
Sysinternals Malware Analysis (Notes Only)

by Mark Russinovich (for more details, please see the YouTube video presentation)

NOTE: do not let the notes below be a substitute for the YouTube video, as the notes below include no screenshots of the tools used!
Also, I haven't checked if there's an update to the data below, so if anyone thinks of it as obsolete, I apologize!

#######

Learn about the Sysinternals tools and techniques for analyzing and cleaning malware
- professional anti-malware analysis requires years of deep training
- even for professionals, Sysinternals tools can prove useful

Analyzing:
- understanding the impact of malware
- can be used to understand malware operation
- generates a road map for cleaning infestations

Cleaning:
- removing an infestation from a compromised system
- attempting a clean can also reveal more data about the malware's operation

Pave & nuking a system should be the last and most extreme alternative!
If there's no expertise and no time left to understand/analyze the malware, then pave & nuke the system!

Malware cleaning steps:
- disconnect from network
- identify malicious processes and drivers
- terminate identified processes
- identify and delete malware autostarts
- delete malware files
- reboot and repeat

What are you looking for when you identify/investigate processes:
- it has no icon
- it has no description or company name
- unsigned Microsoft images
- live in the Windows directory or a user profile
- are packed
- include strange URLs in their strings
- have open TCP/IP endpoints
- host suspicious DLLs or services
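The indicator list above can be applied to every running process with built-in PowerShell cmdlets, before reaching for Process Explorer. The script below is an added example, not code from the talk: it checks version information (description and company name), Authenticode signature status (with a Microsoft-claim mismatch flagged separately), image location and open TCP endpoints. Packing and strings are left to Process Explorer. The choice to treat only the root of the Windows directory as suspicious (and not System32/SysWOW64) is my own heuristic; run it from an elevated prompt so that image paths of all processes are readable, and note that Get-NetTCPConnection needs Windows 8 / Server 2012 or later.

```powershell
# Added example (not from the talk): score running processes against the
# indicator list from the notes. Run elevated.
$winDir   = $env:SystemRoot
$profiles = Split-Path $env:USERPROFILE -Parent      # e.g. C:\Users

# Build a lookup of PIDs that currently own a TCP endpoint (listening or connected)
$tcpOwners = @{}
Get-NetTCPConnection -ErrorAction SilentlyContinue |
    ForEach-Object { $tcpOwners[[int]$_.OwningProcess] = $true }

$findings = foreach ($p in Get-Process) {
    $path = $p.Path                          # $null for protected/system processes
    if (-not $path) { continue }

    $reasons = New-Object System.Collections.Generic.List[string]
    $ver = (Get-Item -LiteralPath $path -ErrorAction SilentlyContinue).VersionInfo

    # 1. no description / no company name in the image's version information
    if (-not $ver -or [string]::IsNullOrWhiteSpace($ver.FileDescription) -or
        [string]::IsNullOrWhiteSpace($ver.CompanyName)) {
        $reasons.Add('no description/company name')
    }

    # 2. unsigned image, and in particular an image that claims Microsoft but is not validly signed
    $sig = Get-AuthenticodeSignature -LiteralPath $path
    if ($sig.Status -ne 'Valid') {
        $reasons.Add("not validly signed ($($sig.Status))")
        if ($ver -and $ver.CompanyName -match 'Microsoft') {
            $reasons.Add('claims Microsoft but signature does not verify')
        }
    }

    # 3. image lives in the root of the Windows directory or inside a user profile
    if ($path -like "$winDir\*" -and $path -notlike "$winDir\System32\*" -and
        $path -notlike "$winDir\SysWOW64\*") {
        $reasons.Add('lives in the Windows directory')
    }
    if ($path -like "$profiles\*") { $reasons.Add('lives in a user profile') }

    # 4. process owns open TCP endpoints
    if ($tcpOwners.ContainsKey($p.Id)) { $reasons.Add('has open TCP endpoints') }

    if ($reasons.Count -gt 0) {
        [pscustomobject]@{
            PID     = $p.Id
            Name    = $p.ProcessName
            Path    = $path
            Reasons = ($reasons -join '; ')
        }
    }
}

$findings | Sort-Object Name | Format-Table -AutoSize -Wrap
```

A hit on one indicator is a reason to look closer in Process Explorer, not a verdict: plenty of legitimate third-party software is unsigned or lives in a user profile, which is exactly why the talk pairs these indicators with the Search Online and Strings steps.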

How many people look at processes with Task Manager?
Use Process Explorer (from Sysinternals)!
Process Explorer:
- is the Super Task Manager
- has lots of general troubleshooting capabilities:
    - DLL versioning problems
    - handle leaks and locked files
    - performance troubleshooting
    - hung processes
- we're going to focus on its malware cleaning capabilities

The Process View:
- the process tree shows parent-child relationships
- icon, description and company name are pulled from the image's version information
    - most malware doesn't have version information
    - what about malware pretending to be from Microsoft? Will talk about it later
- use the Window Finder (in the toolbar) to associate a window with its owning process
- use the Search Online menu entry to look up unknown processes
    - but malware often uses totally random and pseudo-random names

Refresh Highlighting:
- refresh highlighting highlights changes
    - Red: process exited
    - Green: new process
- change the duration (default 1 second) in Options
- press the space bar to pause and F5 to refresh
- cause the display to scroll to make new processes visible with the Show New Processes option
- we'll see how to spot short-lived processes later

Process-type Highlights:
- blue processes are running in the same security context as Process Explorer
- pink processes host Windows services
- purple highlighting indicates an image is 'packed'
    - packed can mean compressed or encrypted
    - malware commonly uses packing (ex: UPX) to make antivirus signature matching more difficult
    - packing and encryption also hide strings from view
- there are a few other colors, but they are not important for malware hunting

Tool tips:
- process tool tips show the full path to the process image
- malware most often hides behind Svchost, Rundll32 and Dllhost
    - the tool tip for Rundll32 processes shows the hosted DLL
    - the Dllhost tool tip shows the hosted COM server
    - the tool tip for service processes shows the hosted services
        - services covered in detail shortly

New in v15.2:
- autostart locations
    - reports where the image is registered for autostart or loading
    - not necessarily what caused the process to execute, though
- process timeline

Detailed Process Information:
- double-click on a process to see detailed information
- pages relevant to malware analysis:
    - image: signing status, start time, version
    - TCP/IP: open endpoints
    - strings: printable strings in the main executable

Image Verification:
- all (well, most) Microsoft code is digitally signed
    - the hash of the file is signed with Microsoft's private key
    - the signature is checked by decrypting the signed hash with the public key
- you can selectively check for signatures with the Verify button on the process Image tab
    - select the Verify Image Signatures option to check all
    - add the Verified Signer column to see all
- note that verification will connect to the Internet to check Certificate Revocation List (CRL) servers

Sigcheck and ListDLLs:
- scan the system for suspicious executable images
    sigcheck -e -u -s c:\       (it will find great places to hide malware)
- look for the same characteristics as suspicious processes
    - be particularly wary of items in the \Windows directory and the \Users\<username>\AppData directories
    - investigate all unsigned images
- ListDLLs can scan running processes for unsigned DLLs
    listdlls -u
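The two commands above produce long listings on a real system; the script below, an added example and not part of the talk, runs the same sigcheck scan with CSV output (the -c switch) and sorts the unsigned executables into the two buckets the notes single out, the \Windows directory and the per-user AppData directories, before running the ListDLLs check. It assumes sigcheck.exe and listdlls.exe are on PATH; the CSV column names (Path, Company, Description) are sigcheck's own header.

```powershell
# Added example (not from the talk): sigcheck -e -u -s over the system drive,
# captured as CSV and bucketed by location, followed by ListDLLs -u.
$csv = Join-Path $env:TEMP 'sigcheck-unsigned.csv'

# -e executables only, -u unsigned/unverified only, -s recurse, -c CSV to stdout
& sigcheck.exe -accepteula -nobanner -e -u -s -c "$env:SystemDrive\" |
    Out-File -Encoding utf8 $csv

$winDir  = $env:SystemRoot
$appData = "$(Split-Path $env:USERPROFILE -Parent)\*\AppData\*"   # C:\Users\<any>\AppData\...

$rows = Import-Csv $csv | ForEach-Object {
    $bucket = if ($_.Path -like "$winDir\*")  { '1-Windows dir' }
              elseif ($_.Path -like $appData) { '2-User AppData' }
              else                            { '3-Elsewhere' }
    $_ | Add-Member -NotePropertyName Bucket -NotePropertyValue $bucket -PassThru
}

# Most suspicious locations first; Company/Description are usually empty for malware
$rows | Sort-Object Bucket, Path |
    Format-Table Bucket, Path, Company, Description -AutoSize -Wrap

# Same idea for DLLs already loaded into running processes: list only unsigned ones
& listdlls.exe -accepteula -u
```

Keep the CSV: it is the "before" picture you can diff against after cleaning and rebooting, in the same way the Autoruns compare feature is used for autostarts.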

Strings:
- on-disk and in-memory process strings are visible on the Strings tab
    - there's only a difference if the image is compressed or encrypted
- strings can help provide clues about unknown processes
    - look for URLs, names and debug strings
- you can also dump strings with the command-line Strings utility from Sysinternals
    strings <file>

The DLL View:
- malware can hide as a DLL inside a legitimate process
    - we've already seen this with Rundll32 and Svchost
    - typically loads via an autostart
    - can load through 'DLL injection'
    - packing highlighting shows in the DLL view as well
- open the DLL view by clicking on the DLL icon in the toolbar
    - shows more than just loaded DLLs
    - includes the .exe and any 'memory mapped files'
- can search for a DLL with the Find dialog
- DLL strings are also viewable in the DLL properties

Terminating Malicious Processes:
- don't kill processes
    - malware processes are often restarted by watchdogs
- instead, suspend them
    - note that this might cause a system hang for Svchost processes
    - record the full path to each malicious EXE and DLL
- after they are all asleep, then kill them
    - watch for restarts with new names
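The suspend-first sequence above can be scripted once the triage in Process Explorer has produced a list of PIDs. The script below is an added example, not code from the talk: it records the full path of each EXE and its loaded modules first, suspends every suspect with PsSuspend (assumed to be on PATH), skips svchost.exe because of the hang risk the notes mention, terminates the suspects only after all are asleep, and then reports processes that appeared afterwards, which is how restarts under new names show up. The PID values are placeholders to be replaced with your own findings.

```powershell
# Added example (not from the talk): record, suspend, then kill, then watch for restarts.
$suspects = @(1234, 5678)          # PLACEHOLDER PIDs from your Process Explorer triage
$snapshotBefore = Get-Process | ForEach-Object Id   # every PID alive before we act

$record = foreach ($id in $suspects) {
    $p = Get-Process -Id $id -ErrorAction SilentlyContinue
    if (-not $p) { continue }
    if ($p.ProcessName -ieq 'svchost') {
        Write-Warning "PID $id is svchost.exe; suspending it can hang the system, skipping"
        continue
    }
    # 1. record the full path of the EXE and of every loaded DLL before touching anything
    [pscustomobject]@{
        PID     = $id
        Exe     = $p.Path
        Modules = ($p.Modules | ForEach-Object FileName) -join "`n"
    }
    # 2. suspend rather than kill, so a watchdog sees nothing to restart
    & pssuspend.exe -accepteula $id | Out-Null
}
$record | Export-Csv (Join-Path $env:TEMP 'malware-paths.csv') -NoTypeInformation

# 3. only once all suspects are asleep, terminate them
$record | ForEach-Object { Stop-Process -Id $_.PID -Force -ErrorAction SilentlyContinue }

# 4. watch for restarts: any PID that did not exist before is a candidate, whatever its name
Start-Sleep -Seconds 15
Get-Process | Where-Object { $snapshotBefore -notcontains $_.Id } |
    Format-Table Id, ProcessName, Path -AutoSize
```

The recorded paths feed the later "delete malware files" step; the list of new PIDs feeds the next round of triage, since a watchdog that survived will usually re-spawn its partner under a fresh random name.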

Investigating Autostarts:
- Windows msconfig.exe falls short when it comes to identifying autostarting applications
    - it knows about few locations
    - it provides little information
- it uses the Task Manager (which is REALLY bad)

Autoruns:
- shows every place in the system that can be configured to run something at boot & logon
    - standard Run keys and Startup folders
    - shell, userinit
    - services and drivers
    - tasks
    - winlogon notifications
    - Explorer and IE add-ins (toolbars, Browser Helper Objects...)
    - more, and always growing
- each startup category has its own tab and all items display on the Everything tab
    - startup name, image description, company and path

Identifying Malware Autostarts:
- zoom in on add-ons (including malware) by selecting these filter options:
    - verify code signatures
    - hide Microsoft entries
- select an item to see more in the lower window
    - online search unknown images
    - double-click on an item to look at where it's configured in the Registry or file system
- has other features
    - can display other profiles
    - can also show empty locations (informational only)
    - includes compare functionality
    - includes an equivalent command-line version, Autorunsc.exe

Deleting Autostarts:
- delete suspicious autostarts
    - you can disable them if you're not sure
- after you're done do a full refresh
- if they come back, run Process Monitor to see who's putting them back
    - you might have misidentified a malware process
    - it might be a hidden, system or legitimate process
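The "verify signatures, hide Microsoft entries, clean, refresh, see what came back" loop above maps directly onto Autorunsc, the command-line version mentioned under Identifying Malware Autostarts, and onto a diff of two snapshots, which is what the GUI's compare feature does. The script below is an added example, not the project's own code: it assumes autorunsc.exe is on PATH and that its CSV header contains the columns Entry Location, Entry and Image Path (an assumption about the current autorunsc output format).

```powershell
# Added example (not from the talk): Autorunsc snapshot before and after cleaning,
# then a diff that shows removed entries and entries that came back.
function Get-AutorunSnapshot {
    param([string]$OutFile)
    # -a * all entry categories, -c CSV output, -m hide Microsoft entries,
    # -s verify digital signatures (so an entry claiming Microsoft but unsigned stays visible)
    & autorunsc.exe -accepteula -nobanner -a '*' -c -m -s |
        Out-File -Encoding utf8 $OutFile
    Import-Csv $OutFile
}

# Identity of an autostart: where it is configured, its name, and the image it launches
$entryKey = { "$($_.'Entry Location')|$($_.Entry)|$($_.'Image Path')" }

$before = Get-AutorunSnapshot (Join-Path $env:TEMP 'autoruns-before.csv')
$before | Format-Table 'Entry Location', Entry, 'Image Path', Signer -AutoSize -Wrap

Read-Host 'Delete or disable the suspicious entries in Autoruns, then press Enter'

$after = Get-AutorunSnapshot (Join-Path $env:TEMP 'autoruns-after.csv')

Compare-Object ($before | ForEach-Object $entryKey) ($after | ForEach-Object $entryKey) |
    ForEach-Object {
        # '=>' only in the second snapshot: a new entry, or one you deleted that came back
        $state = if ($_.SideIndicator -eq '=>') { 'ADDED/RETURNED' } else { 'REMOVED' }
        '{0,-15} {1}' -f $state, $_.InputObject
    }
```

Anything reported as ADDED/RETURNED after a cleanup is the cue to run Process Monitor with a write filter on that Registry path or file, so you can see which process is putting the entry back.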

Tracing Malware:
- tracing activity can reveal the system impact of malware
    - malware shows the initial infection, before cloaking is applied
    - can reveal the internals of the 'buddy system' and other infection-protection mechanisms
- Process Monitor makes tracing easy
    - a simple filter can identify all system modifications
    - investigating stacks can distinguish legitimate activity from malicious activity


Event Properties:
- event details
    - duration, process, thread, details, etc.
- process information
    - command line
    - user
    - session and logon session
    - image information
    - start time
- thread stack at the time of the event

Filtering:
- to filter on a value, right-click on the line and select the attribute from the Include, Exclude and Highlight sub-menus
    - you can select multiple values simultaneously
- when you set a highlight filter you can move through the highlighted event properties

Advanced Filtering:
- multiple-filter behavior:
    - values from different attributes are AND'd
    - values from the same attribute are OR'd
- more complex filtering is available in the Filter dialog
    - Outlook-style rule definition
- you can save and restore filters
- filter for watching malware impact: "Category is Write"
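The AND-between-attributes / OR-within-attribute rule above is easy to get backwards, so here is the semantics modelled in PowerShell over a handful of constructed events (not a real Process Monitor trace, and not code from the talk). The sample uses the once-per-second Registry check from the Sysinternals-blocking case later in the notes; the key name acdcacaeaaacb is the one quoted there, the rest of the paths are made up.

```powershell
# Added example (not from the talk): Process Monitor include/exclude filter semantics
# on constructed events. Different attributes are ANDed, values of one attribute are ORed.
$events = @(
    [pscustomobject]@{ Process='winlogon.exe'; Category='Read';  Operation='RegQueryValue'; Path='HKLM\SOFTWARE\acdcacaeaaacb' }
    [pscustomobject]@{ Process='winlogon.exe'; Category='Write'; Operation='RegSetValue';   Path='HKLM\SOFTWARE\acdcacaeaaacb' }
    [pscustomobject]@{ Process='svchost.exe';  Category='Write'; Operation='WriteFile';     Path='C:\Users\alice\AppData\Roaming\acdcacaeaaacb.dll' }
    [pscustomobject]@{ Process='notepad.exe';  Category='Write'; Operation='WriteFile';     Path='C:\Users\alice\notes.txt' }
    [pscustomobject]@{ Process='explorer.exe'; Category='Read';  Operation='ReadFile';      Path='C:\Windows\explorer.exe' }
)

function Select-ProcmonEvent {
    param(
        [object[]]$Events,
        [hashtable]$Include = @{},   # attribute -> one value or a list of values
        [hashtable]$Exclude = @{}
    )
    foreach ($e in $Events) {
        $keep = $true
        # Include: every attribute must match (AND), any listed value satisfies it (OR)
        foreach ($attr in $Include.Keys) {
            if (-not (@($Include[$attr]) -contains $e.$attr)) { $keep = $false; break }
        }
        # Exclude: a match on any attribute/value drops the event
        if ($keep) {
            foreach ($attr in $Exclude.Keys) {
                if (@($Exclude[$attr]) -contains $e.$attr) { $keep = $false; break }
            }
        }
        if ($keep) { $e }
    }
}

# "Category is Write" AND ("Process is winlogon.exe" OR "Process is svchost.exe"),
# excluding plain ReadFile noise: yields the RegSetValue and the DLL WriteFile events only
Select-ProcmonEvent -Events $events `
    -Include @{ Category = 'Write'; Process = 'winlogon.exe', 'svchost.exe' } `
    -Exclude @{ Operation = 'ReadFile' } |
    Format-Table Process, Operation, Path -AutoSize
```

The same rule explains why "Category is Write" alone is the go-to filter for watching malware impact: it keeps every process but restricts the attribute to the one value that matters, so each write to a file or Registry key stands out without having to guess process names in advance.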

The Process Tree:
- Tools > Process Tree
    - shows all processes that have been seen in the trace (including parents)
    - can toggle terminated processes on and off
- the process tree provides an easy way to see process relationships
    - short-lived processes
    - command line
    - user names

Real World Analysis and Cleaning (minute 44)

The Case of the Sysinternals-Blocking Malware
- a friend asked for a look at a system suspected of being infected with malware
    - boot and logons took a long time
    - a Microsoft Security Essentials (MSE) malware scan would never complete
    - nothing jumped out in Task Manager
- tried running Sysinternals tools, but all exited immediately after starting:
    - Autoruns
    - Process Monitor
    - Process Explorer
    - even Notepad opening a text file named "Process Explorer" would also terminate

- looking through the Sysinternals suite, noticed the Desktops utility
    - hoped the malware might not be smart enough to monitor additional desktops

- sure enough, was able to launch Process Monitor and the other tools:
    - the malware probably looks for tools in window titles
    - window enumeration only returns windows of the current desktop

- nothing suspicious in Process Explorer
- next, ran Process Monitor
    - noticed a lot of Winlogon activity, so set a filter to include it
    - could see a once-per-second check of a strange key
        (e.g. acdcacaeaaacb...)
    - saw mention of a random DLL in the key:
        (e.g. yellow folder named acdcacaeaaacb...)

Solved:
- tried deleting the key, but after refreshing, it was back
- went back to MSE and directed it to scan just the random DLL image file on disk
- after the clean, was able to delete the Registry key and the system was back to normal: problem solved...

Cleaning FakeSysDef Scareware:

- see the video in regards to the malware hiding

The Case of the Strange Reboots:
- laptop would reboot immediately after connecting to wireless networks:
    - followed by a boot in safe mode
    - and then a boot back to normal mode
- booting to safe mode resulted in automatic logoff
- tried to run Microsoft Security Essentials (MSE), but it was damaged
- ran Process Explorer and saw many processes exhibiting malware characteristics
- processes with names mimicking Windows processes were clearly malicious
- Autoruns showed the system massively infected
- suspended all packed processes that looked suspicious
- connected to the network: no restart
- downloaded and ran a fresh copy of MSE
    - MSE detected several malware variants
- after cleaning, there were no more suspicious processes and the system behaved normally:
PROBLEM SOLVED!

Cleaning the Cycbot.exe backdoor:

- please see the video for details
- also do some research on how it works and the locations it uses

Analyzing and Cleaning Stuxnet and Flame:
- discovered June 2010 after it had spread for a year
- exploited 4 zero-day Windows vulnerabilities
    - print spooler for remote code execution
    - shortcut (LNK) Explorer code execution from an infected key
    - Win2k/Windows XP Win32k.sys privilege elevation
    - Windows 7 Task Scheduler privilege elevation
- drivers signed by certificates stolen from RealTek and JMicron (in Taiwan)
- rootkit code for the Siemens Step 7 SCADA PLC for centrifuges
- suspected to have targeted Iranian centrifuges used for uranium enrichment at the Natanz nuclear facility
    - Iran confirmed in September 2010 that thousands were destroyed
    - suspected to be created by Israel and the US
- believed to have been spreading through USB keys (at this point)
- there is ONLY ONE lsass.exe on the system (should be anyway)

Flame:
- discovered a few weeks ago
- considered by some to be more sophisticated than Stuxnet
- found by Kaspersky antivirus
- used Lua programming for the code
- the computer clock had to be changed to Tehran


The Future of Malware:
- we've seen the trends:
    - malware that pretends to be from Microsoft or other legitimate companies
    - malware protected by sophisticated rootkits
    - malware that has stolen certificates
- cleaning is going to get much, much harder:
    - targeted and polymorphic malware won't get AV/AS signatures
    - malware can directly manipulate Windows structures to cause misdirection
    - all standard tools will be directly attacked by malware
    - there will be more un-cleanable malware
- you can't know you're infected unless you find a symptom

Zero Day - A Novel
- a cyber-thriller true to the science
- www.zerodaythebook.com
- book: Trojan Horse, a novel (Mark Russinovich)

The end :)