Advanced malware identification techniques.

March 2008

By Chris Misztur [w= ww.sync-io.net]

Required Tools:

1. &n= bsp; Process Explorer [http://technet.microsoft.com/en-us/sysinternals/bb896653.aspx]

2. &n= bsp; Autoruns [http://technet.microsoft.com/en-us/sysinternals/= bb963902.aspx]

3. &n= bsp; ShellXView [http://www.nirsoft.net/utils/shexview.html]=

4.&n= bsp; Regcleaner 4.3 [www.majorgeeks.com/download460= .html]

5.&n= bsp; Catchme= [www.gmer.net/catchme.php]

6.&n= bsp; Streams [http= ://www.microsoft.com/technet/sysinternals/FileAndDisk/Streams.mspx]<= /span>

7.&n= bsp; Hijackthis= [http://www.majorgeeks.com/down= load3155.html]

8.&n= bsp; LSPFIX [http://www.majorgeeks.com/download4180.html]=

&= nbsp; &nbs= p; All above tools are available at [http://www.sync-io.net/Dl]

Symptoms:

&= nbsp; Surfing the web is slow, computer performance in general is slow, constant pop ups advertising software or notifying user that their computer has been infecte= d.

Causes:=

&= nbsp; User has downloaded and ran a malicious piece of code without knowing it.

Resolution:

Before proceeding you may want to investigate whether you can use System Restore to restore your computer to a point in time prior to the infection. To determine if your system restore points have not been infected contact chris@sync-io.net.<= /p>

Any items modified/re= moved during this procedure will act as a guide to identifying the malicious software.

&= nbsp;

1. = Kill unwanted processes using task ma= nager to regain some control over computer.

&= nbsp; &nbs= p; Run Windows Task Manager and sort the running Processes by Us= er Name. Start off by end= ing the processes under which Windows is currently logged in under. If you do now know whether a proce= ss is safe or not, you can try Googling the process or using www.file.net or www.processlibrary.com to help y= ou make a determination. N= ow check out the running processes of other users. If you see anything questionable, attempt to end it. Repeat this procedure with Process Explorer. End any RUNDLL32 processes.

PROCESS NAME ENDED &= nbsp; &nbs= p; USERNAME

___________________ &= nbsp; &nbs= p; _________________

2. = Remove start-up entries using MSCONFI= G and Autoruns.

Under START/Run… type in MSCONFIG and press OK. In the System Configuration Utility select the Services tab and check the ‘Hide All Microsoft Services= 217; box. Scroll through the= list of checked services and uncheck anything questionable. Next, select the Startup tab. Again go though the list of Startup Items and uncheck anything questionable. If you’re not sure, Go= ogle it! If you receive an access = denied error or some sort, make a note of what you unchecked that threw the error. This is just another a= ttempt by the malware to hide itself. Note that after making any changes in the System Configuration Utility, a message box will be shown when you reboot your computer.<= span style=3D'mso-spacerun:yes'> This is normal.

&= nbsp; &nbs= p; &= nbsp; &nbs= p; SERVICE NAME DISABLED = &nb= sp; &= nbsp; MANUFACTURER

&= nbsp; &nbs= p; &= nbsp; &nbs= p; ___________= _______________ &= nbsp; ________= _______________

&= nbsp; &nbs= p; &= nbsp; &nbs= p; STARTUP ITEM DISABLED = &nb= sp; = COMMAND

&= nbsp; &nbs= p; &= nbsp; &nbs= p; ___________= _______________ &= nbsp; ________= _______________

Run Autoruns. This procedure applies to all list= ed tabs. Here you are looking for entries with publishers other than Microsoft. If you find entries with emp= ty or questionable publishers, either uncheck them or delete them. Also look for entries where the Im= age Path column is marked ‘File not found:…’. These can be safely deleted. Be careful when deleting unknown publishers from the Drivers section. Unless your computer uses biometric or advanced authentication metho= ds, the LSA Providers tab should only contain Microsoft entries. The Boot Execute tab should only c= ontain an ‘Auto Check Utility’ entry.

TAB NAME = &nb= sp; ENTRY NAME &nb= sp; = &nb= sp; PUBLISHER

____________________ _____________________ ______________________

3. = Remove unwanted shell extensions from Windows Explorer.

&= nbsp; &nbs= p; &= nbsp; Run ShellExView and sort by Company Name. Search for any empty or questionab= le entries, select them and press F7 to disable them from loading with Windows= .

EXTENSION NAME DISABLED &= nbsp; &nbs= p; COMPANY NAME

__________________________= _ ______________________

4. = Attempt to find any hidden files or registry entries.

&= nbsp; &nbs= p; &= nbsp; Run catchme. Note any finds below.

ENTRY = &nb= sp; = &nb= sp; = &nb= sp; PROCESS/SERVICE/AUTOSTART/FILE

________________________= __ &= nbsp; &nbs= p; ___________________

5.&n= bsp; Attempt to find any alternate streams.

Extract Streams.exe to= your desktop. Open a command promp= t. In the command prompt type ‘= cd desktop’ and press enter. Type ‘streams –s %systemdrive%\ > stream.log’ and press enter.= After the command finishes open st= ream.log and note any files with streams other than Zone.Identi= fier:$DATA.

FILENAME = &nb= sp; = &nb= sp; STREAM FOUND

_________________________= ___ &= nbsp; __________________________________

6. = Examine your web browser’s load= ed extensions and add-ons.

Go through the list of= your browser’s add-ons and ActiveX controls and remove or disable them.

ADDON/ACTIVEX NAME &= nbsp; &nbs= p; &= nbsp; &nbs= p;

_________________________= _______

Start Process Explorer= and press CTRL+D. The lower pane = is now showing any loaded DLLs. Sele= ct IEXPLORE.EXE (or the infected browser binary) and sort the lower pane by Company Name. Look for any empty or questionable entries and mark them below. = *.dat, *.nls, *.so files are usually not harmful.= The harmful file types hear are *.dll. Location of the file is retrieved = by scrolling over the name of the file.

NAME = &nb= sp; = LOCATION &= nbsp; &nbs= p; &= nbsp; &nbs= p; = COMPANY

_______________ &= nbsp; __________________________= __ _________________= __________

Scan your computer wit= h Hijackthis. To obtain help with your output, post it on a Hijackthis<= /span> forum.

7. = Remove unwanted software manually or = with the help of 3^rd party tools.

Before continuing, res= tart your computer and repeat steps 1 through 6 again. You may have already solved your p= roblem. Test your computer by surfing the = web for 10-15 minutes. If the pro= blem is still occurring, repeating the previous steps will reveal very important information. Compare your not= es to see what entries were recreated or duplicated after you restarted your computer. Identify these entr= ies by Googling them to reveal the identity of your infection. Once you have corr= elated your finds with a malicious software name you can Google for ‘Remove Guide for Trojan XXX’.

Companies such as Syma= ntec provide tools for removing specific malicious code. Also there are many users who have= had the same problem as you and guides have already been created. Note that some software will still= be visible in Control Panel \ Add/Remove Programs. Using the uninstall feature of the= se products is usually not effective. To remove the entry from Add/Remove Prog= rams use RegCleaner 4.3. If you attempt to delete any files= and you receive errors such as access denied or file in use then you will have = to boot your computer into the Windowx Repair Cons= ole and use the DELETE command from there.&nbs= p; You can also try running LSPFIX to determine if your TCP/IP stack has been hijacked. Some malware c= hooses to insert itself into the Winsock (API used for communicating between IE and the TCP/IP stack).

8. = Protect your computer from opportunis= tic re-infection.

Destroy your System Re= store points by turning off System Restore, reboot your computer, and turn System Restore back on. Use the Windows Disk Cleanup utility to remove any traces of temporary files. Run Regcleane= r 4.3 and perform a registry clean up. Run ‘SFC /scannow’ to valida= te your Windows system files. Al= ways protect your Windows logins with passwords and create Windows login accounts with least privilege for the less educated users.

9. = Keep it updated.

Make sure your Windows= Updates are current and use Secunia’s free Softwa= re Inspector [www.secunia.com] to deter= mine what applications are out of date on your computer.

Editions

1^st.March = 2008

2^nd.April = 2008