Friday, March 11, 2011

Sysinternals Advanced Malware Cleaning Review


Trying to clean up malware from your computer? Advanced Malware Cleaning, located on the Windows Sysinternals website, is a must-watch video from Windows expert Mark Russinovich. Mark was the co-founder of Sysinternals before it was acquired by Microsoft in 2006.

Mark gives an overview of how Sysinternals tools such as Process Explorer work, and shows how to use the AutoRuns, SigCheck, and TCPView utilities to discover where malware is hiding on your computer and how to clean it. Mark also talks about rootkits and his own RootkitRevealer tool, an advanced rootkit detection utility.

Mark discusses the future of malware and how malware is becoming harder and harder to detect.

With standard tools, we are not going to be able to spot malware, Mark says.  Our regular antivirus and spyware tools are unable to get rid of all malware because these tools are so dependent on signatures.

Mark advises that you should always perform a manual cleaning after you run your regular antivirus and spyware.

According to Mark, these are the steps you should take to clean malware from your system:
  • Disconnect from the network (because malware is constantly communicating with the network to download updates to the malware images)
  • Identify malicious processes and drivers
  • Terminate identified processes (by putting them to sleep first)
  • Identify and delete malware autostarts
  • Delete malware files
  • Reboot and repeat
These are the processes we are looking for:
  • have no icon
  • have no description or company name
  • are unsigned Microsoft images
  • live in the Windows directory
  • are packed
  • include strange URLs in their strings
  • have open TCP/IP endpoints
  • host suspicious DLLs or services
Process Explorer is still a free SysInternals tool that you can get from  Process Explorer has many features, but, Mark focuses primarily on the processes useful for hunting malware in this demonstration.

Process Explorer has a tree structure, a parent/child relationship, that assists you in seeing the relationships between processes. It gives you a detailed view of the currently active processes and has an optional lower window pane that shows the DLLs or Handles associated with the selected process. A button on the toolbar lets you choose the DLL mode or Handle mode. The optional lower pane is displayed when you select Show Lower Pane in the View menu on the toolbar.

Window finder. Window finder is one of the features in Process Explorer that shows you what process owns a window.  For example, if you open notepad and drag the bullet icon (located on the tool bar in Process Explorer) over the notepad window, Process Explorer will show you what process owns the notepad window.

Search Online. Another cool feature is the Search Online option.  If you are not sure of a process function, click on the process, right click and choose the Search Online option to go online and find out what the process does.  Useful because there will undoubtedly be processes you won't know.

Refresh Highlighting. Refresh Highlighting helps to see process activity in the tree and highlights the malware process when it comes or goes. Select Refresh Highlighting on the Options menu in the Process Explorer toolbar. Press the F5 key to refresh. Green highlighting indicates malware has appeared. Select Difference Highlight Duration on the Options menu and change the 1 to a maximum of 9 seconds. If a malware process exits, a red highlight is applied. Note: the green and red highlights indicate a process is entering and leaving, not that it is necessarily malware. Before taking any action, definitely investigate what the process is.

In Process Explorer, the processes are highlighted in different colors. Each color can be configured to your liking in the Options tab located on the toolbar. The default blue color means the process is running in the current logon session that you own. Processes that are pink are Windows services. The orange color means the process is a job object, and Mark says these types are not very useful when hunting malware. Purple indicates the image is packed, and probably malware. Purple is the color to keep your eye on.

Tool tip. Roll your cursor over a process and it shows the full path name.  Useful for processes that are hosting multiple components, such as DLLs.  Sometimes malware hides in the Rundll32.exe which is a Microsoft file and digitally signed. The tool tip shows the DLL target path. Double clicking on a process will display even further information about a process.

Verify Image Signatures. Most Microsoft files are digitally signed, but not all. Mark says the policy is for future releases to digitally sign all Microsoft files. Digitally signed means a hash of the file is signed with Microsoft's private key; if you decrypt that signed hash with the public key and it matches the hash of the image, then the file is verified to be signed. Mark has added an option in Process Explorer to Verify Image Signatures. If the Verify Image Signatures option is checked, the verification is done in the background. Under the View option in Select Columns, you can add a column called Verified Signer that will show you the results of the Verify Image Signatures check. Note that when this is done, you will see network traffic in Process Explorer because Process Explorer goes to the Internet to see if the certificate has been revoked.

Windows Services. Services (the pink coloring) can either run in their own dedicated process or be hosted in a service host process that runs multiple services. These types of services are run as DLLs, instead of executables. In Process Explorer, you will see a number of service hosts (svchost.exe). The tooltip that appears when you roll over the svchost.exe file with your cursor shows you the services that are running within that svchost.exe. The Service tab on the tool bar of Process Explorer gives you additional information. Among other things, it gives you the path to the DLL. This is very useful because malware can hide in DLLs. Look for ones without a description. All Microsoft services have a description, whereas malware normally wouldn't have a description.

Strings. If you double click on a process, a dialog box pops up and you will have a number of tabs. One of the tabs is the Strings tab. Strings are a way to look inside an image to see if there is suspicious data inside the image. For example, if your service is highlighted in purple, indicating a presence of malware, double click the service. You won't see anything suspicious because the image is packed. Click on the Memory button at the bottom of the Strings dialog box. Look for strings such as www, .com, and http to see if anything looks suspicious. (note: you won't be able to look in Memory for a system process). In Mark's example, there was a string with Pretty obvious, huh? Sysinternals also has a Strings utility where you can dump strings from executables.
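An added example, not part of the original post or of any Sysinternals tool: a Python version of the strings check described above. It pulls printable ASCII and UTF-16LE runs out of a byte buffer and keeps those matching the www, .com and http hints; both sample buffers are constructed, and a single-byte XOR stands in for a real packer to show why the on-disk view comes up empty while the in-memory view does not.

```python
import re

ASCII_RUN = re.compile(rb"[\x20-\x7e]{5,}")            # 5+ printable ASCII bytes
WIDE_RUN = re.compile(rb"(?:[\x20-\x7e]\x00){5,}")     # same text stored as UTF-16LE
NETWORK_HINT = re.compile(r"https?://|www\.|\.com\b", re.IGNORECASE)

def extract_strings(blob):
    """Return printable strings found in blob, ASCII runs first, then UTF-16LE."""
    found = [m.group().decode("ascii") for m in ASCII_RUN.finditer(blob)]
    found += [m.group().decode("utf-16-le") for m in WIDE_RUN.finditer(blob)]
    return found

def network_strings(blob):
    """Keep only the strings that look like URLs or host names."""
    return [s for s in extract_strings(blob) if NETWORK_HINT.search(s)]

# Constructed sample: what the unpacked image looks like in memory.
MEMORY_VIEW = (
    b"\x90\x90\x01"
    + b"http://update.example.invalid/get.php"
    + b"\x00\x01\x02"
    + "www.example.com".encode("utf-16-le")
    + b"\xff\xfe"
    + b"kernel32.dll\x00"
)
# Constructed sample: the same bytes as stored on disk. XOR is only a stand-in
# for a packer; real packers compress or encrypt, with the same effect on strings.
DISK_VIEW = bytes(b ^ 0x5A for b in MEMORY_VIEW)

if __name__ == "__main__":
    print("on disk  :", network_strings(DISK_VIEW))
    print("in memory:", network_strings(MEMORY_VIEW))
```
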

View DLLs. When checking DLLs, there is a button on the toolbar to view DLLs. If there is an image that is packed, it will show up highlighted in purple. You can also search for a DLL to see what processes have it hosted in the Find dialog.

There are a number of tools for looking at drivers:

Built-in command: sc query type= driver (sc expects a space after "type=")
Device Manager with View Show Hidden Drivers

Process Explorer has a convenient way to look at drivers. First, make sure you are in the tree view by clicking on the Show Process Tree button at the top of Process Explorer. Click on the System process at the top on the left-hand side of the tree, then click on the View DLLs button to see the drivers. Look for suspicious drivers that have no description or company name. If a driver says it's from Microsoft and it's not digitally signed, then you should check it out.

TCPView. The above steps are just steps to identify the suspicious processes and services.  Hold off on doing anything with them at this point. The next step should be to look at the network to see if you have any processes that have a connection to the network and look suspicious. You can use another Sysinternals utility called TCPView to show you the full list of active end points. In TCPView, you have an option to Close Connection that will let you terminate the suspicious connection to your network. You can also do a Whois look up to see who is on the other end of that connection.

Suspend. After you have identified the processes and services where you think malware is hiding, you should not terminate the processes, yet. Malware has adopted something called the 'buddy' system where multiple processes are running and the processes look out for each other. If one is deleted, the other replaces it. Instead of killing the processes, you should Suspend the process. Mark says no malware he has seen thus far has the ability to determine their malware process is suspended and that they are "about to get killed". After you suspend a process, the process will have grey highlighting.

Cleaning Autostarts. You can use the msconfig tool that comes bundled with your Windows OS. However, it is extremely difficult to look for malware using msconfig. Msconfig does not show you every autostart location on your computer.
I guarantee you will love the free Sysinternals AutoRuns onto your system. Personally, I like knowing what is going on in my system and I don't like the idea of some malware lurking around.

It shows every single autostart and lets you check and uncheck the ones you have identified as suspicious or that you just don't want to run at boot up. Go to Options in the AutoRuns toolbar and click on Verify Code Signatures and Hide Microsoft and Windows Entries. If you are unsure about an autostart, you can highlight it and right click for the Search Online function so you can investigate it. You can either delete the autostart or, if you are not sure whether you want it, uncheck it to disable it. You can add the autostart back by rechecking it. Afterwards, press F5 to refresh. If the malware comes back, you have to figure out what malware process is putting it back. Run Sysinternals Process Monitor or Filemon and Regmon to see what is putting it back.

Rootkits. "Rootkits are becoming more and more of a serious threat", according to Mark Russinovich. Mark's definition of a rootkit is as follows:

Software that hides itself or other objects, such as files, processes, and Registry keys, from view of standard diagnostic, administrative, and security software.

Rootkits, botnets, and certain types of spyware hide themselves and steal your login information and other personal information. Rootkits are a type of "cloaking" or "stealth technology".
On the bright side, Mark says all rootkits have holes that leave some way to detect their presence. However, it is a "cat and mouse game", according to Mark. Neither side can win. No rootkit detection kit can detect and kill all rootkits. There are three types of rootkit detection software:
  1. Signature based. Microsoft Malicious Software Removal Tool is one.  
  2. Anomaly detection. These look for signs the rootkit has tampered with the system. System Virginity Verifier, GMER, IceSword, PatchGuard (built into the 64-bit versions of Windows XP/Server 2003 SP1/Vista) 
  3. Cross-view comparison. Tries to uncover a rootkit by working around it. Sysinternals Rootkit Revealer, F-Secure Blacklight are examples of this. 
Mark says if you think you have a root kit, you should run all of the above. What one doesn't catch, the other rootkit detector might. Apparently, you will see more rootkits that uncloak themselves when they determine a rootkit detection kit is running, so you are unable to see anything suspicious.
These are my test results from the above mentioned rootkit detectors:

Rootkit Revealer: Rootkit Revealer is compatible with Windows XP (32-bit) and Windows Server 2003 (32-bit).
F-Secure Blacklight: Easy to run and user-friendly.
System Virginity Verifier download:  Unable to locate a current download of SVV.  If anyone knows of a current version 2011, let me know.
GMER: Problems with it, crashed my system with blue screen the first time and shut down with a Windows error on the second run. If anyone knows of a current version 2011 that works with documentation, let me know.
IceSword: PCWorld says a lot of people were having problems with IceSword. I was unable to figure out how to use it. If anyone knows of a current version 2011 with documentation, let me know.
PatchGuard: Mark said it is built into the newer Windows versions of the OS.
Microsoft Malicious Software Removal Tool: I run MMSR on a regular basis. See Malicious Software Removal Tool to find out about MMSR.

(Another advanced tool you can use is the Local Kernel Debugging tool that comes in the Debugging Tools for Windows package, a free download from Windbg is part of the package and supports XP and higher including 64-bit. It requires the symbols for the kernel. You can get the symbols by pointing the tool at Microsoft's public symbol server that will download the symbols it needs on demand. Check out the Help file for further information, as this tool is for the advanced debugger and requires explanation beyond this posting.)

Sigcheck. Even if you don't do the above, one way to look for malware on your system is to look for files that don't have digital signatures. Sysinternals free Sigcheck tool can be used for scanning the system for suspicious executable images. Here are some command line options that can be used:

 sigcheck -e -u -s c:\
-e will look for any digital signatures on any executable image, regardless of the extension. Mark says one of the drawbacks of many types of antivirus and spyware is it only examines executables that have an executable extension like .exe or .com. Windows doesn't care about the extension. If it has a header in it that says it is executable, you can launch it. 

-u shows only images that aren't signed and -s does a directory recursive listing. Remember most Microsoft files are signed, but not all. Investigate the files on your system that are not signed.
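An added example, not from the original post and not how Sigcheck itself is implemented: the header check that makes extension-based scanning unreliable, written in Python. It recognises PE images by their MZ and PE\0\0 markers and lists those whose file extension is not a usual executable one; the extension list, the function names and the constructed sample header are assumptions made for this example.

```python
import os
import struct

# Extensions an extension-based scanner would inspect (assumed list for this example).
EXEC_EXTENSIONS = {".exe", ".dll", ".sys", ".com", ".scr", ".ocx", ".cpl"}
IMAGE_FILE_DLL = 0x2000  # COFF Characteristics flag

def pe_info(data):
    """Return {'machine', 'is_dll'} if data starts with a PE image, else None."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)    # file offset of the PE signature
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    coff = data[e_lfanew + 4:e_lfanew + 24]               # 20-byte COFF file header
    if len(coff) < 20:
        return None                                       # truncated header
    machine, _, _, _, _, _, flags = struct.unpack("<HHIIIHH", coff)
    return {"machine": hex(machine), "is_dll": bool(flags & IMAGE_FILE_DLL)}

def find_disguised_images(root, head_bytes=4096):
    """List (path, info) for PE images under root without an executable extension."""
    hits = []
    for folder, _, names in os.walk(root):
        for name in names:
            path = os.path.join(folder, name)
            try:
                with open(path, "rb") as fh:
                    info = pe_info(fh.read(head_bytes))
            except OSError:
                continue      # locked or unreadable: skip it, keep scanning
            if info and os.path.splitext(name)[1].lower() not in EXEC_EXTENSIONS:
                hits.append((path, info))
    return sorted(hits, key=lambda hit: hit[0])

def sample_pe_header(is_dll=False):
    """Constructed header: passes the check above, is not a loadable program."""
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)
    flags = 0x0002 | (IMAGE_FILE_DLL if is_dll else 0)
    return dos + b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 0, 0, 0, 0, 0, flags)

if __name__ == "__main__":
    import sys
    for path, info in find_disguised_images(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(path, info)
```

Files it reports are candidates for a signature check, not verdicts: plenty of legitimate software ships PE images under data-style extensions.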

Movefile. Sometimes there are Hard-to-Delete Files. The file could have a handle on it that won't let you delete it, even if you are the administrator. Try renaming it. If that doesn't work, schedule the deletion for the next reboot using Sysinternals Movefile:

movefile malware.exe ""

Movefile schedules a delayed rename that is processed by session manager, the first user-mode process during the boot process.  If that still doesn't get it, go into an offline OS and clean it using a solution such as BartPE or WindowsPE or ERD Commander.

RegDelNull. There are also some hard-to-delete registry keys that have embedded nulls. To clean them, use RegDelNull from Sysinternals (note: in this example, hklm\software is the hard-to-delete registry key):

regdelnull -s hklm\software

Regrettably, Mark says as time goes on and malware designers develop more sophisticated methods, the tools he just gave us will no longer work. Eventually, you will see more malware you can't clean online and that adapts to the Standard User account.

I just hope Mark and others like him will keep trying to keep a step ahead of the "bad guys". I've said it before and I'll say it again. A sincere thank you to Mark Russinovich for attempting to keep us educated so that we can help ourselves!

Windows Sysinternals Process Explorer

Process Explorer Tutorial


Advanced Malware Cleaning

1 comment:

  1. This is a very viable way of terminating malware that are suspicious and are running actively. I recommend CC Cleaner.
