activity has occurred in its place, and confirm that you have stopped the unwanted pop-ups.
Also, ensure that the browser is working normally, as sometimes the BHO takes over some functionality and changes settings for DNS or LSPs, which renders the browser unusable without the BHO loaded.
Backup Before Remove with HijackThis
• In general, removing BHOs will not cause any problems on your machine or browser because they are just add-ons for Internet Explorer
• In the case of a browser complaining about the missing BHO, you can always restore from the HijackThis Backup!
(Screenshot: HijackThis Config window, Backups tab, listing backed-up items that can be restored or deleted)
Backup Before Remove with HijackThis
Using Backups
In general, removing BHOs from Internet Explorer is an easy and safe task. It will not cause any harm to the computer or the browser because they are created as add-ons for Internet Explorer and are not an intrinsic part of it. In case something went wrong or you are missing a legitimate BHO, you can use the HijackThis backup.
Every time HijackThis removes a BHO, it creates a backup list on the system with all items removed by it. The backup list is under the Main menu on a button called View the List of Backups. When you click View the list, it goes to the backup list. Here you have the option to select the backup item and restore it to its original place (putting a BHO back into IE, for example).
Removing the Malicious DLL (1)
• Next steps: Clean the system, test, and remove it
  • Clean the BHO
  • Test browser
  • Delete the file
Removing the Malicious DLL (1)
Next Steps
Now that you have removed the BHO from IE and tested the browser to see if everything is working correctly, you can assume that the previous steps were successful and that you can delete and permanently remove the DLL from the system. The next step focuses on finding and deleting the DLL that was acting as a BHO.
Removing the Malicious DLL (2)
• Because you already know the path of the DLL, which is c:\windows\webassist.dll, you can just go there and delete the file
• Now, there is a difference if you do it after or before running HijackThis
Removing the Malicious DLL (2)
In previous actions, you found the DLL was located in the c:\windows directory, as listed on the ListDLLs report:
0x10000000 0x35000 2.01.0000.0000 C:\WINDOWS\WebAssist.dll
So now you can just go to this directory and delete the DLL. It is important to know there is a difference if you do this after or before you run HijackThis to remove the BHO.
Removing the Malicious DLL: HijackThis and Prompt DOS
• Deleting after using HijackThis:
  • Another nice feature from HijackThis is that when you decide to Fix it, it will also remove the file. So you will not find it
(Screenshot: dir webassist.dll in C:\WINDOWS reports "File Not Found")
Removing the Malicious DLL: HijackThis and Prompt DOS
If you decide to follow the steps and delete the DLL after running HijackThis, you will notice that there is no WebAssist.dll in the c:\WINDOWS directory anymore, and therefore you need not delete it.
The reason for this behavior is that HijackThis already did it for us! When you run the System Scan on HijackThis, check an item, and Fix it, it will also move the file associated with that BHO to a quarantine space, so you will not find it in the original path location. The quarantine space is used for backup purposes, so that you can restore the file later if needed.
Please note that depending on the state of the Internet Explorer process, the DLL will not be deleted by HijackThis, so a manual delete would be needed.
Removing the Malicious DLL: Prompt DOS (1)
• Deleting before using HijackThis:
  • In this case, you can go directly to the dll path and delete it
(Screenshot: dir webassist.dll in C:\WINDOWS listing the 84,992-byte file)
Removing the Malicious DLL: Prompt DOS (1)
If you decide to go directly to the path found by ListDLLs and delete WebAssist.dll before running HijackThis, you can list it with DIR and delete it with the regular DEL command.
Basically:
C:\windows>dir webassist.dll
08/07/2007  09:41 AM            84,992 WebAssist.dll
And delete it:
C:\windows>del webassist.dll
Removing the Malicious DLL: Prompt DOS (2)
• Deleting before using HijackThis
(Screenshot: dir output in C:\WINDOWS listing WebAssist.dll, 84,992 bytes, then the deleted file is gone)
• HijackThis will show a "file missing" message
Removing the Malicious DLL: Prompt DOS (2)
After a successful file deletion, you may want to run HijackThis to see if you did the job right. The System Scan from HijackThis still reports the presence of a BHO on the system. Because you manually removed the file, it reports that the BHO trace is there, but the DLL associated with it is not:
O2 - BHO: WebAssist - {85589B5D-D53D-4237-A677-46B82EA275F3} - C:\WINDOWS\WebAssist.dll (file missing)
This means the BHO trace is there in IE, but the DLL that makes the BHO work is not. The best thing to do in those cases is to check the BHO box and click the Fix Checked button so that HijackThis removes the BHO traces from the system.
Note, however, that because you manually removed the file, HijackThis cannot store it in the quarantine items folder, and hence you cannot restore it from a backup later!
Fighting Alternate Data Streams (ADS)
Understanding ADS
Questions to be answered:
• What are ADSes?
• Are all ADSes malicious?
• Can Windows show ADSes on files?
• How can you identify ADSes on the system?
• How can you remove malicious ADSes from the system?
Understanding ADS
Introduction
In this module, you learn how to fight Alternate Data Streams.
First, we take a look at the different parts of files and attempt to determine whether they are malicious. Then, we identify Alternate Data Streams (ADS) on the system using Windows internal tools. We then take a look at some external tools. We also take a look at how to remove them.
What Are ADS?
• What are ADSes?
  • Introduced on NTFS file system
  • Way to add an alternative stream of information/data onto an existing file
  • The size of the alternative stream doesn't matter
What Are ADSes?
Alternate Data Streams were added in the NTFS file system, which means that you won't have them on systems that use the FAT file system. It appears that Microsoft hasn't fully developed this feature, judging by the lack of Microsoft documentation on it.
Basically, it was created and introduced in NTFS on Windows NT to provide compatibility with Apple's Macintosh Hierarchical File System (HFS) and was then completely ignored and forgotten.
Without getting into details about the file system, what you need to understand is that it allows every file in NTFS to carry an ADS, which is a hidden file associated with the initial file. As a hidden file, it provides a nice way to hide malicious software, configuration files, illegal files, and any other content that you would like to keep hidden.
Another thing is that NTFS doesn't care about the size of the ADS. For example, you can have a large binary file as an ADS attached to a single small text file.
ADS: Always Malicious?
• Are all ADSes malicious?
  • Simple answer: No
  • Extended answer: Maybe
• Some AV vendors use it
  • Kaspersky AV is an example
• Starting in XP SP2 Windows also uses it as file "zone identifier"
• What about Backdoor PoisonIvy?
ADS: Always Malicious?
Are All ADSes Malicious?
I am tempted to answer yes, but the right answer is no.
Although most users, even Windows, ignore ADS, some do use it, and even Microsoft started to use it with Internet Explorer on XP SP2. Antivirus vendor Kaspersky also used the ADS feature, called iStreams by Kaspersky, which added an ADS to each scanned file to speed up subsequent scans. This feature was abandoned after Kaspersky released version 6 of its AV product, which also has an option to delete those streams left on the system.
For more information on this, visit http://www.kaspersky.com/faq?qid=156636746.
Windows also started to use streams as a "security" feature. Since Windows XP SP2, all files originating from the Internet get an ADS to identify the zone (Trusted, ... zones) they came from. This allows Windows to warn the user if they try to execute the file.
For example, a file received through the Google Talk IM program will have an ADS like:
[ZoneTransfer]
ZoneId=3
In addition, if you right-click a file in Windows File Explorer, select Properties, and add a summary, it will be saved in an ADS.
What About Backdoor PoisonIvy?
This backdoor is created using a graphical utility. Although there have been no developments of this graphical utility since the end of 2007/2008, as of 2015 we have seen several backdoors created with this tool. This is because the SDK for it is also available. One of the options is to install it as an ADS on the infected machines, making it harder to be identified.
How to Identify an ADS? (1)
• How do you identify an ADS?
• Several external tools can identify and remove an ADS
• Our example focuses on:
  • A CLI tool from Sysinternals called Streams
  • A GUI tool from HijackThis
How Do You Identify an ADS? (1)
Various tools identify ADSes on a system, such as LADS from Heysoft, which you can download from Heysoft (not Windows 7 compatible).
Today, most antivirus and antispyware products also detect ADS.
In this module, you learn how to deal with an ADS using two tools:
• A CLI tool called streams, from Microsoft Sysinternals, which can be downloaded from the Sysinternals site.
• A GUI tool that was already used for other purposes, the HijackThis tool.
How Do You Identify an ADS (2)
• Windows 7 now has a simple but effective option for when you need something fast!
• Regular Dir output: shows only sec501.txt (13 bytes), 1 File(s)
• Dir /R output: shows sec501.txt (13 bytes) plus the ADS attached to it (14 bytes)
How Do You Identify an ADS? (2)
On Windows 7, Microsoft included an extra option that can be used in the already familiar dir.
When using the dir command with the option /R, it also shows files with a possible ADS present.
On the slide, you can clearly see this in the example used with sec501.txt. When you use a simple dir with no options, it shows just the regular file; but when you use dir /R, it shows the regular file plus the file and the ADS attached to it.
MS Sysinternals Streams Tool (1)
• Introducing Sysinternals Streams
• Scans the system, recursively if needed, and shows all the ADSes on the system with full path. Can also be used to delete an ADS
MS Sysinternals Streams Tool (1)
Introducing Streams
The Streams tool is another tool developed by Sysinternals.
This tool can be downloaded from Microsoft Sysinternals.
Streams is a CLI tool that can scan a single file, a directory, or the whole hard drive searching for ADSes. It can also be used to delete those ADSes from the files and directories. If an ADS is found, the output will be the full path of the regular file plus the ADS "attached" to it, using the colon (:) as a delimiter.
Example: C:\windows\clock.avi:testADS.txt
This means that the file clock.avi, which is in the c:\windows directory, has an ADS called testADS.txt.
MS Sysinternals Streams Tool (2)
• Scanning the system with streams:
  • Using command-line interface:
    • To scan a single directory. Example: C:\streams.exe c:\windows\system32
    • To scan recursively all directories. Example: C:\streams.exe -s c:\
  • This command searches the entire hard drive c: for files with streams associated with them.
MS Sysinternals Streams Tool (2)
Streams Basic Usage
Streams lets you scan a single file, a single directory, or all files and directories on the hard drive by scanning all folders recursively. The basic usage to scan a single file is:
Streams.exe <file>
To scan a directory with all subfolders:
Streams.exe -s <directory>
For example, scanning the Windows directory, including all subfolders:
C:\streams.exe -s c:\windows
Streams - Enumerate alternate NTFS data streams
Copyright (C) Mark Russinovich
Sysinternals -
c:\windows\clock.avi:
   :testADS.txt:$DATA 10
This shows the ADS testADS.txt on clock.avi inside the folder c:\windows, and the size of the ADS is 10 bytes.
Hands-on
On the MS Sysinternals Streams part, we start with the following steps:
1. Revert the VMware Windows 7 image to the Snapshot: VM -> Snapshot -> Select Clean7.
2. Open the folder Course on the VMware Windows 7 Desktop.
3. Open the Part6 folder.
4. Right-click the badads.zip file, and then select Extract All. Enter the password training.
5. Double-click the newly created folder; right-click the badads.exe file, and select Run as Administrator.
6. Run both tools and malware as Administrator!
Now, continue to follow the slides doing the same on the VMware Windows 7 image.
MS Sysinternals Streams Tool
• Using Streams.exe -s
  (Screenshot: streams -s output listing the two files with streams)
• Two files with streams found:
  • C:\windows\system32\putty.exe with ADS config2.txt
  • C:\windows\system32\wupdmgr.exe with ADS config.txt
MS Sysinternals Streams Tool
Our Learning Example
In this module, you look at examples of two ADSes on the system, and you learn how to identify what they do and how to remove them if you decide that they are malicious. Copy streams.exe from the Part 6 folder to your desktop. Start with streams doing a full scan on the System32 folder looking for all ADSes:
streams -s c:\windows\system32\
Streams 1.56 - Enumerate alternate NTFS data streams
Copyright (C) Mark Russinovich
Sysinternals -
Error opening c:\pagefile.sys: The process cannot access the file because it is being used by another process.
c:\WINDOWS\system32\putty.exe:
   :config2.txt:$DATA 33
c:\WINDOWS\system32\wupdmgr.exe:
   :config.txt:$DATA 129
So, you found two ADSes attached to two legitimate files:
• putty.exe with the ADS config2.txt
• Wupdmgr.exe with the ADS config.txt
HijackThis ADS Spy Tool (1)
• Another easy way to identify an ADS is with HijackThis
• The HijackThis misc. tool ADS Spy can search for an ADS on the system
• Be sure to uncheck:
  • Quick Scan
  • Ignore Safe ADS
(Screenshot: HijackThis Misc Tools, ADS Spy results after "Scan complete", with Save log and Remove selected buttons)
HijackThis ADS Spy Tool (1)
Our Learning Example
The HijackThis tool also offers an easy way to identify and later remove an ADS from the system. In the Misc Tools section, it offers a tool called HijackThis ADS Spy. It also allows you to search all files and directories on the hard drive looking for an ADS anywhere on the system.
By default, the tool scans only the Windows folder and ignores a list of ADSes that are known to be safe. So to get a complete view of the system, it is recommended to uncheck these check boxes:
• Quick Scan (Windows base folder only)
• Ignore safe system info streams
And scanning the system, you find the same two streams that the Sysinternals tool found:
C:\WINDOWS\system32\putty.exe : config2.txt (33 bytes)
C:\WINDOWS\system32\wupdmgr.exe : config.txt (129 bytes)
HijackThis ADS Spy Tool (2)
• Summary
  • Two ADSes were found attached to legitimate files:
    • Putty.exe: Looks like the SSH Client
    • Wupdmgr.exe: Looks like part of Windows Update
• Are they malicious?
• Can you remove them?
HijackThis ADS Spy Tool (2)
Summary
At this point in the example, you scanned the system and found two ADSes attached to files that normally would have no reason to have an ADS hidden in them:
• Putty.exe
• Wupdmgr.exe
Also, the ADS names config.txt and config2.txt make them at least somewhat suspect because they sound like configuration files. The next step is to identify whether they are malicious and, if they are determined to be malicious, determine how to remove them from the system.
ADS and TaskManager
• Running putty.exe didn't show the ADS on Windows Task Manager
(Screenshot: Windows Task Manager, Processes tab, showing putty.exe running with its User, CPU, and Memory columns)
ADS and TaskManager
How Does Windows See ADS?
On this and the following slides, we show how Windows sees the ADS. On this slide, we opened putty.exe from the c:\windows\system32 folder, which has the ADS config2.txt. Then, we opened Windows Task Manager to check how it sees a file that has an ADS attached to it. With Task Manager open, you can check both the Applications and Processes tabs.
On the Applications tab, you can see that a process called Putty is running, which is normal because you just opened it. If you click the Processes tab, you can also see putty.exe running. In neither case can you determine whether there is an ADS attached to it.
ADS and Command Prompt Dir
• Using command line using the switch /r
C:\Windows\System32>dir putty.exe
 Volume in drive C has no label.
 Volume Serial Number is 788B-2E07
 Directory of C:\Windows\System32
                    PM           483,328 putty.exe
               1 File(s)         483,328 bytes
               0 Dir(s)   57,404,989,440 bytes free
C:\Windows\System32>dir /r putty.exe
(Screenshot: the same listing, now with the ADS line shown under putty.exe)
ADS and Command Prompt Dir
How Does Windows See ADS?
In an attempt to identify an ADS with built-in Windows tools, you can see that Task Manager doesn't show anything. Now try to list the files to see whether you can determine the presence of an ADS. Using the dir command doesn't help. It shows only the regular files and filenames.
Fortunately, Microsoft improved the dir command with new features, and since Windows Vista, the dir command offers a switch that shows the ADS.
As you can see in the slide, using dir with the /r switch shows the ADS for us. But remember that if you are on Windows XP, there is no such option.
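Both listings this module relies on, dir /r and the Streams output from the learning example, print streams in a fixed shape that can be collected and cross-checked. This is an added example, not course or Sysinternals code; both sample listings are constructed to match the layouts on the slides (the tool.exe entry and its Zone.Identifier stream are invented to show how the zone marker Windows writes is set aside).

```python
"""Collect NTFS alternate data streams from dir /R and Streams output (added example)."""
import re
from typing import List, Tuple

AdsEntry = Tuple[str, str, int]  # (host file path, stream name, stream size)

# Streams that Windows writes itself and that need no second look.
SAFE_STREAMS = {"zone.identifier"}

# dir /R prints a stream as "<size> <file>:<stream>:$DATA" under its host file.
DIR_HEADER = re.compile(r"^\s*Directory of (.+?)\s*$")
DIR_STREAM = re.compile(r"^\s*([\d,]+)\s+(.+?):([^:\\]+):\$DATA\s*$")

# Streams prints "<path>:" and then one indented ":<stream>:$DATA <size>" per stream.
STREAMS_HOST = re.compile(r"^([A-Za-z]:\\.*):\s*$")
STREAMS_ADS = re.compile(r"^\s+:([^:]+):\$DATA\s+(\d+)\s*$")

# Constructed dir /R listing; tool.exe and its zone marker are invented.
SAMPLE_DIR_R = r"""
 Volume in drive C has no label.
 Directory of C:\Windows\System32

08/07/2007  09:41 PM           483,328 putty.exe
                                    33 putty.exe:config2.txt:$DATA
08/07/2007  09:41 PM            12,800 wupdmgr.exe
                                   129 wupdmgr.exe:config.txt:$DATA
08/07/2007  09:41 PM            40,960 tool.exe
                                    26 tool.exe:Zone.Identifier:$DATA
               3 File(s)        537,088 bytes
"""

# Constructed Streams listing in the layout the learning example shows.
SAMPLE_STREAMS = r"""
Streams v1.56 - Enumerate alternate NTFS data streams
Copyright (C) Mark Russinovich
Sysinternals - www.sysinternals.com

c:\WINDOWS\system32\putty.exe:
   :config2.txt:$DATA   33
c:\WINDOWS\system32\wupdmgr.exe:
   :config.txt:$DATA   129
"""


def parse_dir_r(text: str) -> List[AdsEntry]:
    """Turn dir /R output into (full path, stream, size) triples."""
    entries: List[AdsEntry] = []
    directory = ""
    for line in text.splitlines():
        header = DIR_HEADER.match(line)
        if header:
            directory = header[1].rstrip("\\")
            continue
        m = DIR_STREAM.match(line)
        if m:
            size = int(m[1].replace(",", ""))
            entries.append((directory + "\\" + m[2], m[3], size))
    return entries


def parse_streams(text: str) -> List[AdsEntry]:
    """Turn Streams output into the same triples; a host line precedes its ADS lines."""
    entries: List[AdsEntry] = []
    host = None
    for line in text.splitlines():
        h = STREAMS_HOST.match(line)
        if h:
            host = h[1]
            continue
        m = STREAMS_ADS.match(line)
        if m and host:
            entries.append((host, m[1], int(m[2])))
    return entries


def review(entries: List[AdsEntry]) -> List[AdsEntry]:
    """Drop the streams Windows writes itself; everything else deserves a look."""
    return [e for e in entries if e[1].lower() not in SAFE_STREAMS]


if __name__ == "__main__":
    for source, entries in (("dir /R", parse_dir_r(SAMPLE_DIR_R)),
                            ("streams", parse_streams(SAMPLE_STREAMS))):
        print(source)
        for path, stream, size in review(entries):
            print(f"   {path}:{stream} ({size} bytes)")
```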
ADS and Windows Explorer
• Windows Explorer shows both files, but doesn't show the ADS!
(Screenshot: Windows Explorer on Computer > Local Disk > Windows > System32, with Name, Date, Type, and Size columns, listing putty.exe and wupdmgr.exe)
ADS and Windows Explorer
How Does Windows See ADS?
Our tests with Windows Task Manager and dir didn't reveal any information on the ADS, so the next test is with Windows Explorer. Opening Windows Explorer on the folder c:\windows\system32, you can see both files but still no trace of the ADS.
Working on the ADS Files
• The two files identified by the ADS tools look suspicious by:
  • Their location (windows\system32)
  • Where they are attached: putty.exe and wupdmgr.exe
  • The ADS names config.txt and config2.txt
• But before you remove them, you need to be sure they are malicious
Working on the ADS Files
Identifying the ADS Content
We already have a lot of information about the two ADSes:
• They are located in the windows\system32 directory.
• They are attached to two files in the Windows folder.
• They have suspicious names that look like configuration files.
Normally, this would be enough to warrant removing them from the system, but it would be better if we could be totally sure first. So now you have to find out what those ADSes are.
Accessing the ADS Files
• Because you cannot see the ADS using Windows Explorer, you could try to access them directly from the CLI:
  • Using Type: C:\windows\system32\type putty.exe:config2.txt
  • Using More: C:\windows\system32\more putty.exe:config2.txt
Accessing the ADS Files
Identifying the ADS Content
You already know that you cannot see the ADS from Windows Explorer or from the dir command line. But you could try with a couple of other utilities from Windows, such as:
more
type
Usually, to see a text file, you can use these two utilities to open it. The basic syntax for either of the commands is:
• type [filename]
• more [filename]
Accessing the ADS Files: DOS Prompt
• Type returns a syntax incorrect message
• More returns a cannot access message
• Looks like neither recognize ADS files!
  The filename, directory name, or volume label syntax is incorrect.
  Cannot access file
Accessing the ADS Files: DOS Prompt
Identifying the ADS Content
Note that you may notice different behavior on Windows 7 32-bit and Windows 7 64-bit.
Neither of the utilities produced a nice result. Type returned the following:
The filename, directory name, or volume label syntax is incorrect.
More returned the following:
Cannot access file
But that's because we were using it in the wrong way!
The more utility can be used to read ADS content! The right syntax would be:
more < <file>:<ads>
and, to save the content to a file:
more < <file>:<ads> > resultADS.txt
Accessing the ADS Files: Notepad
• Notepad can do the trick!
  C:\windows\system32\notepad wupdmgr.exe:config.txt
(Screenshot: Notepad opened on the ADS content, in front of the command prompt with the failed type and more attempts)
Accessing the ADS Files: Notepad
Identifying the ADS Content
Another nice way to see the contents of an ADS is using the same old Notepad. Notepad can understand the ADS and show you only the contents of the ADS. For example, from the DOS prompt, you can call Notepad to show the content of both config.txt and config2.txt using the following:
C:\Windows\System32\notepad c:\windows\system32\putty.exe:config2.txt
and
C:\Windows\System32\notepad wupdmgr.exe:config.txt
Accessing the ADS Files
• Checking the ADS contents:
  • Config.txt: From wupdmgr.exe
    gqggljgpg,vzv
  • Config2.txt: From putty.exe
    Update=Yes
    Version=1.0.0-priv8
• Both look strange. Config.txt looks obfuscated and config2.txt definitely looks suspicious.
Accessing the ADS Files
Identifying the ADS content
Using both More and Notepad, you retrieve the content of both ADSes:
Config.txt
Config2.txt
Update=Yes
Version=1.0.0-priv8
Both ADSes look strange, but at least you can see something meaningful in Config2.txt. It looks like a configuration for something. The file appears to have an update setting and the current version information. The version number is also suspicious due to the hacker-style wording:
Priv8 = Private
The first looks like it is protected by some kind of encoding to obfuscate the real content. You probably could try to work on this to figure out the real content.
Working on the Obfuscated ADS
• Working on the obfuscated ADS:
  • You can see the repetition of some letters, such as v and u
• Maybe XOR encoding was used?
Working on the Obfuscated ADS
You can clearly see some repetition of characters like:
v (on vzv, for example)
u (on uuu, for example)
XOR encoding is generally used to encode text or binaries by flipping the bits of the characters according to a given key. For example:
Given a key of 5 to XOR the word "http", I would get "mqqu".
To explain this further, first you have to convert the ASCII to HEX. From the HEX, you get the binary representation. Then, you XOR it with the given key.
h      = Hex 68 = Binary 0110 1000
Key 5  = Hex 05 = Binary 0000 0101
Result = Hex 6D = Binary 0110 1101 = m
Following the same math, you have:
t = Hex 74 XOR key 5 = Hex 71 = q
t = Hex 74 XOR key 5 = Hex 71 = q
p = Hex 70 XOR key 5 = Hex 75 = u
As a final result, you have:
h t t p
m q q u
Obfuscated ADS and XOR
• Getting help from XORSearch to help with the config.txt
• XORSearch: Created by Didier Stevens
• "XORSearch is a program to search for a given string in an XOR encoded binary file. An XOR encoded binary file is a file where some (or all) bytes have been XORed with a constant value (the key)."
Obfuscated ADS and XOR
Working on the Obfuscated ADS
The main problem is to get the right key to use with the XOR math. Fortunately, you have another option: brute force.
Didier Stevens created a tool called XORSearch:
"XORSearch is a program to search for a given string in an XOR or ROL (Roll to the Left) encoded binary file. An XOR encoded binary is a file where some (or all) bytes have been XORed with a constant value (the key). A ROL (or ROR - Rolled to the Right) encoded file has its bytes rotated by a certain number of bits (the key). XOR and ROL encoding is used by malware programmers to obfuscate strings like URLs. XORSearch will try all XOR keys (0 to 255) and ROL keys (1 to 7) when searching."
This tool can be downloaded from Didier Stevens's site.
It is also located in the same folder, Part 6, created on your desktop, so you may need to copy your recovered ADS to this folder when running XORSearch.
Obfuscated ADS and XORSearch (1)
• Because you don't know which strings to search for, you could try a single character and use a brute-force approach following these steps:
  1. Copy the contents of config.txt to another file, say ads.txt
  2. Run XORSearch on ads.txt: xorsearch ads.txt a | more
Obfuscated ADS and XORSearch (1)
Working on the Obfuscated ADS
The problem is that you don't know the key used and don't know which string to give to XORSearch to let it brute force the key and strings. We need to start some place, so first copy the contents of the config.txt ADS to another file for XORSearch to work with. This can be done with the more utility:
more < wupdmgr.exe:config.txt > ads.txt
Then, you can give it to XORSearch to try to brute force and find the most appropriate key:
xorsearch ads.txt a | more
This will make it brute force with the string "a". The pipe (|) to more will be useful because a lot of output should come up, as "a" is a common string.
Obfuscated ADS and XORSearch (2)
Output from xorsearch looking for "a" encoded with XOR:
Found XOR 00 position 007D: ap
Found XOR 01 position 002D:
Found XOR 01 position 006A:
Found XOR 02 position 000C:
Found XOR 02 position 000F:
Found XOR 02 position 0014:
Found XOR 02 position 0049:
Found XOR 02 position 004C:
Found XOR 02 position
Found XOR 02 position 0059: ans.org/nothingtobeseenhere-update.scr
Found XOR 02 position 0078: ate.scr
Found XOR 04 position 0019:
Found XOR 04 position 0022:
XOR 02 got nice strings!!
Obfuscated ADS and XORSearch (2)
Working on the Obfuscated ADS. This output of XORSearch looking for the string "a" is quite useful. There is some garbage when it is using key 00 and key 01:
Found XOR 00 position 007D: ap
Found XOR 01 position 002D:
Found XOR 01 position 006A: afpffmkfqf.vsgbwf-p'q
But interesting strings when using key 02:
Found XOR 02 position 000C:
Found XOR 02 position 000F:
Found XOR 02 position
aining.sans.org/nothingtobeseenhere.txt..http://ww
Found XOR 02 position 001C:
Found XOR 02 position 0049:
Found XOR 02 position 004C:
Found XOR 02 position
Found XOR 02 position 0059:
Found XOR 02 position 0078: ate.scr
Lots of meaningful strings!
Obfuscated ADS and XORSearch (3)
• Because we got meaningful strings with key 02, let's use one of them and repeat the search: xorsearch ads.txt http | more
Found XOR 02 position 0000: lwaretraining.sans.org/not
Found XOR 02 position 003D: http://www.malwaretraining.sans.org/nothingtobeseenhere-update.scr
• Two URLs!!
Obfuscated ADS and XORSearch (3)
Working on the Obfuscated ADS. Key 02 is the key, and you get a lot of useful strings! Now, you can use XORSearch to brute force with some strings that are more meaningful, such as http.
To use xorsearch to search specifically for the http string, use the following command:
xorsearch ads.txt http
Found XOR 02 position 0000:
Found XOR 02 position 003D:
As the result of the execution, you can identify two URLs:
•
•
Maybe another configuration and another updated version of a possible malware? It is possible, but we already know that they are highly suspicious.
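The workflow on the last three slides (probe with a common character, see which key yields readable strings, then confirm with a longer string such as http) is easy to reproduce once you know what XORSearch does under the hood. The script below is an added example written for this page; it is not Didier Stevens' XORSearch and not part of the course files. The encoded buffer is constructed here by XOR-encoding the two URLs from the slides (plus a few binary bytes) with key 02, so the script runs offline; URL_TXT, URL_SCR and the 0x02 key are this example's own sample values.

```python
"""XORSearch-style brute force over single-byte XOR keys (0-255) and ROL keys (1-7).

Added example for this page; it is not Didier Stevens' XORSearch, just the same
idea: decode the whole buffer under every candidate key and look for a needle.
"""
import re
from collections import Counter
from typing import Dict, Iterator, List, Tuple

# Constructed sample: a fake "config" ADS built from the two URLs shown on the
# slides, with a couple of binary bytes in front, XOR-encoded with key 0x02.
URL_TXT = b"http://www.malwaretraining.sans.org/nothingtobeseenhere.txt"
URL_SCR = b"http://www.malwaretraining.sans.org/nothingtobeseenhere-update.scr"
PLAINTEXT = b"\x00\x01url1=" + URL_TXT + b"\x00url2=" + URL_SCR + b"\x00"
SAMPLE_KEY = 0x02  # the key the slides recovered; chosen here for the sample


def xor_bytes(data: bytes, key: int) -> bytes:
    """XOR every byte with a one-byte key (XOR is its own inverse)."""
    return bytes(b ^ key for b in data)


def rol_bytes(data: bytes, bits: int) -> bytes:
    """Rotate every byte left by `bits`. ROL by 8-k undoes ROL by k, so trying
    ROL 1..7 covers ROR-encoded data as well, which is why XORSearch stops at 7."""
    return bytes(((b << bits) | (b >> (8 - bits))) & 0xFF for b in data)


def decode(data: bytes, method: str, key: int) -> bytes:
    return xor_bytes(data, key) if method == "XOR" else rol_bytes(data, key)


def search(data: bytes, needle: bytes, context: int = 48) -> Iterator[Tuple[str, int, int, bytes]]:
    """Yield (method, key, offset, snippet) for every occurrence of `needle`
    under every XOR key 0..255 and every ROL key 1..7, like XORSearch does."""
    keys = [("XOR", k) for k in range(256)] + [("ROL", k) for k in range(1, 8)]
    for method, key in keys:
        decoded = decode(data, method, key)
        pos = decoded.find(needle)
        while pos >= 0:
            yield method, key, pos, decoded[pos:pos + context]
            pos = decoded.find(needle, pos + 1)


def hits_by_key(data: bytes, needle: bytes) -> Dict[Tuple[str, int], int]:
    """How many times the needle shows up under each (method, key).
    A one-letter probe such as b"a" hits under many keys (that is the noise
    the slide pipes through more); a longer needle such as b"http" normally
    survives under the real key only."""
    return dict(Counter((m, k) for m, k, _, _ in search(data, needle)))


def find_urls(decoded: bytes) -> List[bytes]:
    """Pull printable http(s) URLs out of a decoded buffer."""
    return re.findall(rb"https?://[\x21-\x7e]+", decoded)


SAMPLE = xor_bytes(PLAINTEXT, SAMPLE_KEY)

if __name__ == "__main__":
    # Step 1: noisy probe, same output shape as the slide.
    for method, key, pos, snippet in search(SAMPLE, b"a"):
        print(f"Found {method} {key:02X} position {pos:04X}: {snippet!r}")
    # Step 2: confirm with a meaningful string and dump the URLs under that key.
    confirmed = hits_by_key(SAMPLE, b"http")
    print("keys that decode 'http':", confirmed)
    (method, key), _ = max(confirmed.items(), key=lambda kv: kv[1])
    for url in find_urls(decode(SAMPLE, method, key)):
        print(url.decode())
```

Running it prints a long list of "Found ... position ..." lines for the probe "a" under several keys, then a single confirming key, XOR 02, for "http", and finally the two URLs; on a real recovered ADS replace SAMPLE with the bytes read from the file.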
Removing the ADS
• Because you found out that both ADS files are suspicious, you can remove them from the system:
• Using Sysinternals Streams.exe
• Using HijackThis ADS Spy
Removing the ADS!
Right now, you know that both ADSes are malicious or part of a malware that was installed in the system, making it safe to remove them.
Now you have two options to remove the ADSes, using the same tools that you used to scan and search for ADSes on the system. These are:
• HijackThis ADS Spy
• Sysinternals Streams
Removing the ADS: Streams (1)
Removing with Sysinternals Streams:
• Can specify a whole directory or file
• To avoid searching the entire hard drive and deleting legitimate ADSes, we delete only from the files:
  • putty.exe
  • Wupdmgr.exe
Removing the ADS: Streams (1)
Removing the Malicious ADS. Using Sysinternals Streams it is quite easy to remove an ADS. You have two options to remove them:
• Remove them directly from the file
• Scan a directory and delete all ADSes
Because you already know the files that you want to delete the ADS from, you can simply use the path of the files to delete them. This helps avoid deleting legitimate ADSes by mistake.
Removing the ADS: Streams (2)
Removing with Sysinternals Streams:
streams.exe -d c:\windows\system32\putty.exe
Will search the ADS on the putty.exe and delete it
Removing the ADS: Streams (2)
Removing the Malicious ADS! Streams uses basically one command line to delete the ADS:
streams.exe -d c:\WINDOWS\system32\putty.exe

Streams - Enumerate alternate NTFS data streams
Copyright (C) 1999-2007 Mark Russinovich
Sysinternals -

c:\WINDOWS\system32\putty.exe: Deleted

streams.exe -d c:\WINDOWS\system32\wupdmgr.exe

Streams v1.56 - Enumerate alternate NTFS data streams
Copyright (C) Mark Russinovich
Sysinternals -

Deleted
Removing the ADS: HijackThis
• Removing with HijackThis ADS Spy
• Simple as removing BHOs
• Select and click Remove Selected button
• Confirm (in the latest version the confirmation pop-up is blank)
• One difference from removing BHOs: deletions are permanent, no backups!
[Screenshot: HijackThis ADS Spy scan results]
Removing the ADS: HijackThis
Removing the Malicious ADS! Using HijackThis ADS Spy is even easier. On the report screen, you can see the ADS that HijackThis found on the system. If you check the box of any ADS and click the Remove Selected button, you will be prompted with a pop-up screen asking:
"Are you sure you want to remove the selected ADS from your system? They will be deleted permanently."
If you click Yes, you will remove all the selected ADSes.
Note: The screenshot of HijackThis on this slide is version 1.99.1. In version 2.04 (which is the latest version and which most slides are based on), there is an error on the confirmation pop-up. It is blank, with just the Yes or No buttons.
Identifying and Fighting Persistent Malware
What is Persistent Malware?
• What is persistent malware? Malware that uses techniques to keep it running as long as possible on the system, avoiding all attempts to clean the system by removing the malicious entries or killing the process
What is Persistent Malware?
In this module, you learn how to identify and remove persistent malware. As you learned in previous examples, it is quite simple to remove or kill a process using either GUI or command-line tools. However, some malware has a protection mode, which prevents you from killing it.
So you may define persistent malware as malware that uses techniques to keep it running as long as possible on the system, avoiding all attempts to clean the system by removing the malicious entries or killing the process.
How is Persistent Malware Created?
• Our example is a Remote Administration Tool (RAT). A RAT is a backdoor trojan used to remotely control the machine.
• This one is called ApOcalypse RAT and is used by hackers to create their versions
How is Persistent Malware Created?
Before we actually play and learn how to identify and remove the persistent malware, it is interesting to see how the hackers actually build those pieces of software.
The persistent malware is a RAT, which stands for Remote Administration Tool. In other words, it is a backdoor that can give the hacker remote access to the system.
RATs are the preferred method used by APT groups, and most of the recent public targeted attacks used one or another common RAT, such as Poison Ivy or DarkComet, used in the latest attacks in Syria at the end of 2012.
The RAT that we build is called ApOcalypse RAT and is the latest "stable" version released at the time of this writing.
Persistent Malware: ApOcalypse
• The interface has six tabs: Connections, Broadcast, Settings, Builder, Statistics, About
[Screenshot: ApOcalypse RAT main window showing the six tabs]
Persistent Malware: ApOcalypse
The main interface of the ApOcalypse RAT has six tabs:
• Connections
• Broadcast
• Settings
• Builder
• Statistics
• About
We focus on the Connections, Broadcast, and Builder tabs, which are more what we are looking for.
The Settings and Statistics tabs are more related to the server side of the RAT than the client.
The About tab has the description of it, with this information:
Using: Borland™ Delphi® 7
Compiled at: 02:09 AM Saturday 29 August, 2009
Coded In TURKEY
Persistent Malware: ApOcalypse Server
• Broadcast allows the hacker to execute commands, retrieve passwords, and change settings
[Screenshot: ApOcalypse Broadcast tab]
Persistent Malware: ApOcalypse Server
The Broadcast tab has several options that allow the hacker to push instructions and commands to all the clients that it has connected to its server.
These options are:
• Ping
• Password (which allows it to get passwords from Messenger, Browser, No-IP, DynDNS, Filezilla, and also Product Keys)
•
• Change Explorer Settings, like the Internet Explorer Start Page, and open a specific web page
• Execute Commands on the client machine
• Change some server settings
• Power Settings
• Script Creator
Persistent Malware: ApOcalypse Builder (1)
• The Builder tab allows the hacker to customize his new malware, first by selecting the icon to be used (in this case, an icon used by Flash files)
[Screenshot: Builder tab, Icon Settings subtab with Icon Path and the Default Icon / Icon Hunter / Save Icon buttons]
Persistent Malware: ApOcalypse Builder (1)
The sample application that has the server options and settings also allows the hacker to build its own customized client version.
The builder has several subtabs. The first subtab is Icon Settings, which allows the hacker to change the icon that will be used by its backdoor executable.
In the example, you use an icon that is used by Adobe Flash applications.
Persistent Malware: ApOcalypse Builder (2)
• The hacker can then customize things like Server ID, Password, and the server/port to which it should connect
Persistent Malware: ApOcalypse Builder (2)
The Basic Settings subtab enables the hacker to configure options for the server that it will connect to when executed on the victim machine.
For example, it is possible to define a Connection Password, which in this case is sans501, the address where the server will be installed, and the port number.
In this case, the address is
and the port is 1453. (Note that this is not a valid address.)
Persistent Malware: ApOcalypse Builder (3)
• The Builder also allows the option to create fake deceptive messages when executing the malware
[Screenshot: Builder tab, Message Box subtab]
Persistent Malware: ApOcalypse Builder (3)
On the Message Box subtab, it is possible to configure a fake message to be shown when the malware runs on the system.
This message is sometimes used to make the user believe that the application was corrupt and didn't work, so that the malware can run in the background without the user becoming suspicious, because apparently the application didn't run correctly.
In the example, you selected the Attention message icon with the message SANS_SEC_501_Malware_Day.
Persistent Malware: ApOcalypse Builder (4)
• The Advanced settings show the main options for persistence, such as Inject into the Browser and a Watchdog option, called Persistence, as well
[Screenshot: Builder tab, Installation subtab with the Advanced Settings box (Browser, Persistence, Startup, Hidden options)]
Persistent Malware: ApOcalypse Builder (4)
On the Installation subtab, there is a box called Advanced Settings.
In this box, it is possible to select which Advanced options you will use to build the malware.
The options are:
• Inject Into Default Browser: This option will make the malware run in a more stealthy mode, because the malware will not be seen on the process list but will run as code injected into the system browser, such as IE or Firefox. In this way, you see the browser doing the malicious activities and not the executable.
• Persistence: This option creates a "watchdog" mode, which monitors whether the process is running and the Registry entries are in place. This makes it much harder to remove it from the system.
• Offline Key Logger: This means that even if the client is not connected to the server, the key logger will be running.
• Melt Server: This is an option that makes the executable disappear after it runs.
• Disable Safe Mode: This option disables the Windows Safe Mode. Some tools and techniques to remove malware require that you enter into Windows Safe Mode. When this option is checked, Safe Mode will not exist anymore.
• Set File Older Date: This option sets the file to an older date than the date it was copied/installed. One of the techniques used to find out if new files are installed on the computer is a simple dir /O:D. This command lists all files sorted by date, which makes it easy to spot new files added to the folder, especially the Windows and folders.
Persistent Malware: ApOcalypse Builder (5)
• After the options are selected, the tab Build Server is used to define the filename used and the option to apply a packer (UPX) to make it smaller and attempt to bypass some antivirus
[Screenshot: Builder tab, Build Server subtab (RAT Server Editor v1.3, Compression option)]
Persistent Malware: ApOcalypse Builder (5)
The last step to build the malware is to select the name that will be used by it and whether you want to pack it.
If you decide to pack it, it uses the UPX packer. This is generally used to try to bypass antivirus and to make it a smaller size.
Although most modern antivirus products can unpack UPX, it is still a valid technique.
When ready, you just need to click the Build Server button to create the customized version.
Persistent Malware: ApOcalypse Builder (6)
• When you click the Build Server button, it applies all changes and creates the executable ready to use
[Screenshot: Apocalypse Remote Administration Tool build log (settings recorded, server compressed with UPX, server created)]
Persistent Malware: ApOcalypse Builder (6)
When you click the Build Server button, the builder creates a customized executable.
With no errors, the message box shows that the server was created successfully.
Hands-on
Hands-on. To start the "Persistent Malware Hands-On" section, you need to revert to our VM image and run the course.exe again.
On the RAT Malware part, start with the following steps:
1. Revert the VMware Windows 7 image to the Snapshot Clean7: VM -> Snapshot -> Select Clean7
2. Open the folder Course on the VMware Windows 7 Desktop.
3. Open the Part9 folder.
4. Copy HijackThis.exe, Processexp.exe, and Tcpview.exe to the desktop. This can be done by right-clicking and selecting Copy, then going to the desktop and right-clicking and selecting Paste.
5. Double-click the
Now, continue to follow the slides, doing the same on the VMware Windows 7 image.
Persistent Malware in Action (1)
• Monitoring the system with Process Explorer and TCPView and running the malware created, it shows the deceptive message
[Screenshot: Process Explorer and TCPView side by side with the fake warning message]
Persistent Malware in Action (1)
Monitor the system with Microsoft Sysinternals Process Explorer and TCPView. Run both tools as Administrator and arrange them in a way that makes it possible to see both running.
Now that they are running, let's run the RAT backdoor trojan. It creates a folder called SANS_Day5_501_RAT. Double-click the folder, and it opens the folder. Now right-click the file
and select Run as Administrator.
Notice that when we run it, the fake warning message appears. In Process Explorer it is also possible to see that it is running.
Persistent Malware in Action (2)
• After you click OK, you can see that the process disappears from the process list
• You can see an Internet Explorer process trying to access a remote address at port 1453
[Screenshot: Process Explorer process list and TCPView connection list showing the Internet Explorer process]
Persistent Malware in Action (2)
After you click the OK button on the fake warning message, you can see that SANS_Day5_501_RAT.exe exits, but a new process starts: the Internet Explorer process.
If the system can resolve domains, you also notice that it tries to connect to the remote server
on port 1453.
If your VM image cannot resolve domains, you cannot see this part, but you will still see the Internet Explorer process.
Persistent Malware in Action (3)
• Windows Task Manager shows no Internet Explorer application running
• It is probably running in the background with no visible window
[Screenshot: Windows Task Manager, Applications tab]
Persistent Malware in Action (3)
You can now open Windows Task Manager (using the shortcut keys).
On the Applications tab it is possible to see only two windows, Process Explorer and TCPView. Remember that the Applications tab shows the processes that are in the foreground, that is, the ones with windows. So, why would an Internet Explorer process, which is an Internet browser, not have a visible window?
That means that it is running in the background with no visible window, which is highly suspicious.
Persistent Malware in Action (4)
• On Windows XP, looking at the strings of the IE process using Process Explorer, it is possible to see references to applications and passwords
• Not a typical IE behavior
[Screenshot: Process Explorer process list on Windows XP]
Persistent Malware in Action (4)
We already know that Process Explorer offers an option to check the strings of any given process, either the strings from the image on disk or from memory, which is always preferable when dealing with packed malware.
If you come across this malware on Windows XP, it is possible to see some interesting strings. In Process Explorer, double-click the Internet Explorer process and click the Strings tab. At the bottom of the Strings window, be sure to select the Memory option.
If you go through all the strings, you find some strings that are not part of a "clean" Internet Explorer process, such as the following:
APPDATA
ZYYd
Yahoo! Messenger
YLoginWnd
SVW3
ZYYd ZYYd ZYYd
Software\DownloadManager\Passwords
EncPassword
User
During the previous phase, you saw that the ApOcalypse RAT gathered passwords from different applications, such as Messenger, FTP clients, and so on. Here, it is clear.
Also, in Advanced Settings, there was an option called Code into Default Browser. This option was created to inject the malicious code into the browser, so it could run in stealth mode, exactly what you see here.
Persistent Malware in Action (5)
• Using the command ipconfig it is possible to see where it is trying to connect -> ipconfig /displaydns
[Screenshot: ipconfig /displaydns output showing the queried name with "Name does not exist."]
Persistent Malware in Action (5)
Another way to verify where the malware is trying to connect, or even which domains it queried before, is by using the ipconfig command.
Open a DOS prompt. -> Click Start; then click Run, type CMD, and press Enter.
On the DOS prompt, type ipconfig and press Enter. The output is the common output that shows the IP information for the interfaces installed. An additional switch that can be used with ipconfig is the option to display the DNS cache on the machine. This is done via the command: ipconfig /displaydns
ipconfig /displaydns
Windows IP Configuration
Name does not exist.
Again, this information is shown only if the VM can resolve names.
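The DNS cache is worth reading carefully, because a name shows up in it even when resolution failed: a "Name does not exist." entry still records that something on the box asked for that name. The parser below is an added example for this page (not course material and not a Microsoft tool). Its sample output is constructed in the layout ipconfig /displaydns prints on Windows 7; the name c2-placeholder.example.net is a placeholder standing in for the class server name, not the domain used in the course.

```python
"""Parse `ipconfig /displaydns` output and list what the machine has looked up.

Added example for this page (not course material or a Microsoft tool). The
sample output is constructed; c2-placeholder.example.net is a placeholder.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Constructed sample in the layout `ipconfig /displaydns` uses: each cached
# name is followed by a dashed line, then either record fields or a negative
# cache note. Blank lines separate the entries.
SAMPLE_OUTPUT = """\
Windows IP Configuration

    localhost
    ----------------------------------------
    Record Name . . . . . : localhost
    Record Type . . . . . : 1
    Time To Live  . . . . : 86400
    Data Length . . . . . : 4
    Section . . . . . . . : Answer
    A (Host) Record . . . : 127.0.0.1


    c2-placeholder.example.net
    ----------------------------------------
    Name does not exist.

    www.example.com
    ----------------------------------------
    Record Name . . . . . : www.example.com
    Record Type . . . . . : 1
    Time To Live  . . . . : 60
    Data Length . . . . . : 4
    Section . . . . . . . : Answer
    A (Host) Record . . . : 192.0.2.10
"""

# "Label . . . . : value" lines; the dots are padding, not part of the label.
FIELD = re.compile(r"^\s*(.+?)\s*(?:\.\s*)*:\s*(.*)$")


@dataclass
class CacheEntry:
    name: str
    negative: bool = False                                # "Name does not exist."
    records: List[Tuple[str, str]] = field(default_factory=list)

    def addresses(self) -> List[str]:
        """Values of the answer records (A (Host) Record, AAAA Record, ...)."""
        return [v for label, v in self.records
                if label.endswith("Record") and label != "Record Name"]


def parse_displaydns(text: str) -> Dict[str, CacheEntry]:
    """Map each cached name to its entry. The dashed line anchors the block:
    the name is the line above it, the details run until the next blank line."""
    cache: Dict[str, CacheEntry] = {}
    lines = text.splitlines()
    for i, line in enumerate(lines):
        if not line.strip() or set(line.strip()) != {"-"}:
            continue
        entry = CacheEntry(name=lines[i - 1].strip())
        for detail in lines[i + 1:]:
            if not detail.strip():
                break
            if detail.strip() == "Name does not exist.":
                entry.negative = True
                continue
            m = FIELD.match(detail)
            if m:
                entry.records.append((m.group(1), m.group(2)))
        cache[entry.name] = entry
    return cache


def names_not_in(cache: Dict[str, CacheEntry], allowlist: List[str]) -> List[str]:
    """Cached names (negative ones included) outside a list of expected domains;
    a failed lookup still shows what the process tried to reach."""
    allowed = {a.lower() for a in allowlist}
    return sorted(n for n in cache if n.lower() not in allowed)


if __name__ == "__main__":
    cache = parse_displaydns(SAMPLE_OUTPUT)
    for name, entry in cache.items():
        status = "NEGATIVE (name does not exist)" if entry.negative else ", ".join(entry.addresses())
        print(f"{name:30} {status}")
    print("unexpected:", names_not_in(cache, ["localhost", "www.example.com"]))
```

On a live machine, feed it the captured text of ipconfig /displaydns (for example from a file written with ipconfig /displaydns > dns.txt) instead of SAMPLE_OUTPUT; compare the names against the hosts the system is expected to talk to.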
Persistent Malware: Actions
• Actions to take:
  - Kill the process
  - Clean the system
Persistent Malware: Actions
Now that we have the malware installed on the system, we need to get rid of it.
Our suggested actions will be: kill the process, then clean the system.
Persistent Malware: Process Explorer
• Highlighting the process and clicking the X button lets you kill it
[Screenshot: Process Explorer with the Internet Explorer process highlighted and TCPView alongside]
Persistent Malware: Process Explorer
The first step is to kill the process via Process Explorer. As you saw in previous modules, Process Explorer can kill any process simply by clicking to highlight it and then pressing the X button. After that, it will ask for confirmation.
In this case, let's try it with the Internet Explorer process.
Click once on it in Process Explorer so it will be highlighted. Then, click the red X button. When the confirmation pop-up appears, just click the Yes button.
Persistent Malware: Cleaning Problems (1)
• Problem:
  - As soon as you kill Internet Explorer with the injected malware, it restarts. This is part of the "watchdog" persistent method
  - This happens if you try with Process Explorer, Windows Task Manager, or even with WMIC
Persistent Malware: Cleaning Problems (1)
As noted, Process Explorer kills the Internet Explorer process, but just after that a new Internet Explorer shows up there again. (Please note that you may notice different behavior on Windows 7 32-bit and Windows 7 64-bit.)
This is part of the "watchdog" persistent method used by the ApOcalypse RAT.
This is not a defect of Process Explorer. You can try it with Process Explorer, Windows Task Manager, or even via the command line with WMIC. All of these behave the same.
You can go ahead and open Windows Task Manager again and try it.
To open it, use the shortcut key. Then click the Processes tab, locate the Internet Explorer process, and click the End Process button.
Another option, via WMIC:
Open a DOS Prompt window and type:
-> wmic process list brief   <- this will list the processes running and the respective Process ID number. The PID will be necessary to kill the process.
-> wmic process <PID> delete   <- this will actually kill the process, but as noted, if you list the processes again it will be there.
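The watchdog behaviour described above has a simple observable signature: the same image name is back in the process list under a new PID right after you killed it. The script below is an added example for this page (not course material, not a Microsoft or Sysinternals tool) that parses two wmic process list brief listings, one captured before the kill and one after, and reports what vanished and what reappeared. Both listings are constructed here in wmic's column layout; the PIDs are made up, and the image names just mirror the scenario on the slides.

```python
"""Parse `wmic process list brief` output and spot a watchdog respawn.

Added example for this page (not course material, not a Sysinternals or
Microsoft tool): compare two listings taken before and after killing a
process; if the same image name is back under a new PID, something restarted it.
"""
import re
from typing import Dict, List

# Constructed sample listings in the column layout wmic uses for `list brief`.
# PIDs are made up; the image names mirror the scenario on the slides.
BEFORE_KILL = """\
HandleCount  Name                 Priority  ProcessId  ThreadCount  WorkingSetSize
0            System Idle Process  0         0          1            24576
1456         explorer.exe         8         704        22           31887360
90           iexplore.exe         8         1456       3            8978432
312          apocalyps32.exe      8         1080       5            4194304
"""

AFTER_KILL = """\
HandleCount  Name                 Priority  ProcessId  ThreadCount  WorkingSetSize
0            System Idle Process  0         0          1            24576
1456         explorer.exe         8         704        22           31887360
312          apocalyps32.exe      8         1080       5            4194304
88           iexplore.exe         8         1492       3            8962048
"""


def parse_wmic_brief(text: str) -> List[Dict[str, str]]:
    """Turn the fixed-width table into dicts keyed by the header names.
    Columns are separated by at least two spaces, while a name such as
    'System Idle Process' keeps single internal spaces, so splitting on
    runs of two or more spaces recovers the fields without column offsets."""
    lines = [ln.rstrip("\r") for ln in text.splitlines() if ln.strip()]
    header = re.split(r"\s{2,}", lines[0].strip())
    rows = []
    for ln in lines[1:]:
        fields = re.split(r"\s{2,}", ln.strip())
        if len(fields) == len(header):          # skip anything that is not a row
            rows.append(dict(zip(header, fields)))
    return rows


def pids_for(procs: List[Dict[str, str]], image_name: str) -> List[int]:
    """All PIDs whose Name matches image_name (case-insensitive, as Windows is)."""
    return [int(p["ProcessId"]) for p in procs if p["Name"].lower() == image_name.lower()]


def kill_command(pid: int) -> str:
    """The WMIC line the course uses to terminate a process by PID."""
    return f"wmic process {pid} delete"


def detect_respawn(before: str, after: str, image_name: str) -> Dict[str, List[int]]:
    """PIDs of image_name that vanished and PIDs that appeared between listings.
    A non-empty 'respawned' list right after a kill is the watchdog signature:
    the process you terminated is back, so look for whatever restarted it."""
    old = set(pids_for(parse_wmic_brief(before), image_name))
    new = set(pids_for(parse_wmic_brief(after), image_name))
    return {"killed": sorted(old - new), "respawned": sorted(new - old)}


if __name__ == "__main__":
    for pid in pids_for(parse_wmic_brief(BEFORE_KILL), "iexplore.exe"):
        print("would run:", kill_command(pid))
    verdict = detect_respawn(BEFORE_KILL, AFTER_KILL, "iexplore.exe")
    print(verdict)  # {'killed': [1456], 'respawned': [1492]}
    if verdict["respawned"]:
        print("iexplore.exe came back under a new PID: look for a watchdog process")
```

On the VM, capture the two listings with wmic process list brief > before.txt and, after the kill, wmic process list brief > after.txt, then pass the file contents to detect_respawn; a respawned PID is your cue to find the watchdog (apocalyps32.exe in this case) before trying the kill again.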
Persistent Malware: HijackThis
• Another try with HijackThis
• The scan shows two suspicious entries on the system
• Let's select and click the Fix button
[Screenshot: HijackThis scan results with the apocalyps32 entries]
Persistent Malware: HijackThis
We already tried to kill the process using several methods, but the watchdog method prevents it.
Now, you will make another attempt with the HijackThis tool and see what else you can find on this process.
Let's run HijackThis and scan the system. This can be done by double-clicking the application that was copied to the desktop.
When you double-click it, you can select the option Do a System Scan Only. The output will be quite close to this:
F2 - REG:system.ini:
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} -
O4 - HKLM\..\Run: [VMware Tools]
Tools\VMwareTray.exe
O4 - HKLM\..\Run: [VMware User Process] C:\Program Files\VMware\VMware exe
O4 - HKLM\..\Run: [apocalyps32] C:\WINDOWS\apocalyps32.exe
O4 - [MSMSGS]
O9 - Extra button: Related C:\WINDOWS\web\related.htm
O9 - Extra
Show &Related Links -
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies
O23 - Service: VMware Tools Service (VMTools) - VMware, Inc.
Tools\VMwareService.exe
You can now try to select and fix the suspicious Ap0calyps32.exe entries. Select the two/three entries and click the Fix Checked button.
In theory, it cleans those entries.
Persistent Malware: Cleaning Problems (2)
• Problem 2:
  - Another scan with HijackThis shows that the entries that were removed were added again
  - The "watchdog" process is preventing us from removing it
Persistent Malware: Cleaning Problems (2)
Another problem with the cleaning...
As you rescan with HijackThis, you can see that the results are not good. As soon as it removes the entries, the watchdog mechanism adds them again.
Persistent Malware: Solution
• Solution:
  - Manually remove the watchdog file, fix the entries, and kill the process
  - HijackThis shows where it is on the disk
Persistent Malware: Solution
Because the watchdog mechanism prevents us from removing the entries and killing the process, we need to follow another approach.
Remember that this malware also disables Windows Safe Mode, so you cannot reboot the system and enter Safe Mode to try something else. The approach now is to manually remove the watchdog file.
One good thing in the HijackThis scan result is that we were able to see where it is located:
O4 - HKLM\..\Run: [apocalyps32] C:\WINDOWS\apocalyps32.exe
Persistent Malware: Removing the Watchdog
-> C:\>move c:\windows\apocalyps32.exe c:\virus.ex_
• The reason for using move instead of del is that with move you can send this file to your antivirus later. Now it is time to kill the process and fix the entries
Persistent Malware: Removing the Watchdog
There may be several ways to do so. The easiest way is simply to open Windows Explorer in that location and drag the file to some other place.
Another way is simply to open a DOS prompt window and do it by hand.
Open the DOS prompt:
Click Start, click Run, and type CMD. Right-click CMD.EXE, select Run as Administrator, and press Enter.
Now let's move the file to C:\:
-> C:\>move c:\windows\apocalyps32.exe c:\virus.ex_
Instead of move, you could simply use del and remove the file. The reason to use move instead of del is to preserve the file and move it to another location on the disk. In this way, it will be possible to send the file to the antivirus vendor for analysis.
After you are done with this step, it will finally be time to kill the process and fix the entries.
Persistent Malware: Killing the Process
• The process can be terminated with either Windows Task Manager or repeating the same step with Process Explorer
• A version with WMIC would also work:
-> wmic process list brief
-> wmic process <PID> delete
Deleting instance
Instance deletion successful.
Persistent Malware: Killing the Process
The process can now be killed using any tool, from WMIC to Windows Task Manager or Process Explorer.
Using the command line with WMIC, open the DOS prompt: click Start, then click Run and type CMD. Press Enter.
-> c:\>wmic process list brief   <- to list and get the PID (process ID)
-> c:\>wmic process <PID> delete
Repeat the process listing step to verify that this time it killed the process.
Persistent Malware: Removing the Entries
• HijackThis can now remove the entries safely
[Screenshot: Trend Micro HijackThis scan results with the Fix checked button]
Persistent Malware: Removing the Entries
Now that we removed the watchdog file and killed the process, we can delete the entries.
Just run the HijackThis scan again, select the entries to be fixed, and click the Fix Checked button. Rescan and you see that this time they have been removed.
Persistent Malware: Summary
• Result:
  - The system is now clean of this infection
  - And any new IE process will be safe to use
[Screenshot: Process Explorer and TCPView after the cleanup]
F-Secure BlackLight: Checking the Results (1)
• When BlackLight finishes its system scan, it gives a basic report about the status. In this case, it reports: 2 hidden items found
• Now, you can try to clean them by clicking the Next button
[Screenshot: BlackLight report, "Scan complete, 2 hidden items found"]
F-Secure BlackLight: Checking the Results (1)
When F-Secure BlackLight finishes the system scan, it goes directly to the report screen where it shows the status:
Scan complete, 2 hidden items found
Now that we are sure our computer has two hidden items, it is time to start the cleaning process by clicking the Next button.
F-Secure BlackLight: Checking the Results (2)
• The items found were the same ones from McAfee's and Panda's anti-rootkit applications:
  • 9129837.exe
  • New_drv.sys
• F-Secure chooses to rename them as a cleaning method. So we have to select and click the Rename button
F-Secure BlackLight: Checking the Results (2)
The cleaning method adopted by F-Secure is the same one used by McAfee Rootkit Detective. It renames the files after a reboot, which deactivates the rootkit but keeps the files so that you can share them or research them more deeply.
F-Secure BlackLight found the same two files as Panda and McAfee:
• C:\WINDOWS\9129837.exe
• C:\WINDOWS\new_drv.sys
As you can see from the log file:
08/17/07 11:53:45 [Info]: Hidden process: C:\WINDOWS\9129837.exe
08/17/07 11:53:52 [Info]: Hidden C:\WINDOWS\9129837.exe
08/17/07 11:53:52 [Info]:
So we have to select the files and click the Rename button.
F-Secure BlackLight: Renaming the Rootkits
• Now that we renamed them, we can just click the Next button
[Screenshot: F-Secure BlackLight Rootkit Eliminator, Step 2, hidden items marked Rename]
F-Secure Blacklight: Renaming the Rootkits Note the rootkit components n o w show the w o r d Rename i n the action column.
The last step o f the F-Secure BlackLight cleaning procedure after renaming the files is to continue b y clicking the N e x t button. This reboots the system to clean up the rootkit files and processes.
F-Secure BlackLight: Renaming the Rootkits (2)
• Accept the warning about the procedure
• Click OK to restart the computer
[Screenshot: warning dialog. Recoverable text: renaming is recommended for ... users; the actions can cause serious problems; files are renamed to make them unusable; you should back up all ...; checkbox "I understand the warning"; OK and Cancel buttons]
F-Secure BlackLight: Renaming the Rootkits (2)
Before F-Secure BlackLight starts the shutdown process, it prompts with a last warning and asks for confirmation that you understand the warning. To continue we have to check the box I Understand the Warning, and then click the OK button.
The reason for this warning is that any application using a rootkit technique will be renamed, making the application unusable.
Anti-Rootkits: Advanced Tools
• The tools used so far are great for fast detection of rootkits
• However, they offer little/no option for a more in-depth check
• IceSword and Rootkit UnHooker give plenty of information and actionable options
Anti-Rootkits: Advanced Tools The Panda, McAfee, and F-Secure anti-rootkit tools are great tools, but they are restrictive in what they can do. They are basically point-and-shoot rootkit scanners. The McAfee tool offers a few more options, such as renaming the files hidden by the rootkit, but that's it.
Sometimes, you need additional options when trying to identify and remove malware on the machine.
On the following slides, you will be introduced to some basic usage of two tools that offer more control over what you can do when you suspect you have a rootkit on the machine.
These are powerful tools that should be handled carefully to avoid system crashes.
IceSword Anti-Rootkit
• Chinese developed
• Last development from 2007, in both English and Chinese versions
• Not suitable for Vista or Windows 7, but extremely useful on Windows XP
IceSword Anti-Rootkit The IceSword tool is a powerful tool that enables you to inspect:
• Kernel Modules
• BHO
• SSDT
• Scan Modules
• Explorer-like view of files, even files hidden by rootkits
It can be downloaded at
Rootkit UnHooker
• Supports Windows 2k to Vista (not Win 7-compatible)
• Latest version from 2007
• Development team is now at Microsoft
• Allows Hook Restore
Rootkit UnHooker Like various anti-rootkit tools, Rootkit Unhooker was developed by a group of users who are not publicly known.
The latest version is the one that added support for the Vista OS in 2007. The latest news about the development group is that it moved to Microsoft and no longer supports the tool. However, it is still one of the best anti-rootkit tools available.
From the website, the features described are:
• SSDT Hooks Detection and Restoring
• Shadow SSDT Hooks Detection and Restoring
• Hidden Processes Detection/Terminating/Dumping
• Hidden Drivers Detection and Dumping
• Hidden Files Detection/Copying/Deleting
• Code Hooks Detection and Restoring
• Report Generation
It can be downloaded at
Advanced Rootkits and Anti-Rootkits Windows XP: Examples
Although our training material is based on Windows 7, we decided to include this subsection of tools specifically for Windows XP. The reason, as explained before, is that there is still a large user base of Windows XP in both the corporate and end-user world.
The following slides contain tools that are needed to fight rootkits on Windows XP systems but don't work on Windows 7. Although we find few examples of rootkits that work on Windows 7, the same applies to the anti-rootkit tools: most of the tools from antivirus and security companies will not work under Windows 7 and 8.
If you want to practice these examples on a Windows XP system, we included badkits2.zip in the Part 7 folder that you can use later.
Advanced Anti-Rootkit Tools for Windows XP
• Rootkit Stinger
• The McAfee Rootkit tool detects a hidden file in the Windows\system32 folder
• The file is called kdosz.exe
[Screenshot: McAfee rootkit tool results listing the hidden file]
Advanced Anti-Rootkit Tools for Windows XP When we run the rootkit sample, we can first run the McAfee tool to check the results. In this case, it shows that there is a hidden file in the Windows\System32 folder called kdosz.exe.
Because the malware uses a random name every time it runs, you may notice a different filename in your exercise.
Now, let's confirm it using Windows Explorer.
Advanced Anti-Rootkit Tools: Using Windows Explorer The file is hidden by the rootkit and not viewable in Explorer
[Screenshot: Windows Explorer listing of the System32 folder (Name, Size, Type, Date Modified columns; application extensions, system files and device drivers dated 8/23/2001 4:00 AM); kdosz.exe does not appear]
Advanced Anti-Rootkit Tools: Using Windows Explorer As you can see on this slide, there is no file called kdosz.exe shown in our folder because it is hidden by the rootkit.
For this lab, you have to check in the Windows\System32 folder for the filename that was detected with the McAfee tool because the name will change.
Now, let's check Rootkit UnHooker and see what we can do.
Advanced Anti-Rootkit Tools: Rootkit UnHooker Opening Rootkit UnHooker, going to the File tab and selecting SCAN shows our hidden file.
[Screenshot: Rootkit UnHooker File tab (Setup, Language, Tools and Help menus), columns Suspect and Status; the .exe is listed with status Hidden; Scan and Close buttons]
Going to the "Report" tab and pressing the Scan button lets you select the scan options.
Advanced Anti-Rootkit Tools: Rootkit UnHooker When we open Rootkit UnHooker, we can go to the File tab and ask for a Scan.
The result reveals the "suspect" (the executable under the C:\Windows\system32\ folder) and the status, in this case Hidden.
Instead of going to each tab for a Scan, we can now go to the Report tab and ask for a scan to reveal a more complete view of the system.
Advanced Anti-Rootkit Tools: Rootkit UnHooker (2)
• On the Report tab, it is possible to run a scan
• The report shows a warning about rootkit infection
• Also, it shows the hooks made by the rootkit to hide the file
[Screenshot: Rootkit UnHooker Report tab (SSDT, Drivers, Code Hooks and other sub-tabs) after a scan: "POSSIBLE ROOTKIT ACTIVITY DETECTED!!" followed by a list of "Type:" entries, each giving the hook's location "at address ..." inside the hooked module; Scan button]
Advanced Anti-Rootkit Tools: Rootkit UnHooker (2) The Report tab is useful to get a broad view of the system, and in the end it may even warn about what it suspects. In our case, after the scan it shows the hidden file and all the hooks that it found.
The warning is also clear: POSSIBLE ROOTKIT ACTIVITY DETECTED.
The hooked functions are basically the following four:
• NtQueryDirectoryFile
• NtSetValueKey
• NtCreateThread
• NtDeleteValueKey
The hooks are always the same in the report, in most of the running processes. In this case, it is fairly safe to accept the consequences and force the unhook, using the Code Hooks option.
Advanced Anti-Rootkit Tools: Rootkit UnHooker (3)
• To unhook the functions that prevent us from seeing the malware, we have to:
  - Go to the Code Hooks tab
  - Scan again
  - Select the UnHook ALL button
Advanced Anti-Rootkit Tools: Rootkit UnHooker (3) On the Report tab, it was possible to see the hooks that were preventing us from seeing the malware in Windows Explorer.
Now, we can UnHook them. To do this, we go to the Code Hooks tab and click the Scan button again.
After it is done with the scan, we can simply click the UnHook ALL button because in this case all hooks are related to the rootkit. There may be cases in which you want to manually select only the hooks you want to Unhook.
When we click the Unhook button, we will be warned that in some cases, when you unhook a function, the system may become unstable and you may get a BSOD (the infamous Blue Screen of Death).
Advanced Anti-Rootkit Tools: Rootkit UnHooker (4) After the UnHook, we can now see our hidden file in Explorer!
[Screenshot: Windows Explorer listing of the System32 folder after the unhook (Name, Size, Type, Date columns, application extensions dated 8/23/2001 4:00 AM); the previously hidden executable is now listed]
Advanced Anti-Rootkit Tools: Rootkit UnHooker (4) After the UnHook, if we go back to Windows Explorer, we have a nice surprise. Go to Tools and select Refresh. We can now see the hidden file; previously this was only possible with other tools!
Advanced Anti-Rootkit Tools: IceSword (1)
[Screenshot: IceSword window with File, Dump and PlugIn menus; the File view selected on the left and a listing of the System32 folder with file names and sizes on the right, kernel32.dll among them]
Advanced Anti-Rootkit Tools: IceSword (1) This is another example of a great tool that works only on Windows XP. The following slides use the same badkits2.zip rootkit file used to create the previous slides.
After badkits2 is executed, extract IceSword122.zip and open IceSword.exe; then select the File section on the left panel.
Selecting our local drive C: and going to the Windows\System32 folder reveals a nice surprise: it is possible to see our hidden malware in the Windows\System32 folder.
Advanced Anti-Rootkit Tools: IceSword (2) One of the good points of IceSword is the capability to copy a file that the rootkit is hiding to some other folder. In this way, you can examine it or send it to an AV vendor or an online service.
[Screenshot: IceSword right-click menu with Refresh, Copy to... and Force delete options]
Advanced Anti-Rootkit Tools: IceSword (2) We now know that IceSword can show us the file that is hidden by the rootkit.
That is already a good thing. Now, another good thing from this tool is the ability to Copy the file to another location on the hard drive.
This is useful because sometimes we want to send this suspicious file to our antivirus vendor, simply run it on an online service that offers a sandbox, or just run several AV engines and see how they detect this suspicious file.
This is accomplished in IceSword by right-clicking the file and choosing the Copy to option.
The right-click also offers the following options:
• Delete
• Refresh
• Copy to ...
• Force delete
Advanced Anti-Rootkit Tools: IceSword Functions
After we have found the suspicious file, we may want to copy it through IceSword, or go deeper and "unhide" the file.
To do this, we click the Advanced button on the Functions tab on the left panel.
[Screenshot: IceSword left panel, Functions section with Process, SSDT, Message Hooks, Log, Registry and File entries]
Advanced Anti-Rootkit Tools: IceSword (3) As mentioned before, IceSword is powerful and has several functions.
Because we know that we have a hidden file on our system, it would be nice to find the hooks associated with it.
The Advanced button helps with this by offering the option to scan the system.
Advanced Anti-Rootkit Tools: IceSword (4)
On the advanced area, we click on the General Scan button
[Screenshot: IceSword advanced area after a General Scan: a list of hooked functions with their locations (PAGE section) and the modified code bytes]
Advanced Anti-Rootkit Tools: IceSword (4) When we go to the advanced area, we can scan the system by pressing the General Scan button.
The results come up quite fast and show the hooked functions.
In this case:
• ZwQueryDirectoryFile
• ZwCreateThread
Does this sound similar to Rootkit UnHooker? ☺
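Both Rootkit UnHooker and IceSword expose the hidden file by the same cross-view idea: a directory read through a lower-level path is compared with what the hooked NtQueryDirectoryFile/ZwQueryDirectoryFile returns to Explorer, and the difference is what the hook filtered out. The Python below is an added example, not code from the course or from either tool; it implements that comparison on constructed listings (the file names, process names and PIDs are all made up) and extends it to repeated process snapshots, so that a process that merely started between two enumerations is not mistaken for a hidden one.

```python
"""Cross-view detection of files and processes hidden by a rootkit.

Explorer lists a directory through NtQueryDirectoryFile; a rootkit that hooks
that call drops its own names from the answer.  IceSword and Rootkit UnHooker
read the same directory through a lower-level path, so the difference between
the two listings is exactly what the hook removed.  The same comparison works
for process lists (Task Manager versus a low-level enumeration, which is what
SanityCheck reports as a hidden process).
Every listing below is constructed sample data, not output of a real scan.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class CrossViewResult:
    hidden: tuple   # only in the low-level view: filtered out by a hook
    phantom: tuple  # only in the high-level view: also worth a closer look


def normalise(name):
    """Windows names are case-insensitive: 'New_drv.sys' == 'new_drv.sys'."""
    return name.strip().lower()


def cross_view_diff(high_level, low_level):
    """Compare an API-level listing with a raw listing of the same object."""
    hi = {normalise(n) for n in high_level}
    lo = {normalise(n) for n in low_level}
    return CrossViewResult(hidden=tuple(sorted(lo - hi)),
                           phantom=tuple(sorted(hi - lo)))


def confirm_hidden(snapshots):
    """Names hidden in every (high_level, low_level) snapshot pair.

    Processes start and exit between two enumerations, so a single diff can
    flag a process that simply appeared after the first list was taken.
    Requiring the name to be hidden in every snapshot removes that noise.
    """
    confirmed = None
    for high, low in snapshots:
        found = set(cross_view_diff(high, low).hidden)
        confirmed = found if confirmed is None else confirmed & found
    return tuple(sorted(confirmed or ()))


# Constructed listings of C:\WINDOWS: what Explorer showed versus what a raw
# read of the directory returned.
EXPLORER_VIEW = ["explorer.exe", "notepad.exe", "system.ini", "win.ini"]
RAW_VIEW = ["explorer.exe", "notepad.exe", "system.ini", "win.ini",
            "9129837.exe", "New_drv.sys"]

# Constructed process snapshots as "image:pid" strings.  In the first pair a
# legitimate cmd.exe started between the Task Manager read and the raw read,
# so it shows up only in the low-level list; in the second pair it is in both.
PROCESS_SNAPSHOTS = [
    (["winlogon.exe:640", "explorer.exe:1204"],
     ["winlogon.exe:640", "explorer.exe:1204", "cmd.exe:2200",
      "9129837.exe:1352"]),
    (["winlogon.exe:640", "explorer.exe:1204", "cmd.exe:2200"],
     ["winlogon.exe:640", "explorer.exe:1204", "cmd.exe:2200",
      "9129837.exe:1352"]),
]

if __name__ == "__main__":
    files = cross_view_diff(EXPLORER_VIEW, RAW_VIEW)
    print("hidden files:", files.hidden)                 # 9129837.exe, new_drv.sys
    first = cross_view_diff(*PROCESS_SNAPSHOTS[0])
    print("single diff:", first.hidden)                  # also lists cmd.exe:2200
    print("confirmed:", confirm_hidden(PROCESS_SNAPSHOTS))  # only 9129837.exe:1352
```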
Advanced Anti-Rootkit Tools: IceSword (5)
• Select the modules that have the suspicious functions hooked
• Click the Restore button: "You should not do this!"
[Screenshot: IceSword hook list with the hooked entries selected; Restore button and the warning message]
Advanced Anti-Rootkit Tools: IceSword (5) We can now select the hooked functions by clicking them while holding the Shift key.
After we select all hooks of interest, we can press the Restore button. You will see a warning window with the message: "You should not do this!" ☺ This is because in some cases, if we do something wrong (unhook something critical), we may get a BSOD.
Go ahead and restore the hooks and see if we can now see the hidden file in Windows Explorer.
Identifying and Fighting Rootkits (1)
• Caveats:
  • Beware when cleaning the machine with anti-rootkit tools
  • Some rootkits may hide in legitimate processes like iexplore or winlogon.exe
  • Removing legitimate files may result in failure to boot or failure of the system to run correctly
Identifying and Fighting Rootkits (1) Following are some caveats:
• Beware when "cleaning" the machine with anti-rootkit products; some rootkits may be tricky to remove.
• Some rootkits may hide in legitimate processes such as Internet Explorer (iexplore.exe) and winlogon.exe. Removing legitimate files may result in failure to boot or failure to run correctly. In those cases, it is recommended to follow these actions:
  • Get a more verbose program to check the hooks and device drivers related to the legitimate application.
  • Boot in safe mode to allow you to manually delete the malicious device driver (preferably using tools).
  • Restart the system and run the anti-rootkit application again.
Identifying and Fighting Rootkits (2) Last tip:
• When dealing with rootkits, if you are unsure about the cleaning operation, make a backup of your files and rebuild the machine from scratch
Identifying and Fighting Rootkits (2)
Last Tip Although we identified this rootkit on our machine and safely removed/renamed its files, in some cases it may not be possible, or it may be too complex, to do so without causing harm to the computer. If you are unsure about cleaning the rootkit, back up the important files instead and rebuild the machine from scratch. Be careful, as some malicious files may still be hiding in the data you are about to back up.
Therefore, it's better to restore your system from a known clean previous backup if you have one.
And remember, removing legitimate files may result in failure to boot or failure to run correctly.
Rootkits and Anti-Rootkits Windows 7 Hands-on Part 1
Rootkits and Anti-Rootkits In the rootkits and anti-rootkits part, we start with the following steps:
1. Revert the VMware Windows 7 image to the Snapshot Clean7: VM -> Snapshot -> Select Clean7.
2. Open the folder Course on the VMware Windows 7 Desktop.
3. Open the Part7 folder.
4. Copy TDSSKiller.exe, mbr.exe and sanitySetup.exe to your desktop.
5. Double-click the SanitySetup.exe file and click the Next button on the instruction screens to complete the installation.
6. Right-click the badkit.zip file and select Extract All. Enter the training password when asked.
7. Double-click the newly created folder.
8. Copy badkit.exe to the desktop.
9. Now, right-click the badkit.exe file and select Run as Administrator.
Continue to follow the slides, doing the same on your VMware Windows 7 image.
LEGACY INFO: If you plan to do this exercise on a Windows XP machine, you need to check: if the machine is on Service Pack 1 or less, you need to install Service Pack 2, WindowsXP-KB835935-SP2-ENU.exe. This process can take up to 20 minutes depending on your system. Restart your Windows XP (on the VM) after the SP2 installation. Take a new snapshot, called SP2, so we can revert later.
Rootkits: Win 7 Example
• In the following example we examine a machine that is acting strangely
• Identify/verify malicious activity with Windows tools
Rootkits: Live Example
Our Learning Example In our learning example with rootkits, we have the following scenario:
A machine was working okay, but the Incident Response Team identified that something was not quite right. That's not exactly the best thing to hear, because no details were provided, yet we have to figure it out.
First, we try to identify if something is wrong using some of the tools that we learned about so far, such as Task Manager, Process Explorer, and TCPView.
Rootkits: TaskManager View Checking for suspicious processes with Windows Task Manager didn't trigger anything
[Screenshot: Windows Task Manager, Processes tab, showing processes for user lab01 with CPU at 00; CPU Usage: 0%]
Rootkits: TaskManager View
Using TaskManager The first thing we can do is use Windows Task Manager and visually try to identify anything that could be considered suspicious: any process that would not be expected in the machine configuration.
This is obviously not an easy task, because a machine can have hundreds of processes, you may not always know each of the processes, and a malicious process could choose a deceptive name to avoid visual detection.
In our case, we could not see anything that triggered our "visual radar."
Rootkits: Process Explorer View
Using Process Explorer to look for suspicious processes didn't help either
[Screenshot: Process Explorer process tree with PID, CPU, Description and Company Name columns; VMware services and Windows Search host processes visible]
Rootkits: Process Explorer View
Using Process Explorer
We already tried to identify possible suspicious processes or services with Windows Task Manager, but we didn't have any luck. Now we try to see the same processes and services with the Microsoft tool Process Explorer.
Process Explorer can give a much more complete view of the processes and services on the machine, including the description of the process and service.
As you can see, you cannot spot any suspicious activities or processes.
[Screenshot excerpt: Process | PID | CPU | Description | Company Name; System Idle Process | 0 | 98.02; Interrupts | Hardware Interrupts; DPCs | Deferred Procedure Calls]
Rootkits: TCPView Traces
• TCPView shows interesting information!
• process???
• Initiating connection to a remote site on http port?
[Screenshot: TCPView listing of TCP and UDP endpoints, most in the LISTENING state, with one process shown initiating a connection]
Rootkits: TCPView Traces
Using Sysinternals TCPView Because we already tried to get information with Windows Task Manager and Process Explorer and could not identify any suspicious processes or services, we can now try to use another well-known tool: TCPView.
This time we got at least some suspicious activity.
TCPView shows a bunch of connections initiated by a process to a remote server on port 80.
[Screenshot excerpt, process name column cut off:]
Process | Protocol | Local Address | Remote Address | State
:744 | UDP | Lab-machine:1075 | *.* |
:744 | TCP | Lab-machine: | | LISTENING
:744 | TCP | lab-machine:1046 | | SYN_SENT
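As an added example (not part of the course or of TCPView itself), the following Python parses a constructed TCPView-style listing modelled on the table above, groups the client-side TCP connections by process, flags a process that keeps connecting to one remote host on a web port, and cross-checks the image names against a Task Manager list. The process names, PIDs and addresses are all made up.

```python
"""Triage of TCPView output for a process that keeps reaching out on port 80.

The input is a constructed listing in TCPView's column order (Process,
Protocol, Local Address, Remote Address, State).  TCPView resolves well-known
ports to names, so "http" and "80" have to be treated as the same port, and
UDP rows carry no State column.
"""
from collections import defaultdict

PORT_NAMES = {"http": 80, "https": 443, "domain": 53, "microsoft-ds": 445}
OUTBOUND_STATES = {"SYN_SENT", "ESTABLISHED"}

# Constructed sample: PID 744 only listens, the hidden 9129837.exe keeps
# opening connections to one remote host on port 80, and a browser has a
# single ordinary web connection.
TCPVIEW_OUTPUT = """\
svchost.exe:744    UDP  lab-machine:1075  *:*
svchost.exe:744    TCP  lab-machine:135   lab-machine:0       LISTENING
9129837.exe:1352   TCP  lab-machine:1046  203.0.113.10:http   SYN_SENT
9129837.exe:1352   TCP  lab-machine:1047  203.0.113.10:http   SYN_SENT
9129837.exe:1352   TCP  lab-machine:1048  203.0.113.10:80     ESTABLISHED
iexplore.exe:2080  TCP  lab-machine:1052  198.51.100.7:http   ESTABLISHED
System:4           TCP  lab-machine:445   lab-machine:0       LISTENING
"""


def split_endpoint(endpoint):
    """'203.0.113.10:http' -> ('203.0.113.10', 80); '*:*' -> ('*', None)."""
    host, _, port = endpoint.rpartition(":")
    if port.isdigit():
        return host, int(port)
    return host, PORT_NAMES.get(port.lower())


def parse_tcpview(text):
    """Yield one dict per row; the State column is empty for UDP rows."""
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue
        proc, proto, local, remote = fields[:4]
        state = fields[4] if len(fields) > 4 else ""
        name, _, pid = proc.rpartition(":")
        yield {"process": name, "pid": int(pid), "proto": proto,
               "local": split_endpoint(local),
               "remote": split_endpoint(remote), "state": state}


def outbound_connections(text):
    """Map 'image:pid' -> [(remote_host, remote_port, state), ...] for TCP
    rows that are client-side connections (SYN_SENT or ESTABLISHED)."""
    result = defaultdict(list)
    for row in parse_tcpview(text):
        if row["proto"] == "TCP" and row["state"] in OUTBOUND_STATES:
            key = f'{row["process"]}:{row["pid"]}'
            result[key].append(row["remote"] + (row["state"],))
    return dict(result)


def repeated_web_connections(text, min_count=2, ports=(80, 443)):
    """Processes with at least min_count connections to the same remote host
    on a web port: the pattern the TCPView slide shows."""
    flagged = {}
    for proc, conns in outbound_connections(text).items():
        per_host = defaultdict(int)
        for host, port, _state in conns:
            if port in ports:
                per_host[host] += 1
        hits = {h: n for h, n in per_host.items() if n >= min_count}
        if hits:
            flagged[proc] = hits
    return flagged


def not_in_task_manager(text, task_manager_images):
    """Image names that TCPView shows but Task Manager did not list: a
    process with network activity that the process list hides."""
    seen = {n.lower() for n in task_manager_images}
    return sorted({row["process"] for row in parse_tcpview(text)
                   if row["process"].lower() not in seen})


if __name__ == "__main__":
    print(repeated_web_connections(TCPVIEW_OUTPUT))
    # Constructed Task Manager image list: the hidden process is absent.
    print(not_in_task_manager(TCPVIEW_OUTPUT,
                              ["svchost.exe", "iexplore.exe", "System"]))
```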
Rootkits: SanityCheck (1)
• Works on different versions of Windows, including 7, 8, and Server 2012
• Works on x32 and x64
• Great to identify, not to "Fix"
Rootkits: SanityCheck (1) The tool SanityCheck works great on different versions of Windows, including Windows 7. Before you start to use it, you need to have it installed on the system.
It is a great tool to assist you in identifying suspicious rootkit activities; however, it does not fix them.
It can be downloaded at
The installation is simple; just double-click it and follow the default options. Remember to check the box that creates a desktop icon, on the screen called Select Additional Tasks.
The last screen during installation lets you launch the tool after the Setup Wizard finishes. That's okay; just click Finish.
Before the tool actually starts, it asks if you want to change certain Registry settings to improve detection. Because we don't want to mess with the Registry, select No.
Rootkits: SanityCheck (2)
• Simple interface
• Just click the Analyze button
[Screenshot: SanityCheck welcome screen explaining that the program looks for rootkits, viruses and other malware (hidden processes, drivers, hidden threads and kernel modules), that certain irregularities are normally associated with security software you have installed, that if irregularities are found the report offers suggestions on how to proceed with the investigation, that the tool is not intended for absolute novice users who have no idea about the software installed on their systems, and that analyzing the system may take a few minutes]
Rootkits: SanityCheck (2) The SanityCheck interface is simple. We just need to click the Analyze button and wait for the results.
Rootkits: SanityCheck (3)
• The result shows a hidden process detected running in the system
• This is a good indication that a rootkit is installed
• Now we need to find the driver that is preventing us from seeing and killing the process, so we can clean our system
[Screenshot: SanityCheck report stating that one hidden process has been detected; the Processes section lists the hidden process]
Rootkits: SanityCheck (3) After the scan finishes, it shows you the results when you scroll down the main window.
In the results, you can see that it detected a hidden process running on the system, called 9129837.exe. This is a good indication that there is a rootkit on the system that is intercepting the system calls and preventing the process from being displayed.
This is usually done by a low-level system driver installed in the system. To clean our system, we need to see the process. To see the process, we need to delete what is preventing Windows from showing it.
Rootkits: TDSSKiller (1) Kaspersky TDSSKiller
- Developed by AV vendor Kaspersky in 2009
- Clear (command line available)
- Supports 32 and 64 bits
Rootkits: TDSSKiller (1) TDSSKiller, developed by the AV vendor Kaspersky, can be downloaded at
It is a simple, yet powerful application, and it runs smoothly on Windows 7, both 32- and 64-bit.
Rootkits: TDSSKiller (2)
• Starting the TDSSKiller tool
[Screenshot: Kaspersky TDSSKiller "Ready to scan" screen; the tool is designed to detect and remove rootkits (such as TDSS, Stoned, SST) and other malware, and may require a reboot after the scan; Start scan button]
Rootkits: TDSSKiller (2) To start the TDSSKiller tool, simply double-click tdsskiller.exe on your desktop.
The application opens and asks if you want to Start the Scan right away, or if you want to customize it. The tool offers you the option to select which objects you want to scan, such as System Memory, Services and Drivers, Boot Sectors and Loaded Modules. By default the first three are checked to be scanned, and in general you should be okay.
P.S. The tool also offers some options that enable you to run it from the command line. Typing tdsskiller.exe -h shows all available options.
Rootkits: TDSSKiller (3)
• Delete the Suspicious Driver and Reboot
Rootkits: TDSSKiller (3) As you can see, the slide shows that TDSSKiller found a threat. It is a hidden driver that works as a service, with the name new_drv.
TDSSKiller offers three options for the suspicious hidden file: Skip, Copy to Quarantine, and Delete.
Now let's delete the suspicious driver and reboot the system.
Note that on 64-bit Windows 7, after running TDSSKiller, new_drv is not detected, but 9129837 exists on the machine and may be running.
Rootkits: Process Explorer (1)
• Now you can see the process running!
• It is time to remove it from the system
[Screenshot: Process Explorer showing the previously hidden process with its CPU usage]
[c:\WinPE\Mount] Successfully mounted image (RW).
5. At the command prompt, type the following and then press Enter to access the following Registry subkey: (The font size may break into two lines, but it is just one command line.)
reg load
6. At the command prompt, type the following and then press Enter to create a 96 MB disk cache of RAM: (The font size may break into two lines, but it is just one command line.)
reg add /v /t /d 96 /f
7. At the command prompt, type the following and then press Enter to exit this Registry key:
reg unload HKLM\WinPE_SYSTEM
8. Create a directory for the malware-scanning tools under the Mount folder. (For example, you could use the name "Tools" for this folder.)
9. Copy the tool files that you downloaded in Task 2 to the tools directory that you just created. Example:
copy c:\WinPE\mount\Tools
You can also use Windows Explorer to do this task!
10. At the command prompt, type the following, press Enter, type Yes, and press ENTER again to continue the process:
/prep
You should see the following message on your system:
Preinstallation Environment Image Setup Tool for Windows
Copyright (C) Microsoft Corporation. All rights reserved.
The /prep command will permanently modify a Windows PE image, so that it can no longer be serviced. This means that operations including:
• Installing or
• Applying or other servicing packages
• Installing language packs
Will not be possible on the prepared image. To continue, enter "yes". Any other input will exit the program.
Continue? Yes
PEIMG completed the operation successfully.
11. At the command prompt, type the following and then press Enter to save your changes:
/unmount c:\WinPE\Mount /commit
You should see the following message on your system:
for Windows
Copyright (C) Microsoft Corp. 1981-2005. All rights reserved.
Unmounting:
Successfully unmounted image.
12. At the command prompt, copy the following, press Enter, and then type Yes to overwrite the existing wim:
copy
13. At the command prompt, type the following and then press Enter to create an ISO of the PE image: (The font size may break into two lines, but it is just one command line.)
-n c:\ c:\WinPE\ISO iso
The message indicates that it was successful. Please note that the number of files may vary depending on the tools you include. In my case I didn't include Spybot Search & Destroy because it would need to be installed on the machine; we will do the offline analysis, and in most cases we will not be able to install additional software on the infected machine.
OSCDIMG 2.45 Utility
Copyright (C) Microsoft, 1993-2000. All rights reserved. For Microsoft internal use only.
Scanning source tree complete
in 8 directories)
Computing directory information complete
Image file is 205975552 bytes
Writing in 8 directories to
100% complete
Final image file is 205975552 bytes
Done.
14. The previous step created an ISO image for us. We will now write it to a CD-ROM.
Booting with Windows PE Step 4: Use the Malware Removal Starter Kit to scan your computer
• It is time to boot your system with the newly created Windows PE CD-ROM
• Ensure that your BIOS is set to boot from CD-ROM!
Booting with Windows PE Some BIOSes are already set to put the CD-ROM boot in first place, followed by the hard disk and other media.
You may need to consult your BIOS documentation for instructions on how to change the settings for boot preferences.
If your computer is already set to check the CD-ROM first, you may be asked to press Enter to boot from the CD-ROM and then start Windows PE.
On the System (1)
• Tools will be in the tools folder
• Two options:
  • Check the known suspicious files, or
  • Start with the antivirus/anti-spyware tools
On the System (1) When you first start Windows PE, you are presented with a DOS prompt window in the folder X:\windows\system32.
Your tools are in the folder x:\tools; then, you have to change directories:
X:\windows\system32>cd x:\tools
This takes you to the Tools folder, where you can run all the tools that you included in the image.
On the System (2) Check the known suspicious files
• This option is for when you found suspicious files during the online analysis but could not delete them
• Now you can find and delete them!
On the System (2) Now that you have access to the offline system, you can go after the suspicious files that you found during an online analysis but were unable to delete/remove because of a malware trick.
When the boot process is finished, you will be in a DOS prompt window on drive X:, but you can easily go through the actual hard drives, find the suspicious file and try to delete it.
A simple command, cd c:\, will take you to the drive C:\ and then you can navigate to any folder.
On the System (3)
• All tools will be on the X: drive in the folder tools
• Check your USB pen-drive drive letter with the Drive Manager tool, from X:\tools
On the System (3) As already explained, you will be presented with a DOS window in the X:\windows\system32\ folder. The tools you included will be in X:\tools; you can just cd x:\tools.
If during the boot process you inserted your pen-drive, you can find it. Usually the system will assign the letter E: to it, but you might need to check it with the Drive Manager tool.
On the System (4)
• Using the AV/AS tools in offline mode:
  • This option is useful when you've already tried everything possible to uncover malicious files on a live system
  • It runs some antivirus and anti-spyware tools, looking for suspicious files/threats
  • This helps because some malware prevents them from running on live systems
On the System (4) You probably want to use the antivirus/antispyware tools, such as Avast and McAfee Stinger, so they can scan the system looking for malicious software.
Some of these tools are set to scan C:\, which is usually the common root drive for Windows systems, but you might want to use DriveMan.exe to see all disk drives on the system, and maybe reconfigure the scan tools to also check additional drives.
Cleaning the System
• When your tools detect something malicious, you have a chance to remove it
• Remember that removing legitimate files may result in failure to boot or failure to run correctly
Cleaning the System When you decide to run an antivirus/antispyware tool, be aware that some of them will automatically remove the detected file from the system.
The Avast Cleaner proceeds that way, but McAfee Stinger offers four options when it detects a virus:
• Report Only: reports the detection on the screen and changes nothing
• Repair: tries to repair the infected file
• Rename: renames the infected file
• Delete: deletes the infected file from the system
The default option is Repair.
Remember that removing legitimate files may result in failure to boot or failure to run correctly.
Note: In some cases it is not safe to remove a malware file if the changes it made are not remediated as well. For example, if the malware installed itself as a Winsock Layered Service Provider (LSP), removing the file without fixing the provider order in the Registry keys leaves a broken LSP chain and a loss of network connectivity. The same goes for malware that hooks itself into the boot or initialization chain: removing the file without removing all the artifacts that reference it may leave the system unbootable. Therefore it is better to rename the file first, verify that the system still boots and the network still works, and delete it only then; a rename is easy to revert if something breaks.
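The note above recommends renaming rather than deleting so the change can be undone. The following helper, added here as an example and not part of the course material or its tools, makes that reversible: it renames the suspect file in place with a .quarantined suffix, records the original path and SHA-256 in a JSON-lines manifest, and can restore every entry while verifying the hash before moving the file back. The suffix, the manifest format and the dummy file created by demo_roundtrip() are this example's own choices.

```python
"""Reversible 'removal': rename instead of delete, keep a manifest, revert on demand.

Added example, not course code. Intended for use from an offline (WinPE) boot
against the real system drive, where the malware cannot lock the file.
"""
import hashlib
import json
import os
import tempfile
import time

QUARANTINE_SUFFIX = ".quarantined"   # example's own choice


def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def quarantine(path, manifest):
    """Rename path -> path + suffix and append a manifest record. Returns the new path."""
    if path.endswith(QUARANTINE_SUFFIX):
        raise ValueError("already quarantined: " + path)
    new_path = path + QUARANTINE_SUFFIX
    record = {"original": path, "quarantined": new_path,
              "sha256": sha256_of(path), "size": os.path.getsize(path),
              "time": time.strftime("%Y-%m-%dT%H:%M:%S")}
    os.rename(path, new_path)          # same volume, so the rename is atomic
    with open(manifest, "a", encoding="utf-8") as m:
        m.write(json.dumps(record) + "\n")
    return new_path


def restore_all(manifest):
    """Move every quarantined file back, newest first. Returns (restored, skipped)."""
    with open(manifest, encoding="utf-8") as m:
        records = [json.loads(line) for line in m if line.strip()]
    restored, skipped = [], []
    for rec in reversed(records):
        q = rec["quarantined"]
        if not os.path.exists(q):
            skipped.append((rec["original"], "quarantined copy missing"))
            continue
        if sha256_of(q) != rec["sha256"]:
            skipped.append((rec["original"], "hash mismatch, file changed while quarantined"))
            continue
        if os.path.exists(rec["original"]):
            skipped.append((rec["original"], "original path already occupied"))
            continue
        os.rename(q, rec["original"])
        restored.append(rec["original"])
    return restored, skipped


def demo_roundtrip():
    """Self-contained check in a temp dir: quarantine a dummy file, then restore it."""
    d = tempfile.mkdtemp()
    target = os.path.join(d, "smc.exe")
    with open(target, "wb") as f:
        f.write(b"MZ" + b"\x00" * 62)   # constructed dummy content, not a real binary
    manifest = os.path.join(d, "quarantine.jsonl")
    q = quarantine(target, manifest)
    renamed = (not os.path.exists(target)) and os.path.exists(q)
    restored, skipped = restore_all(manifest)
    return {"renamed": renamed, "restored": restored == [target], "skipped": len(skipped)}


if __name__ == "__main__":
    print(demo_roundtrip())
```

Restoring newest first matters when one file was renamed more than once in a session, and the hash check refuses to put back a file that changed while it sat in quarantine. The Registry artifacts (LSP order, Run keys, service entries) still have to be handled separately; this only makes the file side of the change reversible.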
Restoring the System (1)
• In case the system fails to restart after you removed files during the offline scan, you have two options:
• Restore the system
• Rebuild the system
Restoring the System (1) When you decide to remove some files, you might affect the system in a way that prevents it from restarting properly. When that occurs, you have two options:
• Restore the system.
• Rebuild the system.
We see both options in detail on the following pages.
Restoring the System (2)
• In some situations, Windows creates snapshots of "safe" configurations, so if your system is booting, you may have a chance to restore it to a last good state
• If it doesn't boot, you can also try to restore from the command prompt
Restoring the System (2) The first option is System Restore. Windows periodically creates snapshots of known-good configurations and calls them restore points. If something goes wrong, you can roll the system configuration back to one of those restore points. Keep in mind that a restore point only helps if it was created before the infection, and that some malware deletes restore points or disables the service that creates them.
If you can boot the system, you can locate the restore points by following these steps (the wizard pages are those of Windows XP; later versions reach System Restore through the same menu path with slightly different page titles):
1. Log on to Windows as Administrator.
2. Click Start, point to All Programs, point to Accessories, point to System Tools, and then click System Restore. System Restore starts.
3. On the Welcome to System Restore page, click Restore my computer to an earlier time (if it is not already selected), and then click Next.
4. On the Select a Restore Point page, click the most recent system checkpoint in the On this list, click a restore point list, and then click Next. A System Restore message may appear that lists the changes that System Restore will make. Click OK.
5. On the Confirm Restore Point Selection page, click Next. System Restore restores the previous Windows XP configuration, and then restarts the computer.
6. Log on to the computer as Administrator. The System Restore Restoration Complete page appears.
7. Click OK.
If you cannot log on normally, boot into Safe Mode and run System Restore from the command prompt:
1. Restart your computer, and then press F8 during the initial startup to start your computer in Safe Mode with Command Prompt.
2. Log on to your computer with an administrator account or with an account that has administrator credentials.
3. Type the following command at the command prompt, and then press Enter: %systemroot%\system32\restore\rstrui.exe (this is the Windows XP location; on Windows Vista and later the tool is %systemroot%\system32\rstrui.exe).
4. Follow the instructions that appear on the screen to restore your computer to an earlier state.
Rebuilding the System
• If everything fails, you have to reinstall the system from scratch or from an image
• Critical step when doing it: remember to apply all patches; otherwise, you might be compromised quickly by one of the several Internet zombies
Rebuilding the System When everything fails, and not even a System Restore solves the problem, the only way forward is to rebuild the system.
Some companies have hard-disk imaging software, which makes the work much faster: wipe the disk and deploy a known-good image.
If you are not in that category, you have to install from scratch. In either case, a critical step is to apply the security patches as soon as possible, and before the machine is exposed to the network (install from offline media or behind a firewall); otherwise you may be compromised again quickly by one of the many Internet zombies that keep scanning for vulnerable machines. Also change any credentials that were used on the compromised machine, since rebuilding the host does nothing about passwords the malware may already have captured.
Summary
• In this module, you learned:
• What the MS approach to removing malware is
• Building a special Windows PE CD-ROM
• Offline scanning
• System restore/rebuild
Summary In this module, you learned about the MS approach to malware removal. You also learned how to build a custom Windows PE CD-ROM that can be used to identify and remove malware on an offline system, both with commercial tools and by going directly after suspicious files found during live analysis.
Also, if you accidentally remove a critical file and the system refuses to behave normally, you learned how to use a Windows feature called System Restore to go back to the last known good configuration. And if even that does not work, you learned that the best solution is to reinstall the system from scratch.
What We Covered in This Course (1)
• Usage of basic tools from Windows to help spot and remove malware
• Usage of WMIC to give us more power and information when dealing with malware
What We Covered in This Course (1) During this course, you learned how to use the DOS prompt to get the most out of well-known tools such as DIR and netstat, which help identify and remove malware from the system. You also learned about the advanced command-line tool WMIC, which lets you query the system for more complete information and terminate processes and services that may be used by malware.
What We Covered in This Course (2)
• Usage of the HijackThis tool in different scenarios
• Usage of MS Sysinternals Process Explorer and TCPView to identify and remove malware
• Understanding BHOs and how to use ListDLLs and HijackThis to deal with them
What We Covered in This Course (2) We first used a Swiss Army knife tool called HijackThis, which lets you run a system scan, clean malware traces, terminate malware processes, and identify auto-loading applications.
We also introduced the Microsoft Sysinternals Suite, which contains many tools. We started with Process Explorer, an advanced version of Windows Task Manager, and then covered TCPView, which can be compared with the netstat tool.
The malicious use of DLLs as BHOs (Browser Helper Objects) was also explained, together with the Sysinternals ListDLLs tool to deal with them.
What We Covered in This Course (3)
• Understanding ADS and how to get information about them
• Examining rootkits and anti-rootkit technologies
• Dealing with persistent malware
• Analyzing different types of malware
What We Covered in This Course (3) Alternate data streams (ADS) were covered, as well as the tools that can be used to identify and remove them from the system.
You learned about rootkit and anti-rootkit technologies: the tools that can be used to identify the presence of a rootkit and how to use the anti-rootkit tools to remove it from the system.
What We Covered in This Course (4)
• Learning how to use protocol analyzers to identify malware traces on the network
• Using sandbox websites to help identify possibly malicious files by examining the reports generated
What We Covered in This Course (4) Identifying the presence of malware on the network helps a lot in improving defenses. You learned how to use a protocol analyzer, Wireshark, to identify the network traces left by malware, so you can better understand its purpose.
Sandbox technologies were also explained, and you learned how to use them to determine whether a suspicious file is malicious by reading the reports they generate.
What We Covered in This Course (5)
• How to build a special version of Windows PE, used in the Microsoft Malware Removal Kit, and how to use it
What We Covered in This Course (5) In this course, you learned how to build a special version of Microsoft Windows PE, which is used in the Microsoft Malware Removal Kit with tools for an offline scan of the machine.
You also learned how to use the kit to detect additional malicious software.
Hands-on Answers
Lab 1: Part 1 Answers
1) How many files were added to the directory?
Files/directories created as a result of running the malware: C:\WINDOWS\system32\0wned.log
Hidden files: C:\WINDOWS\system32\inetsrv\smc.exe
2) Are any of them running?
Process that is running: smc.exe
3) Can you identify any network connections associated with those files?
Using netstat with the parameters -ano, it is possible to identify the network connections and the process ID (PID) of each one; matching the PID against tasklist ties each connection to smc.exe. Because the malware rotates between a list of hard-coded IPs, you may notice different addresses being checked, such as 173.194.43.43 and 37.59.41.117.
4) How can you kill that connection?
In the previous question you were able to see the smc.exe process making network connections. The course material shows examples of using taskkill.exe /IM malware.exe, but in this case you will notice that using only the /IM parameter will not kill smc.exe. Sometimes you need to force the kill, which is done by adding the /F parameter to the command line (taskkill /F /IM smc.exe, or taskkill /F /PID <pid> with the PID taken from netstat).
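Doing the netstat-to-process matching by hand is error-prone on a busy host. The script below, added here as an example and not part of the course material, parses captured output of the two built-in tools (netstat -ano and tasklist /FO CSV), joins the two on the PID column, lists the remote IPs a given image name talks to, and builds the forced taskkill commands for the owning PIDs. The two tool outputs embedded below are constructed for this example; the remote addresses are the ones named in the lab answer.

```python
"""Correlate `netstat -ano` connections with `tasklist /FO CSV` process names.

Added example, not course code. Feed it the real outputs with, for instance,
netstat -ano > net.txt and tasklist /FO CSV > tasks.txt, then read the files.
"""
import csv
import io

# Constructed sample of `netstat -ano` output (not a real capture).
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       812
  TCP    192.168.1.10:49201     173.194.43.43:80       ESTABLISHED     1476
  TCP    192.168.1.10:49202     37.59.41.117:443       SYN_SENT        1476
  TCP    [::]:445               [::]:0                 LISTENING       4
  UDP    0.0.0.0:500            *:*                                    1020
"""

# Constructed sample of `tasklist /FO CSV` output (not a real capture).
SAMPLE_TASKLIST = '''"Image Name","PID","Session Name","Session#","Mem Usage"
"System","4","Services","0","300 K"
"svchost.exe","812","Services","0","6,884 K"
"svchost.exe","1020","Services","0","4,120 K"
"smc.exe","1476","Console","1","3,212 K"
'''


def _split_endpoint(endpoint):
    """'173.194.43.43:80' -> ('173.194.43.43', 80); '[::]:445' -> ('::', 445); '*:*' -> ('*', None)."""
    host, _, port = endpoint.rpartition(":")
    host = host.strip("[]")
    return host, (int(port) if port.isdigit() else None)


def parse_netstat(text):
    """Return one dict per TCP/UDP line. UDP lines have no State column, so they split into 4 fields."""
    conns = []
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[0] not in ("TCP", "UDP"):
            continue
        if fields[0] == "TCP":
            proto, local, foreign, state, pid = fields[:5]
        else:
            proto, local, foreign, pid = fields[:4]
            state = ""
        rhost, rport = _split_endpoint(foreign)
        conns.append({"proto": proto, "local": local, "remote_ip": rhost,
                      "remote_port": rport, "state": state, "pid": int(pid)})
    return conns


def parse_tasklist_csv(text):
    """Map PID -> image name from `tasklist /FO CSV` (the CSV form is easier to parse than the table)."""
    reader = csv.DictReader(io.StringIO(text))
    return {int(row["PID"]): row["Image Name"] for row in reader}


def connections_for_image(netstat_text, tasklist_text, image):
    """All connections owned by processes whose image name matches, case-insensitively."""
    pid_to_image = parse_tasklist_csv(tasklist_text)
    wanted = image.lower()
    return [c for c in parse_netstat(netstat_text)
            if pid_to_image.get(c["pid"], "").lower() == wanted]


def remote_ips_for_image(netstat_text, tasklist_text, image):
    """Distinct remote IPs the image talks to, ignoring listen/wildcard entries."""
    ips = set()
    for c in connections_for_image(netstat_text, tasklist_text, image):
        if c["remote_ip"] not in ("0.0.0.0", "*", "::"):
            ips.add(c["remote_ip"])
    return sorted(ips)


def kill_commands(netstat_text, tasklist_text, image):
    """Forced taskkill by PID; /F is what makes the difference for processes that ignore a plain /IM kill."""
    pids = sorted({c["pid"] for c in connections_for_image(netstat_text, tasklist_text, image)})
    return [f"taskkill /F /PID {pid}" for pid in pids]


if __name__ == "__main__":
    for c in connections_for_image(SAMPLE_NETSTAT, SAMPLE_TASKLIST, "smc.exe"):
        print(c)
    print(remote_ips_for_image(SAMPLE_NETSTAT, SAMPLE_TASKLIST, "smc.exe"))
    print(kill_commands(SAMPLE_NETSTAT, SAMPLE_TASKLIST, "smc.exe"))
```

Killing by PID rather than by image name avoids terminating a legitimate process that happens to share the name, and the remote IP list is what you carry over to the Wireshark and sandbox steps later in the course. Capture both outputs at the same moment, since PIDs are reused after a process exits.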
Lab 2: Part 2 Answers
1. How can you start the WMIC console?
Open the command line and type wmic.
2. List all processes in a brief way. Which command did you use?
wmic process list brief
3. List all instances of malware.exe processes. Which command did you use?
wmic process where name="malware.exe" list brief
4. Use WMIC to kill all processes of name malware.exe.
wmic process where name="malware.exe" delete
5. Check the startup list. Check whether malware.exe or any suspicious file is configured to start when the computer reboots. Tip:
wmic startup list full
This command will show a list of the files; notice the malware file.
6. Generate the list of all processes that start at boot time in HTML format and open it with IE.
wmic startup list full /format:hform > startup.html
(/format:htable produces a single table instead of one form per entry; either opens in a browser.)
7. List all services and see if malware.exe or any suspicious file is running as a service.
wmic service list brief
Using the process described, malware.exe is not shown, but it is possible to see My_Love.exe.
Lab 3: Part 3 Answers
This lab has the following questions:
1. What do you see when you click "Do a system scan only"? Take note of anything suspicious that will be loaded at boot time.
2. If a suspicious process is running, try to kill/terminate it. Describe the process used to kill the suspicious process using HijackThis.
3. If the process was successfully terminated, it is time to remove the malicious Registry entries. Using the tool, which function will allow you to remove the entries?
Because this is an interactive lab, the answers are included in the slides following the original Hands-on questions.
Lab 4: Part 4 Answers
1. Do you see any suspicious activity on the machine using both Process Explorer and TCPView?
If you keep TCPView open for a few moments, you will notice the machine attempting to connect to a remote website.
2. Which remote ports are involved?
80
3. Is it using any method to ensure that it will be loaded at boot time?
Yes, by running HijackThis it is possible to see it being loaded through an Autorun Registry key.
4. What can you use to clean its traces?
HijackThis can delete the entry if you check its box and select the Fix button. However, in some cases you first need to make sure that the malware is not running. The solution in that case is to rename the malware in its folder, reboot the system, and then run HijackThis to fix the entry.
5. Which folder is the suspicious file installed in?
On Windows 7, it is installed in the logged-on user's profile under AppData\Roaming\…
6. Can you delete it?
With TCPView you notice that the malware is making connections, but the process doing it is not the malware process; it is a Windows process called taskhost.exe. (Note that you might observe different behaviors on Windows 7 32-bit and Windows 7 64-bit.) This means that the malware injected its code into a legitimate Windows process to make it harder for the analyst to find it.
With the tools provided in the folder, you can find the autostart mechanism and the folder where the file is located.
After you delete the file, try to run HijackThis and remove the autorun entry. Then scan again.
7. Did the Autorun entry get removed?
No, which means that you need to reboot the system first.
Now reboot the system and try to remove the Autorun entry again.
Lab 5: Part 6 Answers
Because this is an interactive lab, the answers are included i n the slides f o l l o w i n g the original Hands-on questions.
Lab 6: Part 9 Answers
Because this is an interactive lab, the answers are included i n the slides following the original Hands-on questions.
Lab 7: Part 7 Answers
Because this is an interactive lab, the answers are included in the slides following the original Hands-on questions.
Remember that Rootkit_Detective, Panda anti-rootkit, and rku37300509 from the Part 7 course files do not run on Windows 7. They are included to help you build an arsenal of tools that may run on different Windows versions.
Lab 8: Part 7 Answers
Because this is an interactive lab, the answers are included i n the slides f o l l o w i n g the original Hands-on questions.