SEC 309

Advanced Malware Cleaning

Mark Russinovich
Technical Fellow, Platform and Services
Division
Microsoft Corporation
mark.russinovich@microsoft.com
About Me

• Technical Fellow, Microsoft

• Co-founder and chief software architect
of Winternals Software
• Co-author of Windows Internals, 4th edition
and Inside Windows 2000, 3rd Edition with
David Solomon
• Author of tools on www.sysinternals.com
• Home of blog and forums
• Senior Contributing Editor, Windows IT Pro
Magazine
• Ph.D. in Computer Engineering
Why Is Manual Cleaning Necessary?

• How do users get malware?

• They download apps that include adware and spyware
• They click on misleading popups or banners
• They visit sites that use exploits to inject malware
• Many users still don’t patch or don’t use antivirus or antispyware

• Why doesn’t antivirus and antispyware stop malware?

• They are dependent on signatures
• Malware directly attacks it

• Always perform manual cleaning after you’ve run available

antivirus and antispyware
Malware Cleaning Steps

• Disconnect from the network

• Identify malicious processes and drivers
• Terminate identified processes
• Identify and delete malware autostarts
• Delete malware files
• Reboot and repeat
Identifying Malware Processes
What Are You Looking For?

Processes that…
• …have no icon
• …have no description or company name
• …unsigned Microsoft images
• …live in Windows directory
• …are packed
• …include strange URLs in their strings
• …have open TCP/IP endpoints
• …host suspicious DLLs or services
What About Task Manager?

• Task Manager provides little information about images

that are running
Process Explorer

• Process Explorer is “Super Task Manager”

• Runs on Windows 95, 98, Me, NT, 2000, XP, Server 2003
• Also supports 64-bit (x64) and Vista

• Has lots of general troubleshooting capabilities:

• DLL versioning problems
• Handle leaks and locked files
• Performance troubleshooting
• Hung processes

• We’re going to focus on its malware cleaning capabilities

The Process View
• The process tree sort shows parent-child relationships
• Icon, description, and company name are pulled from
image version information
• Most malware doesn’t have version information
• What about malware pretending to be from Microsoft?
• We’ll deal with that shortly…

• Use the Window Finder (in the toolbar) to associate a

window with its owning process
• Use the Google menu entry to lookup unknown processes
• But malware often uses totally random or pseudo-random names
Refresh Highlighting

• Refresh highlighting highlights changes

• Red: process exited
• Green: new process

• Change duration (default 1 second) in Options

• Press space bar to pause and F5 to refresh
• Cause display to scroll to make new processes visible
with Show New Processes option
Process-type Highlights
• Blue processes are running in the same security context
as Process Explorer
• Pink processes host Windows services (we’ll look at
services shortly)
• Purple highlighting indicates an image is “packed”
• Packed can mean compressed or encrypted
• Malware commonly uses packing (e.g. UPX) to make antivirus
signature matching more difficult
• Packing and encryption also hides strings from view

• There are a few other colors, but they’re not important for
malware hunting
Tooltips

• Process tooltips show the full path to the process image

• Malware more often hides behind Svchost and Rundll32
• Tooltip for Rundll32 processes shows hosted DLL
• Tooltip for service processes shows hosted services
• Services covered in detail shortly…
Detailed Process Information
Double-click on a
process to see detailed
information

Image tab:
•Description, company
name, version (from .EXE)
•Full image path
•Command line used to
start process
•Current directory
•Parent process
•User name
•Start time
Image Verification

• All (well, most) Microsoft code is digitally signed

• Hash of file is signed with Microsoft’s private key
• Signature is checked by decrypting signed hash with the public
key

• You can selectively check for signatures with the Verify

button on the process image tab
• Select the Verify Image Signatures option to check all
• Add the Verified Signer column to see all

• Note that verification will connect to the Internet to check

Certificate Revocation List (CRL) servers
Windows Services
• Services can start when the system boots and run
independently of the logged-on user
• Examples include IIS, Themes, Server, Workstation, …
• Can run as their own process or as a service DLL inside a
Svchost.exe

• The services tab shows detailed service information:

• Registry name (HKLM\System\CurrentControlSet\Services\...)
• Display name
• Description (optional)
• DLL path (for Svchost DLLs)
Strings

• On-disk and in-memory process strings are visible on the

Strings tab
• There’s only a difference if the image is compressed or encrypted

• Strings can help provide clues about unknown processes

• Look for URLs, names and debug strings

• You can also dump strings with the command-line Strings

utility from Sysinternals
The DLL View
• Malware can hide as a DLL inside a legitimate process
• We’ve already seen this with Rundll32 and Svchost
• Typically loads via an autostart
• Can load through “dll injection”
• Packing highlight shows in DLL view as well

• Open the DLL view by clicking on the DLL icon in the

toolbar
• Shows more than just loaded DLLs
• Includes .EXE and any “memory mapped files”
• Can search for a DLL with the Find dialog
• DLL strings are also viewable from the DLL menu`
Loaded Drivers

• There are several tools for viewing configured drivers:

• Start->Run->Msinfo32
• Builtin SC command: sc query type= driver
• Device Manager with View->Show Hidden Devices

• Process Explorer DLL view for the System process shows loaded drivers
• Even drivers that delete their image files
• Same path and version info as standard DLL view

• Simply identify them now

• Usually they’re not stoppable
• Delete their files and autostart settings later
TCPView

• Look for suspicious network endpoints with TCPView

• You can do this by looking at the TCP/IP tab of each process, but
that’s slow

• TCPView also uses refresh highlighting

• TCPView includes a “close connection” capability
• …but you should be disconnected from the network
Terminating Malicious Processes

• Don’t kill the processes

• Malware processes are often restarted by watchdogs
• Instead, suspend them
• Note that this might cause a system hang for Svchost processes
• Record the full path to each malicious EXE and DLL
• After they are all asleep then kill them
• Watch for restarts with new names…
Cleaning Autostarts
Investigating Autostarts
• Windows XP Msconfig (Start->Run->Msconfig) falls short
when it comes to identifying autostarting applications
• It knows about few locations
• It provides little information
Autoruns
• Shows every place in the system that can be configured
to run something at boot & logon
• Standard Run keys and Startup folders
• Shell, userinit
• Services and drivers
• Tasks
• Winlogon notifications
• Explorer and IE addins (toolbars, Browser Helper Objects, …)
• More and ever growing…

• Each startup category has its own tab and all items
display on the Everything tab
• Startup name, image description, company and path
Identifying Malware Autostarts
• Zoom-in on add-ons (including malware) by selecting these
options:
• Verify Code Signatures
• Hide Microsoft Entries

• Select an item to see more in the lower window

• Google unknown images
• Double-click on an item to look at where its configured in the Registry or file
system

• Has other features:

• Can display other profiles
• Can also show empty locations (informational only)
• Includes compare functionality
• Includes equivalent command-line version, Autorunsc.exe
Deleting Autostarts

• Delete suspicious autostarts

• You can disable them if you’re not sure

• After you’re done do a full refresh

• If they come back, run Process Monitor (or Filemon and
Regmon) to see who’s putting them back
• You might have misidentified a malware process
• It might be a hidden, system, or legitimate process
Rootkits
What’s a Rootkit, Anyway?
• Hoglund and Butler write in “Rootkits: Subverting the
Windows Kernel”:
A rootkit is a set of programs and code that allows a
permanent or consistent, undetectable presence on a
computer.
• My definition:
Software that hides itself or other objects, such as files,
processes, and Registry keys, from view of standard
diagnostic, administrative, and security software.
• Hoglund’s revised definition from Rootkit.com on February
4:
A rootkit is a tool that is designed to hide itself and
other processes, data, and/or activity on a system.
The Evolution of Malware
• Malware, including spyware, adware and viruses want to be
hard to detect and/or hard to remove
• Rootkits are a fast evolving technology to achieve these goals
• Cloaking technology applied to malware
• Not malware by itself
• Example rootkit-based viruses: W32.Maslan.A@mm, W32.Opasa@mm

• Rootkit history
• Appeared as stealth viruses
• One of the first known PC viruses, Brain, was stealth

• First “rootkit” appeared on SunOS in 1994

• Replacement of core system utilities (ls, ps, etc.) to hide malware processes
Modern Rootkits

• Rootkits can hide virtually anything:

• Processes
• Files, directories, Registry keys
• Services, drivers
• TCP/IP ports

• There are several types of rootkit technology:

• User-mode hooking
• Kernel-mode hooking
• Code patching
• Hiding in other processes

• www.rootkit.com is the primary rootkit forum

Example Rootkit Cloaking

Explorer.exe,
Taskmgr.exe Winlogon.exe Ntdll.dll
Rootkit

user mode
kernel mode
Explorer.exe, Malware.exe, Winlogon.exe
 Rootkit Detection

• All cloaks have holes

• Leave some APIs unfiltered
• Have detectable side effects
• Can’t cloak when OS is offline

• Rootkit detection attacks holes

• Cat-and-mouse game
Rootkit Detection Types
• Three classes of rootkit detection:
• Signature based
• Microsoft Malicious Software Removal Tool

• Anomaly detection
• System Virginity Verifier: http://www.invisiblethings.org/tools.html
• GMER: http://www.gmer.net/index.php
• IceSword: http://www.xfocus.net/tools/200509/IceSword_en1.12.rar

• Cross-view comparison
• F-Secure Blacklight:
http://www.f-secure.com/blacklight/
• Sysinternals RootkitRevealer

• Use more than one tool!

RootkitRevealer
• RootkitRevealer (RKR) runs online
• RKR tries to bypass rootkit to uncover cloaked objects
• All cross-view detectors listed do the same
• RKR scans HKLM\Software, HKLM\System and the file system
• Performs Windows API scan and compares with raw data structure scan

RootkitRevealer
Filtered Windows API
omits malware files and keys Rootkit
Malware files and keys
are visible in raw scan
Windows API

Raw file system,

Raw Registry hive
RootkitRevealer Limitations

• Rootkits have already attacked RKR directly by not

cloaking when scanned
• RKR is given true system view
• Windows API scan looks like raw scan

• We’ve modified RKR to be a harder to detect by rootkits

• RKR is adopting rootkit techniques itself
• Rootkit authors will continue to find ways around RKR’s cloak
• It’s a game nobody can win

• All rootkit detectors suffer the same vulnerability

Local Kernel Debugging

• Windbg supports “local kernel debugging” (LKD)

• Works like standard kernel debugging which requires two
computers
• Requires Microsoft Debugging Tools For Windows (free download
from Microsoft)
• Can examine kernel structures of a live system
• Supported on XP and higher including 64-bit

• For NT 4 and Windows 2000 use Sysinternals’ Livekd

• Both require matching kernel symbols
• Use Microsoft’s symbol server (documented in help file)
LKD Rootkit Hunting

• List running processes and compare with Process Explorer:

!process 0 0
• List loaded drivers and compare with Process Explorer:
.reload
lmkv
• Look for kernel hot-patches:
!chkimg -d nt
• Dump the system service table and interrupt dispatch table
(IDT):
dd kiservicetable
!idt -a
Finding and Deleting Malware Files
Sigcheck

• Scan the system for suspicious executable images

sigcheck -e -u -s c:\

• Look for same characteristics as suspicious processes

• Be especially wary of items in the \Windows directory
• Investigate all unsigned images
Deleting Hard-to-Delete Files

• Files that are open or mapped can’t be deleted

• Find owning process with Process Explorer search
• Terminate the process and delete the file

• If you still can’t delete it (it might be protected by a driver or

system process):
• Try renaming it
• If that fails, schedule it for deletion at the next reboot with
Sysinternals’ Movefile:

movefile malware.exe “”

• If it still won’t go away, delete it from an off-line OS

Deleting Hard-to-Delete Registry Keys

• Watch for key security

• Some antispyware tools don’t report access-denied errors
• Use Regmon to check for errors
• Use Regedit to change security permissions

• Some keys have embedded nulls

• Can’t be open with standard tools like Regedit
• Use Sysinternals’ Regdelnull:

regdelnull hklm\software

• As a last resort use Regedit in ERD Commander

Summary and the Future
Malware Cleaning Steps

• Disconnect from the network

• Identify malicious processes
• Terminate identified processes
• Identify and delete malware autostarts
• Delete malware files
• Reboot and repeat
The Future of Malware
• We’re already seeing trends:
• Malware that pretends to be from Microsoft or other legitimate
companies
• Malware protected by rootkits
• Malware that can’t be cleaned on-line

• Cleaning is going to get much harder

• Targeted and polymorphic malware won’t get AV/AS signatures
• Malware can directly manipulate Windows structures to cause
misdirection
• All standard tools will be directly attacked by malware
• There will be more un-cleanable malware
• Malware will adapt to a limited-user environment
The Bottom Line

•
Be careful what you run!
References

• Mark’s Sysinternals Blog: www.sysinternals.com

• Sony, Rootkits and Digital Rights Management Gone Too Far
• The Antispyware Conspiracy

• www.spywarewarrior.com
• www.rootkit.com
• Windows Internals, by Mark Russinovich and David Solomon,
Microsoft Press
 Summary
• Thanks for coming!
• Please fill out your evals
© 2006 Microsoft Corporation. All rights reserved.
This presentation is for informational purposes only.
MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS SUMMARY.