License to Kill: Malware Hunting with the Sysinternals Tools

Captions
morning everybody all right lots of parties last night I take it let's try that again got lots of parties good parties cool well good morning much better welcome to malware hunting with the SIS internals tools my name is mark russinovich and this morning i'm going to take you on a tour with the system kernels tools for analyzing and cleaning malware off of systems and this quote nicely summarizes the whole motivation for this presentation which the sad fact is that a significant percentage of malware that people are running into today is not detected by antivirus and that's because the antivirus companies need to find the malware and analyze it and then generate signatures and then push it out so there's a lag between the time that the virus appears and wild and the time that you get it cleaned you can see this is from a google report that just came out a few weeks ago where they've got a technique that uses reputation based heuristics to identify malware and they sampled 10,000 pieces of malware they found just sitting out on the web and found that less than 40% of the binaries were detected at the time they found the binaries by major antivirus engines so this is really the reason for why you might need to use the system's rails tools to go clean malware off a system or analyze it how many people by the way have been infected by malware at one point or another Wow okay how about your family members have you cleaned malware for family members how about how many people are here today because you've got Malware right now anybody yeah I'll clean that off for you if you let us see your browser history [Applause] so what I hope to get across in this talk is to show you some tools and techniques for going about determining if you've got malware figuring out where that malware is what it's doing on your system and then cleaning it off the tools that I'm going to show you our tools that are used by professional antivirus researchers as well actually but they use them in 
the context of a kind of first phase reconnaissance of an infection where they'll use the tools to get an idea of how the malware operates and then use other tools like debuggers disassemblers tracers to go and dig deeper so that they can find the signatures but just with the information I'm going to give you here as you'll see with the demonstrations I have you'll be able to clean or detect malware of the most common types in fact I've got samples of some of the most common types now there's antivirus solutions out there on the market here's one it's called sysinternals antivirus I think I'm kind of I don't know how to feel about these kinds of things proud or dismayed or disturbed but there's a antivirus engine called sis in there in sysinternals antivirus and don't use it because I didn't write it and it's really not very good because it's actually malware and what really pisses me off about this thing is they don't even link to sysinternals so the steps that I've got here for cleaning malware off the system are the steps that I came up with Mac in 2004-2005 timeframe and back then malware was operating quite differently than it is today and or large segments of malware anyway back then malware was just infesting systems with adware spyware crap popping up everywhere downloading tons of spyware so you'd have these fight word downloaders and they'd make the system's boot really slowly and take forever to log in and have popups everywhere very noisy types of malware and the formula that I came up with was first disconnect from the network and the reason that I came up with that is because of these downloading pieces of malware I'd start cleaning and analyzing a system and the downloaders would start pulling down more malware while I was in the process of cleaning and so I couldn't keep up with what was going on so disconnecting from the system would stop the malware from the system from getting reinfected or infected with more malware but another reason why even 
today with the more stealthy kind of malware that doesn't do this kind of pulling down stuff actively is that if you detect malware on a system you want to disconnect it from the network so that you can stop the exfiltration of data off the system so you've already probably losing data you might lose more of it so disconnecting from the network is one of the steps in the process next this is the reconnaissance phase what is going on with the system obviously you've detected some symptoms somehow so you've seen rogue network traffic coming off this thing you might have seen a pop up app don't launch is to identify which processes are potentially malicious and then once you've identified them and have some confidence that you've done to find them then terminate them so get them out of the way so that they're not active and interfering with the rest of the cleaning process then find them places how they Auto activate delete those and then go delete the files just as a final precaution in this process it's not necessary going to be a complete process you're not necessarily going to identify everything all aspects of the malware so this is why I go as far as saying delete the malware files even after you deleted the activation points because in the worst but you know in the best case you're just cleaning crap off your computer in the best case you might be breaking malware that you haven't completely cleaned so if you left the files there it might still be operable but you're deleting whatever you see could you know disable it and then finally you might have missed something there malware might be coming back so rinse lather repeat so reboot the system look for the symptoms that you saw the first time and if your if you don't see them you might be good to go now I want to make a clarification point here because a lot of people have this philosophy of if you have malware on a system wipe it that's just security 101 they say wipe the system don't try to clean malware off 
it I have more of the principle of let's be pragmatic about if you can have some confidence that you've identified the malware then clean it off especially in the case where you might have your mom with you know tons of stuff on her system and if you've got a good idea that you clean the malware off better save the wiping of her system and everything that she's got on there rather than face the wrath of your mom now and I know that even big companies follow this approach they'll have a couple of domain controllers for example infected with malware and the cost of flattening those domain controllers basically rebuilding the domain is so high that they will rather have experts come in and say yeah we're confident we understand it and wipe it how many people have worked at a company where you had a domain controller with malware on it let's see anybody anybody nobody all right oh there's one person over there and did you flatten your domain no what I was just kidding no I'm just no that's okay all right let's talk about identifying processes first and again this is a list that I came up with four characteristics that identify malware again back in 2005 processes that have no icon in their image that have no description or company name in their version information so they're kind of anonymous they're they say that they're from Microsoft but they don't have a valid digital signature which I'll explain what that is in a minute they live in the windows directory or the user profile as opposed to the common place where most programs at least pre-modern phase got installed in the Program Files directory or they're packed which means compressed or encrypted I'll talk more about that later they include strange URLs in their strings or their have TCP IP IP em points open to Russia or China or they have suspicious dll's hosted within them so they're a benign process that's a host carrying malware this list of characteristics I thought would be obsolete in a few years after I 
came up with them but it turns out the kind of a sad state of situation is that most malware still identifies itself by meeting at least one of these criteria in fact many and you'll see the examples that I show you today almost all of them exhibit more than one of these and if the sad fact is that they don't need to do things to take themselves off this list because it's so easy to spread and still easy to stay kind of hidden in plain sight with this that they don't need to they're going to do the bare minimum of work how many people debug or look at systems with past manager wow that's a it's a bold admission in assist internals talk because first of all it you're kind of walking through a room blindfolded when you're using task manager but second I've got a better tool that I'm going to show you it's called process Explorer some people call it super task manager it has lots of troubleshooting capabilities in fact that was my original goal with this was to help you debug DLL problems file lock problems the hung process problems and in fact I've got a session this afternoon which is all about using process Explorer for those scenarios but what I'm going to focus on here is its malware cleaning capabilities let's pull it up on by the way this this is not a disclosure this is what blue would look like if you installed a third-party Start menu so just go back here oh by the way want to mention system kernels tools if you haven't been on the site website your sysinternals tools website where you can download the tools I actually updated some of the tools that I'll show you today autoruns insig check this week and there's a tool that i'm going to be using called zoom it here and the reason that I was playing Daft Punk how many people like Daft Punk by the way yeah the reason I was playing Daft Punk is if you listen to the beginning of the song except crash appended melt upgraded your authority resume it there you go shoutout from you hurt I sent an email thanking him 
for that but he hasn't responded must be busy anyway so back to process explorer and the process view which looks a little bit different than a test managers view the first thing you can see is it's a tree structure which shows you the parent-child relationship of processes and for example you can see that down up up here in this section the child's of this service host process this service host process is going to be the background tasks infrastructure service this is where you're going to see it now Windows 8 when you launch modern apps they're going to be a child of this thing but for the most part what you'll see is that the parent-child roosters we can tell you something about a process because every child of services eggsy the service Control Manager is going to be hosting a window service which I'll talk more about later so in the case of malware it will show you for example if you see malware as a child of another process that that parent process might be infected with malware itself you also see these colors besides the icon information that I mentioned the description the company name all pulled from the version resource you see colors first colors you'll see are these blue rows and the blue rows those are special kinds of processes those are anybody boy processes no those are not boy processes those are processes running in the same security context this process Explorer the pink processes are hosting windows services the white processes are anything that doesn't match any of the other filtering criteria and the blue processes are ones that are called immersive or modern they're able to operate both in the old world and the new world we come down here and you'll see that there's another couple processes here in a dark purple color and I'll explain what that is shortly one of the things you can do when you see a pop-up is use the window finder which is up here to identify the owning window so if I'd say who's the taskbar owned by it takes me and says 
we'll explore it us this is a way if you've got a pop-up you don't know which process is coming from it you don't see any that looked like malware you can figure which it is and there's also a right-click search online which has been adopted by the windows 8 task manager and the search online will do a search with your favorite search engine oh yeah with your favorite search engine and show you information about those processes now the thing is a lot of times that doesn't work anymore because malware either picks random or pseudo-random kind of names and so they will the searches won't come up with anything that in fact almost tell the mayor where we see these days does that there's also refresh vomiting so some other colors you might see are if I create a process like notepad you'll see notepad no I don't know what came up there and let's close that let's do notepad and down here what showed up in Green was notepad and when I terminate notepad it'll show up in red there's a problem with that refresh though is that it's short it's a refresh based it's every second and so if you run a short-lived process like ipconfig there it caught it actually ipconfig spew so much stuff now it's almost inevitable that it'll catch it okay never mind oh that that time I didn't catch it so you'll see that processes that live between the refresh rate won't get caught and I'll show you how to to catch those later there's also tool tips the tool tips can be useful for looking inside of processes to see what's hosted within them so I mentioned that the windows service the service processes the ones that are pink are hosting things and I already showed you the background process launcher that you have tool tips here on there on these if I had a decom launcher you would see a child of that which should be the become server if I had a run DLL 32 which I can create by running launching a control panel applet I do the window finder to see who this is and then it's a run DLL 32 and you'll see 
that the process is this run DLL 32 target time date CPL so this is a way to look at inside of a process quite conveniently a lot of malware hides itself in REM DLL 32 there's some think features that are new one is a Timeline view the other one is an auto start location view I'm not going spend time on those here because I'm going to focus on a different way of looking at honest arts but this is something to be aware of just really quickly how does Explorer get launched if I go look at its Auto Start its configured as Wind logon shell and that's why it gets launched when you log in and so you could go change that if you wanted to which malware we've seen does occasionally you want to look a little more detailed at the process double click on it and by the way there's a process here that is a little fishy because it is sitting here and it's purple you know talked about coming back to the purple color and I mentioned pact earlier purple is process explorers highlight color for a process that looks packed or encrypted and the reason that processes are packed are encrypted is typically not always that it's malware that is using obfuscation techniques where it will load into memory and unroll itself the reason it remains compressed encrypted on disk is that it makes it harder for antivirus engines to get reliable signatures for them because they'll use different encryption techniques or compression every time they get generated and we've got a couple of those here these windows processes and if we take a look at them they're not matching any of the other criteria that we've mentioned well actually maybe a few let's see the command line or in the path show that it's sitting in the windows directory but this does got a kind of a legitimate window sounding name win host it says it's from Microsoft so the really the tell kind of clues here suspicious clues are that it is purple so we're gonna dig into that a little bit more closely by taking a look at its signing status 
which you can do here let's talk about signing almost all Microsoft code is digitally signing most third-party code these days is digitally signed so when you see something that's from Microsoft you can go to the process Explorer and say verify and this will update the signing status up here which in this case says no signature was present and the subject there is no valid digital signature on this which is another big clue that this is probably malware that's masquerading as as a Microsoft process like I mentioned you can see the auto start location here this is configured in the run key so that's a convenience there that will show you that this thing is configured to auto start but there's other ways to look at the digital signatures too and when I clean malware off the system what I'll do is say very select all verified signers here add that as a column and then go to options verify image signatures and what process Explorer will do is check the digital signatures on all the processes so this is then I sort and I see down here that I do have some processes zoom it for example the test versions of sis internal tools as well as these windows that are not digitally signed so those are the ones that I would potentially go and take a closer look at note some people say hey when when I'm running process Explorer like this or auto runs I see connections to the Internet what's going on this is checking for the revocation of digital signatures which is done automatically by the signing engine so you will see that reaching out to a kril or certificate revocation list servers to see if those have been revoked and there been examples several over the last few years a malware being signed with digital certificates legitimate ones that had to be revoked and that you wouldn't didn't know that those signatures were revoked if you're disconnected from the network so this is a downside of disconnecting from the network what I also do when I'm scanning a system for malware is run 
a tool called SiC check another sysinternals tool SiC check is just a tool that will show you digital certificates and the way that I run it on a system is to use the dash S which is the recurse switch the dash II which says look at anything that is executable no matter what the extension because we've seen many examples of malware that will give itself a jpg extension or a dot txt extension to hide but it's really an executable image inside and this will ferret that out and then you too so only the unsigned executables well let me do this without the - s and the only one that I find in the windows directory is windows now I found other things here unfortunately in the GAC and the GAC is a place where I have I've been suspecting malware to place itself to hide with all the unsigned images that go in the GAC over time I mean there's no it's a hive of scum and villainy in there in the GAC and it's a great place to hide but I haven't seen anybody take advantage of that yet so any way that I would check the windows directory in the windows system32 directory with those switches as well as the Program Files directory strings as a utility let's talk about strings if you've got a process that's suspicious another way you can take a deeper look into it has come to the process view and go to the strings tab this will show you printable strings inside the file one of the problems with this though is that if the image is packed or compressed then you'll only be seeing the strings that are in on disk image which will be garbage that's where this memory button comes into play which will show you the strings in the image as it's mapped into RAM so this is how this process is unfolded and then what you want to do is look for suspicious URLs there's one right there so this is actually processes shaping up to be quite suspicious at this point and I think we can confirm that it is probably malware finally there's another view of the DLL view which when malware is hiding inside of a 
legitimate process what you'll what you can do is open up the lower pane with the control D view you can add the verified signer column to that as well and check for unsigned images in processes that are hosts and you can see that well the executable image itself is considered a DLL in the case of process Explorer and that's where another tool called lists dll's lists dll's from sysinternals - you star will dump any unsigned dll's in any process that it has that it's running so it didn't find any at this point finally now that we've identified that Wynn host it looks really suspicious what do you do kill it right no that's inhumane put it to sleep first now the reason that I've got that advice it comes from I haven't seen this in a while but four or five years ago I saw it quite a bit the buddy system was in play watch when I try to kill this Wynn host right here what happens and let me turn on the refresh rate the highlight duration so that we can see this thing let me kill this guy this one I've got actually a few of them up and then another one pops up and if I kill this one another one pops up so these are using what what I call the buddy system one is watching it the other guys back and if any of them good if the other one goes down he's gonna revive him he's gonna go take over the paddles and zap him back and so it becomes very hard to go cleaning the malware off a system when you've got this buddy system in play but you can suspend them put them to sleep so I'm going to suspend all these guys and now there's four of them and at this point actually sort by this now I simply I love love the sound of that new Bell [Music] love is in a sarcastic kind of love so now we've cleaned up the active processes we're ready to move on to Phase two cleaning the auto start locations for this piece of malware so that it doesn't come back how many people use ms config to go cleaning off auto starts lets you see raising hands so I'm surprised that you'll raise your hands after 
I made fun of you the first time ms config now I have to say though there's been a tremendous amount of work done on ms config in Windows 8 have you used it anybody used to win Miss config let's go take a look so we've got the the general tab that looks the same here let's go to startup and check it out what wow so tremendous amount of innovation and reimagining here in ms config what I'm going to do is use a different tool called Auto runs and this is another system Eternals tool let's run Auto runs and by default it's going to scan my entire system and show me all the files that are configured to auto start or load inside of processes like Explorer or Internet Explorer or Windows Media Player or whatever the media player modern ones called and what I want to do and this is going to take a while because it's actually reaching out to group policy settings scripts that are on Microsoft's Corp net and I'm not connected to the corpnet right now so you can see here's one this be deploy script here what I'll do to kind of get rid of the noise let me press escape and see if I can get control of this thing is the network behaves with me okay we had to wait for those threads to clean up and I'm going to say hide Microsoft entries and verify code signatures you can also see all the places auto run load spice it's checking that but with this I'm going to filter out anything that is Microsoft that is digitally signed and at this point I see things that aren't in showing up in red images that don't have valid digital signatures and in any images that are not Microsoft showing up just as white and the things you're going to want to look for are of course the red things anything that's yellow means that prata ones can't find the image so these generally aren't bad in fact there's some just locations built into Windows where there's kind of orphaned pointers off to things that aren't there so not not need to be too concerned about those for those that are showing up though and by 
the way there's different ways to look at this like here's the log on location here's one the Windows host run that we saw and what you can do at this point is take a look at when it was made so I made this a while ago you can see that's version information you can jump to the location in the registry where that's configured you can jump to the file system location you can search online for it or you can look at the properties for it now what I'll do at this point is uncheck it and that basically disables it there's a few more things that I want to point out with Auto runs disabled to do is its able to scan offline systems so you can load registry hives of a system say boot off of windows to go for example or connect a external drive and then point autoruns at the root windows directory and you will can scan it for auto auto starts and do your cleaning from there you can also scan other profiles on the same system so if you've got that situation where it's a standard user account that's been infected you've got another admin account that hasn't been you can do the scanning of that standard user account from the admin account to clean the malware off this and there's a couple new features I'll mention here briefly one is that I added a timestamp column in about a month ago so now I'll show you the last modified time for the entries which can be useful in the scenario where you believe that you got infected just in the last few days now you can go look at timestamps and see if those correlate with the activity that you've met correlating with the malware also there's an auto runs C tool that I'll mention this is if you're running in a corporate environment other ones see you can have it scan the same way that auto runs does with the same filters and you can even have it print out in CSV format so that you can scan your corporate networks regularly pull them up into Excel dump them into sequel or whatever and be looking across your network to see if you've got 
suspicious Auto starts showing up on your domain controllers I mentioned delete the auto starts this is just troubleshooting 101 try not to do things you can't undo because you never know if you're gonna make a mistake and go oh crap I shouldn't have done that if you just uncheck vs. delete then you're able to go and undo it sometimes things come back so that's we're going to use process monitor to trace activity how many people have used process monitor so quite a few of you process monitor makes Network tracing or system tracing relatively easy in fact I've got a slogan it's called when in doubt run process monitor it's actually Dave Solomon came up with that let's say it together when in doubt run process monitor okay you're not very good at it yet that will work on that and let's just take a quick look at what we see time stamps process name with the tooltip that shows us version of version information operation path the result of the operation and in special information over here in the detailed columns about the operation we're going to spend some time looking at real malware so I'm not going to take a close look at that but just highlight a few of the features by the way when my daughter comes home from school with homework questions I have a run process monitor first there's process properties if I double-click on this it looks a lot like process Explorer not unintended n't so we see the path the command line parent process ID start time and integrity here's the start time and the list of dll's that are loaded into it filtering is a key kind of technique mask that you should master as you use process monitor to get rid of all the noise and focus on the things you want to focus on and there's lots of different ways to do filtering like I can just right click on a particular entry row column and say filter by that include it exclude it highlight it copy it to the that pet road to the clipboard exclude items before this exclude items after this so if I save 
this and then I can click on the filtering icon and do more complex filtering up here like company is contains and then say anything from Lenovo for example I could do filters for that so lots of different ways to filter the filter that's most useful for looking at a situation where you've got malware reinfecting machine or you've got an example where you can watch what how a malware infects the machine is category is right category is right will only show you modifications to the system so we see that Explorer is doing some modifications to the user assist count registry value and it's updating it with some information there so you can see there's typically not a lot of modification activity going on the system but if you've got a malware infection you're going to see that being impacted as we'll see shortly the last thing I want to talk about for process monitor before we move on is the process tree it looks a lot like process explores process tree except with a nice cool difference and that is that sees everything so if I do a short live process like IP config which might not have been captured in process monitor process Explorer I can go down and see it right there in other words they can run but they can't hide from process water all right so enough preamble so I've kind of introduced you to the tools with some pseudo malware that I've created that I'm quite proud of to get the feature feel for the capabilities of process monitor for auto runs and process Explorer let's take a look at some real cases now I've got a bunch of real cases the first one is a piece of live scare where called winweb sac and I picked this one because if you look at this from the latest Microsoft security incident security intelligence report you'll see that when it comes to scare we're a wind web sack is still currently the second most prevalent piece of scare where and it's been the most prevalent up there floating around for several years now as really impacting people if you go to 
this link down here which I've got opened up in the browser where did the browser go I didn't mean to do that then you'll see that winweb sack comes with a whole bunch of different aliases so it's one of those antivirus and scare where engines that skinned and that's the way sysinternals antivirus is also skin off an engine like this let me pull up let's get winweb sack ready to go this will come up in a second here and when it does I'm gonna launch winweb second I'm at a half process monitor watching and we're gonna see how this thing more aggressively takes over the machine over the next few minutes as I try to use the machine [Applause] okay connecting and so what I'll do is launch it right now and it's going to install our lunch process Explorer and I'll launch Auto runs and so it's letting me run these things right now as it starts to scan my system and it's gonna believe it or not on this clean windows 7 install find a lot of malware believe it or not it's gonna get wound up here in a second okay I promise Ericka's let's take a look at what it's finding while it's climbing it and I'm not sure why we're having these hiccups here because normally it just blasts on through I'll keep my focus all right let me try this I'm trying to zoom in for you here we go and let's see what it's found KBD its found trojans its found though table that's one that you might have heard of netsky another one it's found nslookup oh that's a really bad one a ping that's even worse so you'll see that it's just making crap up here at this point and i think you know these guys have a sense of humor when they write these things and so let's say you know what I'm done I'm convinced stop you're scaring me well 23 infections found can lead the system crash two slowdowns but you know what I don't really mind those things I kind of live with them on a daily basis anyway so I'm gonna continue unprotected are you sure yes I'm sure well at this point it's gonna start to get unhappy with me yeah 
because I'm not buying into the thing. Oh, like, oh, you better turn on virus protection. Windows is now bothering me: turn on now. No, I don't want to. Oh, there's no close button on that. Oh, by the way, let's see who's launching this. It is this thing down here, which is a piece of malware. It exhibits the characteristics we talked about, a lot of them anyway: it has no description and no company name, and it's sitting inside of the user profile instead of in the places where you'd expect to see it, in the Program Files directory. And the reason that malware is sticking itself in these user directories now is because they don't need admin rights to write there, and so malware is becoming more and more standard-user friendly. Well, so let's say that I, you know what, I'm just going to move this out of the way, I don't care about it. But at this point it's gonna get really irritated with me and launch Windows Update. No, that's not what it's supposed to do. It is going to come up on there, it tells me calc is infected with something, and at this point my machine becomes completely unusable and I'm forced to do something about it. Unfortunately, in this case, we're not able to run Autoruns even.

So let's go take a look at how we'd clean a system like this, and the technique we're going to use is to boot into safe mode. How do you boot into safe mode on Windows 7 machines? In prior versions it's as simple as rebooting the machine, pressing F8 and saying safe mode. On Windows 8 it's this big dance of going through PC Settings and General and startup repair, and then picking: no, I really want to repair, no, I really want to do an advanced thing, and out of those advanced things I want to do safe mode. So there's another way to do that, and that's just create a Windows 7 USB key and then boot that off the system, or Windows 8 Windows To Go, and do it offline. Booting Windows 8 into safe mode is an IQ test on its own, so I generally try to avoid it. But now we're booted to
this. That's not safe mode, what happened here? Reboot. Oh, what I've done here is, before the system comes up, what is happening is that this thing actually doesn't write itself to the autorun key, so if we'd run Autoruns we're not going to be able to even see it write to any key. But when we reboot the machine it's going to come right back, and the reason that it comes back is that it is actually putting itself, whoops, continue, I'm protected, yes, it's putting itself in the RunOnce key, and it's putting itself in the RunOnce key here, and as you can see, RunOnce on its shutdown. And the way that I captured this is I did a Windows, Process Monitor, great, new database update, did a Process Monitor boot log. So if I enable boot logging, what Process Monitor is going to do is install its driver, capture this shutdown, capture the startup, and then what I'll do is save the trace, load it up and see exactly what the malware did during the system startup and during the system shutdown, and that's how I captured this fact that it is writing itself to the registry during shutdown. So it's a case where Autoruns wouldn't have shown us anything, but Process Monitor will tell us how this thing is getting activated with the RunOnce key. It turns out that that is enough for me to know how to clean this thing off. Let's say that I didn't know where this thing was and can't delete the file for some reason. It turns out the malware is as easy to clean off the machine as rebooting the machine before it shuts down, because it doesn't get a chance to do its clean shutdown and write itself. An example of how malware is being even more stealthy by not persisting itself while it's operating, so that when you're going to analyze the system it's not going to show up. So killing this thing is as easy as rebooting into safe mode and terminating it from there.

And let's take a look at a customer's, at somebody else's real example of rebooting into safe mode and cleaning malware off a system. This is a
case of a friend asking a friend. How many people have been asked by somebody like, hey, come over, let's have a barbecue and a beer, oh, by the way, you want to check out the kitchen PC? Oh, I'm going to show you some cool pictures, oh, I can't because of malware, or maybe you could help me clean it off. Now this is an example of that, where the friend has the friend look at it, and it's obviously infected with a piece of scareware very similar to what we just saw. The user tried running Process Explorer and Process Monitor but it was blocked, just like what we saw, that malware blocking processes. They tried going to sysinternals.com to see if there was something that could run, and even sysinternals.com was blocked. Now when you can't reach sysinternals.com, I say you give up on the PC. That's all they got right there, it's just not worth using anymore. Now actually you can boot, what they did is boot into safe mode, and when they booted into safe mode they ran msconfig, saw nothing unusual. So this is actually a view of safe mode and how safe mode doesn't show you a lot of locations that Autoruns does. They loaded up Autoruns, and I've got that file here, and when they pulled it up it stuck out like a sore thumb. There it is, randomly named, sitting in the RunOnce key just like we saw WinWebSec create, sitting in ProgramData, the root of ProgramData, so this one did have admin rights. But cleaning this thing off then was as easy as unchecking it, and they rebooted and the malware was off the system.

There's more aggressive forms of scareware now, ones that actually make it look like law enforcement is after you. So let me pull one of these up. I've got some examples of screenshots of this new kind of scareware. Look, there we go, comply. This one right here, it's so bold that it even asks you to elevate it to admin rights, yeah, and I think that my mom would probably click yes. This one says we have detected spam, and this is the one that
gets people, because at this point they're like, really, you know what, I don't want to take the chance that I might have it on my system, because if I go to law enforcement or take it to Geek Squad or whatever and they find that stuff on there, then who the hell knows what kind of legal crap I'm going to be dragged through, so let me go ahead and pay this thing off to get this thing off my system. Here's another one going around Germany. Here's another one. Here's one that makes you buy something first. And here, look, they've even internationalized themselves. Here's another one in Russian. Here's another one from the FBI, the FBI asking for your MoneyPak payment, it's a little suspicious. The Department of Justice, they seem to like MoneyPak a lot, and by the way, you can get them at your finer Walgreens, Kmarts and so on.

Let's go back to the one that I've got here. It's called LockScreen, LockScreen CT, and what this is going to do is, it's not even the scareware type, it is the we've-taken-control-of-your-system-and-it's-hostage type. Here it is. At this point I can't do anything. It looks like the Start menu is there but I can't touch it. The only things I can do are enter an unlock code that I've got to go pay for, and launch a program like Explorer or Internet Explorer, boom, it disappears. I've got a second desktop running here with Process Monitor watching what's going on, and Autoruns as well, and I can't interact with them, because this thing has created a little window for the mouse that is exactly where that little entry dialog is, so I can't click anywhere. You can see I can click here, watch this, I can't click on that. If I press Windows key M then I can minimize everything, and you can see kind of the boundary box right there, there it is, where I can draw. But what I can do is take a look at what we see in Autoruns, and I also can open Process Explorer, and there's LockScreen. It shows up with the purple highlight right there. It's got a Russian name, it's got a Russian
description, it has no digital signature, and what Autoruns shows us is this sitting there in a couple places: Winlogon Shell and the Run key. The problem now is that obviously I can't clean these things off, because it's going to stop me from even running anything, so the only way that I can clean it is to boot into safe mode. There's a few different types of safe mode: there's vanilla safe mode, safe mode with networking, and safe mode with command prompt. Don't use safe mode, the vanilla one, and don't use safe mode with networking. The reason why is that this malware puts itself in places that those two safe modes will execute anyway, because those use the shell, so for example this Winlogon Shell right here gets executed. Safe mode with command prompt will skip the shell-oriented, the shell auto-starts, so that's the one that you'll be able to clean the system off with. And I've got LockScreen right here booted into safe mode with command prompt, and you'll see at this point I can launch Autoruns and it'll come up and show me the exact same thing that I just saw Autoruns show by cheating on that second desktop. Desktops is a Sysinternals utility, and there they pop up. Now these are the Sysinternals tools that are debug and unsigned, and at this point I can clean the system like this and then go delete those files, and I'm done with that ransomware.

Here's another example of a real piece of malware. This one is what I call the case of the runaway CPU. This is a user who actually sent me this case. They noticed that their fan, so they've got this monster, you know, tower under their desk at home, and they noticed that the fan is out of control, it's really loud, it's like what they get when they play a game that's very graphics intensive, and so they're like, that's funny, I'm not doing anything on the system, it should be idle, why is the fan on? They launched Process Explorer, and they suspected that it might be the GPU, because the only time that
they ever hear the fan spin that loudly is when they're playing a game that's GPU intensive. Process Explorer has GPU support in it. There's a GPU column up here, right there, and if I run something that's GPU intensive you'd see these things spin up. I can also add the GPU columns like this person did, Process GPU here, GPU Usage, and I see a little bit of GPU activity from DWM down here. Where'd it go? DWM. And if I do things like move this around a lot, that's gonna generate some more usage. Where'd it go? It's running away from me. A little bit of usage anyway. And what they noticed when they ran it is that there was a lot of GPU usage down here by this thing, java av sked.exe, 900 percent of the GPU, no description, no company name, looks very suspicious. So they killed the process, and the fan stopped. How did the process get launched? So they looked at the binary, they uploaded it to VirusTotal, and VirusTotal said this thing was a Bitcoin miner. How many people mine bitcoins in here? Nobody? A few people. But Bitcoin is this currency system that is kind of open right now, everybody can go generate their own coins by performing these complex hash algorithms on your hardware, your CPUs or your GPUs. The malware was still active even though they terminated that process, there was still something active, so they couldn't run Autoruns. So they opened the registry and went to CurrentVersion\Run, where they were hoping they'd find something, and sure enough they found this sitting here, something sitting inside of AppData\Roaming\SysTweak, something called Tweaker, which, again, sounds potentially legitimate. They deleted this auto-start location and the problem was solved.

I've got an example of a real Bitcoin miner piece of malware. It's called Vicenor, and it's in my store, and if we go take a look at the Microsoft report for Vicenor, it says it's a family of trojans that uses your computer without your consent to generate a specific digital currency, bitcoins. Notice what
malware authors are doing now: instead of taking you ransom and making you pay something, they're using your computer to generate money for themselves, because anybody can go generate these bitcoins, and all you have to do is configure what Bitcoin account the GPU usage should be counted towards, and so the malware downloads to your computer, connects to their Bitcoin account and starts generating coins for themselves. So big botnets now are enlisted for the task of generating money for these guys. This Vicenor, unfortunately, is a GPU-based miner, so we're not going to see it consume the CPU, and I don't have a GPU, it's sitting inside this virtual machine, but here it is, and what it's going to launch as a child process is the minerd process. This minerd is the miner process for Bitcoin, and if we take a look at minerd's command-line options, you'll see that here's the Bitcoin account, ispilledsoda.ru is what this goes to. So I go to, I don't even know, ispilledsoda.ru, and apparently that is not active anymore, although it has been found in other pieces of malware; ThreatExpert says that they've seen this account. Now, what is the account? It's a password here, you can see the password is x and the username is fz1, so if we wanted to, and that account was still active, we'd have access to that Bitcoin account. Unfortunately we don't, but this is a standard piece of Bitcoin malware. The reason that I don't see activity, like I said, is this is a GPU-based miner, but there's also CPU-based miners, so what you'll see now is that even on systems without high-performance GPUs, Bitcoin mining can be done on those CPUs. Of course it's a lot less efficient, but when they're using your computer, that's okay.

I'm going to get this thing ready to go, and when I come back, talk about another case. This one is the case of the unexpected FTP connection. So this case actually came in to Microsoft
support. This was a corporate customer. The customer detected through some of their network monitoring that a particular server, which was an Exchange server, was making outbound FTP connections. Now that's not suspicious, is it? To make matters worse, after they detected these outbound FTP connections they went and looked at their antivirus logs and saw that Forefront Endpoint Protection had cleaned some malware off the machine, but the thing was still making outbound FTP connections, so they had a problem on their hands. What support had them do was capture a Process Monitor trace and then send it in to support. Let's take a look at that trace and how support figured out what was going on. The first thing they did was say, okay, so we've got potential outbound FTP, let's take a look at the process tree and see if there's any processes that might be generating outbound FTP, anything that looks like it could potentially do FTP activity. Do you see anything that looks like it could be FTP? Yeah, there's an FTP right there. Now they looked at the command line for FTP, which I can do right here, and they'll see that FTP, what is it doing? This -i, or this -s, says go execute the script, and the script that this thing is executing is called j. What is j? They wanted to know where is j, and look at it to see if this thing is really, you know, something malicious, maybe this will give us a clue. So what they did was set an include filter for this and then search this trace for j, and you can see this creating j in a particular directory called i98-9-, you can see it reading j right here, it's a 58-byte file. So they had the customer go look to see if j was there, and j is not there, so no evidence left behind of what the script is doing, whether it might be part of some legitimate software they got on the machine, who knows. So they went back to look at what launched the FTP process. Let's go take a look at its parent process. So
the parent process of this FTP is this command prompt, and we take a look at this command prompt's command line, and you can see that it's launching another command prompt which is then creating a directory named, because we picked a different one, i9925, changing directory into that, deleting anything that's in there, then starting to echo stuff out to j. Let's see what goes out to j. So I'm going to copy this command prompt's command line here, and what I can do, whoops, is I'm doing F3s and just pressing return to replace those with carriage returns, and now you can see: the first line, open up j, pipe an open command, obviously aimed at FTP, into j, that's the URL that it's going to connect to, creates a new connection, sets the binary mode, does a get of all the executables off the FTP server, deletes j, and then for every file that it downloaded goes and sticks them in a bat file, it pipes it to a bat file, and launches them all, and then deletes the outputs of the batch files after it launches the batch files. So this is obviously just aimed at downloading whatever the botnet herder wants to put on their FTP server, so that this machine now pulls down the malware and executes it. What is this thing? If we do a lookup for this, there's a Sysinternals tool called Whois that will conveniently do lookups for you, and this thing is in, it's my house! No, it's not, it's not my house. I do happen to live in Bellevue, but the reason that we're seeing Bellevue is that there's a company there called Whois Privacy Protection that is protecting the true owner of that domain name, so we've got a dead end there. So what the support person did is go back to the trace to say, all right, what is this thing connecting out to? Process Monitor, besides catching file system and registry activity, also captures network activity, so if I disable file system and registry, or filter file system and registry output out of
the trace, what we're going to be left with is all of the network traffic that this Exchange server is performing, and if we scroll through this we can see that looks like legitimate traffic for the Exchange server, but then we see here, in between, batches of random URLs. Well, let's filter out anything with Exchange in it, and the way that you can do this, this is a new feature, Edit Filter, and I can say Path contains, and I want to do Exchange, because I want to filter out any traffic, and I want to say exclude, that is the Exchange server's legitimate traffic. What I'm going to be left with are mostly outbound connections, and in here, I'm having bad luck, here we go: 191, 192 is internal, 209, there we go, 209 dot, well, I thought I saw 229, all right, what is 229? Let's do a copy of that, I'll paste it into Notepad, and actually this, I'll pick a new IP address, because there's lots of them to pick from, and then let's go to a site which will tell us where this IP is located, like lookip.org, it's a good one, lookup IP address dot org, and let's see what this tells us. Actually that's not lookup, sorry, lookup IP dot net, sorry, that's not that good one either. There's a whole bunch of these, and unfortunately, by the way, a lot of these are serving malware too, which is something to be aware of. Okay, so this one can't find it, but I happened to pick an unlucky one. Here's one, 105, I should have picked that 105 address. We saw that 105 address maps to this place in Morocco. The company has obviously no sites in Morocco, and so this is something that scared them. The other IP addresses, I just got unlucky, point to Tunisia and China as well. So this thing was actually infected, probably by multiple botnets all using the same entry vector and putting the same kinds of malware on the machine to get access to the outside, and that's all visible in the trace
here. So at this point what they said was, well, wait a minute, what is the parent process for those transfers? Let me go find one of them. Here's this 105. Which process on the system is talking to Morocco? It's not even that FTP process, it's the SQL Server itself, which the SQL Server is not even supposed to be on the internet, much less, not even supposed to be on this box with this Exchange server, much less talking to Morocco. So at this point what the support guy did was take a look at the SQL profile. Security was using a standard script that said, hey, can I log in to the SQL Server using anonymous, and sure enough the SQL admin password was blank, and it was set up so you could do xp_cmdshell and launch something from it. They went back to the customer and told them this. What the customer believed had happened is that at some point in the past an administrator, for some reason, was doing something on that Exchange server, installed SQL Server, didn't realize that it was going to be on the open internet, had a blank password, had xp_cmdshell, did whatever they were doing, forgot about it, left it there, and botnets scanning the internet found this SQL Server sitting there wide open and infected it, and were now launching these FTP scripts to go pull down and infect the system even further. At this point Microsoft support said, hey, you should wipe this thing and move on, and that's what the customer did. So good lesson there: make sure that you understand what you've got running on your servers, and look for suspicious traffic.

I want to conclude with a look at a very sophisticated piece of cyber warfare, or cyber espionage depending on how you look at it, in kind of a similar vein to what we just saw of corporate systems getting infected. This piece of malware, how many people have heard of Flame, by the way? So quite a few of you. Flame is associated with one of the most notorious viruses, or the most
notorious virus in history, called Stuxnet. So to understand Flame, and I've got Flame ready to go, I'm gonna give you a little bit of background on Stuxnet. Here, let me find Flame. Here we go. What I'm gonna do is launch Flame while we're waiting, because Flame takes a few minutes to infect the system, and I've got to do it using this LoadLibrary, because here's the main payload of Flame, it's this .ocx file. And the way that I'll know that Flame, and I've got Process Monitor sitting here ready, watching with a category-is-write filter, the way that I'll know that Flame has fully infected is that there's a file that will show up in here called ccalc, so it'll show up right in between these two files, and it'll be there in a few minutes. So we're going to come back to that after I explain what Flame is.

Stuxnet was discovered in 2010 when a company's computer, a company based in Iran's computer, was crashing during the reboot, and they thought they might have malware on the system, so they contacted their antivirus company, called VirusBlokAda, a company based in Belarus, and they said we think we might have malware. This antivirus company takes a look at the machine, and lo and behold, they discover something that looks very sophisticated: device drivers that are digitally signed with valid digital certificates that are acting as rootkits. They expose the story, they talk about it, and a few days later Kaspersky, Microsoft, Symantec all discover more variants of it now that they've got something to look for, and the story breaks wide open in July of 2010 that a very sophisticated piece of cyber weaponry is infecting a bunch of machines, on the order of tens of thousands, almost entirely based in Iran, and that this piece of malware, as they research the behavior of it, is an amazing piece of malware. The way that it propagates is using five zero-day vulnerabilities in Windows, two of them to gain admin rights on systems where it doesn't have admin rights,
making it clear that this thing was designed for locked-down systems like you might have, say, in a nuclear or weapons facility. It has two vulnerabilities that let it spread remotely on the network, and these are vulnerabilities not patched by Microsoft. It's got one that lets it jump from a USB key using an autorun, an infection of a link parser bug in Explorer, so it can hop off the key onto the system, and that's the primary propagation technique, they believe. Not only that, but it's got drivers that look like they're signed by Realtek and Micron, valid digital certificates by these two Microsoft hardware OEMs that happen to be in literally the same office park, a few hundred yards from each other in Taiwan. So somebody's stolen these certificates somehow, either physically in that park or by infecting both those companies and getting the certs out, and then signed this piece of malware, so it wasn't showing up as something malicious because it had these trappings of a legitimate piece of software. They then discovered that it had a secondary payload, which was another rootkit, not for Windows but for the Siemens Step 7 PLC, programmable logic controller, which happened to be the same exact type of logic controller used to control centrifuges used by Iran's nuclear enrichment program at Natanz, and this rootkit inside of it caused those centrifuges to spin faster and slower than they were designed to, at variable speed, to the point where they would burn out, all the while projecting back false telemetry information to the operator on the Windows system that the centrifuge was operating normally. So what was happening is these centrifuges are burning out, Iran doesn't know what's going on, they start to fire or behead their nuclear scientists, and then it's still happening, so then they're really fed up, and then this story breaks out in the press, and Iran's like, oh, okay, we know what's going on. There's Mahmoud touring the nuclear weapons facility going,
how's Stuxnet? So it's got us. And then about nine months later Flame was discovered, also floating around the Middle East. Some people, even like Eugene Kaspersky, called it the most complex piece of malware ever discovered. This thing is also the biggest, 20 megabytes in size, with multiple engines in it: ones that know how to monitor Bluetooth networks, ones that know how to turn on the webcam and record things, ones that know how to turn on the mic and record things, all very modular. Not only that, but written in the Lua scripting language; nobody's ever seen malware written in a scripting language before. And it's got even more, so they put two and two together: there's some hints of the same code that was in Stuxnet in Flame, and people believe it's part of the same program, the US and Israel collaborating in a program, the New York Times said, that started before Obama took office, by Bush, to sabotage the Iranian nuclear enrichment program, and Iran admits that it destroyed two to three thousand centrifuges. Flame was probably part of an espionage, intelligence-gathering part of the Stuxnet program to figure out what was going on inside of these networks, so that they could then develop Stuxnet; so by recording what the scientists were doing, by watching them, they could gather intel to help with targeting their cyber weapon called Stuxnet.

And what I've just launched is Flame inside of this VM, and there's ccalc32.sys. Let's go back to Process Monitor, and at this point, and by the way, there's a couple of things that are noteworthy about Flame. One is it's afraid of Process Explorer. If I had Process Explorer running, which is why I didn't have it running, Flame would go away and hide and not activate. So, and it's actually rumored that it's the CIA that created Flame, so, yeah, CIA, there you go. The other interesting thing is it took me a while to figure out how it would activate, this thing, once I had the sample, until I figured out, huh, maybe I need to make it
feel like it's at home, and seriously, that is required to make Flame activate. And then, so let's go take a look at what Flame is writing. So it's dropping here msbat into MS Security Manager, this massive payload down here, which happens to be a SQL Express database. How many pieces of malware have you seen that used T-SQL to store configuration? And we'll also see it drop MS, the messenger .ocx file, and ccalc.sys, a few different parts of its payload. It also has an auto-activation point that doesn't show up in msconfig, but you can find it in the Process Monitor trace. You can also see it in Autoruns, but I'm going to just find it, because what it does is it places itself in a very sneaky part of the system. By the way, I was also trying to zoom it, which is why I'm zooming, but running in there, it's RegSetValue, HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\Authentication Packages, and here it is, pointing at MS, there's the payload that we saw, that I launched, the .ocx file, and this is how it launches every time the system boots, a place that almost no other auto-start location scanning tools will even bother to look at, but Autoruns does look at that location. So that is using the Sysinternals tools to look at malware.

And I want to spend just a couple minutes here wrapping up with a view of my state of malware these days, because what I see are two kinds of extremes of malware. There's the junk crap that we were looking at earlier in the presentation, that is, hey, it's just hanging out there wide open, no strings, no company name, no description, no icon, packed, showing up like with flashing red lights in Process Explorer, because they can. On the other end of the spectrum we've got this kind of stuff like Flame, which is getting more and more sophisticated, and it's just going to get harder and harder, because what we have is a trickle-down cyberweapons thing going on, where something like Stuxnet comes out, the virus and malware guys see
techniques being developed by China and the US, big funded kinds of organizations, and they'll adopt the same techniques themselves to stay on a system hidden, so it's going to get harder. The goal too is to prevent, which has always been the goal, the malware from getting on your system, but also detect it. There's a new philosophy now we've got in the world of cybersecurity, which is assume the breach: you will get breached, every one of you will get breached. FBI Director Robert Mueller said at the RSA Conference two years ago, there's two types of companies: those that have been hacked and those that don't know they've been hacked.

So, and by the way, now that the official time is over, some of you might know that I've written a couple of cyber thrillers, cybersecurity thrillers. I thought I'd share one. It's called Zero Day. Does anybody read Zero Day? That's good to see. And I've got a sequel to it that I came out with a few months ago; it actually talks about Stuxnet, because Stuxnet happened right as I was in the middle of writing this plot, and I just want to show you really quickly a trailer that I made. [Music] [Applause] The technology is the bullet. Everyone is the target. Trojan Horse. [Music] Took me forever to make my voice sound like that, by the way. There's one thing that I'm especially proud of, I don't know if you noticed, but the foreword was written by Kevin Mitnick, and a lot of you probably know who Kevin Mitnick is, he's one of the most notorious hackers ever. What amazed me, and I didn't even realize it until afterwards, is that I got him to open a document called Trojan Horse. Anyway, I'm doing a book signing from 12:00 to 12:30 of all the books, Sysinternals, Windows Internals, Zero Day and Trojan Horse, from 12:00 to 12:30, and I'll be back here in the same room at 1 o'clock for Case of the Unexplained. I hope to see you there. I hope you had a great time and learned
something, and cleaned malware off your system. [Applause]
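The boot-log technique the talk uses to catch WinWebSec's shutdown-time RunOnce write, together with the Winlogon Shell and LSA Authentication Packages locations it shows for LockScreen and Flame, as an added example that is not part of the talk or of the Sysinternals tools: a Python scan over a Process Monitor CSV export that flags successful RegSetValue writes to those auto-start locations and separates shutdown-phase writes (the ones Autoruns cannot show) from boot-phase ones. The CSV rows, process names and payload paths are constructed, and the shutdown/boot split on the first smss.exe Process Start is this example's own heuristic, not a Procmon feature.

```python
"""Flag auto-start (ASEP) registry writes in a Process Monitor CSV export.

Added example for the boot-log technique in the talk; this is not a
Sysinternals tool, and the trace rows below are constructed, not real.
"""
import csv
import io
import re
from dataclasses import dataclass

# Registry auto-start locations named in the talk.  Autoruns lists all of them
# when they are populated; the point of a Procmon boot log is to also catch a
# write that only happens while the machine is shutting down.
ASEP_PATTERNS = {
    "RunOnce key": re.compile(r"\\CurrentVersion\\RunOnce\\", re.I),
    "Run key": re.compile(r"\\CurrentVersion\\Run\\", re.I),
    "Winlogon Shell": re.compile(r"\\Winlogon\\Shell$", re.I),
    "LSA Authentication Packages": re.compile(
        r"\\Control\\Lsa\\Authentication Packages$", re.I),
}

# Constructed rows in Procmon's default "Save as CSV" column layout.  The first
# data row is from the shutdown phase; everything after smss.exe starts is boot.
SAMPLE_CSV = r'''"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"11:58:01.0000000 PM","wininit.exe","424","RegQueryValue","HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\PendingFileRenameOperations","NAME NOT FOUND","Length: 144"
"11:58:02.0000000 PM","rnd1234.exe","3120","RegSetValue","HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce\rnd1234","SUCCESS","Type: REG_SZ, Length: 84, Data: C:\Users\mark\AppData\Local\rnd1234.exe"
"12:00:05.0000000 AM","smss.exe","268","Process Start","","SUCCESS","Parent PID: 4, Command line: \SystemRoot\System32\smss.exe"
"12:00:20.0000000 AM","rundll32.exe","1900","RegSetValue","HKLM\System\CurrentControlSet\Control\Lsa\Authentication Packages","SUCCESS","Type: REG_MULTI_SZ, Length: 96, Data: msv1_0, C:\ProgramData\payload.ocx"
"12:00:21.0000000 AM","lock.exe","2044","RegSetValue","HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell","SUCCESS","Type: REG_SZ, Length: 68, Data: explorer.exe,C:\ProgramData\lock.exe"
"12:00:22.0000000 AM","explorer.exe","2300","RegSetValue","HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden","SUCCESS","Type: REG_DWORD, Length: 4, Data: 2"
"12:00:23.0000000 AM","updater.exe","2560","RegSetValue","HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Updater","ACCESS DENIED",""
"12:00:24.0000000 AM","msiexec.exe","2700","RegSetValue","HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\VendorAgent","SUCCESS","Type: REG_SZ, Length: 70, Data: C:\Program Files\Vendor\agent.exe"
'''


@dataclass
class Finding:
    process: str
    pid: int
    location: str
    path: str
    data: str
    phase: str                      # "shutdown" or "boot"
    from_user_profile: bool         # payload under C:\Users: no admin rights needed
    runs_in_plain_safe_mode: bool   # Winlogon\Shell still runs in vanilla/networking safe mode


def _data_of(detail: str) -> str:
    """Pull the written value out of Procmon's Detail column, if present."""
    marker = "Data: "
    return detail.split(marker, 1)[1] if marker in detail else ""


def find_asep_writes(csv_text: str) -> list[Finding]:
    findings: list[Finding] = []
    booting = False
    for row in csv.DictReader(io.StringIO(csv_text)):
        # Assumption of this example: in a boot log the shutdown phase comes first
        # and the first "Process Start" of smss.exe marks the start of the new boot.
        if row["Operation"] == "Process Start" and row["Process Name"].lower() == "smss.exe":
            booting = True
            continue
        if row["Operation"] != "RegSetValue" or row["Result"] != "SUCCESS":
            continue  # only successful value writes persist anything
        for location, pattern in ASEP_PATTERNS.items():
            if pattern.search(row["Path"]):
                data = _data_of(row["Detail"])
                findings.append(Finding(
                    process=row["Process Name"], pid=int(row["PID"]),
                    location=location, path=row["Path"], data=data,
                    phase="boot" if booting else "shutdown",
                    from_user_profile=bool(re.search(r"\\Users\\", data, re.I)),
                    runs_in_plain_safe_mode=(location == "Winlogon Shell"),
                ))
                break
    return findings


def format_report(findings: list[Finding]) -> list[str]:
    """One line per finding, shutdown-phase writes first (Autoruns cannot show those)."""
    ordered = sorted(findings, key=lambda f: f.phase != "shutdown")
    return [f"[{f.phase:8}] {f.location:<27} {f.process} (PID {f.pid}) -> {f.data}"
            + ("  [user profile]" if f.from_user_profile else "")
            + ("  [runs in plain safe mode]" if f.runs_in_plain_safe_mode else "")
            for f in ordered]


if __name__ == "__main__":
    for line in format_report(find_asep_writes(SAMPLE_CSV)):
        print(line)
```

To run this on a real capture, enable boot logging in Process Monitor, reboot, save the resulting trace as CSV with the default columns, and pass the file's text to find_asep_writes.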
Info
Channel: Mark Russinovich
Views: 67,097
Id: A_TPZxuTzBU
Length: 78min 10sec (4690 seconds)
Published: Thu Jul 23 2020