SEC 309 Advanced Malware Cleaning Mark Russinovich Technical Fellow, Platform and Services Division Microsoft Corporation

About Me
- Technical Fellow, Microsoft
- Co-founder and chief software architect of Winternals Software
- Co-author of Windows Internals, 4th edition, and Inside Windows 2000, 3rd edition, with David Solomon
- Author of the Sysinternals tools; home of blog and forums
- Senior Contributing Editor, Windows IT Pro Magazine
- Ph.D. in Computer Engineering

Why Is Manual Cleaning Necessary?
- How do users get malware?
  - They download apps that include adware and spyware
  - They click on misleading popups or banners
  - They visit sites that use exploits to inject malware
  - Many users still don't patch, or don't use antivirus or antispyware
- Why doesn't antivirus and antispyware stop malware?
  - They are dependent on signatures
  - Malware directly attacks them
- Always perform manual cleaning after you've run the available antivirus and antispyware tools

Malware Cleaning Steps
- Disconnect from the network
- Identify malicious processes and drivers
- Terminate identified processes
- Identify and delete malware autostarts
- Delete malware files
- Reboot and repeat

Identifying Malware Processes

What Are You Looking For?
Processes that…
- …have no icon
- …have no description or company name
- …claim to be Microsoft images but are unsigned
- …live in the Windows directory
- …are packed
- …include strange URLs in their strings
- …have open TCP/IP endpoints
- …host suspicious DLLs or services

What About Task Manager?
- Task Manager provides little information about the images that are running

Process Explorer
- Process Explorer is "Super Task Manager"
- Runs on Windows 95, 98, Me, NT, 2000, XP, Server 2003
- Also supports 64-bit (x64) and Vista
- Has lots of general troubleshooting capabilities:
  - DLL versioning problems
  - Handle leaks and locked files
  - Performance troubleshooting
  - Hung processes
- We're going to focus on its malware cleaning capabilities

The Process View
- The process tree sort shows parent-child relationships
- Icon, description, and company name are pulled from the image's version information
  - Most malware doesn't have version information
  - What about malware pretending to be from Microsoft? We'll deal with that shortly…
- Use the Window Finder (in the toolbar) to associate a window with its owning process
- Use the Google menu entry to look up unknown processes
  - But malware often uses totally random or pseudo-random names

Refresh Highlighting
- Refresh highlighting highlights changes
  - Red: process exited
  - Green: new process
- Change the duration (default 1 second) in Options
- Press the space bar to pause and F5 to refresh
- Cause the display to scroll to make new processes visible with the Show New Processes option

Process-type Highlights
- Blue processes are running in the same security context as Process Explorer
- Pink processes host Windows services (we'll look at services shortly)
- Purple highlighting indicates an image is "packed"
  - Packed can mean compressed or encrypted
  - Malware commonly uses packing (e.g. UPX) to make antivirus signature matching more difficult
  - Packing and encryption also hide strings from view
- There are a few other colors, but they're not important for malware hunting

Tooltips
- Process tooltips show the full path to the process image
- Malware increasingly hides behind Svchost and Rundll32
  - The tooltip for Rundll32 processes shows the hosted DLL
  - The tooltip for service processes shows the hosted services
- Services covered in detail shortly…

Detailed Process Information
- Double-click on a process to see detailed information
- Image tab:
  - Description, company name, version (from the .EXE)
  - Full image path
  - Command line used to start the process
  - Current directory
  - Parent process
  - User name
  - Start time

Image Verification
- All (well, most) Microsoft code is digitally signed
  - A hash of the file is signed with Microsoft's private key
  - The signature is checked by decrypting the signed hash with Microsoft's public key and comparing it against a fresh hash of the file
- You can selectively check for signatures with the Verify button on the process Image tab
- Select the Verify Image Signatures option to check all
- Add the Verified Signer column to see all
- Note that verification will connect to the Internet to check Certificate Revocation List (CRL) servers

Windows Services
- Services can start when the system boots and run independently of the logged-on user
  - Examples include IIS, Themes, Server, Workstation, …
- Can run as their own process or as a service DLL inside a Svchost.exe
- The Services tab shows detailed service information:
  - Registry name (HKLM\System\CurrentControlSet\Services\...)
  - Display name
  - Description (optional)
  - DLL path (for Svchost DLLs)

Strings
- On-disk and in-memory process strings are visible on the Strings tab
  - There's only a difference if the image is compressed or encrypted
- Strings can help provide clues about unknown processes
  - Look for URLs, names and debug strings
- You can also dump strings with the command-line Strings utility from Sysinternals
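The string triage described on this slide, as an added example rather than code from the talk or from Sysinternals: it pulls printable ASCII and UTF-16LE runs out of a byte buffer the way the Strings utility does, tags the ones worth a second look (URLs, IPv4 addresses, .pdb debug paths, autostart key names), and compares a disk image against its in-memory copy to surface strings that only appear once the image has been unpacked. The sample "image" is a constructed byte string, not a real executable, and the indicator patterns are this example's own choices.

```python
"""Added example: Sysinternals-Strings-style extraction plus triage tags."""
import re

# Constructed sample: a few embedded strings, some ASCII, one UTF-16LE.
URL = b"http://example.invalid/update.php"
SAMPLE_IMAGE = (
    b"MZ\x90\x00" + b"\x00" * 12
    + URL + b"\x00\x01\x02\x03"
    + b"C:\\build\\dropper\\Release\\dropper.pdb\x00"
    + "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run".encode("utf-16-le") + b"\x00\x00"
    + b"\x7f\x45ab\x00"
)
# Same image "on disk" with the URL zeroed, as if it were encrypted until runtime.
DISK_IMAGE = SAMPLE_IMAGE.replace(URL, bytes(len(URL)))

# Indicator patterns (this example's choices, not an exhaustive list).
INDICATORS = {
    "url": re.compile(r"https?://[^\s\"'<>]+", re.I),
    "ipv4": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "debug-path": re.compile(r"\.pdb$", re.I),
    "autostart-key": re.compile(r"\\CurrentVersion\\Run", re.I),
    "executable": re.compile(r"\.(?:exe|dll|sys)\b", re.I),
}


def extract_strings(data, min_len=4):
    """Return (offset, encoding, text) for printable runs of at least min_len chars."""
    found = []
    for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, data):
        found.append((m.start(), "ascii", m.group().decode("ascii")))
    # UTF-16LE: printable ASCII code unit followed by a zero high byte.
    for m in re.finditer(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len, data):
        found.append((m.start(), "utf-16le", m.group().decode("utf-16-le")))
    found.sort()
    return found


def triage_strings(data, min_len=4):
    """Keep only strings that match at least one indicator, with their tags."""
    hits = []
    for offset, enc, text in extract_strings(data, min_len):
        tags = [name for name, rx in INDICATORS.items() if rx.search(text)]
        if tags:
            hits.append({"offset": offset, "encoding": enc, "string": text, "tags": tags})
    return hits


def memory_only_strings(disk_image, memory_image, min_len=4):
    """Strings present in the running image but absent from the file on disk:
    the difference the Strings tab shows for packed or encrypted images."""
    on_disk = {s for _, _, s in extract_strings(disk_image, min_len)}
    return sorted({s for _, _, s in extract_strings(memory_image, min_len)} - on_disk)


if __name__ == "__main__":
    for hit in triage_strings(SAMPLE_IMAGE):
        print("%06x %-8s %-14s %s" % (hit["offset"], hit["encoding"], ",".join(hit["tags"]), hit["string"]))
    print("only in memory:", memory_only_strings(DISK_IMAGE, SAMPLE_IMAGE))
```

On a live system you would feed `memory_only_strings` the file contents and a read of the same module from the process's address space (what the Strings tab's Memory option shows); a URL that exists only in memory is exactly the clue a packed dropper tries to hide.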

The DLL View
- Malware can hide as a DLL inside a legitimate process
  - We've already seen this with Rundll32 and Svchost
  - Typically loads via an autostart
  - Can load through "DLL injection"
- Packing highlight shows in the DLL view as well
- Open the DLL view by clicking on the DLL icon in the toolbar
- Shows more than just loaded DLLs
  - Includes the .EXE and any "memory mapped files"
- Can search for a DLL with the Find dialog
- DLL strings are also viewable from the DLL menu

Loaded Drivers
- There are several tools for viewing configured drivers:
  - Start->Run->Msinfo32
  - Built-in SC command: sc query type= driver
  - Device Manager with View->Show Hidden Devices
- The Process Explorer DLL view for the System process shows loaded drivers
  - Even drivers that delete their image files
  - Same path and version info as the standard DLL view
- Simply identify them now
  - Usually they're not stoppable
  - Delete their files and autostart settings later

TCPView
- Look for suspicious network endpoints with TCPView
- You can do this by looking at the TCP/IP tab of each process, but that's slow
- TCPView also uses refresh highlighting
- TCPView includes a "close connection" capability
  - …but you should be disconnected from the network

Terminating Malicious Processes
- Don't kill the processes one at a time
  - Malware processes are often restarted by watchdogs
- Instead, suspend them first
  - Note that this might cause a system hang for Svchost processes
- Record the full path to each malicious EXE and DLL
- After they are all asleep, then kill them
- Watch for restarts with new names…
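The suspend-everything-then-kill ordering from this slide, as an added example (not code from the talk): `clean_processes` records the image paths first, suspends every suspect, and only then terminates them, returning any process that appeared afterwards so a restart under a new name is noticed. The live controller uses the third-party psutil package, whose `suspend()` and `kill()` methods exist as used here; the simulated controller is a constructed model of two processes that restart each other, included so the difference between the two orderings can be seen offline. The Svchost caveat on the slide still applies: leave service hosts out of the suspect list unless you are prepared for a hang.

```python
"""Added example: suspend every suspect before terminating any of them."""
try:
    import psutil  # third-party; only needed for the live controller
except ImportError:
    psutil = None


class PsutilControl:
    """Live controller for a real machine (run elevated)."""

    def processes(self):
        return {p.info["pid"]: (p.info["exe"] or "") for p in psutil.process_iter(["pid", "exe"])}

    def suspend(self, pid):
        psutil.Process(pid).suspend()

    def terminate(self, pid):
        psutil.Process(pid).kill()


class SimulatedControl:
    """Constructed model: 1001 and 1002 are watchdogs for each other. When one
    dies while its partner is still runnable, the partner respawns it under a
    new pseudo-random name; a suspended partner cannot react."""

    def __init__(self):
        self.procs = {4: "System", 1001: r"C:\Windows\abcxyz.exe", 1002: r"C:\Windows\qwerty.exe"}
        self.partner = {1001: 1002, 1002: 1001}
        self.suspended = set()
        self.next_pid = 2000

    def processes(self):
        return dict(self.procs)

    def suspend(self, pid):
        self.suspended.add(pid)

    def terminate(self, pid):
        path = self.procs.pop(pid)
        self.suspended.discard(pid)
        guard = self.partner.get(pid)
        if guard in self.procs and guard not in self.suspended:
            new_pid, self.next_pid = self.next_pid, self.next_pid + 1
            self.procs[new_pid] = path.rsplit("\\", 1)[0] + "\\%x.exe" % new_pid
            self.partner[new_pid], self.partner[guard] = guard, new_pid


def clean_processes(ctl, suspects, suspend_first=True):
    """Record paths, suspend all suspects, then terminate them.
    Returns (recorded_paths, processes that appeared during cleanup)."""
    before = ctl.processes()
    recorded = {pid: before[pid] for pid in suspects}  # write these down before anything dies
    if suspend_first:
        for pid in suspects:
            ctl.suspend(pid)  # nobody can run watchdog logic once all are asleep
    for pid in suspects:
        ctl.terminate(pid)
    after = ctl.processes()
    restarted = {pid: path for pid, path in after.items() if pid not in before}
    return recorded, restarted


if __name__ == "__main__":
    print("suspend first:", clean_processes(SimulatedControl(), [1001, 1002])[1])
    print("kill directly:", clean_processes(SimulatedControl(), [1001, 1002], suspend_first=False)[1])
```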

Cleaning Autostarts

Investigating Autostarts
- Windows XP Msconfig (Start->Run->Msconfig) falls short when it comes to identifying autostarting applications
  - It knows about few locations
  - It provides little information

Autoruns
- Shows every place in the system that can be configured to run something at boot and logon
  - Standard Run keys and Startup folders
  - Shell, Userinit
  - Services and drivers
  - Tasks
  - Winlogon notifications
  - Explorer and IE add-ins (toolbars, Browser Helper Objects, …)
  - More and ever growing…
- Each startup category has its own tab and all items display on the Everything tab
  - Startup name, image description, company and path

Identifying Malware Autostarts
- Zoom in on add-ons (including malware) by selecting these options:
  - Verify Code Signatures
  - Hide Microsoft Entries
- Select an item to see more in the lower window
- Google unknown images
- Double-click on an item to look at where it's configured in the Registry or file system
- Has other features:
  - Can display other profiles
  - Can also show empty locations (informational only)
  - Includes compare functionality
  - Includes an equivalent command-line version, Autorunsc.exe

Deleting Autostarts
- Delete suspicious autostarts
  - You can disable them if you're not sure
- After you're done, do a full refresh
- If they come back, run Process Monitor (or Filemon and Regmon) to see who's putting them back
  - You might have misidentified a malware process
  - It might be a hidden, system, or legitimate process
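The two previous slides (filter to unverified entries, then refresh and see whether anything came back) done over Autorunsc output, as an added example that is not part of the talk and not Autoruns' own compare feature. It assumes `autorunsc -c` CSV with the column names "Entry Location", "Entry", "Publisher" and "Image Path" (the layout differs between Autoruns versions, so check the header of your own output); the two snapshots are constructed, with a made-up `msupdte.exe` that is deleted and then re-registered under a different entry name.

```python
"""Added example: Autorunsc snapshot triage and before/after comparison."""
import csv
import io

RUN_KEY = r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"

# Constructed snapshots in the shape of "autorunsc -c" output (column names assumed).
BEFORE = r'''"Entry Location","Entry","Enabled","Category","Description","Publisher","Image Path"
"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run","SoundMan","enabled","Logon","Realtek Sound Manager","(Verified) Realtek Semiconductor Corp.","c:\windows\soundman.exe"
"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run","msupdte","enabled","Logon","","","c:\windows\msupdte.exe"
"HKLM\System\CurrentControlSet\Services","Themes","enabled","Services","Themes","(Verified) Microsoft Windows Component Publisher","c:\windows\system32\svchost.exe"
'''
# After deleting the msupdte entry and refreshing: same file, new entry name.
AFTER = r'''"Entry Location","Entry","Enabled","Category","Description","Publisher","Image Path"
"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run","SoundMan","enabled","Logon","Realtek Sound Manager","(Verified) Realtek Semiconductor Corp.","c:\windows\soundman.exe"
"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run","wuauclt","enabled","Logon","","","c:\windows\msupdte.exe"
"HKLM\System\CurrentControlSet\Services","Themes","enabled","Services","Themes","(Verified) Microsoft Windows Component Publisher","c:\windows\system32\svchost.exe"
'''


def parse_autoruns(text):
    """Key each row by (location, entry name) so the same entry can be matched across runs."""
    return {(r["Entry Location"], r["Entry"]): r for r in csv.DictReader(io.StringIO(text))}


def unverified_entries(snapshot):
    """What 'Verify Code Signatures' + 'Hide Microsoft Entries' leaves on screen:
    entries whose publisher signature did not verify."""
    return sorted(k for k, r in snapshot.items() if not r["Publisher"].startswith("(Verified)"))


def diff_snapshots(before, after):
    """Return (added, removed, changed image path, came back under another name)."""
    added = {k: after[k] for k in after.keys() - before.keys()}
    removed = {k: before[k] for k in before.keys() - after.keys()}
    changed = {
        k: (before[k]["Image Path"], after[k]["Image Path"])
        for k in before.keys() & after.keys()
        if before[k]["Image Path"].lower() != after[k]["Image Path"].lower()
    }
    removed_paths = {r["Image Path"].lower() for r in removed.values()}
    returned = {k: r for k, r in added.items() if r["Image Path"].lower() in removed_paths}
    return added, removed, changed, returned


if __name__ == "__main__":
    before, after = parse_autoruns(BEFORE), parse_autoruns(AFTER)
    print("unverified before cleanup:", unverified_entries(before))
    added, removed, changed, returned = diff_snapshots(before, after)
    print("added:", sorted(added), "removed:", sorted(removed), "changed:", changed)
    print("came back under a new name:", sorted(returned))
```

An entry in `returned` is the cue on the slide to start Process Monitor and find out who is rewriting the key.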

Rootkits

What's a Rootkit, Anyway?
- Hoglund and Butler write in "Rootkits: Subverting the Windows Kernel": A rootkit is a set of programs and code that allows a permanent or consistent, undetectable presence on a computer.
- My definition: Software that hides itself or other objects, such as files, processes, and Registry keys, from view of standard diagnostic, administrative, and security software.
- Hoglund's revised definition from Rootkit.com on February 4: A rootkit is a tool that is designed to hide itself and other processes, data, and/or activity on a system.

The Evolution of Malware
- Malware, including spyware, adware and viruses, wants to be hard to detect and/or hard to remove
- Rootkits are a fast-evolving technology to achieve these goals
  - Cloaking technology applied to malware
  - Not malware by itself
- Example rootkit-based viruses:
- Rootkit history
  - Appeared as stealth viruses
  - One of the first known PC viruses, Brain, was stealth
  - First "rootkit" appeared on SunOS in 1994
  - Replacement of core system utilities (ls, ps, etc.) to hide malware processes

Modern Rootkits
- Rootkits can hide virtually anything:
  - Processes
  - Files, directories, Registry keys
  - Services, drivers
  - TCP/IP ports
- There are several types of rootkit technology:
  - User-mode hooking
  - Kernel-mode hooking
  - Code patching
- Hiding inside other processes is the primary rootkit technique

Example Rootkit Cloaking
- Attack user-mode system query APIs
- Examples: HackerDefender, Afx
[Diagram: Taskmgr.exe queries through Ntdll.dll; a user-mode rootkit filters the results, so Taskmgr.exe sees Explorer.exe, Winlogon.exe while kernel mode actually holds Explorer.exe, Malware.exe, Winlogon.exe]

Rootkit Detection
- All cloaks have holes
  - Leave some APIs unfiltered
  - Have detectable side effects
  - Can't cloak when the OS is offline
- Rootkit detection attacks holes
- Cat-and-mouse game

Rootkit Detection Types
- Three classes of rootkit detection:
  - Signature based: Microsoft Malicious Software Removal Tool
  - Anomaly detection: System Virginity Verifier, GMER, IceSword
  - Cross-view comparison: F-Secure Blacklight, Sysinternals RootkitRevealer
- Use more than one tool!

RootkitRevealer
- RootkitRevealer (RKR) runs online
- RKR tries to bypass the rootkit to uncover cloaked objects
  - All cross-view detectors listed do the same
- RKR scans HKLM\Software, HKLM\System and the file system
- Performs a Windows API scan and compares it with a raw data-structure scan
[Diagram: RootkitRevealer queries the Windows API, which the rootkit filters, and also reads the raw file system and raw Registry hive directly. The filtered Windows API omits the malware files and keys; they are visible in the raw scan.]

RootkitRevealer Limitations
- Rootkits have already attacked RKR directly by not cloaking when scanned
  - RKR is given the true system view
  - The Windows API scan looks like the raw scan
- We've modified RKR to be harder for rootkits to detect
  - RKR is adopting rootkit techniques itself
  - Rootkit authors will continue to find ways around RKR's cloak
- It's a game nobody can win
  - All rootkit detectors suffer the same vulnerability

Local Kernel Debugging
- Windbg supports "local kernel debugging" (LKD)
  - Works like standard kernel debugging, which normally requires two computers, but runs on the live machine itself
  - Requires Microsoft Debugging Tools for Windows (free download from Microsoft)
- Can examine kernel structures of a live system
- Supported on XP and higher, including 64-bit
  - For NT 4 and Windows 2000 use Sysinternals' Livekd
- Both require matching kernel symbols
  - Use Microsoft's symbol server (documented in the help file)

LKD Rootkit Hunting
- List running processes and compare with Process Explorer: !process 0 0
- List loaded drivers and compare with Process Explorer: .reload, then lmkv
- Look for kernel hot-patches: !chkimg -d nt
- Dump the system service table and interrupt dispatch table (IDT): dd KiServiceTable and !idt -a
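The first comparison on this slide, automated as an added example that is not from the talk: parse the `!process 0 0` listing from a local kernel debugging session, parse a user-mode view of the same machine (here `tasklist /fo csv`, which you can substitute with Process Explorer's saved output), and report processes the kernel knows about that the user-mode API did not return. Both inputs below are constructed samples in the XP/2003-era output formats as I recall them; the hidden `wininet32.exe` is a made-up name. PID 0 is excluded from the user-mode-only list because the Idle process is not on the active process list that `!process` walks, so it never appears in the kernel listing.

```python
"""Added example: cross-view of !process 0 0 against a user-mode process list."""
import csv
import io
import re

# Constructed kd output (format as produced by "!process 0 0"; constructed data).
KD_OUTPUT = """**** NT ACTIVE PROCESS DUMP ****
PROCESS 823c8830  SessionId: none  Cid: 0004    Peb: 00000000  ParentCid: 0000
    DirBase: 00039000  ObjectTable: e1001d80  HandleCount: 262.
    Image: System

PROCESS 8229c020  SessionId: none  Cid: 0204    Peb: 7ffdf000  ParentCid: 0004
    DirBase: 0a3c0020  ObjectTable: e14fd5d8  HandleCount:  21.
    Image: smss.exe

PROCESS 821a9da0  SessionId: 0  Cid: 0254    Peb: 7ffdf000  ParentCid: 0204
    DirBase: 0a3c0040  ObjectTable: e15c1a80  HandleCount: 395.
    Image: winlogon.exe

PROCESS 81f0a3a0  SessionId: 0  Cid: 03a8    Peb: 7ffd5000  ParentCid: 0254
    DirBase: 0a3c00a0  ObjectTable: e1a20d68  HandleCount:  48.
    Image: wininet32.exe
"""

# Constructed "tasklist /fo csv" output: the hidden process (PID 0x3a8 = 936) is missing.
TASKLIST_CSV = '''"Image Name","PID","Session Name","Session#","Mem Usage"
"System Idle Process","0","Console","0","28 K"
"System","4","Console","0","236 K"
"smss.exe","516","Console","0","388 K"
"winlogon.exe","596","Console","0","3,400 K"
'''

PROCESS_RE = re.compile(
    r"^PROCESS\s+(?P<eprocess>[0-9a-fA-F]+)\s+SessionId:\s*(?P<session>\S+)\s+"
    r"Cid:\s*(?P<cid>[0-9a-fA-F]+)\s+Peb:\s*(?P<peb>[0-9a-fA-F]+)\s+ParentCid:\s*(?P<ppid>[0-9a-fA-F]+)"
)
IMAGE_RE = re.compile(r"^\s+Image:\s*(?P<image>.+?)\s*$")


def parse_bang_process(text):
    """Map PID -> record for each PROCESS block; Cid and ParentCid are hex."""
    procs, current = {}, None
    for line in text.splitlines():
        m = PROCESS_RE.match(line)
        if m:
            current = {"eprocess": m["eprocess"].lower(), "pid": int(m["cid"], 16),
                       "ppid": int(m["ppid"], 16), "image": None}
            procs[current["pid"]] = current
            continue
        m = IMAGE_RE.match(line)
        if m and current is not None:
            current["image"] = m["image"]
    return procs


def parse_tasklist_csv(text):
    """Map PID -> image name from "tasklist /fo csv" output."""
    return {int(row["PID"]): row["Image Name"] for row in csv.DictReader(io.StringIO(text))}


def cross_view(kernel, user):
    """Return (hidden from user mode, only in user mode, name mismatches)."""
    hidden = {pid: p["image"] for pid, p in kernel.items() if pid not in user}
    # PID 0 (Idle) is not on the active process list, so it is never a finding.
    phantom = {pid: name for pid, name in user.items() if pid not in kernel and pid != 0}
    renamed = {pid: (kernel[pid]["image"], user[pid]) for pid in kernel.keys() & user.keys()
               if (kernel[pid]["image"] or "").lower() != user[pid].lower()}
    return hidden, phantom, renamed


if __name__ == "__main__":
    hidden, phantom, renamed = cross_view(parse_bang_process(KD_OUTPUT), parse_tasklist_csv(TASKLIST_CSV))
    print("hidden from user mode:", hidden)
    print("only in user mode (usually timing):", phantom)
    print("name mismatch:", renamed)
```

Entries in `hidden` are the interesting ones; entries in `phantom` are normally processes that started between the two snapshots, since the two views are not taken atomically, and should be re-checked rather than treated as evidence.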

Finding and Deleting Malware Files

Sigcheck
- Scan the system for suspicious executable images
- Look for the same characteristics as suspicious processes
- Be especially wary of items in the \Windows directory
- Investigate all unsigned images: sigcheck -e -u -s c:\
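Two things from this talk that Sigcheck's `-e` switch and Process Explorer's purple highlighting do for you, combined here into one added example (my code, not Sysinternals'): walk a directory tree, recognise PE images by their headers regardless of file extension, and flag images that look packed. Process Explorer's exact packing heuristic is not documented on these slides, so the test used here is an assumption: a section whose name belongs to a known packer (UPX, ASPack, Petite, NsPack, MPRESS, a partial list) or a section whose byte entropy exceeds 7.0 bits per byte, which compressed or encrypted code reaches and ordinary code and data do not. The sample tree is constructed inside a temporary directory from minimal PE containers that only carry a section table; they are not runnable programs.

```python
"""Added example: find PE images by header and flag packed ones by section name/entropy."""
import hashlib
import math
import os
import struct
import tempfile

IMAGE_EXTENSIONS = {".exe", ".dll", ".sys", ".ocx", ".scr", ".cpl", ".drv"}
# Section names used by common packers (partial list; an assumption of this example).
PACKER_SECTION_NAMES = {"UPX0", "UPX1", "UPX2", ".aspack", ".adata", ".petite",
                        ".nsp0", ".nsp1", ".nsp2", ".MPRESS1", ".MPRESS2"}
ENTROPY_THRESHOLD = 7.0  # bits per byte; plain code/data sits well below this


def entropy(data):
    """Shannon entropy of a byte string in bits per byte (0.0 to 8.0)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def pe_sections(data):
    """Return [(section name, raw section bytes)] for a PE image, or None if not a PE."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]  # e_lfanew
    if pe_off + 24 > len(data) or data[pe_off:pe_off + 4] != b"PE\0\0":
        return None
    num_sections = struct.unpack_from("<H", data, pe_off + 6)[0]
    opt_size = struct.unpack_from("<H", data, pe_off + 20)[0]
    table = pe_off + 24 + opt_size  # section table follows the optional header
    sections = []
    for i in range(num_sections):
        off = table + 40 * i
        if off + 40 > len(data):
            break
        name = data[off:off + 8].rstrip(b"\0").decode("latin-1")
        raw_size, raw_ptr = struct.unpack_from("<II", data, off + 16)
        sections.append((name, data[raw_ptr:raw_ptr + raw_size]))
    return sections


def packed_reasons(sections):
    reasons = []
    for name, raw in sections:
        if name in PACKER_SECTION_NAMES:
            reasons.append("packer section name %s" % name)
        if len(raw) >= 256 and entropy(raw) > ENTROPY_THRESHOLD:
            reasons.append("high-entropy section %s (%.2f bits/byte)" % (name or "?", entropy(raw)))
    return reasons


def scan_tree(root):
    """Every PE under root, with an odd-extension flag and packing reasons."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for fname in files:
            path = os.path.join(dirpath, fname)
            with open(path, "rb") as f:
                sections = pe_sections(f.read())
            if sections is None:
                continue
            ext = os.path.splitext(fname)[1].lower()
            findings.append({"path": path, "odd_extension": ext not in IMAGE_EXTENSIONS,
                             "packed": packed_reasons(sections)})
    return sorted(findings, key=lambda f: f["path"])


def build_pe(sections):
    """Constructed minimal PE container: MZ stub, COFF header, section table, raw data."""
    hdr_size = (0x40 + 24 + 40 * len(sections) + 511) // 512 * 512
    table, body = bytearray(), bytearray()
    for name, raw in sections:
        table += name.encode("ascii").ljust(8, b"\0")
        table += struct.pack("<IIII", len(raw), 0x1000, len(raw), hdr_size + len(body)) + b"\0" * 16
        body += raw
    out = bytearray(b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40))
    out += b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 0, 0x102)
    out += table + b"\0" * (hdr_size - len(out) - len(table)) + body
    return bytes(out)


def pseudo_random(n, seed=b"constructed"):
    """Deterministic high-entropy filler standing in for packed code."""
    out, block = bytearray(), seed
    while len(out) < n:
        block = hashlib.sha256(block).digest()
        out += block
    return bytes(out[:n])


def scan_sample():
    """Build a constructed tree in a temp dir, scan it, return (relpath, odd ext, packed)."""
    text = (b"the quick brown fox jumps over the lazy dog\r\n" * 100)[:4096]
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "Windows"))
        samples = {
            "Windows/notepad.exe": build_pe([(".text", text), (".data", text[:1024])]),
            "Windows/xcvbn.exe": build_pe([("UPX0", b""), ("UPX1", pseudo_random(4096))]),
            "Windows/cache.dat": build_pe([(".text", pseudo_random(2048))]),
            "Windows/readme.txt": text,
        }
        for rel, data in samples.items():
            with open(os.path.join(root, rel), "wb") as f:
                f.write(data)
        return [(os.path.relpath(f["path"], root).replace(os.sep, "/"), f["odd_extension"], bool(f["packed"]))
                for f in scan_tree(root)]


if __name__ == "__main__":
    for row in scan_sample():
        print(row)
```

`cache.dat` is the case Sigcheck's `-e` exists for: an image with a data-file extension that would never be listed by a scan keyed on `*.exe`.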

Deleting Hard-to-Delete Files
- Files that are open or mapped can't be deleted
  - Find the owning process with the Process Explorer search
  - Terminate the process and delete the file
- If you still can't delete it (it might be protected by a driver or system process):
  - Try renaming it
  - If that fails, schedule it for deletion at the next reboot with Sysinternals' Movefile: movefile malware.exe ""
  - If it still won't go away, delete it from an off-line OS

Deleting Hard-to-Delete Registry Keys
- Watch for key security
  - Some antispyware tools don't report access-denied errors
  - Use Regmon to check for errors
  - Use Regedit to change security permissions
- Some keys have embedded nulls
  - Can't be opened with standard tools like Regedit
  - Use Sysinternals' Regdelnull: regdelnull hklm\software
- As a last resort use Regedit in ERD Commander

Summary and the Future

Malware Cleaning Steps
- Disconnect from the network
- Identify malicious processes
- Terminate identified processes
- Identify and delete malware autostarts
- Delete malware files
- Reboot and repeat

The Future of Malware
- We're already seeing trends:
  - Malware that pretends to be from Microsoft or other legitimate companies
  - Malware protected by rootkits
  - Malware that can't be cleaned on-line
- Cleaning is going to get much harder
  - Targeted and polymorphic malware won't get AV/AS signatures
  - Malware can directly manipulate Windows structures to cause misdirection
  - All standard tools will be directly attacked by malware
  - There will be more un-cleanable malware
  - Malware will adapt to a limited-user environment

The Bottom Line Be careful what you run!

References
- Mark's Sysinternals Blog:
  - Sony, Rootkits and Digital Rights Management Gone Too Far
  - The Antispyware Conspiracy
- Windows Internals, by Mark Russinovich and David Solomon, Microsoft Press

Summary Thanks for coming! Please fill out your evals

©2006 Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS SUMMARY.