marklon : tools

Measure and counter measure – malware and anti-malware

marklon — Mon, 21 Apr 2008 23:04:00 GMT

There is a small, high-tech and rather geeky war going on and the battlefield is your PC. Like any war, each side is trying to learn from the other. This war is for the ownership of resources – and ultimately for money. Maybe most wars are. Let us look at some of the details.

Much as it irritates users, sometimes the kindest thing that an administrator can do is to limit the abilities of an unskilled user to harm themselves. There is also the corporate network to consider – the safety of organization sometimes requires that individuals are limited. IE has features to limit what the user can do which an administrator can set. They are detailed here:

http://technet.microsoft.com/en-us/library/bb457144.aspx

These can be turned against the user by malware and that does sometimes happen. Let us consider a few of them and how malware has used them to protect itself rather than the user:

Download signed ActiveX controls – disable that and pretty much every online virus scanner will stop working.

Various settings allow the administrator to block the downloading of various file types including .exe files – which would prevent the user from downloading a lot of the “quick fix” type of malware removers.

Sites can be added to the restricted zone – and if security sites are added to this zone, the user is effectively blocked from them.

Group policies can also be set even if the machine is not in a domain.

We have seen malware doing these things lately. Of course, if the user is an admin (and home users generally are) then the changes can be reversed if the user knows how - but many home users do not.

For quite a while, one tool in the arsenal of the techie removing malware is to alter the rights on an executable using cacls to prevent it running. The same trick has been used maliciously to block access to cmd.exe – The black hats have access to all the same tricks as we do.

The white hat community has stolen a trick or two in their turn. Anti-virus solutions increasingly hijack the kiservicetable or overwrite function prologues to try to prevent malware doing the same or to detect malware by getting underneath it. One of the truisms of malware detection is that you can only trust the layer above you because you have complete visibility of it. Conversely, it is hard to see what has happened below you because it may be changing your behavior without you knowing – a malicious kernel fooling a benign application. The phrase that we most commonly use is “He who hooks lowest wins”. Anti-virus and virus are both heading down the stack from userland to kernel and eventually to hypervisor level.

Malware tries to hide from antivirus programs and kills AV products when it can. Some AV software is now using stealth technology to hide from malware and try to avoid being killed or more commonly, crippled to leave the appearance of function without actually blocking the malware. It can be a challenge to work out whether subversion of the kernel is benign or malicious without a good rummage around in the debugger.

So, we have measure and counter measure, each sharing the same tools. The legitimate software community has more resources but the malware industry has everything to play for. The balance shifts all the time and it may well be that user education and not technology has the most to contribute. Social engineering remains the number one way to compromise a system… and maybe limiting the user is the lesser of the two evils.

Of course, we have done this in a very small but important way. Later versions of the browser on later operating systems run content with fewer rights. Most users never notice.

We live in interesting times, my friends

Signing off

Mark

Malware that wants to stay - Some passive protection tricks

marklon — Thu, 20 Mar 2008 22:31:00 GMT

Hello again

I wanted to talk about some of the things that malware does to make itself hard to remove. Most Trojans are designed to work on an average XP workstation and make assumptions based on that – which typically breaks servers in rather nasty ways.

I was recently looking at a Russian written malware implemented in VB6 – a curious choice and the developer had an odd style to his coding. It didn’t use a kernel mode rootkit which is the more common approach but relied on registry settings to do the dirty work. You might want to check these if you find yourself cleaning up a box:

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore]

DisableSR = 0x00000001

If it is a 1, you can’t do a system restore. Simple enough to fix if you can edit the registry.

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]

DisableTaskMgr = 0x00000001

DisableRegistryTools = 0x00000002

Except that you can’t because he disabled the registry tools and task manager. Well, task manager is no great loss. Process explorer from http://technet.microsoft.com/en-us/sysinternals/default.aspx will do the job at least as well. Disabling the registry tools is more of a problem unless you are on a network and able to remotely edit.

[HKEY_CURRENT_USER\Software\Policies\Microsoft\MMC]

RestrictToPermittedSnapins = 0x00000001

This was used to make MMC effectively useless. By default, no snap-ins (things like perfmon or event viewer or SQL management or whatever) are in the permitted list.

Disabling CMD.EXE is a pain when trying to remove malware so he setting the following registry key

[HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System]

DisableCMD = 0x00000001

That is especially problematical for some tools that rely on batch files and some security tools do since old school can sometimes be the only way of doing something.

In this case, a few minutes work with WinPE was enough to rain on his parade but a bit of remote registry manipulation would have done the job just as well.

Hope that this helps someone

Signing off

Mark

Antimalware tools and tricks

marklon — Mon, 21 Jan 2008 19:50:00 GMT

Ah, I am back in the office and settling into to my normal day to day work.

I am fairly often asked to remove malware from systems which the anti-malware programs on that particular PC system can’t handle. In fairness, it is often not the AV products fault. Most (more than 75%) of malware is actually installed by the users of the system after some social engineering. I know that none of you out there in blog land would do that sort of thing but it does happen. We have all downloaded drivers from the web, codecs from the web and utilities. It is easy enough to get it wrong and some of the Blackhats can make some very convincing webpages and emails that would fool your brother/mother/dentist. Anyway, that is how a lot of this nasty stuff gets on systems and one of the first things that it normally does is try to break the AV solution. Sometimes it succeeds.

I am yet to find an instance in which this has happened where the machine could not be cleaned up with the SysInternals tools and a little ingenuity. I know that I have mentioned this before but I hadn’t linked to the excellent video presentation by Mark Russinovich video: http://www.microsoft.com/emea/spotlight/sessionh.aspx?videoid =359

I would also like to mention a really good tool called Rootkit Unhooker. This was written by a Russian team who have since joined Microsoft. It is excellent for finding hijacks in the kiservicetable, hidden files and processes and similar rootkit tools. If you work with malware on a regular basis and haven’t tried this tool then you might want to search it out. I have had considerable success with this tool where some others have not been as useful.

Anyway, hopefully I will be back to some more code related posts soon but thought that this tools update could prove useful

Signing off

Mark