SysInternals Malware Analysis (notes only)
by Mark Russinovich (for more details, please see the YouTube video presentation)
NOTE: do not let the notes below be a substitute for the YouTube video, as the notes below include no screenshots of the tools used!
Also, I haven't checked if there's an update to the information below, so if anyone thinks of it as obsolete, I apologize!
#######
Learn about the SysInternals tools and techniques for analyzing and cleaning malware
- professional anti-malware analysis requires years of deep training
- even for professionals, Sysinternals tools can prove useful
Analyzing:
- understanding the impact of malware
- can be used to understand malware operation
- generates a road map for cleaning infestations
Cleaning:
- removing an infestation from a compromised system
- attempting a clean can also reveal more information about the malware's operation
Nuking and paving a system (wipe and reinstall) should be the last and most extreme alternative!
If there's no expertise or time left to understand/analyze the malware, then nuke and pave the system!
Malware cleaning steps:
- disconnect from network
- identify malicious processes and drivers
- terminate identified processes
- identify and delete malware autostarts
- delete malware files
- reboot and repeat
What are you looking for when you identify/investigate processes:
- it has no icon
- it has no description or company name
- it claims to be a Microsoft image but is unsigned
- it lives in the Windows directory or the user profile
- it is packed
- it includes strange URLs in its strings
- it has open TCP/IP endpoints
- it hosts suspicious DLLs or services
How many people look at processes with Task Manager?
Use Process Explorer (from Sysinternals)!
Process Explorer:
- is the Super Task Manager
- has lots of general troubleshooting capabilities:
- DLL versioning problems
- handle leaks and locked files
- performance troubleshooting
- hung processes
- we're going to focus on its malware cleaning capabilities
The Process View:
- the process tree shows parent-child relationships
- icon, description and company name are pulled from image version information
- most malware doesn't have version information
- what about malware pretending to be from Microsoft? Will talk later
- use the Window Finder (in the toolbar) to associate a window with its owning process
- use the Search Online menu entry to lookup unknown processes
- but malware often uses totally random and pseudo-random names
Refresh Highlighting:
- refresh highlighting highlights changes
- Red: process exited
- Green: new process
- change duration (default 1 second) in Options
- press space bar to pause and F5 to refresh
- the Show New Processes option scrolls the display to make new processes visible
- we'll see how to spot short-lived processes later
Process-type Highlights:
- blue processes are running in the same security context as Process Explorer
- pink processes host Windows services
- purple highlighting indicates an image is 'packed'
- packed can mean compressed or encrypted
- malware commonly uses packing (ex: UPX) to make antivirus signature matching more difficult
- packing and encryption also hides strings from view
- there are a few other colors, but they are not important for malware hunting
Tool tips:
- process tool tips show the full path to the process image
- malware often hides behind Svchost, Rundll32 and Dllhost
- tool tip for Rundll32 processes shows hosted DLL
- Dllhost tooltip shows hosted COM server
- tool tip for service processes shows hosted services
- services covered in detail shortly
New in v15.2:
- autostart locations
- reports where image is registered for autostart or loading
- not necessarily what caused the process to execute, though
- process timeline
Detailed Process Information:
- double-click on a process to see detailed information
- pages relevant to malware analysis:
- image: signing status, start time, version
- TCP/IP: open endpoints
- strings: printable strings in main executable
Image Verification:
- all (well, most) Microsoft code is digitally signed
- a hash of the file is signed with Microsoft's private key
- the signature is checked by recomputing the file hash and verifying the signed hash with Microsoft's public key
- you can selectively check for signatures with the Verify button on the process Image tab
- select the Verify Image Signatures option to check all processes
- add the Verified Signer column to see the result for every process
- note that verification will connect to the Internet to check Certificate Revocation List (CRL) servers
Sigcheck and ListDLLs:
- scan the system for suspicious executable images
sigcheck -e -u -s c:\ (-e: executable images only, regardless of extension; -u: show only unsigned images; -s: recurse subdirectories; it will discover great places to hide malware)
- look for the same characteristics as suspicious processes
- be especially wary of items in the \Windows directory and the \Users\<username>\AppData directories
- investigate all unsigned images
- ListDLLs will scan running processes for unsigned DLLs (-u: list only unsigned DLLs)
listdlls -u
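Turning the "what are you looking for" checklist and the sigcheck scan into a first-pass triage, as an added example (my code, not part of the talk or of the Sysinternals tools): it parses sigcheck's CSV output (the -c switch) and scores every image with the heuristics above. The CSV rows are constructed, the column names are an assumption about sigcheck's CSV layout, and the weights are this example's own choice; the same scoring can be pointed at Autorunsc CSV rows once the signer column is mapped.

```python
import csv
import io

# Constructed sample in the "sigcheck -c -e -s <dir>" CSV layout (signed and
# unsigned rows; "-u" would print only the unsigned ones). The column names are
# an assumption about that layout: compare them with the header line your
# sigcheck version prints and adjust the lookups below if they differ.
SAMPLE_SIGCHECK_CSV = r"""Path,Verified,Date,Publisher,Company,Description,Product,Product Version,File Version,Machine Type
c:\Windows\System32\svchost.exe,Signed,1:00 PM 1/1/2012,Microsoft Windows,Microsoft Corporation,Host Process for Windows Services,Microsoft Windows Operating System,6.1,6.1,32-bit
c:\Windows\qzxkwpfjtm.dll,Unsigned,2:00 PM 1/1/2012,n/a,n/a,n/a,n/a,n/a,n/a,32-bit
c:\Users\alice\AppData\Roaming\lsass.exe,Unsigned,3:00 PM 1/1/2012,n/a,Microsoft Corporation,Local Security Authority Process,n/a,n/a,n/a,32-bit
c:\Program Files\Vendor\tool.exe,Unsigned,4:00 PM 1/1/2012,n/a,Vendor Inc,Vendor Tool,Vendor Tool,1.0,1.0,32-bit
c:\Program Files\Vendor\helper.exe,Signed,5:00 PM 1/1/2012,Vendor Inc,Vendor Inc,Vendor Helper,Vendor Tool,1.0,1.0,32-bit
"""

# Image names that legitimately live only under the Windows directory; the same
# name anywhere else is the "mimicking a Windows process" pattern from the talk.
SYSTEM_IMAGE_NAMES = {"svchost.exe", "lsass.exe", "csrss.exe", "winlogon.exe",
                      "services.exe", "explorer.exe", "rundll32.exe", "dllhost.exe"}


def missing(value):
    """sigcheck prints n/a for version-resource fields the image does not have."""
    return value is None or value.strip().lower() in ("", "n/a")


def score_image(row):
    """Score one sigcheck CSV row against the suspicious-process heuristics.

    Returns (score, reasons). The weights are this example's own choice."""
    path = row["Path"]
    low = path.lower()
    name = low.rsplit("\\", 1)[-1]
    signed = (row.get("Verified") or "").strip().lower() == "signed"
    company = row.get("Company") or row.get("Publisher") or ""
    publisher = row.get("Publisher") or ""
    score, reasons = 0, []
    if not signed:
        score += 2
        reasons.append("unsigned")
    if missing(row.get("Description")) and missing(company):
        score += 1
        reasons.append("no description or company name")
    if "\\windows\\" in low or "\\appdata\\" in low:
        score += 1
        reasons.append("lives in the Windows directory or user profile")
    if not signed and "microsoft" in (company + " " + publisher).lower():
        score += 3
        reasons.append("claims Microsoft but unsigned")
    if name in SYSTEM_IMAGE_NAMES and not low.startswith("c:\\windows\\"):
        score += 3
        reasons.append("system image name outside the Windows directory")
    return score, reasons


def triage(csv_text, threshold=2):
    """Parse sigcheck CSV output; return (score, path, reasons) for every image
    at or above the threshold, highest score first."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        score, reasons = score_image(row)
        if score >= threshold:
            findings.append((score, row["Path"], reasons))
    findings.sort(key=lambda f: (-f[0], f[1].lower()))
    return findings


if __name__ == "__main__":
    for score, path, reasons in triage(SAMPLE_SIGCHECK_CSV):
        print(f"{score:2d}  {path}\n      {', '.join(reasons)}")
```

On the constructed rows the unsigned lsass.exe sitting in a user's AppData folder comes out on top (unsigned, claims Microsoft, system name outside the Windows directory), the nameless DLL in \Windows is next, and the unsigned but otherwise well-described vendor tool is flagged only because it is unsigned, which is the kind of item you then look up online rather than kill.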
Strings:
- on-disk and in-memory process strings are visible on the Strings tab
- the two only differ if the image is compressed or encrypted (packed)
- strings can help provide clues about unknown processes
- look for URLs, names and debug strings
- you can also dump strings with the command-line Strings utility from Sysinternals
strings <file>
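As an added example (not code from the talk or from Sysinternals), a minimal strings extractor in the spirit of strings.exe, pulling ASCII and UTF-16LE runs with a minimum length of 3 out of a constructed buffer, plus a toy compress-then-XOR "packer" that shows why on-disk and in-memory strings differ only for packed images. The URL and PDB path in the buffer are made up, and the packer is a stand-in for real ones such as UPX.

```python
import re
import zlib

# Constructed stand-in for an executable image: header-like junk, an ASCII URL and
# a UTF-16LE debug (PDB) path, the kinds of strings the talk says to look for.
# The URL and path are made up for this example.
SAMPLE_URL = "http://example.invalid/gate.php"
SAMPLE_PDB = r"C:\build\release\dropper.pdb"
SAMPLE_IMAGE = (b"MZ\x90\x00" + bytes(range(32))
                + SAMPLE_URL.encode("ascii") + b"\x00" + bytes(16)
                + SAMPLE_PDB.encode("utf-16-le") + b"\x00\x00\xff\xfe\xfd")


def extract_strings(data, min_len=3):
    """Printable ASCII and UTF-16LE runs of at least min_len characters, the
    same idea as strings.exe (whose default minimum length is also 3)."""
    ascii_re = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    utf16_re = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    found = [m.group().decode("ascii") for m in ascii_re.finditer(data)]
    found += [m.group().decode("utf-16-le") for m in utf16_re.finditer(data)]
    return found


def interesting(strings):
    """Keep URLs, module names and debug paths; drop the rest of the noise."""
    pattern = re.compile(r"https?://|\.(?:pdb|dll|exe|php)\b", re.IGNORECASE)
    return [s for s in strings if pattern.search(s)]


XOR_KEY = 0x5A  # arbitrary key for the toy packer below


def pack(image):
    """Toy packer: compress, then XOR every byte. Real packers likewise compress
    and/or encrypt the body, so the original strings are not present on disk."""
    return b"PACK" + bytes(b ^ XOR_KEY for b in zlib.compress(image, 9))


def unpack(packed):
    """What a packer's stub does in memory before jumping to the real code."""
    return zlib.decompress(bytes(b ^ XOR_KEY for b in packed[len(b"PACK"):]))


def disk_vs_memory(packed):
    """Strings visible in the file on disk versus after the stub has unpacked it,
    i.e. roughly what the Strings tab's Image and Memory options would show."""
    return {"on_disk": interesting(extract_strings(packed)),
            "in_memory": interesting(extract_strings(unpack(packed)))}


PACKED_IMAGE = pack(SAMPLE_IMAGE)

if __name__ == "__main__":
    for where, strings in disk_vs_memory(PACKED_IMAGE).items():
        print(where, strings)
```

The on-disk list for the packed image is empty (or only short junk runs), while the in-memory list shows the URL and the PDB path; that gap is exactly why the purple "packed" highlight in Process Explorer is worth a second look, and why the Memory option on the Strings tab matters.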
The DLL View:
- malware can hide as a DLL inside a legitimate process
- we've already seen this with Rundll32 and Svchost
- typically loads via an autostart
- can also load through 'DLL injection'
- the packing highlight shows in the DLL view as well
- open the DLL view by clicking on the DLL icon in the toolbar
- it shows more than just loaded DLLs:
- it includes the .exe and any 'memory-mapped files'
- you can search for a DLL with the Find dialog
- DLL strings are also viewable in the DLL properties
Terminating Malicious Processes:
- don't kill processes right away
- malware processes are often restarted by watchdogs
- instead, suspend them
- note that suspending Svchost processes might hang the system
- record the full path to each malicious EXE and DLL
- once they are all suspended, kill them
- watch for restarts with new names
Investigating Autostarts:
- Windows msconfig.exe falls short when it comes to identifying autostarting applications
- it knows about only a few locations
- it provides little information
- it defers to Task Manager (which is REALLY bad)
Autoruns:
- shows every place in the system that can be configured to run something at boot & logon
- standard Run keys and Startup folders
- shell, userinit
- services and drivers
- tasks
- winlogon notifications
- Explorer and IE addins (toolbars, Browser Helper Objects...)
- more, and the list keeps growing
- each startup category has its own tab and all items display on the Everything tab
- startup name, image description, company and path
Identifying Malware Autostarts:
- zoom-in on add-ons (including malware) by selecting these filter options:
- verify code signatures
- hide Microsoft entries
- select an item to see more in the lower window
- online search unknown images
- double-click on an item to look at where it's configured in the Registry or file system
- has other features
- can display other profiles
- can also show empty locations (informational only)
- includes compare functionality
- includes equivalent command-line version, Autorunsc.exe
Deleting Autostarts:
- delete suspicious autostarts
- you can disable them instead if you're not sure
- after you're done, do a full refresh (F5)
- if they come back, run Process Monitor to see who's putting them back
- you might have missed or misidentified a malware process
- it might be hidden, or it might be running inside a system or otherwise legitimate process
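Added example (mine, not part of Autoruns): a diff of two Autorunsc CSV snapshots, one taken before cleaning and one after deleting an entry and refreshing, that reports what was added, removed or repointed and which entries came back under a new name, together with the "verify code signatures + hide Microsoft entries" view used to zoom in on add-ons. Both snapshots are constructed, the entry and image names are made up, and the column layout is an assumption about autorunsc -c output.

```python
import csv
import io

# Two constructed snapshots in an "autorunsc -a * -c -s" style CSV layout. The
# column names are an assumption about that layout; check the header line your
# Autorunsc version emits. Baseline: before cleaning. After: the suspicious HKCU
# Run entry was deleted and Autoruns refreshed (F5). Image and entry names are made up.
BASELINE_CSV = r"""Entry Location,Entry,Enabled,Category,Profile,Description,Signer,Company,Image Path,Version,Launch String
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run,SecurityHealth,enabled,Logon,System-wide,Windows Security notification icon,(Verified) Microsoft Windows,Microsoft Corporation,c:\windows\system32\securityhealthsystray.exe,10.0,%windir%\system32\SecurityHealthSystray.exe
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run,VendorTray,enabled,Logon,System-wide,Vendor Tray,(Not verified) Vendor Inc,Vendor Inc,c:\program files\vendor\tray.exe,1.0,C:\Program Files\Vendor\tray.exe
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run,Windows Update Helper,enabled,Logon,alice,,,,c:\users\alice\appdata\roaming\qzxkwpfjtm.dll,,"rundll32.exe C:\Users\alice\AppData\Roaming\qzxkwpfjtm.dll,DllMain"
"""

AFTER_CSV = r"""Entry Location,Entry,Enabled,Category,Profile,Description,Signer,Company,Image Path,Version,Launch String
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run,SecurityHealth,enabled,Logon,System-wide,Windows Security notification icon,(Verified) Microsoft Windows,Microsoft Corporation,c:\windows\system32\securityhealthsystray.exe,10.0,%windir%\system32\SecurityHealthSystray.exe
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run,VendorTray,enabled,Logon,System-wide,Vendor Tray,(Not verified) Vendor Inc,Vendor Inc,c:\program files\vendor\tray.exe,1.0,C:\Program Files\Vendor\tray.exe
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run,WinUpdHelper,enabled,Logon,System-wide,,,,c:\users\alice\appdata\roaming\qzxkwpfjtm.dll,,"rundll32.exe C:\Users\alice\AppData\Roaming\qzxkwpfjtm.dll,DllMain"
"""


def load_autoruns(csv_text):
    """Index Autoruns CSV rows by (Entry Location, Entry), the pair that
    identifies an autostart in the Autoruns display."""
    return {(row["Entry Location"], row["Entry"]): row
            for row in csv.DictReader(io.StringIO(csv_text))}


def non_microsoft(entries):
    """The 'Verify code signatures' + 'Hide Microsoft entries' view: drop rows
    whose signer verified as Microsoft; unsigned and third-party rows stay."""
    return {key: row for key, row in entries.items()
            if not (row["Signer"].startswith("(Verified)")
                    and "microsoft" in row["Signer"].lower())}


def diff_autoruns(baseline, current):
    """Autoruns-style compare of two snapshots: entries added, removed or
    repointed to another image, plus entries that came back under a new name
    but still launch an image that was removed (the watchdog-restored case)."""
    added = sorted(key for key in current if key not in baseline)
    removed = sorted(key for key in baseline if key not in current)
    changed = sorted(
        key for key in baseline.keys() & current.keys()
        if (baseline[key]["Image Path"], baseline[key]["Launch String"])
        != (current[key]["Image Path"], current[key]["Launch String"]))
    removed_images = {baseline[key]["Image Path"].lower() for key in removed}
    came_back = [key for key in added
                 if current[key]["Image Path"].lower() in removed_images]
    return {"added": added, "removed": removed, "changed": changed,
            "came_back": came_back}


if __name__ == "__main__":
    before, after = load_autoruns(BASELINE_CSV), load_autoruns(AFTER_CSV)
    for kind, keys in diff_autoruns(before, after).items():
        print(kind, keys)
    print("non-Microsoft after cleaning:", sorted(non_microsoft(after)))
```

In the constructed case the deleted HKCU Run entry is reported as removed, the new HKLM Run entry as added, and because both launch the same DLL out of AppData the new one is also listed under came_back: that is the "if they come back" signal that tells you to start a Process Monitor trace rather than delete the entry again.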
Tracing Malware:
- tracing activity can reveal the system impact of malware
- a trace can capture the initial infection, before cloaking is applied
- it can reveal the internals of 'buddy system' and other infection-protection mechanisms
- Process Monitor makes tracing easy
- a simple filter can identify all system modifications
- investigating stacks can distinguish legitimate activity from malicious activity
Event Properties:
- event details
- duration, process, thread, details, etc
- process information
- command line
- user
- session and logon session
- image information
- start time
- thread stack at time of event
Filtering:
- to filter on a value, right-click on the line and select the attribute from the Include, Exclude and Highlight sub menus
- you can select multiple values simultaneously
- when you set a highlight filter you can move through the highlighted events (F4 jumps to the next one)
Advanced Filtering:
- multiple-filter behavior:
- values from different attributes (columns) are AND'd
- values from the same attribute (column) are OR'd
- more complex filtering is available in the Filter dialog
- Outlook-style rule definition
- you can save and restore filters
- filter for watching malware impact: "Category is Write"
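Added example (mine, not Process Monitor's code): a small model of Procmon's include/exclude rules over constructed events, following the behavior described above (OR within a column, AND across columns, and exclude rules taking precedence), plus a helper that spots the kind of once-per-second registry poll that gave the Sysinternals-blocking malware away in the case below. The events, PIDs, paths and key names are made up.

```python
from dataclasses import dataclass
from statistics import mean

# Constructed Process Monitor events (a subset of Procmon's columns), modelled on
# the Sysinternals-blocking case where winlogon.exe polled a registry key once a
# second. Times are seconds from trace start; PIDs, paths and key names are made up.
POLLED_KEY = r"HKLM\SOFTWARE\Example\RandomKey\Path"


def ev(t, proc, pid, op, path, category):
    return {"Time": t, "Process Name": proc, "PID": pid, "Operation": op,
            "Path": path, "Result": "SUCCESS", "Category": category}


EVENTS = [
    ev(0.00, "winlogon.exe", 540, "RegQueryValue", POLLED_KEY, "Read"),
    ev(0.40, "explorer.exe", 1320, "CreateFile", r"C:\Users\alice\Desktop\notes.txt", "Read"),
    ev(1.00, "winlogon.exe", 540, "RegQueryValue", POLLED_KEY, "Read"),
    ev(1.30, "svchost.exe", 880, "RegSetValue", r"HKLM\SYSTEM\CurrentControlSet\Services\Example\Start", "Write"),
    ev(2.00, "winlogon.exe", 540, "RegQueryValue", POLLED_KEY, "Read"),
    ev(2.50, "procmon.exe", 2044, "ReadFile", r"C:\Tools\Procmon.exe", "Read"),
    ev(3.00, "winlogon.exe", 540, "RegQueryValue", POLLED_KEY, "Read"),
    ev(3.20, "explorer.exe", 1320, "WriteFile", r"C:\Users\alice\AppData\Local\Temp\dropper.tmp", "Write"),
    ev(3.70, "winlogon.exe", 540, "RegSetValue", POLLED_KEY, "Write"),
]


@dataclass(frozen=True)
class Rule:
    column: str     # a Procmon column, e.g. "Process Name", "Operation", "Category"
    relation: str   # "is", "is not", "contains", "begins with", "ends with"
    value: str
    action: str     # "include" or "exclude"


def matches(rule, event):
    """Procmon compares filter values case-insensitively."""
    field = str(event.get(rule.column, "")).lower()
    value = rule.value.lower()
    return {"is": field == value,
            "is not": field != value,
            "contains": value in field,
            "begins with": field.startswith(value),
            "ends with": field.endswith(value)}[rule.relation]


def apply_filter(rules, events):
    """Exclude rules win; include rules are OR'd within a column and AND'd across
    columns. With no include rules at all, every non-excluded event is shown."""
    excludes = [r for r in rules if r.action == "exclude"]
    by_column = {}
    for r in rules:
        if r.action == "include":
            by_column.setdefault(r.column, []).append(r)
    shown = []
    for event in events:
        if any(matches(r, event) for r in excludes):
            continue
        if all(any(matches(r, event) for r in same_col) for same_col in by_column.values()):
            shown.append(event)
    return shown


def find_periodic(events, min_count=3, max_jitter=0.05):
    """Group identical (process, operation, path) events and return the groups
    that recur at a steady interval: the 'once-per-second check' pattern."""
    groups = {}
    for event in events:
        key = (event["Process Name"], event["Operation"], event["Path"])
        groups.setdefault(key, []).append(event["Time"])
    periodic = []
    for key, times in groups.items():
        if len(times) < min_count:
            continue
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if max(abs(g - avg) for g in gaps) <= max_jitter:
            periodic.append((key, {"count": len(times), "mean_interval": round(avg, 3)}))
    return periodic


if __name__ == "__main__":
    for e in apply_filter([Rule("Category", "is", "Write", "include")], EVENTS):
        print(f'{e["Time"]:5.2f} {e["Process Name"]:13} {e["Operation"]:14} {e["Path"]}')
    for key, stats in find_periodic(EVENTS):
        print("periodic:", key, stats)
```

The "Category is Write" filter from the slide leaves three modifications on the constructed trace, and the periodic-event helper isolates winlogon.exe's four evenly spaced reads of the same key, which is what you would then right-click on to include the process and walk its stack.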
The Process Tree:
- Tools > Process Tree
- shows all processes that have been seen in the trace (including parents)
- can toggle terminated processes on and off
- the process tree provides an easy way to see:
- process relationships
- short-lived processes
- command lines
- user names
Real World Analysis and Cleaning (minute 44 of the video)
The Case of the Sysinternals-Blocking Malware:
- a friend asked him to take a look at a system suspected of being infected with malware
- boot and logons took a long time
- Microsoft Security Essentials (MSE) malware scan would never complete
- nothing jumped out in Task Manager
- tried running Sysinternals tools, but all of them exited immediately after starting:
- Autoruns
- Process Monitor
- Process Explorer
- Even Notepad opening a text file named "Process Explorer" would also terminate
- looking through the Sysinternals suite, noticed the Desktops utility
- hoped the malware might not be smart enough to monitor additional desktops
- sure enough, on a second desktop was able to launch Process Monitor and the other tools:
- the malware probably looks for the tool names in window titles
- window enumeration only returns the windows of the current desktop
- Nothing suspicious in Process Explorer
- Next, ran Process Monitor
- noticed a lot of Winlogon activity, so set a filter to include it
- could see a once-per-second check of a strange key
(e.g acdcacaeaaacb...)
- saw name of random DLL in the key:
(e.g Yellow folder named acdcacaeaaacb...)
Solved:
- tried deleting the key, but after refreshing, it was back
- went back to MSE and directed it to scan just the random DLL image file on disk
- after the clean, was able to delete the Registry key and the system was back to normal: problem solved...
Cleaning FakeSysDef Scareware:
- see the video for how this malware hides itself
The case of the Strange Reboots:
- laptop would reboot immediately after connecting to wireless networks:
- followed by a boot in safe mode
- then boot back to normal mode
- boot to safe mode resulted in automatic logoff
- tried to run Microsoft Security Essentials (MSE), but it was damaged
- ran Process Explorer and saw many processes exhibiting malware characteristics
- processes with names mimicking Windows processes were clearly malicious
- Autoruns showed system massively infected
- suspended all packed processes that looked suspicious
- connected to network: no restart
- downloaded and ran fresh copy of MSE
- MSE detected several malware variants
- after cleaning, there were no more suspicious processes and the system behaved normally:
PROBLEM SOLVED!
Cleaning the Cycbot backdoor (cycbot.exe):
- please see the video for details
- also do some research on how it works and the locations it uses
Analyzing and Cleaning Stuxnet and Flame:
Stuxnet:
- discovered in June 2010 after it had spread for a year
- exploited 4 zero-day Windows vulnerabilities:
- print spooler remote code execution
- shell link (.lnk) code execution in Explorer, triggered from an infected USB key
- Win2k/Windows XP Win32k.sys privilege elevation
- Windows 7 Task Scheduler privilege elevation
- drivers signed with certificates stolen from Realtek and JMicron (both in Taiwan)
- rootkit code for Siemens Step 7 SCADA PLCs controlling centrifuges
- suspected to have targeted Iranian centrifuges used for uranium enrichment at the Natanz nuclear facility
- Iran confirms in September 2010 that thousands were destroyed
- suspected to have been created by Israel and the US
- believed to have been spreading through USB keys (at this point)
- an infected system shows extra lsass.exe processes: there is ONLY ONE lsass.exe on a clean system (should be anyway)
Flame:
- discovered a few weeks before the talk
- considered by some to be more sophisticated than Stuxnet
- found by Kaspersky (the antivirus vendor)
- parts of its code are written in Lua
- the computer clock had to be changed to Tehran time
The Future of Malware:
- we've seen the trends:
- malware that pretends to be from Microsoft or other legitimate companies
- malware protected by sophisticated rootkits
- malware that has stolen certificates
- cleaning is going to get much, much harder:
- targeted and polymorphic malware won't get AV/AS signatures
- malware can directly manipulate Windows structures to cause misdirection
- all standard tools will be directly attacked by malware
- there will be more un-cleanable malware
- you can't know you're infected unless you find a symptom
Zero Day: A Novel
- a cyber-thriller true to the science
- www.zerodaythebook.com
- also: Trojan Horse: A Novel (Mark Russinovich)
The end :)