SEC501.5: Malware [A12_02 ed.]

SEC501.5: Malware Analysis Overview Malicious software is responsible for many incidents in almost every type of organiz

231 63 29MB

English Pages 376 Year 2016

Report DMCA / Copyright

DOWNLOAD PDF FILE

Recommend Papers

SEC501.5: Malware [A12_02 ed.]

  • 0 0 0
  • Like this paper and download? You can publish your own PDF file online for free in a few minutes! Sign Up
File loading please wait...
Citation preview

SECSOl

| A D V A N C E D SECURITY ESSENTIALS - ENTERPRISE

DEFENDER

Malware

THE MOST TRUSTED SOURCE FOR INFORMATION SECURITY TRAINING, CERTIFICATION, A N D RESEARCH | s a n s . o r g

Identifying and Removing Malware

All Rights A12 02 and R e m o v i n g Malware

This page intentionally left blank.

© 2 016

Pedro

1

Course Outline (1) Our training will focus on two parts:

Using Microsoft Windows basic built-in CLI tools •

Using Microsoft Windows Advanced built-in CLI tools •

Using Microsoft Windows built-in GUI tools II





Using external tools to fight BHO •

Using Microsoft Windows external tools •

Fighting rootkits •

Using Network-based tools to identify malware traces Using online resources to get help Identifying and Removing

Course Outline Identifying and Removing Malware One o f the biggest challenges facing an enterprise environment today is to make sure that a l l its lines o f defense are actually effective against new threats. Sometimes, even w i t h several lines o f defense such as firewalls, Intrusion Detection Systems (IDS), Intrusion Prevention Systems (IPS), antivirus gateways, host-Based firewalls, and host-based antivirus programs, a new threat may be occurring i n one or more machines i n the networked environment.

Using the B u i l t - i n Tools

I t is important that companies understand h o w to properly use certain tools that are already installed i n your system b y default, both command-line interface ( C L I ) and graphical user interface ( G U I ) tools.

There are three types o f b u i l t - i n tools: • •

Basic Advanced

• GUI

Basic tools such as D i r , Netstat, tasklist, taskkill, and are easily accessed because they are usually somewhere along the W i n d o w s path environment variable. Advanced C L I tools such as W i n d o w s Management Instrumentation Command Line, or simply W M I C , (an interface for the Windows Management Instrumentation) enables useful queries to be done o n the system to assist i n fighting malicious code. The basic G U I tools are utilities available i n Microsoft W i n d o w s , w h i c h help to track d o w n malware programs and remove them.

2

© 2 016

Pedro Bueno

Course Outline (2) Our training will focus on two parts:



Using Microsoft Windows basic built-in CLI tools •

Using Microsoft Windows Advanced built-in CLI tools •

Using Microsoft Windows built-in GUI tools

Part I I •

Using external tools to fight BHO



Using Microsoft Windows external tools •

Fighting rootkits •

Using Network-based tools to identify malware traces •

Using online resources to get help Identifying and Removing Malware

II A d d i t i o n a l tools exist and can be included i n our toolkit to identify and remove malware infections. These tools include B H O Tools Microsoft External Tools Rootkit Detectors A P T Style R A T (Remote Administration Tool) N e t w o r k Based Tools Online Resources F r o m "Browser Helper Objects" (BHOs) to rootkits, programs are available to help y o u determine the causes o f unexpected activity on your network. A Browser Helper Object is a D L L that allows developers to customize and enhance Internet Explorer. W h e n installed the B H O has access to a l l the events and properties o f the browser session. Rootkits are nasty pieces o f software that become so tied into the operating system that sometimes i t m a y be better to do a complete reinstall o f the system. Since we could see a lot o f target attacks usually referred to as Advanced Persistent Threats ( A P T ) . M o s t o f these attacks were performed w i t h the help o f the Remote administration tools, also k n o w n as R A T s , such as Poison Ivy, GhOst, and DarkCommet. Some malware m a y generate network activity, such as downloading an external component, posting information, connecting to command and control servers, etc. Packet capture trace tools help to identify this type o f traffic. M a n y additional resources exist on the Internet, providing tools and utilities that can help analyze malware and give y o u tips about where to look for i t o n your system.

Pedro Bueno

3

Tools for This Module • Dir: Windows built-in tool • Netstat: Windows built-in tool • Findstr: Windows built-in tool • Tasklist: Windows built-in tool • Taskkill: Windows built-in tool

Identifying and

Malware

Tools for This Module W i n d o w s b u i l t - i n tools include:



dir •

netstat •

findstr •

tasklist

• taskkill

W i n d o w s comes complete w i t h some o l d tools as w e l l as some new ones that have been added i n W i n d o w s X P and 2003. W i n d o w s 7, w h i c h is the base operating system o f our training, has all these tools. Using some new tricks w i t h the good, o l d D i r command, recently updated options o f Netstat, and understanding how i t can be usefiil for us, and some not so common C L I tools such as Findstr, Tasklist and Taskkill may help us get to the bottom o f a pesky malware problem. These tools are available at the command prompt, good o l d D O S . Each tool has a set o f options available, w h i c h can be listed b y using the /? switch. Sometimes, this is all y o u have to help y o u identify and remove malware infections on a system.

A l l o f these tools are n o w available on W i n d o w s 8, W i n d o w s 7, W i n d o w s X P , 2003, and Vista, and, some o f them were added i n resource kits for W i n d o w s N T and W i n d o w s 2000.

Pedro Bueno

Some Definitions and Terms • CLI: Command-line interface • GUI: Graphical user Interface •

WMIC: Windows Management Instrumentation Command Line • BHO: •

Browser Helper Objects

Key: Registry Key Identifying and Removing Malware

Some Definitions and T e r m s

C L I (Command L i n e Interface) •

G U I (Graphical User Interface)



W M I C ( W i n d o w s Management Instrumentation Command Line) •

B H O (Browser Helper Objects) •

K e y ( W i n d o w s Registry Keys)

I f the terms o n this page are not already part o f your day-to-day vocabulary, they w i l l be soon. They are critical tools and components o f the W i n d o w s operating system and w i l l be helpful as y o u begin to analyze and evaluate machines.



C L I ( C o m m a n d L i n e Interface): These are tools that are b u i l t - i n to W i n d o w s and that can easily he accessed from the D O S prompt (for example, dir, del, and such). •

G U I (Graphical U s e r Interface): These are tools that are accessible through W i n d o w s and use graphical elements such as w i n d o w s , icons, and buttons and allow the use o f a mouse for point-and-click navigation (for example, Regedit, TaskManager, and Windows Explorer). •

W M I C (Windows Management Instrumentation C o m m a n d L i n e ) : A powerful extension o f regular W i n d o w s C L I . Introduced on W i n d o w s X P and 2003, i t offers a powerful range o f tasks and has its o w n query language, called W Q L .

Pedro Bueno

B H O (Browser Helper Objects): Since Internet Explorer 4.x, developers got an opportunity to create special applications that can be loaded together w i t h the browser and have almost complete control over Internet Explorer. These help monitor activities such as download attempts and calls to a downloader manager. B u t these are also used b y malware to monitor browsing sessions, U R L s , passwords, and so forth. A l t h o u g h the term B H O applies to Internet Explorer only, y o u can the same type o f objects i n other browers such as Chrome or Firefox.

K e y (Windows Registry keys): Stores operating system settings, options, and most software and hardware used by the operating system (OS). Malware programs often change some o f these settings to hide themselves or to disable various operating system functionalities.

© 2 016

Pedro Bueno

Background (1) We can define malware as malicious software that performs actions that are not wanted/expected by the computer owner. The malware can: • Have a control channel • Replicate itself • Have network activities • Be installed silently • Be attached to another binary ...or not! © I d e n t i f y i n g and R e m o v i n g

Background (1)

Warm-Up Before starting w i t h the tools, y o u need to understand some o f the typical behavior o f malware and the tricks used b y some malware when installed on a computer, such as h i d i n g itself or configuring the system to load the malware every time the system boots, and the usual places that malware hides. This understanding can help y o u to determine the type o f malware y o u are dealing w i t h .

A malware program can be described as malicious software that performs actions that are not wanted or expected by the computer owner. I t can present different behaviors depending on its purpose. Today's malware falls into the following behavioral categories:





Control channel: This is the typical behavior o f B o t programs, robot programs that are controlled by a malicious third party. I t connects to a remote server, usually an Internet Relay Chat (IRC) server, to receive instructions such as scanning for vulnerable machines on the network, searching for documents on the hard drive, and more. A lot o f recent use H T T P as a command and control mechanism or even other Peer-to-Peer (P2P) protocols. •

Install as add-on or plug-ins from shareware applications and display unwanted advertising: A lot o f "free" applications w i l l install unwanted extensions and/or plug-ins for browsers. •

Replicate: Malware can copy itself to different folders/locations w i t h i n the OS and hard disk. These folders can be, for example; P2P shared folders, folders w i t h a random name, or may use names o f popular things such as a rock star video. Generate network activity: I t is typical behavior for a w o r m to infect a machine and then go looking for other machines to infect that have a similar vulnerability. The network traces for these worms can be similar to a Bot. The difference being a w o r m typically doesn't have a control channel whereas a Bot does.

© 2 016

Pedro Bueno

7

InstaUed silently: The binary may be installed silently, w h i c h means that when y o u try to run it, such as b y double-clicking i t , nothing visible happens. Or i t may use a deceptive trick, like opening a file in notepad or displaying a picture to hide the real intent, w h i c h is to install the malware i n the background.

Attached to another binary: This is a typical parasitic behavior whereby the malware attaches itself to other legitimate programs on the computer. For example, it can attach itself to the Notepad application notepad.exe, and while the notepad program still works as wanted, i t also performs other actions defined b y the malware author.

© 2 016

Pedro Bueno

Background (2) • Basic behavior of most malware: • Using the Windows environment and tools to hide itself: • Like using Attrib.exe • Adding itself to selected Registry keys so that it will reload on reboot • Copy itself to different directories to avoid "eye" detection! Identifying and R e m o v i n g Malware

Background (2) M o s t malware attempts to keep running undetected on a system for as long as possible, sometimes using the o w n system environment and its tools to accomplish it. I t uses various methods to avoid detection and makes removal extremely difficult. One clear example o f how effective some malware is at hiding is by looking at the w o r l d o f botnets. O n some communication channels that are used for command and control o f the bot malware, i t is possible to see the bots reporting their status as shown here: [17:11] [ M A I N ] : Uptime: 2d [17:11] [ M A I N ] : Uptime: Od 7h [17:11] [ M A I N ] : Uptime: 23d 8h 10m. [ M A I N ] : Uptime: Od 8h 8m. The third entry shows that a bot malware has been running on a machine for more than 23 days, presumably without detection by the machine owner! To achieve this objective malware tends to use some basic techniques. One trick being utilized is scripting to mask the software after installed b y changing the physical appearance o f the file i n the directory structure. A simple script may call the C L I tool attrib.exe to change the attributes o f the malware, such as:



Attrib.exe +h To put the filename.exe i n hidden mode and avoid i t being shown w h e n listing directories w i t h the dir command.

Pedro Bueno

9



Attrib.exe +r Jilename.exe: To put the Jilename.exe the del command. •

Attrib.exe +s Jilename.exe: To put the Jilename.exe i n System mode, preventing i t from being shown when listing directories w i t h dir and avoiding deletion w i t h del command.

in

mode, avoiding deletion w i t h

A l s o , most malware change some Registry keys to activate what may be termed the " I ' l l be back" mode. This means they have to make sure that w h e n the user reboots the machine, the program w i l l be loaded again.

A n d as a last common behavior, y o u can have multiple copies o f it i n different directories, always referenced i n the Registry keys. B u t i n almost 99% o f cases, the most common directory used b y malware is the windows\system32 folder, w h i c h is always i n the path for the user.

I n addition, they also t r y to use rootkits, w h i c h y o u learn more about later.

10

© 2 016

Pedro Bueno

Background (3) Most frequently used Registry keys: • • • •

Identifying and Removing Malware

Background (3) Windows Registry K e y s The W i n d o w s Registry stores operating system settings and options and settings for most software and hardware used b y the OS. These options control the behavior o f the computer hardware and software both at system startup and during system operation. M a n y programs that are started at boot time are configured using Registry keys. For example, y o u may have a Registry key w i t h the name ITunesHelper, and the value o f the key could be Files\iTunes\iTunesHelper.exe. W h e n malware infection takes place on a computer, entries or modifications may be made to those keys that allow the malicious program to take control o f the computer. Using Regedit.exe, the Registry editing program that comes w i t h Windows, y o u can quickly determine applications that are running at system startup b y checking the entries i n the locations described here. For the newer version o f W i n d o w s ( X P , 2003, Vista, and 7 ) 1 the following four keys can perform this action: • • • • On Windows 7, the standard user does not have permission

to run

from

For older versions o f Windows Microsoft specifies seven Registry keys that make software run automatically when the system starts, ensuring the " I ' l l be back" mode.

Pedro Bueno

• • • • •

RunServices



RunServicesOnce •

© 2 016

Pedro Bueno

Background (4) Most frequently used directories: • %windir% (\windows\) • %systemroot%\system32 (\windows\system32\) • \Documents and Settings\\StartMenu \Programs\Startup • \Users\\AppData\Local\ (Windows 7)

Identifying and Removing

Background (4) Most Frequently Used Directories M o s t malware programs tend to copy themselves to the W i n d o w s and/or Windows\System32 directories. The main reason for this is that these directories are i n the users P A T H environment variable, and the programs can be started or r u n without having to be i n the actual directory. This means that most o f the time y o u can

the

malware program b y searching those directories for anomalies. This is not always the case, o f course, and malware can reside i n any folder and can be accessed either b y adding the folder to the P A T H environment variable or b y referencing the malware application w i t h a complete path such as

malware

folder\bad_app.exe

Another option that the malware author has is to use the computer startup folder to initiate and

the program

each time W i n d o w s starts. A l l files or shortcuts that are i n the startup folder w i l l be executed each time Windows starts. The folder is usually at:

\Documents and

One disadvantage to the malware author is that i t is visible b y looking i n Start

Programs

StartUp. This is

probably w h y this is the least preferred o f the methods used. This folder has the same meaning as the " I ' l l be back" mode Registry keys because a l l programs i n i t w i l l be loaded each time the user logs i n to the system.

© 2 016

Pedro Bueno

1

Preparing the Environment (1) • Turn on VMware • Disable Windows Defender • Open the training CD and copy course.exe to the VMware Windows 7 desktop • Course.exe

Options

fcy

to

j

j

Identifying and R e m o v i n g Malware

Preparing the Environment (1) I n this step, you prepare the training environment. There are just a couple o f steps i n this phase:

Turn on your 2.

Load the W i n d o w s Image that y o u

3.

Disable W i n d o w s Defender: • •

C l i c k the Start Button, type "Windows Defender," open it, click on Tools, and then click Options. Go to Administrator options and the box "Use this program."

14

This step is necessary to run some o f the exercises that have real malware code.

4.

Open the training C D that y o u received and copy course.exe to the V M w a r e Windows 7 desktop.

5.

Double-click course.exe

to complete the extraction o f the files needed for the training.

© 2 016

Pedro Bueno

Preparing the Environment (2) • Create a Snapshot of your clean Windows 7 install and call it Clean7 • Important: Run both tools and malware as Administrator • Remember that the answers for all hands-on labs can be found in the end of the module. Identifying and Removing Malware

Preparing the Environment (2)

6.

Create a Snapshot o f your clean W i n d o w s 7; install, and call i t Clean7.

7.

O n the V M w a r e menu, select V M , Snapshot, and then select the Take Snapshot option.

These steps prepare your system so you can follow the examples demonstrated i n the course.

Important: W h e n a malware gets installed on the system, i t may be installed as Administrator. I t depends on several aspects, such as the use o f exploit, elevation o f privilege, etc. For this reason, to m i m i c the worst scenario, y o u always run the malware as Administrator. The same rule applies for the tools y o u use to get most o f them; y o u also run them as Administrator.

For the command-line tools, y o u open the CMD.exe as Administrator as w e l l .

For CMD.exe, click Start - > Type C M D on the search box. Right-Click the C M D . e x e and select Run as Administrator.

For Tools and Malware: Right-click and select R u n as Administrator.

A l l answers for the Hands-On Labs can be found i n the last section o f today's module i n the section "Hands-On Answers."

© 2 016

Pedro Bueno

1

Using Windows Basic Built-in CLI Tools to Identify and Remove Malware

Identifying and Removing Malware

Using Windows Basic B u i l t - i n C L I Tools to Identify and Remove N o w that we have identified some o f the behaviors and tricks used b y most malware programs, we look at h o w to use the basic DOS tools to assist i n identifying the malware and removing it. The basic C L I tools are already installed i n your system. These tools D i r , netstat, tasklist, taskkill and findstr, can help us track down malware w h e n i t has damaged the W i n d o w s interface, and the only w a y to boot the computer is i n Safe Mode Command Prompt Only. I n this mode, the G U I tools are unavailable so a l l that may be available is the Basic C L I tools.

16

© 2 016

Pedro Bueno

MS Windows CLI Tools: DIR (1) • Introducing: Dir • Basic function: List files and directories • Old time tool! • Introduced on DOS 1.0 in 1981! • Still a valuable tool for looking for files!

I d e n t i f y i n g and R e m o v i n g Malware

M S Windows C L I Tools: D I R (1) Remember dir? Yes, i t is an o l d t o o l introduced w i t h the first version o f D O S , i n The basic purpose o f the dir command is to show the files and directories on a system. This command is still one o f the most-often used C L I tools. M o s t people use i t to show only the basic characteristics o f the files i n a specific date, time, length, filename, and < D I R > i f i t is a directory. For example:

01/16/2012 04:16 P M

pedro

AM

Public

07/03/2011 0 File(s)

0 bytes

4 Dir(s) 206,438,273,024

free

W h e n y o u make use o f the different options i t offers, i t can search for files flagged as Hidden or System. These attributes are often used b y malware programs and may be indications o f a malware program installed on the system. A s y o u w i l l see, there are some helpful options and switches that can be used w i t h the dir command to provide some valuable information about the characteristics o f the files listed.

©2016

Pedro Bueno

17

MS Windows CLI Tools: DIR (2) • More options on DIR: • • • •

/a: show files with attributes -Useful and you can search the entire hard drive /s: Scans the current directory and all subdirectories /o: Sort the way the files display. I like the /0:d option, which sorts by date, so you can see the last files added! /t: sort by (Creation, Last Access, Last Written). It is also useful to use with scripts and finds recently accessed files!

Identifying and

Malware

M S Windows C L I Tools: D I R (2)

More Options on dir I n addition to the regular and common usage o f the dir command, i t also offers some more advanced and useful options that can make your life easier w h e n looking for suspicious files. There are many •

options:

/a: W i t h this option, used i n combination w i t h a and the file attribute y o u are looking for, it also lists the files that have any attribute set such as hidden files (a:H", read-only files (a:R) and system files (a:S). Some malware can set the attribute o f files as hidden, + h , to hide files from a normal dir listing. Using this option, y o u can list all files regardless i f an attribute is set. Example: dir /a:R lists the files that are read-only



Is: This option enables y o u to search for a file i n a recursive way. This means that i t searches for the requested filename i n the current directory and a l l subdirectories. So, i f y o u are on the root o f C:\ i t searches for the file i n all the folders and subfolders o f the C drive. Example: dir * . d l l /s searches for all files i n the target folder and all its subfolders and that have an extension



18

/o: The sort option offers different ways to sort the w a y the files display. I prefer to sort b y date. This allows me to see the last files added, w h i c h makes i t easy to spot recently added files.

© 2 016

Pedro Bueno



It: I f y o u want to k n o w w h e n a file was last accessed, y o u definitely need this option. I t can show when a file was last accessed or created, for example:

putty.exe

Results in the following

being

displayed:

Volume in drive C has no label. Volume Serial Number is xxx-xxxx

Directory

of C:\

05/06/2007

20:01 421.888

bytes

0 Dir(s)

bytes free

C:\dir /t:c putty.exe

Results in the following

being

displayed:

Volume in drive C has no label. Volume Serial Number is xxx-xxxx

Directory

05/22/2006

of C:\

21:13 421.888

0 Dir(s)

bytes bytes free

T o find out what other options are available w i t h this helpfiil DOS command, y o u can get a complete list b y using the /? switch.

C:\>dir/?

Pedro Bueno

Uncovering Hidden Files with DIR • Good old Dir • Looking for something new! • CD c:\windows\system32 • DIR/0:d DIR/0:d/a 01/03/2013 01/03/2013 01/03/2013 01/03/2013 01/04/2013 01/04/2013 01/04/2013

08:15 08:21 08:21 11:29 03:17 11:33 02:46

PM PM

PM AM AM PM

Tasks 1,221,389 64,858

02:46 PM 02:47 PM 80 60

PFRO.log inf

.

Prefetch 17,055,359 bytes 206,424,956,928 bytes

01/03/2013 01/03/2013 01/03/2013 01/03/2013 01/03/2013 01/04/2013 01/04/2013 01/04/2013 01/04/2013 01/04/2013 01/04/2013 01/04/2013

PM PM 08:21 PM PM 11:29 PM 03:17 AM 11:33 AM PM PM PM 02:48 PM 02:48 PM 83 64

537,108 PFRO.log

Tasks 133,644

. ..

17,257,336 bytes bytes free

Identifying and Removing Malware

Uncovering Hidden Files with D I R

O l d and Good dir W h e n a malware program is installed o n the system, i t can use some techniques to hide itself from detection such as using the attrib.exe tool. W h e n using the dir command w i t h the different switches, y o u can sort the directory v i e w b y date (dir / 0 : d ) , w h i c h shows the oldest first, making it easy to see the latest files added to that directory. Y o u can combine sorting b y date w i t h other attribute filtering such as:

(hidden) dir / 0 : d /a:s (system file) dir / 0 : d /a:r (Read-Only)

A s shown i n this example, using dir / 0 : d /a i t is possible to see that the mal.exe was recently added on the system and that i t was not visible using the plain dir command o n the left versus using the /a option i n the second dir command (example o n the right). That makes i t suspicious!

20

© 2 016

Pedro Bueno

MS Windows CLI Tools: Tasklist (1) • Introducing: Tasklist.exe -Basic function: List running processes on a local or remote system -Introduced in Windows XP -Useful to list applications when you have limited GUI access to the system, such as malware that blocks access to some GUI tools Identifying and Removing Malware

M S Windows C L I Tools: Tasklist (1)

Introducing tasklist.exe The program tasklist.exe is a great C L I tool added i n Windows X P and is present i n W i n d o w s 7 and 8. W i t h this tool i t is possible to list the standalone processes and services running on the computer directly from the DOS prompt, even remotely.

Remember that malware can be running on your computer as:



A single process • M u l t i p l e processes •

A service •

Injected into an existing, legitimate process or service

© 2 016

Pedro Bueno

MS Windows CLI Tools: Tasklist (2) • More options of Tasklist: •

/v: for verbose info. Useful because you can get extra information such as and the Window Title of the process •

/svc: Shows the services as well. A lot of times a malware can be executed as a service instead of a simple process!



/fi: Perhaps the most powerful option. It enables you to filter by any specified information shown with the /v option like Status,Imagename, Services, and Modules. And can be used with operators such as eq, ne, gt, It, ge and •

For example, to list any process in which the username is not equal to "NT Authority System" and the PID is greater than 2000, you could use: TASKLIST /FI "USERNAME ne NT /FI "PID gt 2000" Identifying and R e m o v i n g Malware

M S Windows C L I Tools: Tasklist (2)

Using Options with tasklist.exe Tasklist is a powerful t o o l that enables y o u to combine different options to get the information that y o u need about the programs, processes, or services running on the system.

The tasklist.exe program has several built-in operators for filtering the information: • E q : equal •

Ne: not equal •

G t : greater than L t : less than



Ge: greater than or equal •

L e : less than or equal

Some other options: The filtering option: Enables y o u to filter the output based on username, that is: •

Tasklist /svc •

" U S E R N A M E eq pbueno"

This command lists a l l processes that are running w i t h the username o f pbueno

The format option allows y o u to get the output i n the default 'table', The

w i l l show something like: •

22

or list format:

"tasklist.exe","2280","N/A": respectively process, P I D , Service

© 2 016

Pedro Bueno

The list w i l l show something like: Image Name:

tasklist.exe

PID:

2280

Services:

N/A

To find out what other options are available w i t h this helpful D O S command, y o u can use the /? switch to get a complete listing.

C:\>tasklist/?

Pedro Bueno

23

MS Windows CLI Tools: Tasklist (3) Introducing: tasklist.exe •

On a previous slide we saw that a new file was found. Now, let's see if it is running on the system. •

Basic raw usage gives you the Image Name, Process ID, Session Name, Session ID, and Memory usage:

Image Name

PID

System Idle Process

0

Session Name

Mem Usage

Console

28 K

Console

K

3332

Identifying and R e m o v i n g Malware

M S Windows C L I Tools: Tasklist (3)

Introducing Tasklist.exe Entering the command tasklist.exe w i t h no options lists the Image Name (program), Process I D (PID), Session Name, Session*, and the amount o f memory i n use b y the program ( M e m Usage). The good thing is that y o u can see all running processes on the machine. The downside is that y o u can easily get lost w i t h the amount o f information provided to you.

A better solution ( i f y o u already k n o w the specific filename that y o u are looking for) w o u l d be:

tasklist /svc / f i "imagename eq mal.exe"

This w o u l d give information related to only the processes that are running as a result o f the program specified. I n this example, i t shows the mal.exe file w e found i n the directory is running and has the process I D ( P I D ) o f 3332.

24

© 2 016

Pedro Bueno

MS Windows CLI Tools: Netstat and FindStr • Introducing: Netstat.exe •

For protocol statistics and listing TCP/IP connections • Useful options added in Windows XP version of Netstat • Now it's possible to see the process ID associated with a connection

• Introducing: Findstr.exe • Allows searching for text strings in files • Introduced in WinNT 4.0 Resource Kit • Native to Windows 2000 and later

Identifying and Removing

M S Windows C L I Tools: Netstat and F i n d S t r

Introducing netstat.exe and findstr.exe T w o additional tools that may be o f value i n tracking d o w n malware programs are Netstat and Findstr.

Netstat is a useful tool i n the U N I X w o r l d , and over the past years i n the W i n d o w s w o r l d as well. I t helps y o u to identity the established network connections, as w e l l as the ports and protocols your machine is serving to the outside w o r l d and locally.

Findstr is another interesting application that was added since W i n d o w s 2000. This application is equivalent to Grep i n the U N I X w o r l d . I t is useful when searching for specific strings inside o f files, as w e l l as for searching the output information generated b y other applications.

© 2 016

Pedro Bueno

Useful Options of Netstat •

More options with Netstat: •

-a: Shows you all running processes, which is what you want to see most of the time



-n: Does not try to resolve names. It is faster, and if you are in a hurry, is the option that you want to use •

-o: Cool option added on recent versions of Windows XP, Vista, and 7. It also displays the Process ID (PID) associated with the connection. Useful to track any suspicious process

Identifying and Removing Malware

Useful Options of Netstat

Using Netstat and Its Options When using netstat, two o f the most used options are

• •

-a: The most common option shows y o u a l l the processes and enables y o u to see a l l the connections on your machine. -n: This option displays the addresses and port numbers i n numerical format. I t also displays the information faster because i t doesn't have to resolve the IP to D N S names. I f y o u are i n a hurry, this is the option that y o u want to use.

So using these options y o u w o u l d have an output that looks something like:

Proto Local Address

Foreign Address

TCP

0.0.0.0:0

0.0.0.0:80

State LISTENING

This indicates that there is a process/application listening on port 80, but y o u don't k n o w w h i c h one i t is.

One missing option on Netstat prior to Windows X P that was present i n the U N I X version was the ability to see the process I D associated w i t h the connection. I n the U N I X version the switch - p w o u l d show a l l associated processes. Starting w i t h Windows X P , Microsoft decided to add this as a Netstat option as w e l l . N o w using the - o option, i n Windows, allows y o u to see w h i c h process I D ( P I D ) is associated w i t h that connection. This option is still v a l i d i n W i n d o w s 7 and 8.

26

© 2 016

Pedro Bueno

Another useful option is the - o option. This option according to the Netstat help:



-o: Displays the o w n i n g process I D associated w i t h each connection.

So the output o f netstat - a o n w o u l d result i n something like:

Proto

L o c a l Address

TCP

0.0.0.0:80

Foreign Address 0.0.0.0:0

State LISTENING

PID 1832

N o w y o u can do a specific query w i t h task list, as discussed earlier, and identify this process!

To help

out what other options are available w i t h this helpful D O S command, y o u can get a more by using the switch.

C:\>netstat/?

© 2 016

Pedro Bueno

Using Findstr to Search the Output • More options with findstr: •

The simple usage of findstr is already useful, for example, to search for "URL" inside the mal-strings.txt you simply use: Findstr "URL" mal-strings.txt



findstr can search for strings directly from the output of another application like this: Dir | findstr •

Shows you all files that have the string

in the filename.

-i option makes it case-insensitive: Dir | findstr - i "mal": Displays both MALware.exe and malware.exe

Identifying and Removing Malware

Using Findstr to Search the Output

Using findstr.exe and Its Options I f y o u have a large text simply do:

and want to k n o w i f there is a string

C:\ more

inside this text

y o u can

| findstr " U R L D O W N L O A D "

This command shows a l l instances o f " U R L D O W N L O A D " that appear i n the

Maybe the best usage o f findstr is the ability to use i t to search the output o f the information generated b y another application, such as:

| findstr "malware.exe"

I n this example, the output from the dir /s command w i l l be sent as the input to the findstr command, w h i c h then searches for filenames that have "malware.exe" i n their name!

To make i t

To help

just add the - i (or / i ) and i t is done!

out what other options are available, w i t h the helpful little DOS command, y o u can get a more complete b y using the /? switch:

/?

28

© 2 016

Pedro Bueno

Netstat and FindStr Together • • •

Introducing: netstat.exe and findstr.exe On previous slides, we noticed that a suspicious file was running on the system. Our next step is to identify if it has any kind of network traffic associated with it. Using netstat with options -ano and findstr, it is possible to query for our specific process ID (3332): C:\netstat -ano

findstr 3332

Proto

Local Address

rCP

192.168.0,12:1081

Foreign Address xxx.34.124.34:6667

State

PID

ESTABLISHED

3332

and

Malware

Netstat and FindStr Together

Using Netstat.exe and Findstr.exe A s we have discussed, y o u can use a combination o f netstat and findstr to the information y o u need to track d o w n a process. Y o u have already found the process I D (PID) o f the running process, a netstat listing o f the process IDs o f all connections and a findstr to show only the process I D . That information is then quite useful to speed up the process o f finding the malware!

I n this case, y o u can see that the suspicious process had an established connection w i t h a foreign address o n remote port 6667! This makes this process even more suspicious because 6667 is the common port for the I R C service and is w i d e l y used by hots and botnets! This fact can lead to further investigation leaning i n the direction o f an bot infection.

Pedro Bueno

MS Windows CLI Tools: Taskkill • Introducing: Taskkill.exe • Basically used to end a running process id (PID) or image name, forcefully or not • Introduced on Windows XP • Can be used remotely -> Run the CMD.exe as Administrator! Identifying and Removing Malware

M S Windows C L I Tools: T a s k k i l l

Introducing Taskkill.exe N o w y o u can query the system and get a l l the information regarding a malicious process such as the image name and/or process I D ( P I D ) ; however y o u still lack a w a y to terminate i t . I n the U N I X w o r l d whenever y o u want to terminate a process, forcefully or not, y o u can use an application called k i l l .

Microsoft decided to create a similar useful tool and introduced Taskkill i n W i n d o w s X P . This C L I tool makes it possible to k i l l standalone processes and/or services running o n both the local computer and on a remote computer i f y o u provide the proper domain username and password.

A s w i t h many o f the commands executed i n this course, i t is recommended that y o u open the command prompt as Administrator. To do this on W i n d o w s 7, go to start, type on the search box, and wait for i t to appear on the search results. N o w , right-click and select R u n as Administrator.

30

© 2 016

Pedro Bueno

Killing Processes and Services with Taskkill • More options on taskkill: •

A "tasklist" to kill processes: Basically, same options as tasklist, but to kill a process



Nice option to choose to kill by Process ID (PID) number or ImageName! •

Can also use operators: • eq, ne, gt, It, ge, and le • And kill with a combination of Status,Imagename, PID, Session,SessionName, CPUTime, Username, Services, and Modules •

Most common usage: • Kill by PID: taskkill /PID 2000 • by ImageName: taskkill

Identifying and Removing Malware

Killing Processes and Services with T a s k k i l l

More T a s k k i l l Options One o f the basic features o f this program is the ability to k i l l a process/application using either the Image Name (that y o u get from tasklist, for example) or b y process I D (PID). taskkill.exe taskkill.exe

malware.exe 1234

But i t also allows y o u to combine different filtering options to k i l l the exact process using both operators like: E q : equal Ne: not equal Gt: greater than L t : less than Ge: greater than or equal L e : less than or equal .. the regular filtering names such as Status, ImageName, P I D , Session, CPUTime, M E M U s a g e , UserName, Modules, Services, and W i n d o w T i t l e .

© 2 016

Pedro Bueno

So y o u could get a command like:

TASKKILL

putty.exe — Force to

k i l l the process w i t h image name putty.exe

TASKKILL " I M A G E N A M E eq putty.exe" — Force to filtering criteria where imagename equals putty.exe

k i l l a l l the

that match the

T w o different ways to k i l l the same process using the ImageName!

To find out what other options are available w i t h this helpful D O S command, y o u can get a more complete listing b y using the /? switch.

C:\taskkill.exe /?

32

© 2 016

Pedro Bueno

Taking Action • Taking action: • Recent file added on windows\system32 folder • The suspicious file is running on our computer • The suspicious process has an active connection to a foreign address on IRC port (port 6667)! So, it is time to take an action! I d e n t i f y i n g and R e m o v i n g M a l w a r e

T a k i n g Action I f y o u remember the steps followed so far, y o u can see that y o u have learned h o w to:

• Identify a recently added file on the system. •

See what is running on the system. •

See what has a network connection (on port 6667!).

Putting a l l these pieces together, i t may be necessary to stop this running process so that y o u can actually remove i t .

© 2 016

Pedro Bueno

Killing the Process with Taskkill • Introducing: taskkill.exe • To get rid of our suspicious process, you need to terminate it and all its related processes and threads •

To do this, you pass the PID as an argument to taskkill so that it can "kill" our suspect process: C:\taskkill.exe

SUCCESS: •

The process

/PID

3332

with PID 3332

/F

has been

terminated

The / F argument Is to force it to be terminated!

and Removing Malware

K i l l i n g the Process with T a s k k i l l

Using Taskkill.exe I n the previous slides, we identified the running process and got the process I D , (PID 3332). W e also learned that there is a tool i n W i n d o w s X P that allows the termination o f a process and/or service.

U s i n g taskkill w i t h the

C:\taskkill.exe

switch, w e can k i l l this process like this:

3332

SUCCESS: The process w i t h P I D 3332 has been terminated

To be sure that y o u are successful i n your attempt to stop the process, i t is recommended that y o u use the switch to force i t to be terminated. This allows the process to be terminated while the program is running, without getting a message that the process could not be terminated.

34

Pedro Bueno

Using Windows Basic Built-in CLI Tools to Identify and Remove Malware

Hands-on - Lab 1

Identifying and Removing Malware

Basic C L I Tools H a n d s - O n I n this module, y o u learn about some basic C L I tools provided o n W i n d o w s 7. Y o u can follow these examples on your V M w a r e W i n d o w s 7. To make i t possible, open the Course.exe on the desktop o f your V M w a r e W i n d o w s 7. Then, open the Part 1 folder, right-click the and select the option Extract A l l to extract the contents. Because i t was compacted w i t h a password, y o u w i l l he prompted to enter this password. A l l files on the C D are protected w i t h the password training, w h i c h y o u should enter w i t h o u t quotes. N o w open the new folder created, called and execute the as administrator. Go to the D O S command prompt and to the windows/system32 directory: ->

c:\windows\system32

Questions: H o w many files were added to the Windows System32 directory? (Tools o f interest: dir) 2.

A r e any o f them running? (Tools o f interest: tasklist) Can y o u identify any network connections associated w i t h those files? (Tools o f Interest: netstat)

4.

H o w can y o u k i l l that connection? (Tools o f interest: tasklist, taskkill)

© 2 016

Pedro Bueno

35

Identifying and Removing Malware Using Windows Advanced Built-in CLI Tools to Identify and Remove Malware

and R e m o v i n g Malware

This page intentionally left blank.

36

Pedro Bueno

Microsoft Windows WMIC • Introduced in Win XP Pro and Win 2k3 • Interact with Microsoft WMI (Windows Management Instrumentation) framework • No more complex scripts • WMI gives direct access to configuration and settings

Identifying and Removing Malware

Microsoft Windows W M I C

Introduction I f y o u are one o f those people frustrated w i t h not having a more advanced w a y to perform tasks at the Windows command line, y o u w i l l be happy to hear about W i n d o w s Management Instrumentation Command Line ( W M I C ) , w h i c h was introduced i n W i n d o w s X P Pro and W i n d o w s 2003. A l l the W i n d o w s advanced built-in C L I tools can be found i n one utility: W M I C .

I f y o u k n o w the U N I X w o r l d , y o u k n o w that y o u can have several scripting languages such as Python, T C L , and so on, so y o u can create scripts to perform various actions that y o u want. W i t h W M I , y o u can also create scripts to access configurations and settings, but Microsoft creates an easier w a y to do i t directly from the command line w i t h W M I C .

© 2 016

Pedro Bueno

37

Microsoft Windows • Introducing WQL: WMI query language! • ANSI-like query language • WMIC Console versus DOS prompt

Identifying and Removing

Microsoft Windows

Introducing W Q L N o w that y o u k n o w there is a more advanced way to perform tasks from the command line, y o u learn h o w this can he accomplished. I f y o u use the U N I X w o r l d example again, taking either Python or T C L , running the executable displays the version information.

Python example:

lab2:~# python Python 2.3.5 (#2, Oct 16 [GCC 3.3.5 (Debian 1:3.3.5-13)] on linux2 Type "help", "copyright", "credits", or "license" for more information.

»> T C L example: lab2:~# %

Those examples show the Python and T C L languages ways to access the console, and from the console execute the programs, which is pretty much what y o u w i l l do w i t h

38

Pedro Bueno

Windows WMIC: Console • Firing up WMIC console: w m i c • The WMI console prompt: • A simple /? switch gives you the help file • Unfortunately, Microsoft documentation is not informative about WMIC!

I d e n t i f y i n g and R e m o v i n g Malware

Windows W M I C : Console

I f y o u remember the previous slide, about the U N I X T C L and Python, y o u are familiar w i t h the w a y to call the W M I C tool. Simply typing W M I C at the D O S prompt gives y o u the W M I C shell, so y o u can start to use i t :

C:\Users\pedro>wmic wmic:root\cli>

Or i f y o u prefer y o u don't have to enter into W M I C console, just type on the Dos prompt: wmic as y o u w i l l see.

I prefer to use the console mode, but i f y o u like to use from the Dos prompt.

To get complete help, you can

or pipe, y o u may want to use it directly

use:

C:\wmic /?

This command w i l l generate a large output w i t h a lot o f helpful information for you.

Unfortunately, Microsoft doesn't provide adequate help information i n either its Help file or online. A s y o u can see at the Microsoft website, i t provides o n l y basic information about i t

© 2 016

Pedro Bueno

Remembering SQL • Query languages are usually intuitive • Simple basic ANSI-SQL s e l e c t query is powerful • No need to understand advanced SQL queries

Identifying

Removing

Remembering S Q L

S Q L Queries For people that never played w i t h databases, the SQL language may he a little difficult to use and understand. For this reason, y o u do not go into an advanced SQL example. Advanced S Q L is not needed to accomplish our basic tasks w i t h W M I C .

I n the example, imagine a fictitious database called Corporate that can have multiple tables.

Our boss w o u l d like to k n o w w h o inside the SANS organization has admin access to the system. A basic S Q L query o n the database can check the SANS table only and ask w h i c h users have the admin access field set. The resulting output w o u l d show the users that have A d m i n rights.

Our SANS table has the f o l l o w i n g fields:

Username

40

- The username used on the system

City

- Location o f the user

Date o f B i r t h

- User's date o f birth

E-mail

- U s e r ' s e-mail

Admin

- I f the user has A d m i n rights

© 2 016

Pedro Bueno

Our SANS table is populated w i t h the following data:

Username

| City | e-mail

of Birth | Admin

Jbrain

| Portland | [email protected]

|03/04/73 | no

Boston | [email protected]

| ok

| Washington | [email protected]

| ok

Norain

Then using the following, query on the preceding table:

>Select username from SANS where admin = ' o k '

w o u l d return the following information:

odeman

| Boston

| [email protected]

norain

| Washington

|07/10/78

| [email protected]

| ok | ok

This is a basic example o f SQL language but helps us to understand h o w the W M I C and W Q L applications work!

© 2 016

Pedro Bueno

Windows WMIC x Regular DOS Tools • Basic CLI tools versus WMIC/WQL T • asklist T • askkill

and Removing Malware

Windows W M I C x Regular D O S Tools

Basic C L I tools Versus W M I C can provide a number o f different actions to the user, such as the ones performed b y some o f the actions that y o u saw i n the previous module: listing the processes w i t h the tasklist.exe tool and terminating a process w i t h the taskkill.exe tool.

To better understand h o w W M I C works, we start w i t h a comparison between those standalone tools and

42

© 2 016

Pedro Bueno

Windows WMIC: An Advanced Tasklist Command (1) • The basic CLI tool tasklist shows the processes running on the machine • Listing processes running with WMIC: - While in the WMIC console, simply ask it to list the process in a brief way: list brief - This command shows the following fields: HandleCount, Name, Priority, and WorkingSet Identifying and R e m o v i n g

Windows W M I C : A n Advanced Taskkill C o m m a n d (1)

W M I C Versus Tasklist One favorite use o f W M I C is to list processes. I t can give y o u different ways to see a l l the processes running o n the machine. I n our example, we use the output view called brief, w h i c h shows the most important fields i n a malware analysis perspective, such as the name and P I D .

HandleCount

Name

0

System Idle Process

Priority Processld ThreadCount WorkingSetSize 0

0

1

28672

1936

System

8

4

78

253952

25

smss.exe

11

1412

3

372736

1061

csrss.exe

13

1508

13

5111808

533

winlogon.exe

13

1532

21

5795840

B u t there are other views o f listing the process, such as:



BRIEF •

FULL •

INSTANCE • •



MEMORY STATISTICS



STATUS •

SYSTEM

The syntax is the same, but instead o f brief, y o u can choose among the preceding ones. © 2 016

Pedro Bueno

43

Windows WMIC: An Advanced Tasklist Command (2) • As with most of WMIC commands, the processes can also be seen with WQL • To list all processes that have the name you could use: where l i s t brief

I d e n t i f y i n g and R e m o v i n g M a l w a r e

Windows W M I C : A n Advanced T a s k k i l l C o m m a n d (2)

W M I C Versus Tasklist I n this slide, y o u see how to query the system to list a l l processes that have the name svehost.exe and list them a b r i e f way:

Remember that there are t w o ways to get the W M I C commands to be executed; one is entering the w m i c console, typing wmic ; the other is simply adding the wmic w o r d before the command.

wmic:root\cli>process where name-svchost.exe' list b r i e f

HandleCount

Name

259

svehost.exe

8

1752

19

4747264

540

svehost.exe

8

1844

10

4153344

1980

svehost.exe

8

440

81

27172864

8

640

6

3387392

338

svehost.exe

8

1096

18

6955008

107

svehost.exe

8

1932

3

3182592

161

svehost.exe

8

812

5

3305472

134

44

Priority Processld

© 2 016

ThreadCount WorkingSetSize

Pedro Bueno

Windows WMIC: An Advanced Taskkill Command (1) • Using the taskkill.exe to terminate a process by name taskkill

/ f /IM " m a l . e x e "

• Using the taskkill.exe to terminate a process by Process ID (PID) taskkill

/ f /PID

• Using WMIC/WQL to terminate a process:

Identifying

delete

Removing

Windows W M I C : A n Advanced Taskkill C o m m a n d (1)

W M I C Versus T a s k k i l l I n this slide, y o u see how to terminate a process using the ImageName o f "mal.exe." To do exactly the same thing w i t h W M I C , ask i t to delete a process w i t h the specified P I D :

wmic:root\cli> process 584 delete Delete want to really terminate the process I D 584.

< - Here i t asks for confirmation

I f y o u press Y y o u get the following message: Deleting instance Instance deletion successful.

That means that y o u successfully terminated the process mal.exe!

© 2 016

Pedro Bueno

y
process where name='mal.exe' delete Delete y o u want to really terminate the process I D 584.

< - Here i t asks for confirmation i f

I f y o u press Y y o u get the f o l l o w i n g message: Deleting instance Instance deletion successful. Delete I f y o u press Y y o u get the f o l l o w i n g message: Deleting That means that y o u successfully terminated all the processes mal.exe!

46

© 2 016

Pedro Bueno

Windows WMIC: Listing Auto-Loading Programs (1) • Some programs modify Registry keys to allow a restart on reboot • This mode, called be back," may be complicated to identify • WMIC provides a way to query the system for all programs that will be loaded on each l i s t

f u l l

Identifying and R e m o v i n g

Windows W M I C : Listing Autoloading Programs (1)

Listing Auto-Loading Modules I n the previous module, y o u learned that some malware registers itself to ensure that the system runs i t i f the user decides to restart the machine. This is called " I ' l l be back" mode because even i f the user decides to reboot, thinking about i t as a cleaning mode, i t w i l l be executed again.

W M I C provides a w a y to query the system for w h i c h programs w i l l be loaded at startup.

I n the W M I C console, simply type:

list

This command generates a lot o f output. For learning purposes, w e use the Google Update example:

Caption=Google Update /c

< - the

command line to r u n this program Description=Google Update < - < - The registry key! SettingID=

© 2 016

Pedro Bueno

47

Windows WMIC: Listing Auto-Loading Programs (2) • Using the s t a r t u p l i s t

f u l l you get

a list of all startup programs in your system and even which Registry key it is associated with! • The fields: Caption, Command, Description, Location, and User

Identifying and

Malware

Windows W M I C : Listing Autoloading Programs (2)

Listing auto-loading Modules The startup command is interesting because y o u can see a l l the programs that w i l l be loaded o n the system, and in this case, y o u may want to r u n i t outside the W M I C console, so y o u can redirect the output to another to examine it later!

C:\Users\pedro>wmic startup list foil >

48

© 2 016

Pedro Bueno

Windows WMIC: Listing Auto-Loading Programs (3) • Text is good but what about a good html format? • WMIC provides different kinds of formats to work with • For example, to get an html formatted report, the command line will be wmic s t a r t u p l i s t

full

I d e n t i f y i n g and R e m o v i n g M a l w a r e

Windows W M I C : Listing Autoloading Programs (3)

Listing Auto-Loading Modules in Other Formats W h e n doing an analysis on a machine, y o u probably want to w o r k w i t h the data later, and sometimes text files can be quite hard to w o r k w i t h , especially i f there is a lot o f data.

W M I C provides the f o l l o w i n g formats to w o r k w i t h :

• • HFORM • HMOF • HTABLE • • LIST •

RAWXML

I f y o u decide to get a p l a i n C S V , y o u j u s t have to specify i t :

W m i c startup list full

I prefer the Table format

but y o u have to choose one that works i n your environment.

© 2 016

Pedro Bueno

Windows WMIC: Listing Auto-Loading Programs (4) Process List

List ft

Toois fcleJp ;

|

;.

-

:

[Name

I

126

..



(Caption

4436 11 4399104 fait

.

. -1 fitesUava\}re&\bin\Jusch«J.fci process.html

For the Startup list:

W m i c startup list

50

/format:hform : startup.html

© 2 016

Pedro Bueno

Windows WMIC Listing Shared Drives • Sometimes, malware tries to spread through shared drives • Identifying these shared drives is essential in determining possible infection vectors used by the malware • Net share usually shows you this information but WMIC can provide even more information and in different formats: wmic s h a r e l i s t

full

I d e n t i f y i n g and R e m o v i n g M a l w a r e

Windows W M I C Listing Shared Drivers Malware can behave i n different ways, as y o u saw previously. One way is copying itself i n all shares that i t can

I f y o u are trying to identify and track a malware, one usefiil w a y is to also identify w h i c h shares the computer has, so y o u can investigate further. One commonly used command is net share, w h i c h shows y o u the shares i n the f o l l o w i n g way: S h a r e name

Resource

C$

Remark

C:\WINDOWS

Remote Admin

C:\

Default

IPC$ The

Share

Remote I P C command c o m p l e t e d

Using W M I C , you can also use i t and export the output using one o f the several formats available. Y o u can choose between full or b r i e f description. The brief description shows y o u the same information as net share, whereas full can give y o u plenty o f details: Wmic s h a r e l i s t

full

© 2 016

Pedro Bueno

51

Windows WMIC: Listing Services (1) • How to identify and list the services on the machine after a malware registers itself as a service • Knowledge of services is essential • WMIC provides a comprehensive way to list those services: • wmic

service l i s t

full

• Always suspect blank or weird service descriptions

Identifying and

Windows W M I C : Listing Services (1)

It is interesting to note that sometimes malware can register itself as a service on the system. There is actually no accredited reason for this, but i t is k n o w n that a service is more difficult to terminate than a process, so this may be a reason.

Listing the services i n a friendly w a y is also essential to quickly identify a possibly malicious one.

To list a l l services w i t h full information i n h t m l format y o u can use

Wmic s e r v i c e l i s t

full

>

services.html

N o w y o u can open services.html i n your browser and look for suspicious services.

52

Pedro Bueno

Windows WMIC: Listing Services (2) A friendly way to see the services frobrarfc;

mam

Help v •

FALSE.

FALSE.

TRUE.

FALSE.

Provides support for out-of-process session states for Is stopped, out-of-process requests be FALSE. processed. this service Is disabled, any services that explicitly depend on it will fall to start..

State Service.

ASP.NET State Service.

Identifying and Removing Malware

Windows W M I C : Listing Services (2)

Listing Services in H T M L I n this slide, y o u can see an excerpt o f the H T M L output generated b y the W M I C command:

W m i c service list full

I n the graphic, note a service called ApacheServ. This can be suspicious because there is no web server on the machine and no description about it! For comparison, right below is the State Service w i t h a nice description.

© 2 016

Pedro Bueno

Windows WMIC: Listing Services (3) • As you will notice, in the output there are a lot of services but not all are running • It is interesting to determine which ones are actually running! • Again, we will use a SQL-like query to list only the running services: • w m i c

s e r v i c e

w h e r e l i s t

b r i e f

Malware

Identifying and

Windows W M I C : Listing Services (3) A regular computer w i t h W i n d o w s OS can have multiple services, but not all w i l l be running: only those specified by you, the administrator, or the default services.

T o get a cleaner v i e w o f the services, y o u may choose to list only those that are actually running, doing a simple query:

Wmic s e r v i c e

where

list

brief

W h i c h w o u l d give y o u a cleaner output like the raw format excerpt:

54

ExitCode

Name

Processld

StartMode

State

0

6to4

440

Auto

Running O K

0

ALG

3916

Manual

Running O K

0

ApacheServ

1300

Auto

Running O K

0

AudioSrv

440

Auto

Running O K

© 2 016

Pedro Bueno

Status

Windows WMIC: Manipulating Services • The ApacheServ service is suspicious so we would like to terminate it. Using WMIC is quite easy: • w mic s e r v i c e where delete Or stop it! • wmic s e r v i c e where c a l l stopservice •

Pretty much like terminating a process! and Removing Malware

Windows W M I C : Manipulating Services

Listing Services As y o u saw on the previous slides, the ApacheServ became suspicious for a number o f reasons. N o w , y o u have decided to terminate it. W M I C offers two ways to do it: The first way is using the common delete, as when terminating a process.



W m i c service where

delete

Delete

Y

Deleting

The second w a y is simply stopping it! Y o u already saw that i t was running, so b y preventing i t from running, y o u can stop the malware:

Wmic s e r v i c e

where name='ApacheServ'

Call

stopservice

Execute (Y/N/?)? Y

A n d i f you ask to list this service again, y o u get the information that i t was stopped:

where

© 2 016

list

Pedro Bueno

brief

ExitCode

Name

Processld

StartMode

State

0

ApacheServ

8080

Disabled

Stop

I f you decide to restart i t later, simply change the stopservice for startservice!

For a process, just change the "service" w o r d for "process."

C:\wmic process where name-'bad.exe" delete

© 2 016

Pedro Bueno

Status Pending

Degraded

Using Windows Advanced Built-in CLI Tools to Identify and Remove Malware Hands-on

Identifying

Malware

Advanced C L I Tools: Hands-on I n the Advanced C L I Tools Hands-On part, y o u start w i t h the following steps:

Revert the V M w a r e Windows 7 image to the Snapshot Clean7: V M - > Snapshot - > Select Clean7 2.

Open the folder Course on the V M w a r e W i n d o w s 7 Desktop. Open the Part 2 folder.

4.

Right-click the malware.zip password training.

and select the option Extract A l l to extract the contents. Enter the

5.

Double-click the n e w l y created folder called Malware.

6.

Right-click the malware.exe

and select R u n as Administrator.

Answer the following questions:

H o w can y o u start W M I C console? (Tools o f interest: cmd.exe, w m i c ) 2.

List a l l processes i n a b r i e f way. W h i c h command d i d y o u use? (Tools o f interest: w m i c w i t h the keyword process)

© 2 016

Pedro Bueno

57

3.

L i s t all instances

processes. W h i c h command d i d y o u use? (Tools o f interest: w m i c w i t h

the keywords process and where)

4.

5.

Use W M I C to k i l l all processes o f name malware.exe. (Tools o f interest: w m i c w i t h the k e y w o r d delete)

Check

is configured to start w h e n the computer reboots. (Tools o f interest: w m i c w i t h

k e y w o r d startup)

6.

Generate the list o f all processes that start on boot time i n the H T M L format and open w i t h I E . (Tools o f interest: w m i c w i t h keywords startup and format)

7.

L i s t all services and see

is running as a service as w e l l . (Tools o f interest: w m i c w i t h

k e y w o r d 'service')

58

© 2 016

Pedro Bueno

Identifying and Removing Malware Using the HijackThis Tool

Identifying and Removing Malware

This page intentionally left blank.

© 2 016

Pedro Bueno

What is the HijackThis Tool • Free tool created by Merijn • Acquired by AV • Multi-purpose tool • List processes • Checks for ADS (Alternate Data Streams) • Verify hosts file • Kill processes/services

• Mainly used to uncover and identify malicious BHO (Browser Helper Objects) and autoloading binaries! Identifying and Removing Malware

W h a t is the H i j a c k T h i s Tool? HijackThis is a popular tool used to fight malicious software.

I t was originally created b y M e r i j n Bellekom, and i n M a r c h 2007, i t was acquired b y the antivirus vendor TrendMicro and continues to be available at no cost, and included as an open source project at

The tool can be downloaded at

HijackThis is a multipurpose tool because i t can be used to list the processes a la Task Manager, open the hosts file o f your machine, and enables y o u to see i f there is a strange entry, k i l l processes and/or services, check for A D S (Alternate Data Streams) besides the most used feature, and find malicious software installed as Browser Helper (BHOs) i n the computer.

A B H O may be a legitimate or malicious piece o f software installed i n the computer, used to customize and/or control the Internet Explorer Browser.

Since version 2.0.4, i t also supports W i n d o w s 7.

60

© 2 016

Pedro Bueno

Are All BHOs Dangerous? • Why are BHOs dangerous? • Not all BHOs are dangerous • Adobe Acrobat has BHOs... • Apple iTunes has BHOs... • Microsoft MSN has BHOs... • Oracle Java has BHOs... • But you can also find: • Password Stealers as BHOs! • Spy Agents as BHOs! • Spyware BHOs! Identifying and

Malware

A r e A l l B H O s Dangerous?

Are BHOs? HijackThis is a multipurpose tool, but y o u can notice that most o f time y o u use i t to scan your system trying to identify malicious entries i n the system, such as malicious B H O s . The reason is that those D L L s , used as B H O s , are quite difficult to spot without appropriate tools, such HijackThis.

In and 2012, one o f the most common payload distributed b y the BlackHole Exploit k i t was a B H O to capture the search queries from common search engines.

W h e n scanning your system y o u may notice a lot o f B H O s because they are w i d e l y developers for a more complete approach w i t h Microsoft Internet Explorer.

b y software

Examples o f legitimate B H O s are:



Adobe Acrobat B H O •

A p p l e iTunes B H O • Microsoft



BHO

Oracle Java B H O

However, malware writers also learned about that feature o f and created malware to be included as B H O s , so they can monitor the U R L s visited or passwords typed on the machine and send them to a remote site.

© 2 016

Pedro Bueno

HijackThis Tool Main Interface Trend Micro HijackThis -

The Interface: • Main menu with six buttons: • System Scan • Log • No Log • Backup items • Misc. Tools • Online guide • Go to Scan mode

Welcome to and fit software.

What

program s o n your PC and generate a log commonly manipulated try good

of

you fte to Do a

save a togfle

Do a system scan only

backups

the

section

onine HijackThis

None of the above, Just start the program

I start

Identifying and Removing Malware

H i j a c k T h i s Tool M a i n Interface There are six main buttons on the HijackThis interface: D o a System Scan and Save a L o g File D o a System Scan O n l y The first t w o refer to the most-used tools o f HijackThis, the System Scan, w i t h w h i c h y o u can choose hetween saving a log file or not. V i e w the List o f Backups I t is about the list o f items that y o u deleted and that i t created a backup, so y o u can choose to restore them later. Open the

Tools Section

This leads to another menu, w i t h additional tools, such as a custom Task Manager, a process/services terminating application, and more useful tools. Open Online HijackThis Go to online tutorial about h o w to use i t None o f the above, just start the program

W i l l go directly to the System Scanning mode; however, without an actual scan.

62

© 2 016

Pedro Bueno

HijackThis Scanning Options Trend Micro HijackThis -

Getting started with HijackThis:

Welcome to and

program

you ||

• Scanning the system • Option to Save the generated • Logfile can be useful when sharing info • Scan only is straight to the point

your PC and by as

settngs

Do a

a as good

of

to do? and

a

|

Do a system scan only

j

backups

j

|

HijackThis Quicks

start

R

show

program

|

j

1 start

Identifying and Removing

H i j a c k T h i s Scanning Options

Getting Started with H i j a c k T h i s When you up the HijackThis software, y o u are prompted w i t h Trend M i c r o ' s E n d User License Agreement, and i f you agree, y o u are presented to the slide's window. W e start w i t h the System Scanning mode.

The difference between the first two options is that the first one enables y o u to save a l o g file w i t h the results o f the system scanning plus a list o f all processes running at that moment, so y o u can send i t over a security help forum or share w i t h another person/group asking for help.

© 2 016

Pedro Bueno

63

HijackThis Scan Results Info generated by the scanning: Registry changes StartPage changes MSIE Toolbars Autoloading entries

Trend Micro HijackThis the of the careful what you delete the button. Scan resuis do not whether an is bad or not. The to and show the tog to folks.

best

F -

BHO 2 SSV Helper -

03

04 OA 04

-

/STANDALONE {Adobe Reader Speed launcher] {Adobe ARM]

04 _ 04 04 : -

Task] GUI]

04 -

[Exodus]

Save

All bad stuff??

Browser -

BHO: BHO: BHO; BHO:

tog

[

Fix

|

Info...

Info on

Add checked to

Identifying and Removing Malware

Scan Results

Understanding the

Report

HijackThis Scanning generates a report w i t h a lot o f information, such as all Internet Explorer BHOs, enumerate the Toolbars, Suspicious Autoloading Registry Entries, and extra tools and buttons, among other information.

A g a i n , the first important thing to notice here is that not all information generated represents bad or malicious stuff i n the computer or w i t h Internet Explorer.

For example: 02 - BHO:

-

-

This line shows a B H O (or type 02, that means Enumeration o f existing M S I E BHOs), w h i c h is named A c r o I E H l p r O b j Class. I t also shows the component object I D , the path o f the D L L .

64

© 2 016

Pedro Bueno

HijackThis Basic Usage Trend Micro HijackThis -

Basic usage •



Select the item you want more info on

best thing) 0 3 - T o o l b a r Foxit T o o l b a r -

Rt

- C:\Program -



D e t a i l e d information on

H*

Click for Selected Item ...

- RE

Get info on selected item

OS:

IE T o o l b a r s a r c part of (Browser O b j e c t s ) like the G o o g l e T o o l b a r that are helpful, but c a n also b e and malicious by tracking y o u r behaviour a n d displaying p o p u p ads. (Action

Registry value is deleted.)

EST



Fix (delete) it •

Put on (ignore list)

-

ram



[BCSSync] CM -

"C:\Program

/STANDALONE

Scan

Other I Scan

Fix c h e c k e d

Conrg... Add checked to

item.

Removing

Malware

H i j a c k T h i s : Basic Usage The basic and most common usage o f HijackThis is to identify malicious software that can be injected together w i t h M S I E and then monitor the user activities without consent.

When

shows the system scan results, it also presents y o u w i t h the possibility o f checking any item.

W h e n an item is checked, y o u have the following options:





F i x the item: HijackThis removes that entry f r o m your system.

Get info on the selected item: I t shows what the item does i n your system.

A d d the checked item to a whitelist: This is also k n o w n as ignore list and it prevents from showing it on next system scan.

© 2 016

Pedro Bueno

Removing Suspicious Entries with HijackThis Trend Micro

Removing an entry:

- v2.0.4

are the of the button. Scan best thing to do is to

Be careful what you the 'Fix do not determine whether an tern Is bad or not- The and the log ft* to foks.

-

-

RO



*

Page = -H

Check the item

fc?Untdd=S



Click Fix checked •

Scan the system again to ensure deletion! •

But when should you do it?

1 what you selected.

RO • H RO - H F2 R 02 -B

This

delete and/or repair

fr02 • BHO 102 - BHO: Java(tm) Rug-In SSV Helper • • Scan stuff

on

-

/StartedF

Add

to

and Removing Malware

Removing Suspicious E n t r i e s with H i j a c k T h i s

Removing Entries Some malware adds itself as B H O s . I t is not easy to spot them simply by looking at the report generated b y HijackThis.

I n general they follow one o f t w o options:



T r y to appear as legitimate software; this is more difficult to spot. •

Load the B H O noisily; this is easier.

© 2 016

Pedro Bueno

HijackThis Usage in Malicious BHO Example Suspicious BHO 002 • example

EM):



Class -



02 - BHO: What makes it suspicious? 1. Name 2. path Name 3. Google them

-

on Obejc)t a crafted po rga rm that n itegrates n i to access rg i hts on your syse tm, Though can be htem pup roses etc.

A 8H0 and has

Regsirty

dee lted, BHO i !

is dee lted,)

j

and Removing Malware

Usage in Malicious B H O E x a m p l e

Spotting a Suspicious B H O W h e n the system scan is done, a large number o f items may be reported. Focusing on the possible BHOs, y o u may notice that some appear to be legitimate, whereas some may appear malicious.

O n the slide example, y o u have a B H O (type 02) called Internet Security Class, a C L S I D , and the path where it is being loaded

N o w y o u have to remember some deceptive tactics used b y the malware: They try to look like some "security" component, usually using some antivirus vendor name. 2.

They try to look like a Microsoft Windows component, usually taking the name o f a legitimate Windows process/service, or something related to Windows.

I n this case, we have both: a B H O w i t h the suspicious name o f Internet Security Class (note that Norton Antivirus has a B H O called Norton Internet Security and the D L L called which would suggest that it is trying to look like an M S Windows Update component!

Suggested actions: • •

F i x it! (Delete i t by clicking the F i x Checked button.) your system to see whether i t was actually deleted!

Remember that y o u can always restore a deleted item because HijackThis keeps a backup o f all deleted items!

© 2 016

Pedro Bueno

Using the HijackThis tool Hands-on

Identifying and R e m o v i n g M a l w a r e

Using the H i j a c k T h i s tool - H a n d s - O n I n the "Using the HijackThis T o o l " section, we start w i t h the f o l l o w i n g steps:

Revert the V M w a r e W i n d o w s 7 image to the Snapshot Clean7: V M - > Snapshot - > Select Clean7 2.

Open the folder Course on the V M w a r e W i n d o w s 7 Desktop.

3.

Open the Part 3 folder.

4.

Right-click the the password training.

and select the option Extract A l l to extract the contents. Enter

Start HijackThis by right-clicking HijackThis, selecting R u n as Administrator, and answer the f o l l o w i n g questions and follow the next slides to see the answers.

After y o u try to answer the following questions, continue for an interactive r u n o f the lab.

W h a t do y o u see w h e n y o u click D o a System Scan Only? Take note o f anything suspicious that w i l l be loaded at boot time.

68

2.

I f the suspicious process is running, t r y to kill/terminate i t . Describe the process used to k i l l the suspicious process using HijackThis.

3.

I f the process were successfully terminated, i t is time to remove the malicious Registry entries. Using the tool, w h i c h function enables y o u to remove the entries?

© 2 016

Pedro Bueno

© 2 016

Pedro Bueno

Hands-on: Checking the Report Generated Micro H i j a c k T h i s -

Malware in Action: • Change in IniFile to autoload a file called SSVICHOSST.EXE • Change on the computer policy to disable access to RegEdit: DisableRegEdit =1 • Check the log

Below the results of the ttJackThts checked button. do not

Bo

what you delete the an Is bad or not. The knowledgeable

Toolbar: -

Plus] [VMware [VMware User Process]



DNS

-s

[Yahoo

CM - Startup; Shortcut to Related 0 9 - Extra Show

Links - 192.168 !



023 * Packet Capture Protocol (experimental) 023 Service: VMware Service • VMware, -

-

. log

|

[

j |

Identifying and Removing Malware

Checking the Report Generated

M a l w a r e in Action A system scanning w i t h

shows a nice report.

The first thing i t shows is an F2 entry. F2 - REG:system.ini: Shell=Explorer.exe SSVICHOSST.EXE

F entries, according to the HijackThis Info button mean IniFile value, mapped to Registry. This means that the SSVICHOSST.EXE.

Autoloading entries, and F2 means Changed was changed to load the file

I t makes i t highly suspicious because usually SVCHOST.exe is loaded as a service, and not as a process called b y autoloading. Also note, i t is not S V C H O S T . E X E , but S S V I C H O S S T . E X E , trying to l o o k like S V C H O S T (a legitimate Windows system process)!

This was the first deceptive tactic o f the malware. The second one is right below i n the report:

04 -

[Yahoo Messengger] C:\WINDOWS\System32\SSVICHOSST.exe

I t is a type o f entry. A c c o r d i n g to the HijackThis info the entries means Other, several sections. A n d 0 4 means Enumeration o f suspicious autoloading Registry entries.

70

© 2 016

Pedro Bueno

This means that there is a Registry entry that autoloads the process from Windows\System32\SSVICHOSST.EXE, the key name is [Yahoo Messenger] (notice the Messenger w i t h 2 Gs). So, this is the second deceptive tactic o f the malware, trying to l o o k like a Yahoo Messenger process, w h i c h w o u l d autoload every time W i n d o w s restarts. The third suspicious entry from this report is a System Policy change: 07 -

DisableRegedit=l

I t is Type again. Type 0 7 means Disabling RegEdit w i t h Policies. So, even i f y o u d i d n ' t get it from the report w o r d DisableRegedit=l, the info file tells you exactly the same thing: The malware changed the policy to prevent y o u from opening the Registry Editor (regedit.exe) and seeing the keys/entries added to them. For your reference, here is a portion o f the log generated b y Logfile o f Trend M i c r o HijackThis v2.0.4 Scan saved at 5:43:13 A M , on Platform: W i n d o w s X P ( W i n N T 5.01.2600) M S I E : Internet Explorer v6.00 (6.00.2600.0000) Boot mode: N o r m a l Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\Explorer.EXE and and and and and - REG:system.ini:

SSVICHOSST.exe

0 3 - Toolbar: & R a d i o -

-

04 -

[MSMSGS]

04 -

[Yahoo Messengger]

/background C:\WINDOWS\System32\SSVICHOSST.exe

07 -

DisahleRegedit=l

0 9 - Extra button: Related 0 9 - Extra 'Tools'

of

Show &Related Links - {c95fe080-8f5d-lld2-a20b-00aa003cl57a} -

bytes

© 2 016

Pedro Bueno

Hands-on: HijackThis Misc Tool Section ; fi Trend

Actions to take: • Open the Misc Tool Section from the Main menu • Find out where the SSVICHOSST.exe process is • Terminate it • the system and fix the changes

Welcome lo registry and software.

Thts

What would you

scan your PC and generate tog manipulated by as as good

of

to do?

Do a s y s t e m s c a n a n d s a v e a Do a s y s t e m s c a n only

View the

Open the

of backups

Took section

HijackThis Quick

None of the above, just start the program

Do not show

window

ten 1 start

Identifying and Removing Malware

H i j a c k T h i s Misc Tool Section

Taking Action Because we have information regarding the malware, i t is time to take action.

First, go to the M a i n menu and select the Open the Misc Tools Section button, so we can use the customized Process Manager tool.

Then, t r y to

the location o f the SSVICHOSST.EXE process and terminate it.

A n d to finish, rescan the system and

72

the changes!

© 2 016

Pedro Bueno

Hands-on: HijackThis Process Manager fi

Trend

-

The Misc. Tools: • HijackThis offers some other tools to help you • This time, use the Open Process Manager to determine what the suspicious process is and where the file is located

Main

|

|

Backups

| |

vi.52) Generate

fog

also

sections sections

tools process manager

j a i much

hosts fie manager

|

on reboot...

fcd w

«

If a Delete

process manager. the Task Manager.

|

Delete an NT service

cannot be Windows can be setup to when the system restarted. Windows NT Service USE

WITH open A D S Spy...

Open

i

the totegrated A D S scan for hidden date streams.

[

to

to manage the Jems in the

other stuff

|1 |

Malware

H i j a c k T h i s Process Manager

The Misc Tools A s mentioned before, HijackThis offers some additional tools to help identify suspicious activities o n the system.

One o f the best tools is the Process Manager, w h i c h reminds y o u o f the W i n d o w s Task Manager, but w i t h some more advanced functions, such as listing the D L L s o f each process.

Pedro Bueno

73

Hands-on: HijackThis Process Manager View Micro

HijackThis Process Manager:

-

-

1 |

j

Backups

| ]

Misc Tools

Running processes; •

(show

F

)

\

• Shows the complete PATH • Allows you to terminate any process with the Kill Process button • Just select the chosen process and click Kill Process!

932 1004 1272 1492

,

\

\

|

|

|

|l j

Identifying

| •

|

,

1 s

Removin g Malware

H i j a c k T h i s Process Manager V i e w

The H i j a c k T h i s Process Manager The HijackThis process manager is quite easy to understand.

O n the first one-half o f the w i n d o w , y o u can see all processes running on the machine w i t h the associated process I D (PID).

I f the

Show D L L s is marked, i t also shows each

that is associated w i t h the process.

I n this case, y o u can see that the process I D 248 is the one y o u are looking for. I t shows the path o f the process as (or the path where the malware was executed). O n some systems, y o u might need a reboot to see the exact screen as displayed on the slides

Also, remember that the Process I D (PID) may be different on your computer.

74

© 2 016

Pedro Bueno

Hands-on: Killing a Process with HijackThis Killing the process: • To terminate the suspicious process, you have to select it from the process list and the Kill process button • Refresh and check again

| j

|

Backups

| j

Misc Tools

Manage*|7 i

s

ff\

Any

lost.

I d e n t i f y i n g and R e m o v i n g M a l w a r e

Killing a Process with H i j a c k T h i s

Killing the Process To terminate the suspicious SSVICHOSST.exe process, y o u have to select i t h y clicking i t and pushing the K i l l process button.

Another w i n d o w pops up asking i f y o u are sure about terminating that process. I f i t is the process y o u want to k i l l , just confirm by selecting Yes.

After that, y o u can click the Refresh button and see i f it was actually terminated.

© 2 016

Pedro Bueno

Hands-on: Rescanning the System Trend Micro HijackThis

Fixing the changes: • Clicking Main menu gives the option to rescan the system • Now it is time to fix the changes made by the malware • Select, Fix, Rescan!

Below thing to

resits of the Be you delate the Scan resAs do not whether en Item bed or not. The to end show the log

-

-

DM5 Plus]

DNS

-s

(Yahoo - Extra button: Related • - Extra Tools' Show 77 77 3 - Service: Packet Capture 3 - Service: VMware

ft fir

• -

- 192.168, 192.168 CACE Technologies VMware, Inc.

log

|

-

Other Flu c h e c k e d |

Info...

j

I d e n t i f y i n g and R e m o v i n g M a l w a r e

Rescanning the System

Fixing the Changes After terminating the process, y o u need to fix the changes caused by the malware. Returning to the M a i n menu, y o u can ask HijackThis to do a System Scan again, and this time, the changes.

That is an easy task because y o u j u s t have to check the item y o u want to button.

and click the F i x Checked

The reverts the change on the Regedit Disable, letting y o u access RegEdit again, and remove the autoload entries from the SSVICHOSST.exe file.

76

Pedro Bueno

Identifying and Removing Malware Microsoft Sysinternals Process Explorer and TCPView

Identifying and R e m o v i n g Malware

This page intentionally left blank.

Pedro Bueno

Microsoft Sysinternals Suite • Large suite of free tools for Windows Platforms including Win95, WinXP, Win2k3, Windows 7, and Windows 8 • Acquired by Microsoft in 2006 • Supports 64-bit versions! • Caveats: Some tools need SP2 on Windows XP

Identifying and Removing Malware

Microsoft Sysinternals Suite

I s Sysinternals? I n this module, y o u learn about the Sysinternals w o r l d . Sysinternals was created i n b y M a r k Russinovich and Cogswell. For a long time, its website was a source o f excellent free tools for W i n d o w s systems. They provided free tools for System Information, Security, File and D i s k Information, N e t w o r k , Processes, and more.

One o f the reasons they became so popular is they provided tools that could help to see information on W i n d o w s systems, and Microsoft d i d not provide these tools.

Some examples o f popular tools are: •

Process Explorer: A n advanced Task Manager •

T C P V i e w : For viewing networking activities •

L i s t D L L : Enables the user to list a l l the D L L s that are currently loaded on the system, associated w i t h each process, and their version numbers



RegMon: Enables the user to see the Registry activities i n real time •

Streams: Enables the user to see the Alternate Data Streams ( A D S ) i n the

system

Another advantage o f these tools is that most r u n on a l l versions o f W i n d o w s , from W i n d o w s 95 to W i n d o w s 7, and even w o r k on 64-bit versions. Because o f advances i n the W i n d o w s kernel, some tools w i l l not be f u l l y functional, and some o f the more recent tools need the installation o f some Service Packs, such as the Process M o n i t o r tool, w h i c h needs Service Pack2.

78

© 2 016

Pedro Bueno

MS Sysinternals Process Explorer Introducing: Process Explorer Aka Advanced Task Manager In fact, much more than that! Allows you to view processes, services, threads, strings...

Identifying

Removing Malware

M S Sysinternals Process E x p l o r e r Introducing: Process Explorer I n this module, y o u learn h o w t w o tools from Sysinternals can w o r k together: • •

Process Explorer TCPView

B o t h tools were developed b y Sysinternals, w h i c h was acquired b y Microsoft i n 2006, but remains available free o f charge. The only stipulation is that n o w y o u have to agree w i t h Microsoft's End User License Agreement ( E U L A ) when first running the applications. Process E x p l o r e r The first tool, Process Explorer, can be downloaded at This is one • • • • • •

o f m y preferred tools because i t gives y o u a complete v i e w o f the system, such as: A l l running processes A l l running services Threads associated w i t h the above Strings w i t h i n the running processes/services C P U and M e m o r y usage Path to the running process/service program files Command line used b y the process/service

This is important w h e n analyzing a system and searching for malware activity because i f y o u can get a l l this information, y o u can start to solve the puzzle o f what could be happening i n your system.

© 2 016

Pedro Bueno

79

MS Sysinternals Process Explorer Toolbar Process

Understanding t h e toolbar: Shows system performance •

Save the results to a text file Force refresh (default is 1 second) •



Shows more system performance information Displays processes in tree format • •

Splits the window in two panels. First panel shows the Processes & Services, PID, CPU usage, description, and company name • •



Users



Second panel shows the Handles and DLLs Kill the process/service

Spooler VMware Tools Generic Host

1280 1180 758 1840 108 124

B

Explorer Microsoft,. VMware,.,. VMware/...

4 £ 8 1032 Type Desktop (cry Directory Evert Evert Evert Fie Fie Fie Fie

Windows

fou Usage:

fcorwr*

Event SGS vert and Common-..

Search for any DLL/Process Identifying and Removing Malware

M S Sysinternals Process E x p l o r e r Toolbar

T h e Process Explorer Toolbar The Process Explorer offers an easy w a y to w o r k w i t h its options. The m a i n interface offers a number o f buttons on its toolbar to make i t easier and faster for the user to take the most common actions. •



The floppy disk icon lets you save the results that are shown i n a text file. I f y o u select a process first ( w i t h one click o f the mouse) and then save the result, a l l the processes and services plus a l l D L L s associated w i t h the selected process, showing the D L L name, Description, Company Name, and Version Number w i l l be saved to a



The commonly k n o w n Refresh button means that y o u can force an update o f the view. The default update is 1 second but can also be configured to be 2, 5, and 10 seconds. •

The next icon is the System Information button that can show information like the Performance tab on W i n d o w s Task Manager but w i t h more information, including information about a specific process i f y o u select i t first. The next icon is the Show Process Tree button. This is the default v i e w o f Process Explorer. F r o m the Process Explorer Help File:

"By default, Process Explorer sorts processes into the system process tree. The process tree reflects the parent-child relationship between processes, where child processes are shown directly beneath their parent and right-indented. Processes that are left-justified are orphans; their parent has exited."

The next icon is the one that enables y o u to split the v i e w into t w o panels, leaving the Processes and Services on the top panel and showing the Handles/DLLs on the lower panel.

80

© 2 016

Pedro Bueno

The f o l l o w i n g icon is the one that enables y o u to see the handles or the D L L s associated w i t h each process/service.

The next icon is the Properties icon. I t is the same as double-clicking on a process. W h e n showing the properties, Process Explorer opens another w i n d o w w i t h eight different tabs:





Image •

TCP/IP •

Security •

Performance •

Environment •

Performance Graph •

Threads Strings

The Red X icon is the one that lets y o u k i l l a process or service. Just select the process and click the red X button. Another w a y is to right-click the selected process/service and choose either K i l l Process or K i l l Process Tree. A third option is given to terminate a process/service; just select the process and then press the D E L key.

The binoculars icon enables y o u to search for a Handle or D L L to see w h i c h process/service is using i t .

The last icon is a Target icon. Y o u can drag i t onto any open application w i n d o w and i t shows the Process Explorer information about i t .

© 2 016

Pedro Bueno

MS Sysinternals TCPView • Introducing: TCPView • Aka Advanced Netstat • Allows you to view current processes that have network connections, the protocols used, and terminate them

and Removing Malware

M S Sysinternals T C P V i e w

Is TCPView? The T C P V i e w tool is also produced b y Sysinternals (Microsoft Sysinternals since 2006) and can be downloaded at

82

© 2 016

Pedro Bueno

MS Sysinternals TCPView Capabilities -

Like a GUI Netstat Shows the Processes, Protocols, Local and Remote Address and ports, and connection state Updates the info in real time Allows the user to close an on-going connection Allows the user to terminate a process

Ne CI

Process View Help

. TCP .

• 3 3 3 3 "

V

TCP TCP TCP

LISTENING

LISTENING V

LISTENING LISTENING

Identifying and Removing Malware

M S Sysinternals T C P V i e w Capabilities

T C P V i e w Capabilities Y o u can think o f this tool as the graphical and advanced version o f W i n d o w s C L I t o o l Netstat. It shows the same information as Netstat, plus provides some advanced functions such as:



Shows the connections i n real-time w i t h the protocols, port numbers and connection state. •

Enables y o u to close an on-going connection •

Enables y o u to k i l l a process that has network connectivity, for example, a malicious backdoor program listening on a port.

©2016

Pedro Bueno

MS Sysinternals Process Explorer and TCPView • Using both Process Explorer and TCPView together gives a better view of the scenario • In the following example, a computer was identified as generating lots of network traffic!

Identifying and Removing Malware

M S Sysinternals Process Explorer and T C P V i e w

Process Explorer W h e n dealing w i t h malware that makes use o f networking, the use o f Process Explorer together w i t h T C P V i e w gives y o u a more complete view o f the problem and increases your chances o f identifying and removing the malware.

I n the next few slides y o u see an example o f such usage. W e image a computer on the network that has been identified as being responsible for generating a lot o f network traffic, and your j o b is to t r y to identify and remove the malware that may be causing such behavior.

84

Pedro Bueno

MS Sysinternals Process Explorer in Action -

Viewing all processes and services running on the machine Suspicious sslms.exe process: • No Process description • No Company name Is network activity associated with this process?

Be

Sew

CPU | B

95

033

Hardware Interrupts .

4 Microsoft,

672 700 744

0 98 Services Generic Host Generic Host

1148, 1280 1484 756

Microsoft, Microsoft., Microsoft., Microsoft.. Microsoft,

VMware Tools SR.. Windows

Microsoft,. Microsoft,

108 Microsoft.. 648 1032 Usage:

j

Malware

Identifying

M S Sysinternals Process Explorer in Action Process Explorer: Putting I t to Use When firing up Process Explorer on the computer, y o u can see the default Windows processes and services plus some additional processes such as Microsoft Messenger Client, our Process Explorer, TCPView, and so on. W e also see another process called sslms.exe w i t h no description or company name. That, and the fact that i t is not a k n o w n process name, makes it suspicious.

Process System

PID Idle

Description

0

94.12

n/a

1.96

Company Name

Process Interrupts

Hardware

Interrupts

DPCs

n/a

Deferred

Procedure

smss.exe

436

Windows

NT Session

csrss.exe

680

winlogon.exe

708

services.exe

752 956

0.98

Client

Server

Windows 0.98

Calls Manager

Microsoft

Corporation

Process

Microsoft

Corporation

Application

Microsoft

Corporation

Microsoft

Corporation

Microsoft

Corporation

Runtime

NT Logon

Services

and Controller

Generic

Host

Process

app for

Win32

Services

2016 Pedro Bueno

85

svchostexe

1044 Generic Host Process for Win32

Services

1236 Generic Host Process for Win32

Services

1248 Generic Host Process for Win32 spoolsv.exe

Spooler Subsystem

App

Services

Microsoft Corporation Microsoft Corporation Microsoft Corporation Microsoft Corporation

VMwareService.exe lsass.exe

VMware

Tools

Service

764 LSA Shell (Export

explorer.exe

252

Windows

472 VMwareUser.exe

VMware,

492

Version)

Inc.

Microsoft Corporation Microsoft

Explorer

Corporation

VMwareTray

VMware,

Inc.

VMwareUser

VMware,

Inc.

msmsgs.exe Messenger

Microsoft

Client

Corporation procexp.exe TCPView.exe sslms.exe

86

1996 1032

1.96

Sysinternals TCP/UDP

Process endpoint

1816

© 2 016

Pedro Bueno

Explorer viewer

Sysinternals Sysinternals

MS Sysinternals Process Explorer: Properties • Double-clicking a process in Process Explorer shows the properties of the selected process including important information like the location of the binary and the command line used • This shows that the malware is running from: C:\windows\system32\sslms.exe

|

| Performance

|

|

Graph

|

| Threads

j

••

Version: Time: Path (Image • '•\ '. j .

.

.

"

i

. "- :

.

:

.

-

AM 8/2/2007

firmg

|

I d e n t i f y i n g and

to

|

fclPioccst

j

|

Malware

M S Sysinternals Process Explorer: Properties

Process Properties W h e n double-clicking any process or service, another w i n d o w that has the properties o f the process or service w i l l pop up.

The Image tab is important because it can give y o u information such as the path where the file is located and the command line used to load the process or service i n case y o u need to check to see i f any option is used b y the process. I n our case this process is not invoking any special attribute on the command line, but for example i n the S V C H O S T . E X E service, y o u can see something like:

Command line:

-k L o c a l S e r v i c e

© 2 016

Pedro Bueno

MS Sysinternals TCPView in Action TCPView shows information regarding the suspicious process: •



A ! Protocol TCP

3 3

Connections from our lab-machine to nastyserver

foea*KJitl032

TIME_WAIT

TCP

TCP

3

Connection to port 6667

Local

LISTENING

8., TCP TCP

LISTENING -5vr

LISTENING

3

6667 is the standard IRC port number!

3 3

UOP LISTENING LISTENING

TCP 3 3

UDP UDP

I d e n t i f y i n g and R e m o v i n g Malware

M S Sysinternals T C P V i e w in Action

Using T C P V i e w N o w i t is time to use T C P V i e w to see i f this process has any network connections. W e could use Process Explorer to g this information, hut T C P V i e w is better to give us this information:

Our suspicious process sslms.exe has an established connection to "nasty-server" on port 6667!

I t could be that i t is just a coincidence, but port 6667 is the standard port for Internet Relay Chat (IRC), an Internet cha service that is the main method used to b u i l d and control Bots and Botnets!

88

Process

Protocol

lsass.exe:764

UDP

sslms.exe:1816

TCP

sslms.exe:1816

TCP

nasty-server:6667

sslms.exe:1816

TCP

Lab-machine:0

sslms.exe:1816

TCP

Local Address

Remote Address

Lab-machine:1074

lab-machine:1075

Pedro Bueno

State

LISTENING

ESTABLISHED

LISTENING

ESTABLISHED

TCP

Lab-machine:1025

UDP

Lab-machine: 1026

1044

UDP

Lab-machine: 1028

1044

UDP

svchost. exe: 1044

UDP

svehost.exe: 1236

UDP

svehost.exe: 1248

Lab-machine:0

LISTENING

TCP

Lab-machine:0

LISTENING

svehost.exe: 1248

UDP

*:*

svehost.exe: 1248

UDP

*:*

svchost.exe:956

TCP

svehost.exe:

UDP

svchost.

6

Lab-machine:ntp

1ab-machine:ntp

Lab-machine: 1027

Lab-machine:0

LISTENING

*:*

System.4

TCP

Lab-machine:microsoft-ds

Lab-machine:0

LISTENING

System: 4

TCP

lab-machine:netbios-ssn

Lab-machine:0

LISTENING

System: 4

UDP

Lab-machine:microsoft-ds

System:4

UDP

lab-machine:netbios-ns

System:4

UDP

lab-machine:netbios-dgm

© 2 016

Pedro Bueno

*: *

Process Explorer and TCPView Example • Summary of information collected: • Suspicious process called sslms.exe • Process connected to strange server on IRC port number (6667)

• Questions to Answer: • What is this process? • How to get rid of it? Identifying

Removing Malware

Process Explorer and T C P V i e w E x a m p l e S u m m a r y

S u m m a r y of the C u r r e n t Status: •

Y o u found a process called sslms.exe. •

The process has an established connection to a remote server. •

The remote server is listening on port 6667, w h i c h is the standard TCP port number for Internet Relay Chat (IRC), used b y legitimate chat users hut also used b y malware authors as the main Command & Control method for Botnets!

A n d y o u still have the f o l l o w i n g questions to answer: •

W h a t is this process? Is i t suspicious? Besides the lack o f process information and the network connection to a remote server, y o u are still not sure about i t . • I f you decide that i t is indeed suspicious, what should y o u do to remove i t from the system?

90

© 2 016

Pedro Bueno

Process Explorer: Strings View (1) • One of the nicest things about Process Explorer is the ability to show the strings within a selected process: • From physical image or from memory • Strings can reveal a lot of information!

• Advantages of memory view: • Even if the malware is packed, it will be unpacked in memory revealing its secrets! Identifying and R e m o v i n g Malware

Process Explorer: Strings V i e w (1) Process Explorer offers a nice w a y to get into the process and read the character strings that are present inside the process binary. This is important because sometimes we can identify the purpose o f the malware b y reading the strings inside it.

For example, an online banking password stealer program might contain references to a bank website U R L , the bank's names, and usernames and passwords.

One problem when reading strings o n the binary is that the strings may be obfiiscated i n the binary w i t h the use o f programs called Packers and Protectors. Packers are easily available on the Internet and examples o f popular packers are: • • •

Petite • •

Yoda

That is w h y Process Explorer offers an option to read the strings directly from memory, too. Most runtime packers decrypt the binary into memory w h e n i t is running. This gives Process Explorer the chance o f reading the unpacked strings contained w i t h i n it. Even i f the binary is packed, when i t is running i n memory i t has to unpack itself, making i t possible to read the strings contained w i t h i n i t !

Pedro Bueno

91

Process Explorer: Strings View (2) • On the Strings tab, you can go to the Strings of the selected process letting the user select between Image or Memory views • In memory view, you can see the strings in the process running in memory and search for useful words that can help to identify the malware • Words of interest: PASS, NICK, USER, PING, and JOIN

Image

|

j

Pedoimance

| found

rem

. PASS '4s HICK

JOIN Z%

OK

|

|

Identifying and Removing Malware

Process Explorer: Strings V i e w (2)

The Strings T a b O n the Properties dialog's Strings tab, y o u have the option o f seeing the process strings from the image on the hard drive or from the process running i n memory, w h i c h makes i t possible to the strings i n most cases even i f the executable has been packed. The default view o f the strings is from the image, so y o u have to select the M e m o r y option to let Process Explorer show the strings from memory. Strings of Interest W h e n viewing the strings from a file, y o u are presented w i t h a l o t o f data and many o f them w i l l be garbage. Searching for strings o f interest is not a quick task and demands some time to complete especially i f i t is a large I n this example, y o u can see b y the vertical scrolling bar that there are many strings i n the

selected.

W e found strings o f interest close to halfway through the list. They are strings found i n typical Bot and I R C commands, such as: •

PASS • NICK



USER • PING •

PONG

• JOIN •

92

USERHOST

Pedro Bueno

Process Explorer and TCPView Analysis Summary • A process that is connected to a server on port 6667 (IRC port) • The same process has the words PASS, NICK, USER, PING, and JOIN in its strings. • Putting it all together we appear to have a malicious and nasty bot! • so 2006... NOT! • As of 2012, several still use IRC as a C&C method, like W32/Autorun worms ... Identifying and Removing Malware

Process Explorer and T C P V i e w Analysis S u m m a r y

New S u m m a r y So far we have the following information:





A suspicious process was found on a system.



I t is located i n c:\windows\system32\ folder. •

The process is connected to a remote server.



The remote server is listening on TCP port 6667 ( I R C TCP port). I t was possible to find strings o f a typical I R C session.

W e have a bot connected to a botnet!

W h e n a system has a bot connected to a botnet, the system control n o w belongs to the bot master and she can send commands to our system to make i t perform various functions. One o f these is scanning large blocks o f IP ranges looking for other vulnerable machines, so i t can exploit them and get another bot installed. That may be the cause o f the large amount o f network traffic originally detected from our investigated system.

A l t h o u g h the explosion o f bots and botnets happened i n 2004/2005, there are still several different bot families i n the w i l d , and to make things even more nasty, other malware families are also adopting I R C as a Command and Control ( C & C ) method. One example is the family that spreads using network, thumb drives, open

N o w that we have identified the offending process, h o w can w e remove i t from our system?

© 2 016

Pedro Bueno

93

Cleaning the Bot from the System • Next steps: Terminate it and clean the system! • Terminate the process • Look for auto-loading traces • Delete the file

Identifying and Removing Malware

Cleaning the Bot from the System

Next Steps So n o w y o u have three steps to remove the malware from the system:

1.

Terminate/kill the process. This is the first step because sometimes the system does not let y o u delete the i f the process is running. A l s o any attempts to clean the system Registry can fail because the malware can possibly prevent changes to the Registry.

2.

Check the Registry looking for Registry entries that may be doing the " I w i l l be back mode," also called auto-loading. Y o u can do i t manually or using our friend HijackThis. After terminating the process and cleaning the traces, y o u should delete i t from the system.

94

© 2 016

Pedro Bueno

Process Explorer: Killing a Process (1) • Process Explorer also enables you to easily kill any process or service running • Basic operation: • Select the process • Click the red X on the toolbar

Identifying and Removing Malware

Process Explorer: Killing a Process (1)

Killing a Process with Process Explorer One o f the functions o f Process Explorer is to allow an easy way to kill/terminate a process. There are three ways to do it:





Select the process and click the red X button on the toolbar. Select the process and press the D E L key. • Right-click the process, and select K i l l Process from the pop-up menu.

© 2 016

Pedro Bueno

Process Explorer: Killing a Process (2) j System Interrupts System 3

UDP

Server Run., NT Log... Con, Host Pro.., Host Host Pro,,

Host Explorer

1,38 2.97%

j

Process

Charge:

Processes:

J

-

Removing

Process Explorer: K i l l i n g a Process (2)

Killing a Process with Process E x p l o r e r I n the slide, notice Sslms.exe is active i n the T C P V i e w window. Select and click the Red X button on the toolbar asking for Process Explorer to k i l l i t . Then, get a pop-up asking for confirmation.

"Are y o u sure y o u want to k i l l sslms.exe?"

Y o u bet!

© 2 016

Pedro Bueno

Process Explorer: Killing a Process (3)

Identifying and Removing Malware

Process Explorer: K i l l i n g a Process (3)

Killing a Process with Process E x p l o r e r Right after clicking Yes from the Process Explorer pop-up asking for confirmation for k i l l i n g the sslms.exe process, notice that there is no more activity from the process i n T C P V i e w or i n Process Explorer. This is a clear indication that y o u were successful i n terminating the process!

© 2 016

Pedro Bueno

Cleaning the Bot from the System Next steps: Terminate it and clean the system! • Terminate the process • Look for auto-loading traces • Delete the file

Identifying and

This page intentionally left blank.

98

©2016

Pedro Bueno

HijackThis: Checking Autoloading Entries Cleaning the

Malware

traces



Bringing to the Scene: •



System Scan shows three occurrences



Select all instances Click Fix Checked •

Confirm!

Below are the of the button. Scan best thing to is to

CM ! • CM •

you delete the To. bad or not. The

do and

log

to

[VMware User Process) sslms.exe

[] sslms.exe button; Related - Extra Show links - Service: Remote Packet Capture Protocol Service: Service - VMware, Inc. -

-



fix Save

j

i

checked j

en selected item...

I d e n t i f y i n g and

j

i

|

j |

Malware

H i j a c k T h i s : Checking Autoloading Entries

Cleaning the

Traces

N o w i t is time to check for any traces left b y the malware. Right now, we are sure only that we killed the malicious process that was running but we cannot guarantee that i t w i l l not run again when the system reboots. There are alternatives for checking the traces:

One is to manually check w i t h regedit, w h i c h can take a long time because there are often many entries to be checked and the Registry is a large place to hide things i n . Still, when y o u k n o w the filename o f the malware, y o u can search the Registry for any pointers to it. The other is to use our friend HijackThis.

Running

y o u can see some interesting entries:

0 3 - Toolbar: &Radio 04 -

-

[ V M w a r e Tools]

F i l e s W M w a r e W M w a r e ToolsWMwareTray.exe

0 4 - H K L M \ . . \ R u n : [ V M w a r e User Process]

FilesWMwareWMware

exe 0 4 - H K L M \ . . \ R u n : [Windows Services Layer] sslms.exe 04 -

[ W i n d o w s Services Layer] sslms.exe

04 -

[MSMSGS]

/background

04 -

[Windows Services Layer] sslms.exe

© 2 016

Pedro Bueno

99

0 9 - Extra button: Related 0 9 - Extra

-

menuitem: Show &Related Links -

-

W i t h this log from y o u can see three Registry entries from the malware that allows i t to r u n time the system. 2 on H K E Y L O C A L J V L A C H I N E and 1 on is restarted.

100

© 2 016

Pedro Bueno

HijackThis: Removing Autoloading Entries Below

Bo button. Scan to to



:

do not

whether an Is bad or not. The knowledgeable

Process] [Windows Services [Windows Services layer)

[Windows - Extra button: roemitcm: Show feReiated D Remote Packet capture • 023 VMware Tools Service

- CACE

Other stuff kg

checked |

on

I

:

Upload to I

to

Identifying and Removing Malware

H i j a c k T h i s : Removing Autoloading Entries

Cleaning the M a l w a r e Traces N o w that w e have identified the traces left b y the malware, w e have to clean them. W i t h HijackThis, simply have to check all items that apply and click F i x Checked button. This removes a l l the entries created b y the malware on the system. T o ensure y o u were successful, y o u need to do another scan and verify all the selected entries are gone.

© 2 016

Pedro Bueno

101

Cleaning the Bot from the System • Next steps: Terminate it and clean the system! • Terminate the process • Look for auto-loading traces • Delete the file

I d e n t i f y i n g and R e m o v i n g M a i w a r e

This page intentionally left blank.

102

© 2 016

Pedro Bueno

Deleting the Malicious File (1) • From Process Explorer it was possible to see that the malware was running from: C:\windows\system32\sslms.exe • From the DOS prompt, you can go to the directory and delete it from the system Identifying and Removing

Deleting the Malicious File (1)

Removing the Because we terminated the malware process and fixed the Registry entries, i t is time to remove the malware application from the system.

F r o m the process properties on Process Explorer, i t is possible to see that the malware path is

This is usefiil information because y o u can go to the Windows\System32 folder and delete the sslms.exe file. A l t h o u g h y o u can do i t using W i n d o w s Explorer, i t is better to do i t fiom the command / DOS prompt because y o u have more options i n case something goes w r o n g w i t h the file deletion.

© 2 016

Pedro Bueno

1

Deleting the Malicious File (2) Using dir to show the file may be frustrating on the first try: in Serial Directory Not

C h a s no l a b e l , Number i s 5 8 F 7 - E C 7 C

of

Found

But why? I d e n t i f y i n g and R e m o v i n g M a l w a r e

Deleting the Malicious

(2)

Removing the Malware Although removing a file can be trivial most o f the time, sometimes i t can simply go wrong. I n this case, something has happened. A s y o u can see on the slide, a dir command to list the sslms.exe file failed.

But why? There could be many reasons, such as:

• Was this

deleted already?

• Is it hidden? • Is some rootkit hiding it?

104

© 2 016

Pedro Bueno

Deleting the Malicious File (3) • A dir/a can show the answer sslms.exe drive no l a b e l . Volume S e r i a l Number i s D i r e c t o r y of 05:00 1 0 Dir

sslms.exe 265,216 b y t e s 2,251,980,800 b y t e s f r e e

• The file was set with attributes to hide it! Showing all attributes revealed it. Identifying and Removing Malware

Deleting the Malicious

(3)

Removing the Malware Because apparently i t cannot

the

y o u cannot delete it. B u t w h y d i d i t happen? What could be wrong?

© 2 016

Pedro Bueno

105

Deleting the Malicious File (4) • The use of attributes can also prevent the deletion of the file

Could

Not

Find

Identifying and Removing Malware

Deleting the Malicious File (4)

Removing the M a l w a r e A s y o u have seen, malware writers use a lot o f different techniques to prevent a file from being shown on the system and to prevent the user from seeing or deleting them. One o f these techniques is to set some file attributes, such as Hidden and System File, using for example the attrib.exe W i n d o w s C L I tool.

B y using the D I R command w i t h the option /a i t makes D I R display a l l files no matter w h i c h attribute is set on the

N o w y o u can see the sslms.exe

106

w i t h a size o f 265,216 bytes.

© 2 016

Pedro Bueno

Deleting the Malicious File (5)

• Attrib.exe can solve the problem by resetting the attributes -s in drive Serial

- r sslms.exe

sslms.exe C h a s no is

of 265,216 s s l m s . e x e 265,216 b y t e s bytes free

1 File(s) 0 Dir

I d e n t i f y i n g a n d Removing M a l w a r e

Deleting the Malicious F i l e (5)

Removing the Malware Because you k n o w that this

has some attributes set preventing us from seeing and deleting the file, y o u

need to reverse the changes done. The easiest w a y to do i t is to reset all attributes that could prevent us from seeing and deleting the

I n this case, y o u use attrib to remove the attributes S (System File), R (Read-only),

(Hidden).

This can be accomplished w i t h the command:

C:\windows\system32\attrib

—s

sslms.exe

N o w a simple D I R w i l l show the file:

C:\windows \system32 \dir

08/23/2001

05:00AM

exe

265,216

sslms.exe

This also means that n o w y o u can remove i t from the system.

Pedro Bueno

107

Deleting the Malicious File (6) Now that you can see the file and it is no longer a system file, you can safely delete it

Identifying and R e m o v i n g

Deleting the Malicious File (6)

Removing the Since y o u were able to reset the attributes that were preventing y o u from seeing and removing the file, y o u can safely remove the malicious binary w i t h the D E L command:

:\windows\system32\del

exe

I f y o u d o n ' t get any error messages, y o u can assume that y o u are done. I f y o u want to ensure that the been removed, r u n another D I R on the file to verify that y o u were successful i n deleting the

has

Y o u can also search the hdd for any other occurrence o f the filename anywhere on the h d d w i t h the D I R /s command.

C:\dir /s sslms.exe

Note that some malware w i l l use names o f real W i n d o w s processes/files, but w i l l save them i n other directories, so while a search on the entire hdd is a good idea, y o u have to be extra carefiil w i t h the files i n c:\windows directory since they may be legitimate.

© 2 016

Pedro Bueno

MS Sysinternals Process Explorer and TCPView Hands-On

Identifying and R e m o v i n g Malware

I n the M S Sysinternals Process Explorer and T C P V i e w section, w e start w i t h the following steps: Revert the V M w a r e Windows 7 image to the Snapshot Clean7. V M -> Snapshot - > Select Clean7 2.

Open the folder Course on the V M w a r e W i n d o w s 7 Desktop.

4.

Right-click the nasty.zip file and then select Extract A l l . Enter the password training without quotes.

5.

Double-click the new created folder; right-click the nasty.exe Administrator.

6.

R u n both tools and malware as Administrator!

Open the Part4

folder.

and select R u n as

N o w i t is your turn! 1. D o y o u see any suspicious activity on the machine, using both Process Explorer and TCPView? 2. W h i c h remote ports are involved? 3. Is i t using any method to ensure that i t w i l l be loaded at boot time?

4.

aces?

5. 6.

o u delete it?

Pedro Bueno

W i t h T C P V i e w y o u can notice that the malware is m a k i n g connections, but the process that is doing i t is not the malware process, but a W i n d o w s process, called TaskHost.exe. (Note that y o u may observe different behaviors on W i n d o w s 7 32 bit and W i n d o w s 7 64 bit).

This means that the malware injected its code into a legit w i n d o w s process to make i t harder for the analyst to find it.

W i t h the tools provided i n the folder, y o u can

After y o u delete it, t r y to r u n the

the autostart mechanism and the folder where i t is located.

and remove the

7. D i d the Autorun entry get removed?

N o w reboot the system and try to remove the A u t o r u n entry again.

10

© 2 016

Pedro Bueno

entry. Then scan again.

Identifying and Removing Malware Microsoft Sysinternals ListDLLs

and R e m o v i n g Malware

This page intentionally left blank.

Pedro Bueno

Microsoft Sysinternals ListDLLs (1) Introducing: ListDLLs Shows the DLLs loaded on the system, the processes associated with them, and the command line used by the process

Identifying and R e m o v i n g Malware

Microsoft Sysinternals L i s t D L L s

Introducing L i s t D L L s The L i s t D L L s tool is another tool developed b y Sysinternals, acquired b y Microsoft i n 2006. This tool can be downloaded at

L i s t D L L s is a command-line interface ( C L I ) tool that offers a simple and easy w a y to v i e w a l l D L L s loaded b y a process or service running on the system.

A s an output o f L i s t D L L , y o u can get:



Process name •

Command line used by the process/service • D L L s loaded b y the process/service

• F u l l path o f the D L L loaded

112



Version number o f the D L L •

Base Address

© 2 016

Pedro Bueno

Microsoft Sysinternals ListDLLs (2) • Some malicious software may inject a DLL into other processes and will not appear in a regular process listing application like Windows Task Manager •

e.g.: BHO (DLL injected on IE)

• ListDLLs can be helpful to identify injected DLLs on systems Identifying and Removing Malware

Microsoft Sysinternals L i s t D L L s (2)

Understanding L i s t D L L s The usual problem w i t h malware D L L s is that they are more difficult to than a regular process or service because they do not appear on a regular process listing application such as the W i n d o w s Task Manager.

The malicious D L L can be into a legitimate process or service, and then the malicious activity appears as coming from that process or service. The most common list o f services and processes used by malware for this purpose follow:

• •

Explorer.exe



Services.exe •

Winlogon.exe •

Iexplore.exe (Microsoft Internet Explorer)

O n Internet Explorer, the most common type o f D L L s injected are the Browser Helper Objects ( B H O ) . A l t h o u g h there are several B H O s , the malware may use them to include their malicious code inside I E .

L i s t D L L s can be used to identify malicious D L L s injected into a process or service while giving us a l l the information regarding the loaded D L L s .

Pedro Bueno

1

Malicious DLLs: Process Explorer View Fit

Process Explorer doesn't show any process or service that looks suspicious This may indicate one of two things: • A rootkit is hiding a process from us • A DLL was injected into a process, so you can't see all the processes

ftacess

Users

j|

53 ®

Process 0 •

interrupts

Interrupts .. 4 540 640

NT Log.. Microsoft.. Generic Host Pro.,. Microsoft,.: Generis Host Pro... Host Microsoft...

704 164 172 200

Can you see the threads in IE?

VMware Toots St.. She* Windows

Messenger Comma... Proa..

364

I d e n t i f y i n g and R e m o v i n g M a l w a r e

Malicious D L L s : Process E x p l o r e r View

Process E x p l o r e r Results Running Process Explorer i n this case was not o f much help. A l l processes shown seem to be normal. Besides the regular default services and processes from Windows X P , y o u have the f o l l o w i n g processes running:



VMware •

Messenger



TCPView •

Cmd.exe •

Process explorer •

Internet Explorer

For clarity, y o u can see the report generated b y Process Explorer (see next page).

114

© 2 016

Pedro Bueno

Process

PID

System Idle

0

Description 93.07 0.99

Interrupts DPCs System

Company Name

Hardware Interrupts Deferred Procedure Calls

4

0.99

540

Windows NT Session Manager

Microsoft Corporation

616

Client Server Runtime Process

Microsoft Corporation

winlogon.exe

640

Windows NT Logon Application

Microsoft Corporation

services.exe

684

Services and Controller app

Microsoft Corporation

Generic Host Process for Win32 Services

Microsoft Corporation

980

Generic Host Process for Win32 Services

Microsoft Corporation

svehost.exe

1148

Generic Host Process for Win32 Services

Microsoft Corporation

svehost.exe

1160

Generic Host Process for Win32 Services

Microsoft Corporation

spoolsv.exe

1292

Spooler Subsystem App

Microsoft Corporation

VMwareService.exe

1456

VMware Tools Service

VMware, Inc.

svehost.exe

1876

Generic Host Process for Win32 Services

Microsoft Corporation

lsass.exe

704

L S A Shell (Export Version)

Microsoft Corporation

explorer.exe

1860

Windows Explorer

Microsoft Corporation

VMwareTray.exe

164

VMwareTray

VMware, Inc.

VMwareUser.exe

172

VMwareUser

VMware, Inc.

msmsgs.exe

200

Messenger Client

Microsoft Corporation

Tcpview.exe

360

0.99

endpoint viewer

1636

procexp.exe

1832

IEXPLORE.EXE

364

3.96

Sysinternals

Windows Command Processor

Microsoft Corporation

Sysinternals Process Explorer

Sysinternals

Internet Explorer

Microsoft Corporation

© 2 016

Pedro Bueno

115

The Internet Explorer process that is running is the one the user is using to browse the Internet, so i t is a legitimate process.

Because we are still watching the unwanted pop-up dialog activity and we cannot see any obviously suspicious process or service running, i t may indicate one o f two things:



A rootkit may be installed on the system, preventing us from seeing the malicious process running •

A D L L may be injected into a legitimate process and is w h y i t is not showing up on any process listing software such as Task Manager or Process Explorer.

A good start is verifying the individual threads o f Internet Explorer to see i f y o u can identify anything suspicious.

16

© 2 016

Pedro Bueno

Malicious DLLs: Process Explorer: Threads View Double-clicking any selected process or thread in Process Explorer shows the properties of the file

|

| Graph

]

On the Threads tab it is possible to see all threads associated with that process Hard to know all drivers and on the system to tell which one may be malicious: WebAssist.dll, IEXPLORE.EXE, WININET.dll, ntdll.dll, kernel32.dl, RPCRC4.DLL, mshtml.dll, and WINMM.dll

Thread Start

AM:

Staler

Time:

car

|

Identifying a n d Removing Malware

Malicious D L L s - Process Explorer: Threads V i e w

Listing Threads with Process E x p l o r e r Process Explorer is a great and useful tool. One great feature from Process Explorer is the capability to show the various threads spawned from a process or service. Simply double-clicking a selected process or service shows its properties w i t h several tabs. Choosing the Threads tab shows all threads associated w i t h the selected process.

A l t h o u g h i t is useful information, i t can sometimes be hard to identify suspicious information based o n the Threads report alone because i t is hard to k n o w w h i c h dlls and drivers are malicious.

O n the Internet Explorer process, y o u can see the f o l l o w i n g threads:

• • IEXPLORE.EXE





WININET.dll •

ntdll.dll •

kemel32.dll •

RPCRC4.DLL •

Mshtml.dll •

Wdmaud.drv WINMM.dll

So unless y o u are the Microsoft developer or an Internet Explorer expert, i t is not easy to say i f something is malicious based only on the preceding report.

© 2 016

Pedro Bueno

117

Malicious DLLs: HijackThis View Micro HijackThis -



Process Explorer wasn't of much help • A system scan with HijackThis might shed some light •

of

Be

button. do Is to

best 02 -

no** The and

the

to

WebAssist -

-



[VMware Took] CM • -

button: Extra - Service;

-

-

Packet Capture Protocol v.O

-

1 BHO called WebAssist

Is it injected only into Internet Explorer?

Upload to to

|

I d e n t i f y i n g and R e m o v i n g

Malicious D L L s :

Bringing

View

to the G a m e

Process Explorer wasn't o f much help because we could not see any suspicious process or service, and the I E threads information also d i d n ' t show much information that could lead to the culprit.

Another shot that we can try is w i t h HijackThis, and this time we get more usefiil information.

HijackThis reports 1 Browser Helper Object ( B H O ) called WebAssist WebAssist.dll. I t is also one o f the threads from Internet Explorer that Process Explorer showed. N o w i t is possible to understand what i t was doing here. Because i t is a B H O , i t w i l l always be loaded w i t h Internet Explorer!

The

report:

0 2 - B H O : WebAssist - {85589B5D-D53D-4237-A677-46B82EA275F3} -

0 3 - Toolbar: & R a d i o -

04 04 -

[ V M w a r e Tools]

-

F i l e s W M w a r e W M w a r e ToolsWMwareTray.exe

[ V M w a r e User Process] ToolsWMwareUser.exe

FilesWMwareWMware

0 4 - HKCU\..\Run: [MSMSGS]

/background

0 9 - Extra button: Related -

118

-

© 2 016

Pedro Bueno

0 9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-lld2-a20b-00aa003cl57a} 0 2 3 - Service: Remote Packet Capture Protocol v.O (experimental) (rpcapd) - C A C E Technologies 0 2 3 - Service: V M w a r e Tools Service ( V M T o o l s ) - V M w a r e , Inc. F i l e s W M w a r e W M w a r e ToolsWMwareService.exe

So n o w y o u k n o w that this WebAssist.dll is injected into Internet Explorer, hut can y o u be sure that i t is injected only i n Internet Explorer? This is important information because y o u need to k n o w this when t r y i n g to remove i t from the system.

© 2 016

Pedro Bueno

1

Microsoft Sysinternals ListDLLs: Listing the DLLs • Time to get more info with listdlls.exe • Best to redirect the output to a text file for later processing: • Basic usage of ListDlls.exe



>

Take your time to carefully read it!

Identifying and R e m o v i n g Malware

Microsoft Sysinternals L i s t D L L s : Listing the D L L s

Using L i s t D L L s Sometimes, y o u may need to get information about the D L L s loaded on a system, and Windows does not offer a w a y to get this information. U s i n g the Microsoft Sysinternals L i s t D L L s tool can give y o u a complete v i e w o f the processes and D L L s loaded w i t h them.

The basic usage o f listdll is

C:\listdlls.exe

This command line generates the output directly on the screen making reading the information quite difficult. One option is to use the pipe "|" option and the more command: C:\listdlls.exe | more

This option still generates the output o n the screen but pauses w h e n the information fills the screen so that y o u have time to read it before going to the next screen.

The other option is to redirect the output to a text file, so y o u can read i t w i t h a text editing application like notepad.

Another possibility is to use the

120

function o f Process Explorer to search for a

© 2 016

Pedro Bueno

Microsoft Sysinternals ListDLLs: Results (1) Excerpt from listdlls.exe result.txt output: 828 Command

line:

"C: \Program

Base

Size

0x762a0000 0x76f90000 0x76620000 0x76600000 0x76670000

OxfOOO 0x10000 0x4e000 OxlbOOO 0xe4000

Files\Internet

Version

Explorer\IEXPLORE.EXE"

Path

5.01.2600.0000 C:\WINDOWS\system32\MSASNl.dll C:\WINDOWS\System32\Secur32.dll 5.01.2600.0000 C:\WINDOWS\System32\cscui.dll 5.01.2600.0000 C:\WINDOWS\System32\CSCDLL.dll 5.01.2600.0000 C:\WINDOWS\System32\SETUPAPI.dll 2.01.0000.0000 0x760f0000 0x78000 6.00.2600.0000 C:\WINDOWS\system32\urlmon.dll

I d e n t i f y i n g and

Malware

Microsoft Sysinternals L i s t D L L s : Results

L i s t D L L s Output The output generated h y L i s t D L L s is quite simple to understand:

For each Process and Service i t gives the process name and process I D (PID), the command line used to load it, and the list o f D L L s loaded w i t h it. For each D L L i t gives the f o l l o w i n g information: Base Address Size ( i n hexadecimal) Version Number DLL

Here is an excerpt o f the L i s t D L L s output from Internet Explorer:

I E X P L O R E . E X E p i d : 828 Command line: Base

Size

Version

0x00400000 0x19000

6.00.2600.0000

0x77f50000 0xa9000

5.01.2600.0000

0x77e60000 0xe5000

5.01.2600.0000

0x77d40000 0x8d000

5.01.2600.0000

Path

C:\WINDOWS\system32\USER32.dll

© 2 016

Pedro Bueno

0x77c70000 0x40000

5.01.2600.0000 C:\WINDOWS\system32\GDI32.dll

0x77dd0000 0x8b000

5.01.2600.0000

0x77cc0000 0x75000

5.01.2600.0000

0x772d0000 0x63000

6.00.2600.0000

C:\WINDOWS\system32\SHLWAPI.dll

0x771b0000 OxllaOOO 5.01.2600.0000 C:\WINDOWS\system32\ole32.dll

122

0x75f80000 OxfcOOO

6.00.2600.0000

0x72430000 0x12000

6.00.2600.0000 C:\WINDOWS\System32\browselc.dll

0x76200000 0x97000

6.00.2600.0000 C : \ W I N D O W S \ s y s t e m 3 2 \ W I N I N E T . d l l

0x10000000 0x35000

2.01.0000.0000

0x760f0000 0x78000

6.00.2600.0000 C:\WINDOWS\system32\urlmon.dll

Pedro Bueno

Microsoft Sysinternals ListDLLs: Results (2) From the report, you can see three things that make the WebAssist.dll file suspicious •

The Base address The Version number • •

Path

To check if it is injected in any other process, you can search for its dll name: •

exe -d webasslst. dll >

txt

IEXPLORE.EXE pid: 828 Command line: "C:\Program Files\Internet Explorer\IEXPLORE.EXE" Base Size Version Path 0x10000000 0x35000 2.01.0000.0000 •

It shows that this DLL is part only of Internet Explorer I d e n t i f y i n g a n d Remolding M a l w a r e

Microsoft Sysinternals L i s t D L L s : Results (2)

L i s t D L L s Output U s i n g the L i s t D L L s tool y o u can see three things that make WebAssist.dll suspicious when compared w i t h the other loaded D L L s :

Base Address Version Number Path

Base Address

F r o m the f o l l o w i n g excerpt, notice that most D L L s are loaded on base address:

0 x 7 X X X X X X X range w h i l e the WebAssist.dll is on base address

0x00400000 0x77f50000

0xa9000

0x19000

6.00.2600.0000 5.01.2600.0000

0x77e60000

0xe5000

5.01.2600.0000

Explorer\IEXPLORE.EXE

0x77d40000

0x8d000

5.01.2600.0000

C:\WINDOWS\system32\USER32.dll

0x771b0000

OxllaOOO

5.01.2600.0000

C:\WINDOWS\system32\ole32.dll

0x75f80000

OxfcOOO

6.00.2600.0000

0x72430000

0x12000

6.00.2600.0000

C:\WINDOWS\System32\browselc.dll

Pedro Bueno

0x76200000 0x97000 6.00.2600.0000 C : \ W I N D O W S \ s y s t e m 3 2 \ W I N I N E T . d l l 0x10000000 0x35000 2.01.0000.0000 C:\WINDOWS\WebAssist.dll 0x760f0000 0x78000

6.00.2600.0000 C:\WINDOWS\system32\urlmon.dll

Version Number

I n addition, from the same excerpt, notice that most version numbers are 6.00.2600.0000 or 5.01.2600.0000. has the version number 2.01.0000.0000. Usually the Microsoft D L L s tend to follow the format: . < M i n o r Version For example, the Kernel32.dll has the version number o f 5.01.2600.0000, w h i c h means: 5.01 - W i n d o w s X P , 2600 means the released W i n d o w s X P . W i n d o w s X P SP2 has a b u i l d number o f

Path

As y o u can see from the excerpt, most D L L s loaded are from the default system directory (c:\windows\system32). The WebAssist.dll is loaded from the W i n d o w s directory (c:\windows).

Note: These are usually just indicators that something might not be right according to the default system behavior, but they cannot be seen as definitive checks to identify malware!

Another good search was performed w i t h L i s t D L L s to search a l l processes and services that may have W e b A s s i s t d l l loaded. Usually searches for specific D L L s can be done w i t h C:\listdlls.exe - d .

I n this case, y o u can see that i t returned only Internet Explorer.

© 2 016

Pedro Bueno

Getting Information About the DLL • •

What does Windows have to say about this DLL? Every DLL usually has this information: •

Company •



File Version Internal Name Language Product Name

• • •

Product Version •

Copyright Description •

That is not the case with the DLL! Also, doesn't show Microsoft Copyright OK

Identifying and R e m o v i n g Malware

Getting Information about the D L L

Using Windows E x p l o r e r to See Missing Points W i n d o w s Explorer can also be used to try to identify missing aspects or attributes from the suspicious D L L . Usually, a D L L w i l l have the f o l l o w i n g fields filled w i t h information:





File version •

Description o f the D L L •

Copyright from the company Internal Name



Language •

Product Name •

Product Version

W h e n going to the C:\Windows folder and right-clicking the WebAssist.dll, y o u can see that i t has an incomplete version o f 2.1.0.0 and an empty Description and Copyright messages. Also, i t has only the fields File Version, Language, Product Name, and Product Version.

These are good indications that this is not something legitimate and that it can be safely removed without crashing the system.

© 2 016

Pedro Bueno

ListDLLs and HijackThis Summary Summary: • Computer browsing showing undesired popups • HijackThis found a BHO called WebAssist • ListDLLs shows that this dll is injected only into Internet Explorer • ListDLLs and Windows show suspicious traces from the DLL I d e n t i f y i n g and R e m o v i n g M a l w a r e

L i s t D L L s and H i j a c k T h i s Summary This is the summary o f what we have found:

• • •

A computer showing undesired behavior o f pop-ups when user is browsing on the Internet. HijackThis found a B H O on Internet Explorer. L i s t D L L s show that this WebAssist.dll is loaded only w i t h Internet Explorer. The D L L presents traces like Base Address, Version Number, and other D L L information that makes it highly suspicious!

126

>2016 Pedro Bueno

Removing the Malicious DLL: HijackThis (1) • Next steps: Clean the system, test, and remove it • Clean the BHO • Test the browser • Delete the file

Identifying and R e m o v i n g Malware

Removing the Malicious D L L : H i j a c k T h i s (1)

Next Steps I n the previous actions, w e got enough information to consider that D L L to be a malicious piece o f code. I t is now time to take some actions.

The suggested actions i n this case are:





Clean the B H O from the system. •

Test the browser to see i f it is w o r k i n g properly. Delete the

from the system.

Pedro Bueno

127

Removing the Malicious DLL: HijackThis (2) • • • •

The easiest way to get rid of BHOs is using HijackThis Close all Internet Explorer and Windows Explorer windows first Select the BHO box and click Fix Checked button Confirm

To*] Iter Process] 0* 09 -

-

-

-

e





Identifying and

Removing the Malicious D L L : H i j a c k T h i s (2)

Removing the B H O Removing B H O s is not an easy task because i t involves something that is linked to the browser. The safest and easiest w a y to remove those malicious, or just annoying, B H O s is b y using the previously discussed friend

I t involves just three simple rules:

Because y o u w i l l remove an Internet Explorer component, i t is recommended to close all M S I E and W i n d o w s Explorer windows first so that the change can take effect. 2.

R u n the System Scan on HijackThis and check the B H O box from the WebAssist B H O . C l i c k F i x Checked button and confirm!

128

© 2 016

Pedro Bueno

Removing the Malicious DLL: HijackThis (3) • Rescan the system! Below are t h eresults the B ecareful w h a t y o u delete with t h e checked' S c a n results d o n o t whether a n bad not. T h e best thing to d o to and show the file t o k n o w l e d g e a b l e folks. - Toolbar: -

[VMware Tools] [VMware User [MSMSGS] "C;\Program

-

/background

Extra button: Related - Extra menuitem: Show Links - Service: R e m o t e Packet C a p t u r e Protocol v.O (experimental) (rpcapd) - C A C E Technologies -

• No traces from the BHO! Identifying and Removing Malware

Removing the Malicious D L L : H i j a c k T h i s (3)

E n s u r i n g the Removal

When y o u confirm the

operation, i t removes the B H O from Internet Explorer.

Just to be sure the removal happened successfully, performing another scan is recommended.

On the report, y o u can see that there is no longer any trace o f the WebAssist B H O : 0 3 - Toolbar: & R a d i o 04 04 -

[ V M w a r e Tools]

F i l e s W M w a r e W M w a r e ToolsWMwareTray.exe

[ V M w a r e User Process] ToolsWMwareUser.exe

04 -

FilesWMwareWMware

[MSMSGS]

/background

0 9 - Extra button: Related 0 9 - Extra

-

menuitem: Show &Related L i n k s -

-

0 2 3 - Service: Remote Packet Capture Protocol v.O (experimental) (rpcapd) - C A C E Technologies 0 2 3 - Service: V M w a r e Tools Service ( V M T o o l s ) - V M w a r e , Inc. F i l e s W M w a r e W M w a r e ToolsWMwareService.exe

© 2 016

Pedro Bueno

129

Removing the Malicious DLL Next steps: Clean the system, test, and remove it • Clean the BHO • Test browser • Delete the file

Identifying and R e m o v i n g Malware

Removing the Malicious D L L

Next Steps The first step was done successfully, and there are no traces o f the B H O . N o w i t is time to move to the next step, w h i c h is to open Microsoft Internet Explorer and test i t to ensure that no other suspicious activity has occurred i n its place, and confirm that y o u have stopped the unwanted pop-ups.

Also, ensure that the browser is w o r k i n g normally, as sometimes the B H O takes over some functionality and changes settings for D N S or LSPs, w h i c h renders the browser unusable without the B H O loaded.

130

© 2 016

Pedro Bueno

Backup Before Remove with HijackThis •



In general, removing BHOs not cause any problems on your machine or browser because they are just add-ons for the Internet Explorer In the case of a browser complaining about the missing BHO, you can always restore from the HijackThis Backup! "Configuration



• •-

| •



| |

Backups

Misc Tools

j

is y o u r of items t h a t w e r e b a c k e d u p . can restore them (causing to re-detect them unless you place them on the or delete t h e m from (Antivirus programs m a y

| Delete

|

D e l e t e ell

j

and R e m o v i n g Malware

Backup Before Remove with

Using

Backups

I n general, removing B H O s from Internet Explorer is an easy and safe task. I t w i l l not cause any harm to the computer or the browser because they are created as add-ons for Internet Explorer and are not an intrinsic part o f it. I n case something went w r o n g or y o u are missing a legitimate B H O , y o u can use the HijackThis backup.

Every time removes a B H O , i t creates a backup list on the system w i t h a l l items removed b y it. The Backup list is under the M a i n menu on a button called V i e w the List o f backups. W h e n y o u click V i e w the list, it goes to the backup list. Here y o u have the option to select the backup item and restore i t to the original place (putting a B H O back to I E , for example).

Pedro Bueno

131

Removing the Malicious DLL (1) Next steps: Clean the system, test, and remove it • Clean the BHO • Test browser • Delete the file

Identifying and

Malware

Removing the Malicious D L L (1)

Next Steps N o w that y o u removed the B H O from I E and tested the browser to see i f everything is w o r k i n g correctly, y o u can assume that the previous steps were successful and that y o u can delete and permanently remove the D L L from the system. The next step focuses on finding and deleting the D L L that was acting as a B H O .

©2016

Pedro Bueno

Removing the Malicious DLL (2) • Because you already know the path of the DLL, which is c:\windows\ webassist.dll, you can just go there and delete the file • Now, there is a difference if you do it after or before run HijackThis

Identifying and R e m o v i n g Malware

Removing the Malicious D L L (2) I n previous actions, y o u found the D L L was located on the c:\windows directory as listed on the L i s t D L L s report:

0x10000000 0x35000 2.01.0000.0000

C:\WINDOWS\WebAssist.dll

So n o w y o u can just go to this directory and delete the I t is important to k n o w there is a difference i f y o u do this after or before y o u r u n HijackThis to remove the B H O .

Pedro Bueno

133

Removing the Malicious DLL: HijackThis and Prompt DOS • Deleting after using HijackThis: • Another nice feature from HijackThis is that when you decide to Fix it, it will also remove the file. So you will not find it

File C=

in Serial of Not Found

C

.d l l no is

X.

Identifying and Removing Malware

Removing the Malicious D L L : HijackThis and Prompt D O S I f y o u decide to follow the steps and delete the

after running HijackThis, y o u can notice that there is no

WebAssist.dll on the c : \ W I N D O W S directory anymore and therefore y o u need not delete i t .

The reason for this behavior is that HijackThis already d i d i t for us! W h e n y o u run the System scan on HijackThis and check an item and F i x it, i t w i l l also move the associated w i t h that B H O to a quarantine space, so y o u w i l l not find i t i n the original path location. The quarantine space is used for backup purposes that y o u can restore i t later i f needed.

Please note that depending on the state o f the Internet Explorer process, the HijackThis, so a manual delete w o u l d be needed.

© 2 016

Pedro Bueno

w i l l not be deleted b y

Removing the Malicious DLL: Prompt DOS (1) Deleting before using HijackThis: • In this case, you can go directly to the dll it path and : ir Uolume i n drive C S e r i a l Number Directory

no l a b e l .

84,992 84,992 bytes

1 0

free

Identifying and R e m o v i n g Malware

Removing the Malicious D L L : Prompt D O S (1) I f y o u decide to go directly to the path found by L i s t D L L s and delete the WebAssist.dll before running HijackThis, y o u can list i t w i t h D I R and delete i t w i t h the regular D E L command.

Basically:

C:\windows\dir webassist.dll

08/07/2007

09:41 A M

84,992 W e b A s s i s t d l l

A n d delete it:

C:\windows\del webassist.dll

© 2 016

Pedro Bueno

Removing the Malicious DLL: Prompt DOS (2) Deleting before using HijackThis C no Uolume S e r i a l Number i s S 8 F 7 - E G 7 C D i r e c t o r y of 09:41 84,992 File > 0 Dir

WebAssist.dll bytes bytes free

HijackThis will show a "file missing" message show

Ma



(He •

.

I d e n t i f y i n g and R e m o v i n g M a l w a r e

Removing the Malicious D L L : Prompt D O S (2) After a successful fde deletion, you may want to run HijackThis to see i f y o u did the j o b right. The System Scan from HijackThis still reports the presence o f a B H O on the system. Because y o u manually removed the fde, it reports that the B H O trace is there, but the D L L associated w i t h it is not:

0 2 - B H O : WebAssist - {85589B5D-D53D-4237-A677-46B82EA275F3} - C:\WINDOWS\WebAssist.dll missing)

This means the B H O trace is there i n I E , but the D L L that makes the B H O w o r k is not. The best thing to do i n those cases is to check the B H O box and click the Fix Checked button so that removes the B H O traces from the system.

Note, however, that because y o u manually removed the folder and hence you cannot restore it from a backup later!

136

© 2 016

Pedro Bueno

cannot store i t i n the quarantine items

Identifying and Removing Malware Fighting Alternate Data Streams (ADS)

Identifying and Removing Malware

This page intentionally left blank.

© 2 016

Pedro Bueno

Understanding ADS Questions to be answered: • What are ADSes? • Are all ADSes malicious? • Can Windows show ADSes on files? • How can you identify ADSes on the system? • How can you remove malicious ADSes from the system? Identifying and R e m o v i n g Malware

Understanding

Introduction I n this module, y o u learn h o w to fight Alternate Data Streams.

First, w e take a look at the different parts o f files and attempt to determine whether they are malicious. Then, w e identify Alternate Data Streams ( A D S ) on the system using W i n d o w s internal tools. W e then take a look at some external tools. W e also take a look at h o w to remove them.

138

© 2 016

Pedro Bueno

What Are ADS? • What are ADSes? • Introduced on NTFS file system • Way to add an alternative stream of information/data onto an existing file • The size of the alternative stream matter

Identifying and Removing

Are ADSes? Alternate Data Streams were added i n the N T F S file system, w h i c h means that y o u w o n ' t have it on systems that use the F A T system. I t appears that Microsoft hasn't fully developed this feature due to the lack o f Microsoft documentation on i t .

Basically, i t was created and introduced i n N T F S on W i n d o w s N T to provide compatibility w i t h Apple's Macintosh Hierarchical File System (HFS) and was completely ignored and forgotten.

W i t h o u t getting into details about the system, what y o u need to understand is that i t allows every in N T F S to create an A D S , w h i c h is a hidden file associated w i t h the initial As a hidden it provides a nice w a y to hide malicious software, configuration files, illegal files, and any other content that y o u w o u l d like to keep hidden.

Another thing is that N T F S doesn't care about the size o f the A D S . For example, y o u can have a large binary file as an A D S attached to a single small text file.

Pedro Bueno

139

ADS: Always Malicious? • Are all ADSes malicious? • Simple answer: No • Extended answer: Maybe • Some AV vendors use it • Kaspersky AV is an example

• Starting in XP SP2 Windows also uses it as file "zone identifier" • What about Backdoor Identifying

Removing Malware

A D S : Always Malicious?

A r e A l l A D S e s Malicious? I a m tempted to answer yes, but the right answer is no.

A l t h o u g h most users, even W i n d o w s , ignore A D S . Some do use i t , and even Microsoft started to use i t w i t h Internet Explorer on X P SP2. Kaspersky antivirus vendor also used the A D S feature, called iStreams h y Kaspersky, w h i c h added an A D S to each scanned file to speed up subsequent scans. This feature was abandoned after Kaspersky released version 6 o f its A V product and w h i c h also has an option to delete those streams left on the system.

For more information on this, visit http://www.kaspersky.com/faq?qid=156636746.

W i n d o w s also started to use streams as a "security" feature. Since W i n d o w s X P SP2 a l l files originating from the Internet got an A D S to identify the Zone (Trusted, zones) i t came from. This allows W i n d o w s to warn the user i f they try to execute the file.

For example, a file received through Google Talk I M program w i l l have an A D S like:

[ZoneTransfer] ZoneId=3

I n addition, i f you right-click a safe i n an A D S .

140

i n W i n d o w s File Explorer, select properties, and add a summary, i t w i l l be

© 2 016

Pedro Bueno

W h a t About Backdoor Poisonlvy? This backdoor is created using a graphical utility. A l t h o u g h there have been no developments o f this graphical u t i l i t y since the end o f 2007/2008, as o f 2015, we have seen several backdoors created w i t h this tool. This is because the S D K for i t is also available. One o f the options is to install i t as an A D S on the infected machines, making i t harder to be identified.

© 2 016

Pedro Bueno

How to Identify an ADS? (1) • How do you identify an ADS? • Several external tools can Identify and remove an ADS • Our example focuses on: • A CLI tool from Sysinternals called Streams • A GUI tool from

Identifying and Removing

H o w Do Y o u Identify an A D S ? (1) Various tools identity ADSes on a system, such as L A D S from Heysoft, w h i c h y o u can (not W i n d o w s 7 compatible).

at

Today, most antivirus and antispyware products also detect A D S .

I n this module, you learn h o w to deal w i t h an A D S using t w o tools:

• •

142

A C L I tool called streams, from Microsoft Sysinternals, w h i c h can be downloaded at A G U I tool that was already used for other purposes, the HijackThis tool.

© 2 016

Pedro Bueno

How Do You Identify an ADS (2) • Windows 7 now has a simple but effective option for when you need something fast! • Regular Dir output: 0 4 : 1 7 PM 1 File

13 sec581.txt 13 bytes

Dir /R output: 04:1? PM 1 File(s>

13 s e c 5 0 1 . t x t 14 13 and R e m o v i n g Malware

How Do Y o u Identify an A D S ? (2) O n W i n d o w s 7, Microsoft included an extra option that can be used i n the already familiar dir.

W h e n using the dir command w i t h the option

i t also shows files w i t h the possible A D S present.

O n the slide, y o u can clearly see this i n the example used w i t h the sec501.txt. W h e n y o u use a simple dir w i t h no options, i t shows just the regular file; but w h e n y o u use the dir i t shows the regular file plus the file and the A D S attached to i t .

© 2 016

Pedro Bueno

143

MS Sysinternals Streams Tool (1) • Introducing Sysinternals Streams • Scans the system, recursively if needed, and shows all the ADSes on the system with full path. Can also be used to delete an ADS

Identifying and Removing Malware

M S Sysinternals Streams Tool (1)

Introducing Streams The Streams tool is another tool developed by Sysinternals.

This tool can be downloaded at

Streams is a C L I tool that can scan a single a directory, or the hard drive searching for ADSes. I t can also be used to delete those ADSes from the files and directories. I f an A D S is found, the output w i l l be the full path o f the regular file plus the A D S "attached" to i t using the as a delimiter.

Example: C:\windows\clock.avi:testADS.txt

This means that the file clock.avi, which is i n the c:\windows directory, has an A D S called testADS.txt.

144

© 2 016

Pedro Bueno

MS Sysinternals Streams Tool (2) • Scanning the system with streams: • Using command-line interface: •

To scan a single directory Example: C: \streams. •

exe c: |

windows\system32

To scan recursively all directories Example: C: \streams.

exe -s c: \

This command searches the entire hard drive c: for files with streams associated with them.

Identifying and R e m o v i n g Malware

M S Sysinternals Streams T o o l (2)

Streams Basic Usage Streams lets y o u scan a single file, a single directory, or a l l files and directories on the hard drive b y scanning all folders recursively. The basic usage to scan a single file is Streams.exe

To scan a directory w i t h all subfolders: Streams.exe -s

For example, scanning the W i n d o w s directory, including a l l subfolders: C:\streams.exe -s c:\windows

Streams

- Enumerate alternate N T F S data streams

Copyright (C)

M a r k Russinovich

Sysinternals -

: testADS.txt:

This shows the A D S testADS.txt on the A D S is 10 bytes.

clock.avi inside the folder c:\windows, and the

© 2 016

Pedro Bueno

size o f the

Hands-on

Identifying and R e m o v i n g M a l w a r e

O n the M S Sysinternals Streams part, w e start w i t h the f o l l o w i n g steps:

Revert the V M w a r e W i n d o w s 7 image to the Snapshot V M - > Snapshot - > Select Clean7 2.

Open the folder Course on the V M w a r e W i n d o w s 7 Desktop.

3.

Open the Part6 folder.

4.

Right-click the badads.zip file, and then select Extract A l l . Enter the password training.

5.

Double-click the new created folder; right-click the badads.exe file, and select Run as Administrator.

6.

Run both tools and malware as Administrator!

N o w , continue to follow the slides doing the same on the V M w a r e W i n d o w s 7 image.

146

© 2 016

Pedro Bueno

MS Sysinternals Streams Tool • Using Streams.exe: -s v i . 5 3 - Enumerate a l t e r n a t e NIPS data streams Copyright 1999-2005 Mark Sysinternals 31 125

• Two files with streams found: • C:\windows\system32\putty.exe with ADS config2.txt • C:\windows\system32\wupdmgr.exe with ADS config.txt

Identifying and R e m o v i n g M a l w a r e

MS Sysinternals Streams T o o l O u r Learning Example I n this module, y o u look at examples o f t w o ADSes on the system, and y o u learn h o w to identify what they do and how to remove them i f y o u decide that they are malicious. Copy the streams.exe from the Part 6 folder to your desktop. Start w i t h streams doing a f u l l scan on the System32 folder looking for a l l ADSes:

-s c:\windows\system32\ Streams

1.56 - Enumerate alternate N T F S data streams

Copyright (C)

M a r k Russinovich

Sysinternals -

Error opening c:\pagefile.sys: The process cannot access the fde because i t is being used b y another process.

c:\WINDOWS\system32\putfy.exe: 129

:config.txt:$DATA 33 So, y o u

t w o ADSes attached to t w o legitimate files: • •

putty.exe w i t h the A D S Wupdmgr.exe w i t h the A D S config.txt

Pedro Bueno

147

HijackThis ADS Spy Tool (1) Another easy way to identify an ADS is with HijackThis The HijackThis misc. tool ADS Spy can search for an ADS on the system Be sure to uncheck: •

Quick Scan •

Ignore Safe ADS

|

[

Backups

j [

Misc Tools

scan Ignore safe system

: bytes)

Scan complete. Scan

log...

J

selected

[

Upload to I

Identifying and R e m o v i n g

H i j a c k T h i s A D S Spy Tool (1)

O u r L e a r n i n g Example The HijackThis tool also offers an easy w a y to identify and later remove an A D S from the system. O n the M i s c Tools section, i t offers a t o o l called HijackThis A D S Spy. I t also allows y o u to search a l l files and directories on the hard drive looking for A D S anywhere on the system.

B y default, the tool scans only the W i n d o w s folder and ignores a list o f ADSes that are k n o w n to be safe. So to get a complete v i e w o f the system, i t is recommended to uncheck these check boxes:



Quick Scan (Windows base folder only) •

Ignore safe systems info streams

A n d scanning the system, y o u

the same t w o streams that the Sysinternals tool found:

C:\WINDOWS\system32\putty.exe :

(33 bytes)

C:\WINDOWS\system32\wupdmgr.exe : config.txt (129 bytes)

148

Pedro Bueno

HijackThis ADS Spy Tool (2) Summary • Two ADSes were found attached to legitimate files: •

Looks like the SSH Client • Wupdmgr.exe: Looks like part of Windows Update

• Are they malicious? • Can you remove them?

Identifying and Removing Malware

H i j a c k T h i s A D S Spy

(2)

Summary A t this point i n the example, y o u scanned the system and found two ADSes attached to files that normally w o u l d have no reason to have an A D S hidden i n them:



Putty.exe •

Wupdmgr.exe

Also, the A D S names config.txt and make them at least somewhat suspect because they sound like configuration files. The next step is to identify whether they are malicious and, i f they are determined to be malicious, determine how to remove them from the system.

©2016

Pedro Bueno

ADS and TaskManager • Running putty.exe didn't show the ADS on Windows Task Manager Windows Task

)|

j-

View J Applications j

Help j Services

Image Name

Networking | Users

User

me

CPU

Memory

]

, .

X fc-ty

labOl labO A.

ra-jk-rrrgr •

labOl labOl

SSH , Most Pr

OO 1,62D 1,42-4 1 5,384 832

processes from all

P r o c e s s e s : 3S

Usage:

Process

Physical Memory:

I d e n t i f y i n g and R e m o v i n g M a l w a r e

A D S and TaskManager

H o w Does Windows See A D S ? O n this and the following slides, w e show h o w W i n d o w s sees the A D S . O n this slide, we opened the Putty.exe from the c:\windows\system32 folder, w h i c h has the A D S Then, w e opened W i n d o w s Task Manager to check h o w i t sees a fde that has an A D S attached to i t . W i t h Task Manager opened (shortcut y o u can check both the Applications and Process tabs.

O n the Application tab, y o u can see that a process called Putty running, w h i c h is normal because y o u just opened it. I f y o u click the Process tab, you can also see putty.exe running. I n neither case can y o u determine whether there is an A D S attached to i t .

150

© 2 016

Pedro Bueno

ADS and Command Prompt Dir • Using command line using the switch /r

help,

putty.exe i n drive C no l a b e l . S e r i a l Number i s 788B-2E07 D i r e c t o r y of PM i File 0 Dir

483,328 putty.exe bytes bytes free

/ r putty.exe Uolume in drive G bas no l a b e l . Uolume S e r i a l Number i s Directory of PM 1 0 Bir

putty.exe 483,328 bytes 57,404,989,440 bytes free

Identifying and Removing Malware

A D S and C o m m a n d Prompt D i r

How Does Windows See A D S ? I n an attempt to identify A D S w i t h built-in W i n d o w s tools, y o u can see that Task Manager doesn't show anything. N o w t r y to list the files to see whether y o u can determine the presence o f an A D S . Using the dir command doesn't help. I t shows only the regular files and filenames.

Fortunately, Microsoft improved the dir command w i t h new features, and since W i n d o w s Vista, the dir command offers a switch that shows the A D S .

As y o u can see i n the slide, using dir w i t h the /r switch shows the A D S for us. B u t remember that i f y o u are on W i n d o w s X P , there is no such option.

© 2 016

Pedro Bueno

ADS and Windows Explorer • Windows Explorer shows both files, but doesn't show the ADS!

Computer • [ J Open

Local



Windows

New folder Name



Desktop

System32 •

Type

Date

i

Size

DAT He

Downloads

PM

Recent Places

PM

sett,..

PM Libraries

PM

j

. raj

Application

oral

and Removing Malware

A D S and Windows E x p l o r e r

How Does Windows See A D S ? Our tests w i t h W i n d o w s TaskManager and dir d i d n ' t reveal any information on the A D S , so the next test is w i t h W i n d o w s Explorer. Opening W i n d o w s Explorer on the folder c:\windows\system32 y o u can see both files but still no trace o f the A D S .

© 2 016

Pedro Bueno

Working on the ADS Files • The two files identified by the ADS tools look suspicious by: • Their location (windows\system32) • Where they are attached: putty.exe and wupdmgr.exe • The ADS names config.txt and config2.txt

• But before you remove them, you need to be sure they are malicious I d e n t i f y i n g and R e m o v i n g M a l w a r e

W o r k i n g on the A D S Files

Identifying the A D S Content W e already have a lot o f information about the two ADSes:



They are located i n the

directory.

They are attached to two files on the Windows folder. •

They have suspicious names that look like configuration files.

Normally, this w o u l d be enough to warrant removing them from the system, but it w o u l d be better i f we could be totally sure first. So now y o u have to find out what those ADSes are.

© 2 016

Pedro Bueno

Accessing the ADS Files • Because you cannot see the ADS using Windows Explorer, you could try to access them directly from CLI: • Using Type: C:\windows\system32\type putty.exe:config2.txt

• Using More C:\windows\system32\more putty.exe:config2.txt

Identifying and R e m o v i n g

Accessing the A D S Files

Identifying the A D S Content Y o u already k n o w that y o u cannot see the A D S from W i n d o w s Explorer or from the dir command line. B u t y o u could try w i t h a couple o f other utilities from W i n d o w s such as:

more type

Usually to see a text file, y o u can use these two utilities to open them. The basic syntax for either o f the commands is:





type [filename] more [filename]

© 2 016

Pedro Bueno

Accessing the ADS Files: DOS Prompt • Type returns a syntax incorrect message • More returns a cannot access message • Looks like neither recognize ADS files! The

directory

or

label syntax is incorrect.

Cannot access f i l e

Identifying and R e m o v i n g Malware

Accessing the A D S Files: D O S Prompt

Identifying the A D S Content

Note that you may notice different behavior on Windows 7 32-bit and Windows 7 64-bit.

Neither o f the utilities produced a nice result. Type returned the following:

The filename, directory name, or volume label syntax is incorrect.

M o r e returned the following:

Cannot access

But that's because we were using it in the wrong way!

The more u t i l i t y can be used to read A D S content! The right syntax w o u l d be:

more < and more
resultADS.txt

© 2 016

Pedro Bueno

155

Accessing the ADS Files: Notepad • Notepad can do the trick! C:\windows\system32\notepad wupdmgr.exe:config.txt |j

- Notepad

j:

Format

fi--uuu,

The £

q

Hype put directory

qap

oo

. txt 1

is

. txt Cannot

C

exe :

ig2 ten32>

Identifying and Removing Malware

Accessing the A D S Files: Notepad

Identifying the A D S Content Another nice w a y to see the contents o f A D S is using the same Notepad. Notepad can understand the A D S and show y o u only the contents o f the A D S . For example, from the D O S prompt, y o u can call Notepad to show us the content o f both config.txt and using the following:

C:\Windows\System32\notepad

c:\windows\system32\putty.exe:config2.txt

and C:\Windows\System32\notepad

156

© 2 016

Pedro Bueno

Accessing the ADS Files • Checking the ADS contents: • Config.txt: From wupdmgr.exe gqggljgpg,vzv

• Config2.txt: From putty.exe Version=1.0.0-priv8 Both look strange. Config.txt looks obfuscated and config2.txt definitely looks suspicious.

Identifying and Removing

Accessing the A D S Files

Identifying the A D S content

Using both M o r e and Notepad, y o u retrieve the content o f both ADSes:

Config.txt

Config2.txt Update=Yes V e r s i o n = l .0.0-priv8

B o t h ADSes l o o k strange, b u t at least y o u can see something meaningful i n Config2.txt. I t looks like a configuration for something. The appears to have an update setting and the current version information. The version number is also suspicious due to the hacker style wording:

Priv8 = Private

The first looks like i t is protected b y some k i n d o f encoding to obfuscate the real content. Y o u probably could t r y to w o r k on this to out the real content.

©2016

Pedro Bueno

157

Working on the Obfuscated ADS • Working on the obfuscated ADS: • You can see the repetition of some letters, such as: -v -u (

)

• Maybe XOR encoding was used? I d e n t i f y i n g and R e m o v i n g

W o r k i n g on the Obfuscated A D S

Y o u can clearly see some repetition o f characters like:

v (on

for example)

(on uuu for example)

X O R encoding is generally used to encode text or binaries to flip the characters according to a given key. For example:

Given a key o f 5 to X O R the word: "http" I w o u l d get

To explain this ftirther, first y o u have to convert the A S C I I to H E X . F r o m the H E X , y o u get the binary representation. Then, y o u X O R i t w i t h the given key.

158

© 2 016

Pedro Bueno

h =

5

Result

= m

Binary

Binary

Binary

1

o

1

1

0

1

0

0

0

1

0

1

0

1

1

0

0

0

0

1

1

Following the same math, y o u have:

t = H e x 74 + key 5 = H e x 71 = q t = Hex 74 + key 5 = Hex 71 = q p = H e x 70 + key 5 = H e x 75 = u

A s a final result, y o u have:

h t

q

t

q

P

© 2 016

Pedro Bueno

Obfuscated ADS and XOR • Getting help from XORSearch to help with the config.txt • XORSearch: Created by Didier Stevens:

is a program to search for a given string in an XOR encoded binary file. An XOR encoded binary file is a file where some (or all) bytes have been XORed with a constant value (the key)." Identifying and Removing Malware

Obfuscated A D S and X O R

W o r k i n g on the Obfuscated A D S The m a i n problem is to get the right key to use w i t h the X O R math. Fortunately, y o u have another option: Brute Force

Didier Stevens created a tool called XORSearch:

"XORSearch is a program to search for a given string i n an X O R or R O L ( R o l l to the Left) encoded binary file. A n X O R encoded binary is a file where some (or all) bytes have been X O R e d w i t h a constant value (the key). A R O L (or R O R - Rolled to the Right) encoded has its bytes rotated b y a certain number o f bits (the key). X O R and encoding is used b y malware programmers to obfuscate strings like U R L s . XORSearch w i l l try all X O R keys (0 to 255) and R O L keys (1 to 7) when searching."

This t o o l can be downloaded at

I t is located i n the same folder Part 6, created on your desktop, so y o u may need to copy your recovered A D S to this folder when running XORSearch.

160

Pedro Bueno

Obfuscated ADS and XORSearch (1) •

Because you don't know which strings to search for, you could try a single character and use a brute-force approach following these steps: 1. Copy the contents of config.txt to another file, say ads.txt 2. Run XORSearch on the ads.txt xorsearch ads.txt a / more

Identifying and R e m o v i n g Malware

Obfuscated A D S and X O R S e a r c h (1)

W o r k i n g on the Obfuscated A D S The problem is that y o u d o n ' t k n o w the key used and don't k n o w which string to give to XORSearch to let it brute force to the key and strings. W e need to start some place, so first copy the contents o f the config.txt A D S to another file for XORSearch to w o r k w i t h . This can be done w i t h the more utility:

more < wupdmgr.exexonfig.txt > ads.txt

Then, y o u can give it to XORSearch to try to brute force and find the most appropriate key:

xorsearch ads.txt a | more

This w i l l make i t brute force w i t h string "a." The pipe (|) command w i l l be useful because a lot o f output should come up because it is a common string.

Pedro Bueno

161

Obfuscated ADS and XORSearch (2) Output from xorseach looking for a encoded with XOR: Found XOR 00 position 007D: ap Found XOR 01 position 002D: Found XOR 01 position 006A: Found XOR 02 position OOOC: Found XOR 02 position OOOF: Found XOR 02 position 0014: Found XOR 02 position 0049: Found XOR 02 position 004C: Found XOR 02 position Found XOR 02 position 0059: ans.org/nothingtobeseenhere-update.scr Found XOR 02 position 0078: ate.scr Found XOR 04 position 0019: Found XOR 04 position 0022: XOR 02 got nice strings!! Identifying and Removing Malware

Obfuscated A D S and X O R S e a r c h (2)

W o r k i n g on the Obfuscated A D S This output o f XORSearch looking for string "a" is quite useful. There is some garbage w h e n i t is using key 00 key 0 1 :

Found X O R 00 position 007D: ap Found X O R 01 position 002D: Found X O R

position 006A: afpffmkfqf.vsgbwf-p'q

B u t interesting strings w h e n using key 02:

Found X O R 02 position OOOC: Found X O R 02 position OOOF: Found X O R 02 position

aining.sans.org/nothingtobeseenhere.txt..http://ww

Found X O R 02 position OOlC: Found X O R 02 position 0049: Found X O R 02 position 004C: Found X O R 02 position Found X O R 02 position 0059: Found X O R 02 position 0078: ate.scr

Lots o f meaningful strings!

162

©2016

Pedro Bueno

Obfuscated ADS and XORSearch (3) • Because we got meaningful strings with use one of them and repeat the search: xorsearch ads.txt http | more

let's

Found XOR 02 position 0000: lwaretraining.sans.org/not Found XOR 02 position 003D: http://www.malwaretraining.sans.org/nothingtobeseenhere-update.scr

• Two URLS!!

Identifying and R e m o v i n g Malware

Obfuscated A D S and X O R S e a r c h (3)

W o r k i n g on the Obfuscated A D S K e y 02 is the key and y o u get a lot o f useful strings! N o w , y o u can use XORSearch to brute force w i t h some strings that are more meaningful, such as http.

To use xorsearch to search specifically for the http string, use the f o l l o w i n g command:

xorsearch ads.txt http

Found X O R 02 position 0000:

Found X O R 02 position 003D:

A s the result o f the execution, y o u can identify two U R L s :

• •

Maybe another configuration and another updated version o f a possible malware? I t is possible, but w e already k n o w that they are h i g h l y suspicious.

© 2 016

Pedro Bueno

163

Removing the ADS Because you found out that both ADS files are suspicious, you can remove them from the system: • Using Sysinternals Streams.exe • Using HijackThis ADS Spy

Identifying and Removing Malware

Removing the A D S ! Right now, y o u k n o w that both ADSes are malicious or part o f a malware that was installed i n the system, making i t safe to remove them.

N o w y o u have t w o options to remove the ADSes using the same tools that y o u used to scan and search for ADSes o n the system. These are:

• •

164

HijackThis A D S Spy Sysinternals Streams

)2016 Pedro Bueno

Removing the ADS: Streams (1) Removing with Sysinternals Streams: • Can specify a whole directory or file • To avoid searching the entire hard drive and deleting legitimate ADSes, we delete only from the files: • putty.exe • Wupdmgr.exe Identifying

Removing Malware

Removing the A D S : Streams (1)

Removing the Malicious A D S Using Sysinternals Streams i t is quite easy to remove an A D S . Y o u have two options to remove them:



Remove them directly from the •

Scan a directory and delete a l l ADSes.

Because y o u already k n o w the files that y o u want to delete the A D S from, y o u can simply use the path o f the files to delete them. This can help avoid deleting legitimate ADSes b y mistake.

© 2 016

Pedro Bueno

Removing the ADS: Streams Removing with Sysinternals Streams Streams.exe -d c:\windows\system32\putty.exe Will search the ADS on the putty.exe

and delete it

-d Enumerate a l t e r n a t e NTFS d a t a s t r e a m s 1999-2005 Mark R u s s i n o v i c h c Deleted

Identifying and Removing Malware

Removing the A D S : Streams (2)

Removing the Malicious A D S ! Streams w i l l use basically one command line to delete the A D S :

streams.exe - d c:\WINDOWS\system32\putty.exe

Streams

- Enumerate alternate N T F S data streams

Copyright (C) 1999-2007 M a r k Russinovich Sysinternals -

c:\WINDOWS\system32\putty.exe: Deleted

streams.exe - d c:\WINDOWS\system32\wupdmgr.exe

Streams v l . 5 6 - Enumerate alternate N T F S data streams Copyright (C)

M a r k Russinovich

Sysinternals -

Deleted

166

© 2 016

Pedro Bueno

Removing the ADS: HijackThis • Removing with HijackThis ADS Spy

S •

-

Spy



scan

Simple as removing BHOs



Select and click Remove Selected button •

Confirm (in the latest version the confirmation pop-up is blank)

i of

: ji

j

j

One difference from removing BHOs: deletions are permanent, no backups! Identifying and Removing Malware

Removing the ADS: H i j a c k T h i s

Removing the Malicious ADS! Using HijackThis A D S Spy is even easier. O n the report screen, y o u can see the A D S that HijackThis found on the system. I f y o u check the box o f any A D S and click the Remove Selected button, y o u w i l l be prompted w i t h a pop-up screen asking:

"Are y o u sure y o u want to remove the selected A D S from your system? They w i l l be deleted permanently."

I f y o u click Yes, you w i l l remove a l l the selected ADSes.

Note: The screen shot o f the HijackThis on this slide is version 1.99.1. I n version 2.04 (which is the latest version and w h i c h most slides are based on), there is an error on the confirmation pop-up. I t is blank, w i t h just the Yes or N o buttons.

© 2 016

Pedro Bueno

Identifying and Removing Malware Identifying and Fighting Persistent Malware

I d e n t i f y i n g and R e m o v i n g M a l w a r e

This page intentionally left blank.

168

© 2 016

Pedro Bueno

What is Persistent Malware? • What is persistent malware? Malware that uses techniques to keep it running as long as possible on the system, avoiding all attempts to clean the system by removing the malicious entries or killing the process Identifying and Removing Malware

W h a t is Persistent M a l w a r e ? I n this module, y o u h o w to identify and remove persistent malware. A s y o u learned i n previous examples, it is quite simple to remove or k i l l a process using either G U I or command-line tools. However, some malware has a protection mode, which prevents y o u from k i l l i n g i t .

So y o u may define them as a malware that uses techniques to keep i t running as long as possible on the system, avoiding all attempts to clean the system b y removing the malicious entries or k i l l i n g the process.

© 2 016

Pedro Bueno

169

How is Persistent Malware Created? • Our example is a Remote Administration tool (RAT). A RAT is a Backdoor trojan used to remotely control the machine. • This one is called ApOcalypse RAT and is used by hackers to create their versions and R e m o v i n g

How is Persistent M a l w a r e Created? Before we actually play and learn h o w to identify and remove the persistent malware, i t is interesting to h o w the hackers actually b u i l d those pieces o f software.

The persistent malware is a R A T , w h i c h stands for Remote Administration Tool. I n other words, i t is a backdoor that can give the hacker remote access to the system.

R A T s are the preferred method used b y A P T groups, and most o f the recent public target attacks used one or another common R A T , such as Poison I v y or DarkCommet used i n the latest attacks i n Syria at the end o f 2012.

The R A T that we h u i l d is called ApOcalypse R A T and is the latest "stable" version released as the time o f this writing.

Pedro Bueno

Persistent Malware: ApOcalypse j

• The interface has six tabs:

3 ;

|

|

[

About | |

: f-

PC Information -

•-

_

_ |

Ports

i

-

Connections Broadcast Settings Builder Statistics About Identifying

Persistent

f

: •

!

Msc Passwords R i

Manager Download

i !

fiertst/y

;

frit

:

Process

Prompt '

• Remote Desktop

i

;

Removing

ApOcalypse

The main interface o f the ApOcalypse R A T has six tabs:



Connections •

Broadcast •

Settings •

Builder •

Statistics •

About

W e focus on Connections, Broadcast, and Builder tabs, w h i c h are more what we are looking for.

Settings and Statistics tabs are more related to the server side o f the R A T , than the client.

The A b o u t tab has the description o f it, w i t h this information:

Using: B o r l a n d ™ D e l p h i ®

7

Compiled at: 02:09 A M Saturday 29 August, 2009 Coded I n T U R K E Y

|

© 2 016

Pedro Bueno

Persistent Malware: ApOcalypse Server • Broadcast allows the hacker to execute commands, retrieve passwords, and change settings ;

.

|

|

Statistics )

Builder | ]

Pino

;

|

)

-----

-

-

-

-





Passwords

j; i

Explorer

-77 -777 -

• j: [ 1

Server

-

google

|

:: j

Internet :

: .

Set

|

Power j

Product Kays |

:

;• •

Identifying and Removing Malware

Persistent

ApOcalypse Server

The Broadcast tab has several options that allow the hacker to push instructions and commands to all the clients that i t has connected to its server.

These options are

Ping •

Password ( w h i c h allows i t to get passwords from Messenger, Browser, N o - I P , D y n D N S , Filezilla, and also Product Keys) •



Change Explorer Settings, like the Internet Explorer Start Page, and open a specific web page



Execute Commands on the client machine •

Change some server settings •

Power Settings •

Script Creator

© 2 016

Pedro Bueno

Persistent Malware: ApOcalypse Builder (1) The Builder tab allows the hacker to customize his new malware, first by selecting the icon to be used (in this case, an icon used by Flash files) Connections

Broadcast

IconSettlngs j

Builder j •

Icon Path :

Message Box

About | Binder |



]

and

jj Default Icon | Icon Hunter j Save Icon I

I d e n t i f y i n g and R e m o v i n g M a l w a r e

Persistent

ApOcalypse Builder (1)

The sample application that has the server options and settings also allows the hacker to b u i l d its o w n customized client version.

The builder has several The first subtab is Icon Settings, w h i c h allows the hacker to change the icon that w i l l be used by its backdoor executable.

I n the example, y o u use an icon that is used b y Adobe Flash applications.

© 2 016

Pedro Bueno

Persistent Malware: ApOcalypse Builder (2) • The hacker can then customize things like Server ID, Password, and the server/port to which it should connect

Identifying and Removing

Persistent Malware: ApOcalypse Builder (2) The Basic Settings subtab enables the hacker to configure options for the server that i t w i l l connect when executed on the v i c t i m machine.

For example, i t is possible to define a Connection Password, w h i c h i n this case is sans501, and the address w h i c h the server w i l l be installed and the port number.

I n this case, the address is

174

and the port is 1453. (Note that this is not a v a l i d address.)

Pedro Bueno

Persistent Malware: ApOcalypse Builder (3) • The Builder also allows the option to create fake deceptive messages when executing the malware

|

| -y

| _..

_

__

_

_

i —

-

; ;

I d e n t i f y i n g and R e m o v i n g M a l w a r e

Persistent

ApOcalypse Builder (3)

O n the Message B o x subtab, it is possible to configure a fake message to he shown when the malware runs on the system.

This message is sometimes used to make the user believe that maybe the application was corrupt and d i d n ' t w o r k , so that i n the background the malware can run and w i t h no worries about the user being suspicious, because apparently the application d i d n ' t run correctly.

I n the example, y o u selected the Attention message icon w i t h the message SANS_SEC_501_Malware_Day.

© 2 016

Pedro Bueno

Persistent Malware: ApOcalypse Builder (4) The Advanced settings show the main options for persistence, such as Inject into the Browser and a Watchdog option, called Persistence, as well Identifying

|:

|

About]

ttKu|

|

Browser Persistence

tup F

; •

rtdden

F F

Removing Malware

Persistent Malware: ApOcalypse Builder (4) On the Installation subtab, there is a box called Advanced Settings.

I n this box, i t is possible to select w h i c h Advanced options y o u w i l l use to b u i l d the malware.

The options are:

Into Default Browser: This option w i l l make the malware run i n a more stealthy mode because the malware w i l l not be seen on the process list, but w i l l r u n as an injected code into the system browser, such as I E or Firefox. I n this way, y o u can see the browser doing the malicious activities and not the executable. Persistence: This option creates a "watchdog" mode, w h i c h monitors when the process is running and the Registry entries are i n place. This makes i t m u c h harder to remove i t from the system. Offline K e y Logger: This means that even i f the client is not connected to the server, the key logger w i l l be running. Melt Server: This is an option that makes the executable disappear after run.

176

© 2 016

Pedro Bueno

Disable Safe Mode This option disables the W i n d o w s Safe M o d e . Some tools and techniques to remove malware require that y o u enter into W i n d o w s Safe M o d e . W h e n checking this option, the Safe M o d e w i l l not exist anymore.

Set File Older Date This option sets the to an older date than the date i t was copied/installed. One o f the techniques used to out i f new files are installed on the computer is using a simple D i r / 0 : d . This command lists all files and sort b y date, w h i c h makes i t easy to spot new files added to the folder, especially the Windows and folders.

© 2 016

Pedro Bueno

1

Persistent Malware: ApOcalypse Builder (5) • After the options are selected, the tab Build Server is used to define the filename used and the option to apply a packer (UPX) to make it smaller and attempt to bypass some antivirus | .

| Settings

Bidder |

|

About | Server |

RAT

v|

Apocalypse server RAT Server Editor vt.3

Compression

Identifying and Removing Malware

Persistent Malware: ApOcalypse Builder (5) The last step to b u i l d the malware is to select the name that w i l l be used b y i t and i f y o u want to pack i t .

I f y o u decide to pack it, i t uses the U P X packer. This is generally used to try to bypass antivirus and to make i t a smaller size.

A l t h o u g h most modern

can unpack U P X , i t is still a v a l i d technique.

W h e n ready, y o u just need to click the B u i l d Server to create the customized version.

© 2 016

Pedro Bueno

Persistent Malware: ApOcalypse Builder (6) Apocalypse Remote Administration Tool

When you click the Build Server button, it applies all changes and creates the executable ready to use

Corrections | Icon

Broadcast |

Bug fixed 1

Settings:

|

statistics |

Message Box)

About | /

J server via using UPX Apocalypse RAT Server server settings... settings... was recorded settings... alien was recorded server Icon and Server been

Beta

Stub Compressed Compressing server with

Removing

Created

and R e m o v i n g Malware

Persistent Malware: ApOcalypse Builder (6) W h e n y o u click the B u i l d Server button, the builder creates a customized executable.

W i t h no errors, the message box shows that the server was created successfully.

© 2 016

Pedro Bueno

179

Hands-on

Removing Malware

Hands-on To start the "Persistent Malware Hands-On" section, y o u need to revert to our V M Image and run the course.exe again.

O n the R A T Malware part, start w i t h the following steps:

Revert the V M w a r e W i n d o w s 7 image to the Snapshot Clean7: V M - > Snapshot - > Select Clean7 2.

Open the folder Course on the V M w a r e W i n d o w s 7 Desktop.

3.

Open the Part9 folder.

4.

Copy HijackThis.exe, Processexp.exe, and Tcpview.exe to the desktop. This can be done b y right-clicking and selecting Copy and going to the desktop and right-clicking and selecting Paste.

5.

Double-click the

N o w , continue to follow the slides doing the same on the V M w a r e W i n d o w s 7 image.

180

© 2 016

Pedro Bueno

Persistent Malware in Action (1) •

Monitoring the system with and TCPView and running the Malware created, it shows the deceptive message !

i -s i

i

!

ft

CPU

-

-

K

©

--

-

- -

'

I d e n t i f ' v i n g and R e m o v i n g M a l w a r e

Persistent Malware in Action (1) M o n i t o r the system w i t h Microsoft Sysintemals Process Explorer and T C P V i e w . Run both tools as Administrator and arrange them i n a way that it w i l l be possible to see both running.

N o w that they are ranning, let's ran the R A T Backdoor trojan. I t creates a folder called SANS_Day5_501_RAT. Double-click the folder, and i t opens the folder. N o w right-click the file

and select Run as Administrator.

Notice that when we ran it, the fake warning message appears. O n Process Explorer i t is also be possible to see that i t is running.

© 2 016

Pedro Bueno

181

Persistent Malware in Action (2) • After you click OK, you can see that the process disappears from the process list • You can see an Internet Explorer process trying to access a remote address at port 1453

.

E3 £3 £3 £3 :

UDP UDP UDP TCP UDP UDP TCP UDP TCP UDP UDP UDP UDP

1035 900

1" LISTENING LISTENING "7"

Option* View Process i CPU

m m Took . . Windows Explorer Microsoft

1456 704 164

In© In© 3-92 , -

:

Identifying and Removing

Persistent M a l w a r e in Action (2) After y o u click the O K button on the fake warning message, y o u can see that the SANS_Day5_501_RAT.exe exits, b u t a new process starts, the Internet Explorer process.

I f the system can resolve domains, y o u also notice that i t tries to connect to the remote server

port 1453.

I f your V M image cannot resolve domains, y o u cannot see this part, but y o u w i l l still see the Internet Explorer process.

Pedro Bueno

Persistent Malware in Action (3) • Windows Task Manager shows no Internet Explorer application running • It is probably running in the background with no visible window

Windows |

|

|

Task

Status Explorer -

|.

|

Identifying and Removing Malware

Persistent Malware in Action (3) Y o u can n o w open Windows Task Manager (using the shortcut

keys).

O n the Applications tab it is possible to see only two windows, Process Explorer and TCPView. Remember that the applications tab shows the processes that are i n the foreground, that means, w i t h Windows. So, w h y w o u l d an Internet Explorer process, w h i c h is an Internet browser, not have a visible window?

That means that i t is running i n the background and w i t h no visible window, w h i c h is highly suspicious.

Pedro Bueno

Persistent Malware in Action (4) On Windows XP, looking at the strings of the IE using Process Explorer, it is possible to see references to applications and passwords Not a typical IE behavior

|

Options View Process

|

i (he

Process System

0

CPU 99.01

OPCt

Ptoc 4

Windows ZrYd

.

889 980 1148

f Windows Services and Host 1 I Host)

spooky 1456 704 1080 164

B

VMware Tools

ft*-*-*N 200 User P 1464

and Removing Malware

Persistent Malware in Action (4) W e already k n o w that Process Explorer offers an option to check the strings o f any given process, being the strings from the image

o n disk, or on memory, w h i c h is always

w h e n dealing w i t h a packed

malware.

I f y o u come across this malware o n W i n d o w s X P , i t is possible to see some interesting strings. I n Process Explorer, double-click the Internet Explorer process and click the Strings tab. A t the bottom o f the Strings w i n d o w , be sure to select the M e m o r y option.

I f y o u go through all the strings, y o u find some strings that are not part o f a "clean" Internet Explorer process, such the following:

APPDATA

ZYYd Yahoo! Messenger YLoginWnd SVW3

ZYYd ZYYd ZYYd

184

Pedro Bueno

Software\DownloadManager\Passwords

EncPassword User

D u r i n g the previous phase, y o u saw that the ApOcalypse R A T gathered passwords from different applications, such as Messenger, FTP clients, and so on. Here, i t is clear.

Also, i n Advanced Settings, there was an option called Code into Default Browser. This option was the malicious code into the browser, so i t could run i n stealth mode, exactly what y o u see created to here.

© 2 016

Pedro Bueno

Persistent Malware in Action (5) •

Using the command ipconfig it is possible to see where it is trying to connect -> ipconfig

/dispiaydns

[

i Microsoft

Windows 2 0 0 9

fill

ij

rights

ig Windows

IP

naluareSQl.sans.org Name

does

not

Identifying and R e m o v i n g Malware

Persistent Malware in Action (5) Another w a y to verify where the malware is t r y i n g to connect or even w h i c h domains i t queried before is b y using the ipconfig command.

Open a D O S prompt. -> C l i c k Start; then click Run, type C M D , and press Enter.

O n the D O S prompt, type ipconfig and Press Enter. The output is the common output that shows the IP information for the interfaces installed. A n additional switch that can be used w i t h ipconfig is the option to display the D N S cache on the machine. This is done v i a the command: ipconfig /dispiaydns

/dispiaydns

W i n d o w s IP Configuration

Name does not exist.

A g a i n , this information is shown only i f the V M can resolve names.

186

Pedro Bueno

Persistent Malware: Actions Actions to take: -Kill the process -Clean the system

Identifying and Removing Malware

Persistent M a l w a r e : Actions N o w that we have the malware installed on the system, we need to get r i d o f it.

Our suggested actions w i l l be: K i l l the process. Clean the system.

Pedro Bueno

Persistent Malware: Process Explorer • Highlighting the process and clicking X button lets you kill it

704

g

UDP UDP

roartww-ivrisakmp V ":*

TCP UDP UDP TCP UOP TCP UOP UDP UDP

0 300

you

P1D

CPU

you

to HI

*

a 172

Persistent Malware: Process Explorer The first step is to k i l l the process v i a Process Explorer. A s y o u saw on previous modules, Process Explorer k i l l any process simply b y clicking to highlight i t and then pressing the X button. After that, it w i l l ask for confirmation.

I n this case, let's try i t w i t h the Internet Explorer process.

C l i c k once on i t i n Process Explorer, so i t w i l l be highlighted. Then, click the red X button. W h e n the confirmation pop-up appears, just click the Yes button.

88

© 2 016 Pedro Bueno

Persistent Malware: Cleaning Problems (1) • Problem: -As soon as you kill Internet Explorer with the injected malware, it restarts. This is part of the "watchdog" persistent method -This happens if you try with ProcessExplorer, Windows Task Manager, or even with WMIC Identifying and R e m o v i n g

Persistent Malware: Cleaning Problems (1) A s noted, Process Explorer k i l l s the Internet Explorer, but just after that a new Internet Explorer shows up there again. (Please note that y o u may notice different behavior i n W i n d o w s 7 32 b i t and W i n d o w s 7 64 b i t )

This is part o f the "watchdog" persistent method used b y the ApOcalypse R A T .

This is not a defect o f Process Explorer. Y o u can t r y i t w i t h Process Explorer, W i n d o w s Task Manager or even via command line w i t h W M I C . A l l these behave the same.

Y o u can go ahead and open W i n d o w s Task Manager again and try i t .

To open it, use the shortcut process, and click the E n d Process button.

key. Then click the Process tab, locate the Internet Explorer

Another option, via W M I C :

Open a D O S Prompt w i n d o w and type: -> w m i c process list b r i e f < - this w i l l list the processes ranning and the respective Process I D number The w i l l be necessary to k i l l the process. -> process delete processes again and i t w i l l be there.

< - this w i l l actually k i l l the process, but as noted, y o u can list the

Pedro Bueno

Persistent Malware: HijackThis • Another try with HijackThis • The scan shows two suspicious entries on the system •

Let's select and click the Fix button

.

-

-



-

-

-

fcftelated

02 -

Remote

*

This

[

delate and/or

j

Technologies •

what

refected,

j

Wo...

to |

to frwefct j

Identifying and Removing M a l w a r e

Persistent Malware: H i j a c k T h i s W e already tried to k i l l the process using several methods, but the watchdog method prevents i t .

N o w , y o u w i l l make another attempt w i t h the HijackThis tool and see what else can y o u find on this process.

Let's ran HijackThis and scan the system. This can be done b y double-clicking the that was copied to the desktop.

application

W h e n y o u double-click it, y o u can select the option D o a System Scan Only. The output w i l l be quite close to this:

F2 - REG:system.ini: 0 3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} -

0 4 - H K L M \ . . \ R u n : [ V M w a r e Tools]

ToolsWMwareTray.exe

0 4 - H K L M \ . . \ R u n : [ V M w a r e User Process] C:\Program F i l e s W M w a r e W M w a r e exe 0 4 - HKLMV.YRun: [apocalyps32] C:\WINDOWS\apocalyps32.exe 04 -

[MSMSGS]

0 9 - Extra button: Related C:\WINDOWS\web\related.htm

190

-

Pedro Bueno

0 9 - Extra

Show &Related Links -

-

0 2 3 - Service: Remote Packet Capture Protocol v.O (experimental) (rpcapd) - C A C E Technologies 0 2 3 - Service: V M w a r e Tools Service ( V M T o o l s ) - V M w a r e , Inc. ToolsWMwareService.exe

Y o u can n o w try to select and fix the suspicious Ap0calyps32.exe entries. Select the two/three entries and click the F i x Checked button.

I n theory, i t cleans those entries.

Pedro Bueno

Persistent Malware: Cleaning Problems (2) • Problem 2: -Another scan with HijackThis shows that the entries that were removed were added again -The "watchdog" process is preventing us from removing it

Malware

Persistent M a l w a r e : Cleaning Problems (2) Another problem w i t h the cleaning...

A s y o u rescan w i t h mechanism adds them again.

y o u can see that the results are not good. A s soon as i t removes i t , the watchdog

© 2 016 Pedro Bueno

Persistent Malware: Solution • Solution: -Manually remove the watchdog file, fix the entries, and kill the process -HijackThis shows where it is on the disk -

Identifying and Removing Malware

Persistent Malware: Solution Because the watchdog mechanism prevents us from removing the entries and k i l l i n g the process, w e need to follow w i t h another approach.

Remember that this malware also disables the W i n d o w s Safe Mode, so y o u cannot reboot the system and enter into Safe Mode to try something else. The approach n o w is to manually remove the watchdog

One good thing i n the

scan result is that we were able to see where i t is located:

0 4 - H K L M V A R u n : [apocalyps32] C:\WINDOWS\apocalyps32.exe

© 2 016 Pedro Bueno

193

Persistent Malware: Removing the Watchdog -> C:\>move

c:\virus.ex_

The reason for using move instead of Del is that with move you can send this file to your antivirus later. Now it is time to kill the process and fix the entries

I d e n t i f y i n g and Removing Malware

Persistent Malware: Removing the Watchdog There may be several ways to do so. The easiest w a y is simply to open Windows Explorer i n that location and drag the to some other place.

Another way is simply to open a D O S prompt w i n d o w and do it by hand.

Open the DOS prompt:

C l i c k Start, click Run, and type C M D . Right-click the C M D . E X E , select R u n as Administrator, and press Enter.

N o w let's move the files to C:\:

-> C:\>move c:\windows\apocalyps32.exe

Instead o f M o v e , y o u could simply use D e l and remove the The reason to use M o v e instead o f D e l is to preserve the and move i t to another location on the disk. I n this way, it w i l l be possible to send the to the antivirus for analysis.

After y o u are done w i t h this step, it w i l l finally be time to k i l l the process and

© 2 016 Pedro Bueno

the entries.

Persistent Malware: Killing the Process • The process can be terminated with either Windows Task Manager or repeating the same step with Process Explorer • A

version with WMIC would also works:

- >

process

brief

delete

Deleting instance Instance deletion successful.

Identifying and Removing Malware

Persistent Malware: Killing the Process The process n o w can be k i l l e d using any tool, from W M I C , to W i n d o w s Task Manager or Process Explorer.

Using the command line w i t h W M I C , open the DOS prompt: -> C l i c k on Start, then click on R u n and type -> c:\wmic process list b r i e f

Press Enter.

< - to list and get the P I D (process I D )

-> c:\wmic process < P I D > delete

Repeat the process listing step to verify that this time i t k i l l e d the process.

Pedro Bueno

195

Persistent Malware: Removing the Entries Trend Micro HijackThis of

HijackThis can now remove the entries safely

thing

is to

scan, Be not and

tfi the log fie To

you delete is

[VMware User Process] buttons Related - Extra - Service; Remote Capture Protocol v.O VMware Tools - VMware,

the The

VMware • (rpcapd) - CACE Technologies -

Pies'

fix stuff Save

| Fix checked | : on selected (tern.

Info...

Upload to Menu

I

j

Add checked to

Identifying and Removing Malware

Persistent Malware: Removing the E n t r i e s N o w that we removed the watchdog

and k i l l e d the process, we can delete the entries.

Just r u n HijackThis scan again, select the entries to be fixed, and click the F i x Checked button. Rescan and y o u see that this time, they have been removed.

196

Pedro Bueno

J |

Persistent Malware: Summary Result:

a Local Address

Protocol

Remote Address

.

-The system is now clean of this infection -And any new IE process will be safe to use

;0

System: 4

UDP UDP UDP UDP TCP UDP UDP TCP UDP TCP

) System: 4 ZD

UDP UDP UDP

dJ

1

5000

ma

0

ma

E E S Options

Find



Help

h i

Process

! CPU

752

m Description LSA Windows

2016 Pedro Bueno

F-Secure BlackLight: Checking the Results (1) When Blacklight finishes its system scan, it gives a basic report about the status. In this case, it reports: 2 items Now, you can try to clean them by clicking the Next button

1 - Scan far

Items •

-Scan

and Scan 2 hidden item: found.

: Show

Close

and Removing Malware

F-Secure BlackLight: Checking the Results (1) W h e n F-Secure Blacklight finishes the system scan, i t goes directly to the report screen where i t shows the status:

Scan complete 2 hidden items found

N o w that we are sure our computer has two hidden items, it is time to start the cleaning process by clicking the N e x t button.

© 2 016 Pedro Bueno

241

F-Secure BlackLight: Checking the Results (2) • The items found were the same ones from McAfee and Panda's anti-rootkits applications: • 9129837.exe • New_drv.sys

• F-secure chooses to rename them as a cleaning method. So we have to select and click the Rename button Identifying and Removing Malware

F-Secure BlackLight: Checking the Results (2) The cleaning method adopted b y F-Secure is the same used b y McAfee Rootkit Detective. I t renames the files after a reboot so that i t deactivates the rootkit but keeps the files so that y o u can share them or research them deeper.

F-Secure Blacklight found the same two files as Panda and McAfee:

• •

C:\WINDOWS\9129837.exe C:\WINDOWS\new_drv.sys

A s y o u can see from the log file:

08/17/07 11:53:45 [Info]: Hidden process: C:\WINDOWS\9129837.exe 08/17/07 11:53:52 [Info]: Hidden

C:\WINDOWS\9129837.exe

08/17/07 11:53:52 [Info]:

So we have to select the files and click the Rename button.

242

© 2 016

Pedro Bueno

F-Secure BlackLight: Renaming the Rootkits F-Secure

• Now that we renamed them, we can just click the Next button

LACKLIGHT ROOTKIT ELIMINATOR Slop 2 -

hidden name Rename

Identifying and R e m o v i n g Malware

F-Secure Blacklight: Renaming the Rootkits Note the rootkit components n o w show the w o r d Rename i n the action column.

The last step o f the F-Secure BlackLight cleaning procedure after renaming the files is to continue b y clicking the N e x t button. This reboots the system to clean up the rootkit files and processes.

© 2 016 Pedro Bueno

F-Secure BlackLight: Renaming the Rootkits (2) F-Secure BlackLight

Accept warning about the procedure

Renaming is recommendedfa users. The actions cause serious problems:

Click to restart the computer Files are renamed to make them unusable

• Renaming • Renaming unknownroalweieRes continue, the and

you have be renamed resistedYou should back up all

the warning

OK

Cancel

Identifying and R e m o v i n g

F-Secure B l a c k L i g h t : Renaming the Rootkits (2)

Before F-Secure BlackLight starts the shutdown process, i t prompts w i t h a last warning and asks for confirmation that y o u understand the warning. To continue we have to check the box I Understand the Warning, and then click the O K button.

The reason for this warning is that any application using a rootkit technique w i l l be renamed, making the application unusable.

244

© 2 016

Pedro Bueno

Anti-Rootkits: Advanced Tools • The tools used so far are great for fast detection of Rootkits • However, they offer little/no option for more in-depth check • IceSword and Rootkit UnHooker give plenty of information and actionable options Identifying and Removing Malware

Anti-Rootkits: Advanced Tools The Panda, McAfee, and F-Secure anti-rootkit tools are great tools, but they are restrictive about what they can do. They are basically point-and-shoot rootkit scanners. The McAfee tool still offers more options, such as renaming the files hidden by the rootkits, but that's i t .

Sometimes, y o u need additional options w h e n trying to identify and remove malware on the machine.

On the following slides, y o u w i l l be introduced to some basic usage o f two tools that offers more control o n what y o u can do when y o u suspect y o u have a rootkit on the machine.

These are powerful tools that should be handled carefully to avoid system crashes.

© 2 016

Pedro Bueno

245

IceSword Anti-Rootkit • Chinese Developed • Last development from 2007 on both English and Chinese versions • Not suitable for Vista or Widows 7, but extremely useful on Windows XP

Identifying

Removing Malware

IceSword Anti-Rootkit The IceSword tool is a powerful tool that enables y o u to inspect



Kernel Modules •

BHO • SSDT



Scan Modules •



Explorer-like view o f files, even files hidden by rootkits

I t can be downloaded at

246

© 2 016

Pedro Bueno

Rootkit UnHooker • Supports Windows 2k to Vista (not Win 7-compatible) • Latest Version from 2007 • Development Team is now at Microsoft • Allows Hook Restore

and R e m o v i n g Malware

Rootkit UnHooker L i k e various anti-rootkit tools, the Rootkit Unhooker was developed by a group o f users that are not publicly known.

The latest version is w h i c h added support to Vista OS i n 2007. The latest news about the development group is that i t moved to Microsoft and no longer supports it. However, i t is still one o f the best anti-rootkit tools available.

F r o m the website, the features described are: •

SSDT Hooks Detection and Restoring •

Shadow SSDT Hooks Detection and Restoring •

Hidden Processes Detection/Terminating/Dumping •

Hidden Drivers Detection and D u m p i n g •

Hidden Files Detection/Copying/Deleting



Code Hooks Detection and Restoring •

Report Generation

I t can be downloaded at

© 2 016

Pedro Bueno

247

Advanced Rootkits and Anti-Rootkits Windows XP: Examples

Identifying and Removing Malware

A l t h o u g h our training material is based on W i n d o w s 7, we decided to include this subsection o f tools specifically for W i n d o w s X P . The reason, as explained before, is that there is still a large user base o f W i n d o w s X P i n both the corporate and end-user w o r l d .

The following slides contain tools that are needed to fight rootkits on W i n d o w s X P systems, but don't w o r k on W i n d o w s 7. Although w e find few examples o f rootkits that w o r k on W i n d o w s 7, the same applies for the antirootkit tools. Most o f the tools from antivirus and security companies w i l l not w o r k under Windows 7 and 8.

I f y o u want to practice these examples o n a W i n d o w s X P system, we included the folder that y o u can use later.

248

Pedro Bueno

badkits2.zip i n the Part 7

Advanced Anti-Rootkit Tools for Windows XP Stinger

Rootkit Stinger

McAfee Rootkit tool detects a hidden file on Windows\system32 folder The file is called kdosz.exe

:

rteto!—

Identifying and Removing Malware

Advanced Anti-Rootkit Tools for Windows X P W h e n w e r u n the we can first r u n the M c A f e e tool to check the results. I n this case, i t shows that there is a hidden file o n the Windows\System32 folder called kdosz.exe.

Because the malware uses a random name every time i t runs, y o u may notice a different filename i n your exercise.

N o w , let's confirm i t uses W i n d o w s Explorer.

© 2 016

Pedro Bueno

249

Advanced Anti-Rootkit Tools: Using Windows Explorer The file is hidden by the rootkit and not viewable on Explorer Favorites Back

j.

lools

Search

|

•£/>:

Address Name

-

Type K B K B & 6

K B K B

6

K B

7

K B K B

44

K B

7

K B

KB 4 2 KB KB KB

Application Extension Application Extension Application Extension Application Extension Application Extension Application Extension Application Extension Application Extension Application Extension Application Extension Application S y s t e m fife Device driver System Application

Date Modified AT* 4 : 0 0 AT* 4:00 4 : 0 0 AT* S / 2 3 / 2 0 0 1 4 : 0 0 AT* 8/23/2001 8/23/2O0I

AT* 8/23/2001 S/23/2001 8/23/2001 S/23/2001

4:00 4:00 4:00 1; 4:00 8/23/2001 4:00 S/23/2001 4:00

Identifying and Removing Malware

Advanced Anti-Rootkit Tools: Using Windows Explorer A s y o u can see on this slide, there is no hidden b y the rootkit.

called kdosz.exe on our

folder because i t is

For this lab, you have to check i n the Windows\System32 folder for the filename that was detected w i t h the M c A f e e tool because the name w i l l change.

N o w , let's check Rootkit UnHooker and see what we can do.

250

© 2 016

Pedro Bueno

Advanced Anti-Rootkit Tools: Rootkit UnHooker Opening Rootkit UnHooker and going to the File tab and selecting SCAN shows our hidden file. Setup

Language

Tools

Help

:: ! Suspect

Status Hidden

exe

.- -

;

Scan

|

r

Close

f

1/0

Going to the "Report" tab and pressing the Scan button lets you scan options. and R e m o v i n g Malware

Advanced Anti-Rootkit Tools: Rootkit UnHooker W h e n w e open Rootkit UnHooker, we can go to the File tab and ask for a Scan.

The result reveals the "suspect this case Hidden.

(the executable under the C:\Windows\system32\ folder) and the status,

Instead o f going to each tab for a Scan, we can n o w go to the Report and ask for a scan to reveal a more complete view o f the system.

Pedro Bueno

Advanced Anti-Rootkit Tools: Rootkit UnHooker (2) On the report tab, it is possible to run a scan The report shows a warning about rootkit infection Also, shows the hooks made by the rootkit to hide the file

Acton |

5SDT |

| Drivers J

Cod* |

|

Type: Type: Type: Type: Type: Type: Type: Type: Type: Type: -

.

Type:

ACTIVITY DETECTED!!

ALL ROOTKIT ACTIVITY

address address at address at address

at

in harder located in took, in ta&hvdw located

at address at address at at at address

j

Scan

.

took harder

at

-

.

Puled

at address at address

Type: Type: Type: Type: -

j locate) touted

-

-

Hooks

harder

[unknown

tockbaderboated n too*harder booted

|

CPs*

|

-)

Identifying and Removing Malware

Advanced Anti-Rootkit Tools: Rootkit UnHooker (2) The Report tab is useful to have a broad v i e w o f the system, and i n the end i t m a y even warn on what i t suspects. I n our case, after the scan i t shows the hidden file and a l l Hooks that i t found.

The warning is also clear: P O S S I B L E R O O T K I T A C T I V I T Y D E T E C T E D .

The fiinctions for hooked are basically the following four:



NtQueryDirectoryFile •

NtSetValueKey •

NtCreateThread •

NtDeleteValueKey

The hooks are always the same o n the report, i n most o f the running process. I n this case, i t is fairly safe to assume the consequences to force the unhook, using the option Code Hooks.

252

© 2 016

Pedro Bueno

Advanced Anti-Rootkit Tools: Rootkit UnHooker (3) • To the functions that prevent us from seeing the malware, we have to: -Go to the Code Hooks tab -Scan again -Select UnHook ALL button

and Removing Malware

Advanced Anti-Rootkit Tools: Rootkit UnHooker (3) On the Report tab, i t was possible to see the hooks that were preventing us from seeing the malware on W i n d o w s Explorer.

N o w , we can U n H o o k them. T o do this, we go to the Code Hooks tab, and click the Scan button again.

After i t is done w i t h the scan, we can simply click the U n H o o k A L L button because i n this case a l l hooks are related to the Rootkit. There may be some cases i n w h i c h y o u may go and manually select the hooks where y o u want to do the Unhook.

W h e n w e click the Unhook button, we w i l l be warned that i n some cases, when y o u unhook a function, the system may become unstable and you may get a B S O D (the infamous Blue Screen o f Death).

© 2 016

Pedro Bueno

253

Advanced Anti-Rootkit Tools: Rootkit UnHooker (4) After the UnHook, we can now see our hidden file on Explorer!

Favorites '

Tools

Help

V

Folders

(US-

Address Size 44 KB

Type

Date

Application Extension

8/23/2001 4:00 AM

KB Application Extension KB 905 KB

8/23/2001

Application

AM 4:00 AM

extension

0/23/2001 4:00 AM

Application Extension

4:00 AM

objects

4 Identifying and Removing Malware

Advanced Anti-Rootkit Tools: Rootkit UnHooker (4) After the U n H o o k , i f we go back to Windows Explorer, we have a nice surprise. Go to Tools and select Refresh. W e can now see the this previously was only possible w i t h other tools!

254

© 2 016

Pedro Bueno

Advanced Anti-Rootkit Tools: IceSword (1) File

Dump

Plugln

x I c e S w o r d on

Name File

6144 6144 6144

C D LastGc Media C D Micros'

5632 6656 44160 7040

C D

fib-CD Offline S3

C D

kernel32.dll 42809

C D

!•

repair

42537

ftesoui

,

_L Identifying and R e m o v i n g Malware

Advanced Anti-Rootkit Tools: IceSword (1) This is another example o f a great tool that works only on W i n d o w s X P . The following slides use the same badkits2.zip rootkit file used to create the previous slides.

After the badkits2 is executed, extract the IceSwordl22.zip and open IceSword.exe; then select the File section on the left panel.

Selecting our local driver C: and going to the to see our hidden malware on the Windows\System32 folder.

Pedro Bueno

folder, i t reveals a nice surprise: I t is possible

255

Advanced Anti-Rootkit Tools: IceSword (2) One of the good points on IceSword is the capability to copy a file that the rootkit is hiding to some other folder. In this way, you can examine it or send to an AV vendor or an online service.

Refresh Copy force delete

Identifying and

Malware

Advanced Anti-Rootkit Tools: IceSword (2) W e n o w k n o w that IceSword can show us the

that is hidden b y the rootkit.

That is already a good thing. N o w , another good thing from this tool is the ability to Copy the location on the hard drive.

to another

This is useful because sometimes we want to send this suspicious file to our antivirus vendor, simply run i t on one online service that offers a Sandbox, or just r u n several A V and see h o w they detect this suspicious

This is accomplished on IceSword b y right-clicking the file and choosing the Copy to option.

The right-click also offers the f o l l o w i n g options:

Delete •

Refresh •





256

to . . . Force delete

Pedro Bueno

Advanced Anti-Rootkit Tools: IceSword Functions

After we have found the suspicious file, we may want to copy it through IceSword, or go deeper and "unhide" the file.

j ;

SSDT

i

Message Hooks

Log •:

To do this, we click the Advanced button on the Functions tab on the left panel.

Log

Process:

Registry File

Identifying and

|

Malware

Advanced Anti-Rootkit Tools: IceSword (3) A s mentioned before, IceSword is powerful and has several

fiinctions.

Because we k n o w that we have a hidden file on our system, i t w o u l d be nice to find the hooks associated w i t h i t .

The Advanced button helps w i t h this, by offering the option to scan the system.

© 2 016

Pedro Bueno

257

Advanced Anti-Rootkit Tools: IceSword (4) j -7* i ! — . trine

On the advanced area, we click on the General Scan button

(ft



ttttffcd

rfC;[Wlfl>W^«trt37VC«tcrie> d

*),

d

-• teres (ft

iPAGE d

!—.

PAGE of

i-—

(tn PAGE d

ftb"i*

PAGE d of 4*4 4*4

:

: :

4*4

ffwdfied

(ft len:S (ft 4*4 d 77f •

(ft 4*4 rf

(ft (ft •

cods

(ft (ft 4*4 (ft

Irto* cod* Irto*

i

(ft

d of

:

Identifying and Removing Malware

Advanced Anti-Rootkit Tools: IceSword (4) W h e n we go to the advanced area, we can scan the system b y pressing the General Scan button.

The results come up quite fast and show the hooked functions.

I n this case:



ZwQueryDirectoryFile •

ZwCreateThread

• • Does this sound similar to Rootkit UnHooker? ©

258

Pedro Bueno

Advanced Anti-Rootkit Tools: IceSword (5) Select the modules that have the suspicious functions hooked

ten: :

tot (ft of (ft d (ft (ft of (ft PAGE

trite

of

:

te rf

Click Restore button "You should not do this!" Identifying and Removing Malware

Advanced Anti-Rootkit Tools: IceSword (5) W e can now select the hooked functions b y clicking them and holding the Shift key.

After we select all hooks o f interest, we can press the Restore button. Y o u w i l l see a warning w i n d o w , w i t h the message: " Y o u should not do this!" © This is i f we do something w r o n g (unhook something critical), we may get a B S O D .

because i n some cases,

Go ahead and restore the Hooks and see i f we can n o w see the hidden file i n Windows Explorer.

Pedro Bueno

259

Identifying and Fighting Rootkits (1) • Caveats: • Beware when cleaning the machine with antirootkit tools • Some Rootkits may hide in legitimate processes like iexplore or winlogon.exe • Removing legitimate files may result in failure to boot or failure of the system to run correctly

Identifying and Removing

Identifying and Fighting Rootkits (1) F o l l o w i n g are some caveats: • Beware when "cleaning" the machine w i t h anti-rootkit products; some rootkits may be tricky to remove.

• Some rootkits may hide i n legitimate processes such as Internet Explorer (iexplore.exe) and winlogon.exe. Removing legitimate files may result i n failure to boot or failure to run correctly. I n those cases, i t is recommended to follow these actions:

260



Get a more verbose program to check the hook and device drivers related to the legitimate application. •

Boot i n safe-mode to a l l o w y o u to manually delete the malicious device driver (preferably using tools). •

Restart the system and r u n the anti-rootkit application again.

© 2 016

Pedro Bueno

Identifying and Fighting Rootkits (2) Last tip: • When dealing with Rootkits, if you are unsure about the cleaning operation, make a backup of your files and rebuild the machine from scratch

Identifying and Removing Malware

Identifying and Fighting Rootkits (2)

Last Tip A l t h o u g h w e identified this rootkit i n our machine, and safely removed/renamed them, i n some cases i t may not be possible or i t may be too complex to do so without causing harm to the computer. I f y o u are unsure about cleaning the rootkit, back up the important files instead and rebuild the machine scratch. Be careful, as some malicious files may still be hiding i n the data y o u are about to back up.

Therefore, it's better to restore your system from a k n o w n clean previous backup i f y o u have one.

A n d remember, removing legitimate files may result i n failure to boot or failure to r u n correctly.

© 2 016

Pedro Bueno

261

Rootkits and Anti-Rootkits Windows 7 Hands-on Part 1

Identifying and

Malware

Rootkits and Anti-Rootkits O n the rootkits and anti-rootkits part, we start w i t h the following steps:

Revert the V M w a r e Windows 7 image to the Snapshot Clean7: V M - > Snapshot - > Select Clean7 2.

Open the folder Course on the V M w a r e W i n d o w s 7 Desktop. Open the Part7 folder.

4.

Copy TDSSKiller.exe, mbr.exe and sanitySetup.exe to your desktop.

5.

Double-click the SanitySetup.exe file and click the Next button on the instructions screens to complete the installation.

6.

Right-click the badkit.zip file and select Extract A l l . Enter the training password when asked.

7.

Double-click the new created folder.

8.

Copy the badkit.exe to the desktop.

9.

N o w , right-click the badkit.exe file and select Run as Administrator.

Continue to follow the slides doing the same on your V M w a r e Windows 7 image. L E G A C Y INFO: I f plan to do this exercise on a W i n d o w s X P machine, you need to check: I f the machine is on Service Packl or less, y o u need to install the Service Pack2, WindowsXP-KB835935-SP2-ENU.exe. This process can take up to 20 minutes depending on your system. Restart your W i n d o w s X P (on V M ) after the SP2 installation. Take a new snapshot, called SP2, so we can revert later.

262

© 2 016

Pedro Bueno

Rootkits: Win 7 Example • In the following example we examine a machine that is acting strangely • Identify/verify malicious activity with Windows tools

I d e n t i f y i n g and R e m o v i n g M a l w a r e

Rootkits: L i v e Example

Our Learning Example I n our learning example w i t h Rootkits, we have the f o l l o w i n g scenario:

A machine was w o r k i n g okay, but the Incident Response Team identified that something was not quite right. That's not exactly the best thing to hear because no details were provided, yet we have to figure i t out.

First, we try to identify i f something is w r o n g using some o f the tools that we learned about so far such as Task Manager, Process Explorer, and TCPView.

©2016

Pedro Bueno

263

Rootkits: TaskManager View Checking for suspicious processes with Windows Task Manager didn't trigger any

File

Options

View

Applications i Processes

Help Services j Performance

Image Name

Name labOl

ond.exe labOl

[

labOl labOl labOl

processesfrom

00 00 00 00 00 00 00 00 00 00 00 00 00 00

K

Windows ... ...

K 4,999 K

K K K

Pros... ... ...

3,956 K K

T...

users

CPU Usage: 0%

Identifying

|

Physical Memory:

Removing Malware

Rootkits: TaskManager View

Using TaskManager The first thing we can do is use Windows TaskManager and visually try to identify anything that could be considered suspicious, any process that w o u l d not i n the machine configuration.

This is obviously not an easy task because a machine can have hundreds o f processes, and y o u may not always k n o w each o f the processes, and because a malicious process could choose a deceptive name to avoid visual detection.

I n our case, we could not see anything that triggered our "visual radar."

264

© 2 016

Pedro

Rootkits: Process Explorer View r

Using Process Explorer to look for suspicious processes didn't help either

PID CPU 1352

for

S.,

Service VMware, he,

Hod

for tabkUed Hod Process Software

1372 2052

5..

... Windows Search P... Hod

520 Local Server

Process

13 VMware

riSVMwseTrayane

Cere Service VMware,

3804

CPU

Commit

40

38.34%

Identifying and R e m o v i n g Malware

Rootkits: Process E x p l o r e r V i e w

Using

Process Explorer

We already tried to identify possible suspicious processes or services w i t h Windows Task Manager, but w e didn't have any luck. N o w w e t r y to see the same processes and services w i t h Microsoft tool Process Explorer.

Process Explorer can give a much more complete v i e w o f the processes and services o n the machine, including the description o f the process and service.

As y o u can see, y o u cannot spot any suspicious activities or processes. Process

PID

System Idle Process

0

Description

Company Name

98.02

Interrupts

Hardware Interrupts

DPCs

Deferred Procedure Calls

© 2 016

Pedro Bueno

265

Rootkits: TCPView Traces .

• TCPView shows interesting information!

a

*

i

TCP

i

TCP TCP

• process??? • Initiating connection to a remote site on http port?

' TCP

00.000

LISTENING US1EIIII.G LISTENING

i 3 i 3 3 i 3

U0FV6 TCP TCP

0.000(9153

LISTENING (..

F F

LISTENING

TCP LISTENING TCP

000.00

Identifying and

Malware

Rootkits: T C P V i e w Traces

Using Sysintemals T C P V i e w Because we already tried to get information w i t h W i n d o w s Task Manager and Process Explorer, and could not identify any suspicious processes or services, we can now try to use another w e l l - k n o w n tool: TCPView.

This time we got at least some suspicious activities.

T C P V i e w shows a bunch o f connections initiated b y a process, to a remote server on port 80.

266

Process

Protocol

Local Address

Remote Address

:744

UDP

Lab-machine: 1075

*.*

:744

TCP

Lab-machine:

LISTENING

:744

TCP

lab-machine: 1046

SYN_SENT

© 2 016 Pedro Bueno

State

Rootkits: SanityCheck (1) • Works on different versions of Windows, including 7, 8, and Server 2012 • Works on x32 and x64 • Great to not to "Fix"

Identifying and Removing Malware

Rootkits: SanityCheck (1) The tool SanityCheck works great i n different versions o f Windows, including W i n d o w s 7. Before y o u start to use i t , y o u need to have i t installed i n the system.

I t is a great t o o l to assist to y o u i n identifying suspicious rootkit activities; however, i t does not fix them.

I t can be downloaded at

The installation is simple; just double-click i t and follow the default options. Remember to check the box that creates a desktop icon, on the screen called Select Additional Tasks.

The last screen during installation lets you launch the tool after the Setup W i z a r d finishes. That's okay; just click Finish.

Before the t o o l actually starts, i t asks i f y o u want to change certain Registry settings to improve detection. Because we don't want to mess w i t h the Registry, select N o .

© 2 016

Pedro Bueno

Rootkits: SanityCheck (2) Hip '

Simple interface

J finals t

Welcome to

Just click the Analyze

This program viruses and other malware. drivers, hidden threads and

the of Toolkits, processes, hidden

kernel

Note certain because security software with malware. This is it software which may be

you have installed, This is normally associated and other security

In case any irregularities are found the report suggestions on how to proceed in the investigation.

tofind

process or module and offer

Note that although this software creates a comprehensible report it is not intended for absolute novice users not have not any type of idea about the software that is installed and on their systems. styling cur system please

this may

do

minutes

Identifying and Removing Malware

Rootkits: SanityCheck (2) The SanityCheck interface is simple. W e just need to click the Analyze button and wait for the results.

268

Pedro Bueno

Rootkits: SanityCheck (3) •

The result shows a hidden process detected running in the system • This is a good indication that a rootkit is installed • Now we need to find the driver that is preventing us to see and kill the process to clean our system

j bten detected One

is

fofa

or

be ft* ftjjisre^tffttxcat l\toy fc^jnes

prates.1

or

»

• to Processes

running no:

any

Identifying and Removing Malware

Rootkits: SanityCheck (3) After the scan finishes, i t shows y o u the results when y o u scroll d o w n the main window.

O n the results, y o u can see that i t detected a hidden process running on the system, called 9129837.exe. This is a good indication that there is a rootkit on the system that is intercepting the system calls and preventing a process to display.

This is usually done b y a low-level system driver installed i n the system. T o clean our system, we need to see the process. To see the process we need to delete what is preventing W i n d o w s to show it.

Pedro Bueno

269

Rootkits: TDSSKiller (1) Kaspersky TDSSKiller -Developed by AV Kaspersky in 2009 -Clear (command line available) -Supports 32 and 64 bits

Identifying

Removing Malware

Rootkits: T D S S K i l l e r (1) TDSSKiller, developed b y the A V vendor Kaspersky, can be downloaded at I t is a simple, yet powerful application, and i t runs smoothly on Windows 7, both 32- and 64-bit.

270

© 2 016 Pedro Bueno

Rootkits: TDSSKiller (2) • Starting the TDSSKiller tool Kaspersky TDSSKiller

Ready to scan designed to detect and

rootkits (such as TDSS, Stoned,

SST, reboot

after documents

'^>j

About

protection

scan.

Start scan

malware

and Removing Malware

Rootkits: T D S S K i l l e r (2) T o start the T D S S K i l l e r tool, simply double-click i t on the tdsskiller.exe on your desktop.

The application opens and asks i f y o u want to Start the Scan right away, or i f y o u want to customize i t . The tool offers y o u the option to select w h i c h objects y o u want to scan, such as System M e m o r y , Services and Drivers, B o o t Sectors and Loaded Modules. B y default the first three are checked to be scanned and i n general y o u should be okay.

P.S. The tool also offers some options that enable y o u to run on the command line. T y p i n g tdsskiller.exe - h shows a l l available options.

Pedro Bueno

271

Rootkits: TDSSKiller (3) • Delete the Suspicious Driver and Reboot

Identifying and Removing Malware

Rootkits: T D S S K i l l e r (3) A s y o u can see, the slide shows that the TDSSKiller found a threat. I t is a hidden w i t h the name new drv.

that works as a service,

T D S S K i l l e r offers three options for the suspicious hidden file: Skip, Copy to Quarantine, and Delete.

N o w let's delete the suspicious driver and reboot the system.

Note that on 64-bit Windows 7, after running TDSSKiller, new_drv is not detected, but 9129837 exists on the machine and may be ranning.

272

© 2 016

Pedro Bueno

Rootkits: Process Explorer (1) -

• Now you can see the process running! • It is time to remove it from the system

4

!

CPU

|

* ', S. S.

fi» 743

tt£re**Cawi* [c:\WinPE\Mount] Successfully mounted image (RW).

5.

A t the command prompt, type the following and then press Enter to access the following Registry subkey:

(The font size may break into two lines, hut i t is just one command line.)

reg

6.

load

A t the command prompt, type the f o l l o w i n g and then press Enter to create a 9 6 M B disk cache o f RAM:

(The font size may break into t w o lines, but i t is just one command line.)

reg

add

/v /t

7.

reg

/d

96

/f

A t the command prompt, type the following and then press Enter to exit this Registry key:

unload

HKLM\ WinPE SYSTEM

© 2 016

Pedro Bueno

345

8.

Create a directory for the malware-scanning tools under the M o u n t folder. (For example, y o u could use the name "Tools" for this folder.)

9.

Copy the tool files that y o u downloaded i n Task 2 to the tools directory that y o u just created. Example:

copy

c:\WinPE\mount\Tools

Y o u can also use Windows E x p l o r e r to do this task!

10. A t the command prompt, type the following, press Enter, type Yes, and press E N T E R again to continue the process:

/prep

Y o u should see the following message on your system:

Preinstallation Environment Image Setup Toolfor Windows Copyright (C) Microsoft Corporation. All rights reserved. The /prep command will permanently modify a Windows PE image, so that it can no longer be serviced. This means that operations including: • Installing or • Applying

or other servicing packages

• Installing language packs Will not be possible on the prepared image. To continue, enter "yes". Any other input will exit the program. Continue? Yes PEIMG completed the operation successfully. A t the command prompt, type the following and then press Enter to save your changes:

/unmount

346

c:\WinPE\Mount

© 2 016

/commit

Pedro Bueno

Y o u should see the following message on your system:

for Windows Copyright (C) Microsoft Corp. 1981-2005. All rights reserved. Unmounting:

\

Successfully unmounted image. 12.

A t the command prompt, copy the following, press Enter, and then type Yes to overwrite the existing

copy

13.

wim

A t the command prompt, type the f o l l o w i n g and then press Enter to create an PE image:

o f the

(The font size may break into two lines, but i t is just one command line.)

~n c: \

c:\WinPE\ISO iso

The message indicates that it was successful. Please note that the number o f files may vary depending on the tools y o u include. I n m y ease I d i d n ' t include Spybot Search & Destroy because i t w o u l d i t to installed on the machine; we w i l l do the offline analysis and i n most cases we w i l l not be able to install additional software the infected machine.

OSCDIMG 2.45

Utility

Copyright (C) Microsoft, 1993-2000. All rights reserved. For Microsoft internal use only.

Scanning source tree complete

in 8 directories)

Computing directory information complete fde is 205975552 bytes

Writing

in 8 directories to

100% complete

Final image fde is 205975552 bytes Done.

14.

The previous step created an I S O image for us. W e w i l l to a C D - R O M .

© 2 016

Pedro Bueno

the

located at

347

Booting with Windows PE Step 4: Use the Malware Removal Starter Kit to scan your computer • It is time to boot your system with the newly created Windows PE CD-ROM • Ensure that your BIOS is set to boot from CDROM!

Identifying and

Malware

Booting with Windows P E Some BlOSes are already set to put the C D - R O M boot i n first place, followed by hard disk and other medias.

Y o u may need to consult your B I O S documentation for instructions o n h o w to change the settings for Boot preferences.

I f your computer is already set to check C D - R O M first, y o u may be asked to press Enter to boot from the C D R O M and then start the W i n d o w s PE.

348

Pedro Bueno

On the System (1) • Tools will be on tools folder • Two options: • Check the known suspicious files or • Start with the antivirus/anti-spyware tools

O n the System (1) W h e n y o u first start on Windows PE, y o u are presented w i t h a D O S Prompt w i n d o w i n folder

Y o u r tools are i n folder x:\tools; then, y o u have to change directories:

X:\windows\system32\cd

x:\tools

y o u to the Tools folders, where y o u can

© 2 016

all the tools that y o u included i n the

Pedro Bueno

349

On the System (2) Check the known suspicious files • This option is for when you found suspicious files during the online analysis but could not delete them • Now you can find and delete them!

Identifying and Removing Malware

O n the System (2) N o w that y o u have access to the offline system, y o u can go after the suspicious files that y o u found during an online analysis but were unable to delete/remove them because o f a malware trick.

W h e n the boot process is finished, y o u w i l l be i n a D O S prompt w i n d o w on drive X : , but y o u can easily go through the actual hard drives and the suspicious file and try to delete it.

A simple command: cd c:\ w i l l take y o u to the drive C:\ and then y o u can navigate to any folder.

350

©

2016 Pedro Bueno

On the System (3) • All tools will be on X: drive in folder tools • Check your USB pen-drive drive letter with Drive Manager tool, from X:\tools

Identifying and Removing Malware

O n the System (3) A s y o u aheady explained, y o u w i l l be prompted to a DOS w i n d o w on the X:\windows\system32\ folder. The tools y o u put on w i l l be i n X:\tools; y o u can just cd x:\tools.

I f during the boot process y o u inserted your pen-drive, you can find i t . Usually the system w i l l assign the letter E: for it, but y o u might need to check i t w i t h the Drive Manager tool.

© 2 016

Pedro Bueno

351

On the System (4) • Using the AV/AS tools in offline mode: • This option is useful when you've already tried everything possible to uncover malicious files on a live system • It runs some antivirus and anti-spyware tools, looking for suspicious file/threats • This helps because some malware prevents them from running on live systems

Identifying and Removing Malware

O n the System (4) Y o u probably want to use the antivirus/antispyware tools, such as the Avast and M c A f e e Stinger, so they can scan the system looking for malicious software.

Some o f these tools are set to scan C:\, w h i c h is usually the common root drive for Windows systems, but y o u might want to use DriveMan.exe to see a l l disk drives on the system, and maybe reconfigure the scan tools to also check for additional drives.

352

© 2 016

Pedro Bueno

Cleaning the System • When your tools detect something malicious, you have a chance to remove it • Remember that removing legitimate files may result in failure to boot or failure to run correctly Identifying and Removing Malware

Cleaning the System When y o u decide to r u n an antivirus/antispyware, y o u must k n o w that some o f them w i l l automatically remove the virus from the system.

The Avast Cleaner w i l l proceed i n this way, but M c A f e e Stinger offers y o u four options on virus detection:



Report Only: Reports only the virus detection on the screen •

Repair: Tries to repair the virus infection •

Rename: Renames the infected file •

Delete: Deletes the infected file from the system

The default option is to repair the virus infection.

Remember that removing legitimate files may result i n failure to boot or failure to run correctly.

Note: I n some i t is not safe to remove a malware file i f the changes made b y i t are not remediated as well. For example, the malware could have been acting as an LSP, removing i t without reassigning the order i n the Registry keys w o u l d lead to a loss o f network connectivity. The same goes for other malware that hooks the initialization chain, w h i c h without removal o f all artifacts, may lead to an unbootable system. Therefore, it's better to rename the file so that y o u can revert the changes i f necessary.

Pedro Bueno

353

Restoring the System (1) • In case of failure, to restart the system after removing files during the offline scan, you have two options: • Restore the system • Rebuild the system

Identifying and Removing Malware

Restoring the System (1) W h e n y o u decide to remove some files, y o u might affect your system i n a way to prevent i t from restarting properly. W h e n that occurs, y o u have t w o options:



Restore the system. •

Rebuild the system.

W e see both options i n detail on the f o l l o w i n g pages.

354

Pedro Bueno

Restoring the System (2) • In some situations, Windows creates Snapshots of "safe" configurations, so if your system is booting, you may have a chance to restore it to a last good state • If it doesn't boot, you can also try to restore from the command prompt and R e m o v i n g M a l w a r e

Restoring the System (2) The first option is the System Restore. W i n d o w s usually creates snapshots o f safe configurations and calls them restore points. I n case something goes w r o n g y o u can choose to restore the system configuration to one o f those safe restore points.

I f y o u can boot the system, y o u can locate the system restore points by f o l l o w i n g these steps:

L o g on to Windows as Administrator. 2.

Click Start, point to A l l Programs, point to Accessories, point to System Tools, and then click System Restore. System Restore starts. On the Welcome to System Restore page, click Restore m y computer to an earlier time ( i f it is not already selected), and then click Next.

4.

O n the Select a Restore Point page, click the most recent system checkpoint i n the On this list, click a restore point list, and then click Next. A System Restore message may appear that lists make. C l i c k O K .

5.

changes that System Restore w i l l

O n the Confirm Restore Point Selection page, click Next. System Restore restores the previous Windows X P configuration, and then restarts the computer.

6. L o g on to the computer as Administrator. The System Restore Restoration Complete page appears. 7. C l i c k O K .

© 2 016

Pedro Bueno

355

I f y o u cannot l o g correctly, boot the system. Y o u can try to restore the system using the command prompt instructions: Restart your computer, and then press F8 during the initial startup to start your computer i n Safe Mode w i t h a command prompt. 2.

L o g on to your computer w i t h an administrator account or w i t h an account that has administrator

3.

Type the following command at a command prompt, and then press Enter: %systemroot%\system32\restore\rstrui.exe

4.

Follow the instructions that appear on the screen to restore your computer to an earlier state.

credentials.

356

© 2 016

Pedro Bueno

Rebuilding the System • If everything fails, you have to reinstall the system from scratch or from an image • Critical step when doing it: Remember to apply all patches; otherwise, you might be compromised quickly by one of the several Internet zombies ...

Identifying and Removing Malware

Rebuilding the System W h e n everything fails, and not even a system restore solves the problem, the only w a y to follow is to rebuild the system.

Some companies have hard-disk imaging software and that makes the w o r k faster.

I f y o u are not category, y o u have to install i t from scratch. I n this case, a critical step is to apply the security patches as soon as possible; otherwise, y o u may be compromised fast b y one o f the several Internet zombies that keeps scanning the Internet looking for vulnerable machines

Pedro Bueno

Summary • In this module, you learned: • What is the MS approach on removing malware • Building a special Windows PE CD-ROM • Offline scanning • System restore/rebuild

Identifying and Removing Malware

Summary I n this module, y o u learned about the M S approach for malware removal. Y o u also learned how to b u i l d a custom Windows PE C D - R O M that can be used for attempts to identify and remove malware on an offline system, using both commercial

tools and going directly to suspicious files that might may have been found

during live analysis.

Also, i f we accidentally remove a critical and the system refuses to behave normally, y o u learned h o w to use a W i n d o w s feature, called system restore, so y o u can go back to the last k n o w n good configuration. A n d i f even that doesn't w o r k , y o u learned that the best solution w o u l d be to reinstall the system from scratch.

358

Pedro Bueno

Identifying and Removing Malware Summary

Identifying and

Malware

This page intentionally left blank.

© 2 016

Pedro Bueno

359

What We Covered in This Course (1) • Usage of Basic tools from Windows to help spot and remove malware • Usage of WMIC to give us more power and information when dealing with malware

Identifying and Removing Malware

W h a t W e Covered i n This Course (1) D u r i n g this course, y o u learned h o w to use the D O S prompt to get the most already k n o w n tools, such as D I R and Netstat, which help identify and remove malware from the system. Y o u also learned about the advanced command-line tool, W M I C , w h i c h enables us to query the system for more complete information and to terminate processes and services that may be used by malware.

360

Pedro Bueno

What We Covered in This Course (2) Usage of HijackThis tools in different scenarios Usage of MS Sysintemals Process Explorer and TCPView to identify and remove malware Understanding BHOs and how to use ListDLLs and HijackThis to deal with them I d e n t i f y i n g and R e m o v i n g M a l w a r e

W h a t W e Covered in This Course (2) W e first used a Swiss knife tool called HijackThis, w h i c h enables y o u to do a system scan, clean malware traces, terminate malware processes, and identify auto-loading applications.

W e also introduced the Microsoft Suite, w h i c h contains a lot o f tools. W e started w i t h Process Explorer, an advanced version o f Windows Task Manager, and then we covered T C P V i e w , w h i c h can be also compared w i t h the Netstat tool.

The malicious usage o f D L L s as B H O was also explained, as w e l l the introduction o f M S Sysintemals L i s t D L L s to deal w i t h them.

©2016

Pedro Bueno

361

What We Covered in This Course (3) • Understanding ADS and how to get information about them • Examining rootkits and anti-rootkits technologies • Dealing with persistent malware • Analyzing different types of malware

Identifying and Removing Malware

W h a t W e Covered i n T h i s Course (3) Alternate data streams were covered, as w e l l as the tools that can be used to identify and remove them from our system.

Y o u learned about rootkit and anti-rootkit technologies, such as the tools that can be used to identify rootkit presence and h o w to use the anti-rootkit tools to remove them from our system.

362

Pedro Bueno

What We Covered in This Course (4) • Learning how to use protocol analyzers to identify malware traces on our network • Using Sandbox websites to help us identify possible malicious files, by examining the reports generated

and Removing Malware

W h a t W e Covered in This Course (4) Identifying the presence o f malware i n the network can help a lot to improve defenses. Y o u learned h o w to use a protocol analyzer tool, Wireshark, to identify the network traces left by malware, so y o u could better understand the purpose o f it.

The Sandbox technologies were also explained and y o u learned h o w to use them to identify i f a suspicious file is malicious by observing the reports generated.

© 2 016

Pedro Bueno

363

What We Covered in This Course (5) How to build a special version of Windows PE, used on Microsoft Malware Removal Kit, and how to use it

Identifying and

Malware

W h a t W e Covered in This Course (5) I n this course, y o u learned how to b u i l d a special version o f Microsoft Windows PE, w h i c h is used on the Microsoft Malware Removal K i t w i t h tools for an offline scan on the machine.

Y o u also learned how y o u can use the k i t to detect additional malicious software.

364

© 2 016

Pedro Bueno

Hands-on Answers

Identifying and Removing Malware

This page intentionally left blank.

Pedro Bueno

365

Lab 1: Part 1

Answers

Identifying and Removing Malware

1)

H o w many files were added to the directory? Files/directories that are created as a result o f running C:\WINDOWS\system32\0wned.log

Hidden files: 2\inetsrv\smc.exe 2) A r e any o f them running? Process that is running: 3) Can y o u identify any network connections associated w i t h those files? Using Netstat w i t h the parameters -ano, i t is possible to identify some network connections and the process I D o f each one. Because the malware rotates between a list o f hard-coded IPs, y o u may notice different being checked, such as 173.194.43.43 and 37.59.41.117. 4) H o w can y o u k i l l that connection? O n the previous question, y o u were able to see the SMC.exe process making network connections. Our material shows examples o f using taskkill.exe malware.exe, but i n this case y o u can notice that using only the parameter w o n ' t k i l l the process smc.exe. Sometimes y o u might need to force the k i l l . This can be done b y adding the parameter line.

366

Pedro Bueno

to the command

Lab 2: Part 2

Answers

Identifying and Removing Malware

H o w can y o u start W M I C console?

Open the command line and type wmic.

2. List a l l processes i n a b r i e f way. W h i c h command d i d y o u use?

list 3. List a l l instances

brief

processes. W h i c h command d i d y o u use?

where

list

brief

4. Use W M I C to k i l l a l l processes o f name malware.exe.

d e l e t e 5. Check Check the startup list.

or any suspicious

is configured to start w h e n the computer reboots. T i p :

list

full

This command w i l l show a l i s t o f t h e f i l e s ; n o t i c e t h e file.

©

Pedro Bueno

367

6. Generate the list o f all processes that start on boot time i n the H T M L format and open w i t h I E .

W m i c startup list f u l l

: startup.html

7. L i s t all services and see i f malware.exe or any suspicious

is running as a service.

Using the process described, malware.exe is not shown, hut i t is possible to see My_Love.exe.

368

Pedro Bueno

Lab 3: Part 3

Answers

Identifying and Removing Malware

This lab has the following questions:

W h a t do y o u see when y o u click "Do a system scan only?" Take note o f anything suspicious that w i l l be loaded at boot time.

2.

I f a suspicious process is running, t r y to kill/terminate it. Describe the process used to k i l l the suspicious process using HijackThis.

3.

I f the process was successfully terminated, i t is time to remove the malicious registry entries. Using the tool, w h i c h function w i l l allow y o u to remove the entries?

Because this is an interactive lab, the answers are included i n the slides f o l l o w i n g the original Hands-On questions.

© 2 016

Pedro Bueno

369

Lab 4: Part 4

Answers

I d e n t i f y i n g and R e m o v i n g M a l w a r e

D o y o u see any suspicious activity on the machine using both Process Explorer and TCPView? I f y o u keep T C P V i e w open for a few moments, y o u w i l l notice the machine attempting to connect to a remote website. 2. W h i c h remote ports are involved? 80 3. Is i t using any method to ensure that i t w i l l he loaded at boot time? Yes, by running HijackThis, i t is possible to see i t being loaded w i t h an A u t o r u n Registry key

4. What can y o u use to clean its traces? can delete i t h y checking the box that i t is and selecting the F i x button. However, i n some cases y o u need to make sure that the malware is not running. The solution i n this case is to rename the malware on this folder, reboot the system, and then r u n to fix i t . 5. W h i c h folder is the suspicious file installed in? On W i n d o w s 7, i t is installed i n the

logged>\AppData\Roaming\\.

370

Pedro Bueno

6.

y o u delete it? W i t h TCPView, y o u notice that the malware is making connections, hut the process that is doing i t is not the malware process. I t is a W i n d o w s process called TaskHost.exe. (Note that y o u might observe different behaviors on W i n d o w s 7 32-bit and W i n d o w s 7 64-bit.) This means that the malware analyst to it.

its code into a legit W i n d o w s process to make i t harder for the

W i t h the tools provided i n the folder, y o u can find the autostart mechanism and the folder where i t is located.

After y o u delete it, try to run the

and remove the autorun entry. Then, scan again.

7. D i d the Autorun entry get removed?

N o , w h i c h means that y o u need to reboot the system first.

N o w reboot the system and t r y to remove the A u t o r u n entry again.

©2016

Pedro Bueno

Lab 5: Part 6

Answers

and Removing Malware

Because this is an interactive lab, the answers are included i n the slides f o l l o w i n g the original Hands-on questions.

372

©2016

Pedro Bueno

Lab 6: Part 9

Answers

Identifying and Removing Malware

Because this is an interactive lab, the answers are included i n the slides following the original Hands-on questions.

© 2 016

Pedro Bueno

373

Lab 7: Part 7

Answers

Identifying and Removing Malware

Because this is an interactive lab, the answers are included i n the slides following the original Hands-on questions.

Remember that Rootkit_Detective, Panda anti-rootkit, and rku37300509 from the Part 7 course files do not on W i n d o w s 7. They are included to help y o u create your arsenal o f tools, w h i c h may r u n on different W i n d o w s versions.

374

© 2 016

Pedro Bueno

Lab 8: Part 7

Answers

Identifying and

Malware

Because this is an interactive lab, the answers are included i n the slides f o l l o w i n g the original Hands-on questions.

Pedro Bueno

375