Malware Hunting with Mark Russinovich and the Sysinternals Tools

Test, test. Okay, we're live. So I don't think any more people are going to show up, so we might as well go ahead and get started, and that'll give me a few extra minutes. We're starting about five minutes early so that I can use all the time I can get, and actually the session after this is lunch, so if I go a few minutes over into lunch, is that okay with you guys? All right, cool. Welcome to Malware Hunting with the Sysinternals Tools. Good morning, everybody. Good morning, everybody! Yeah, that's much better. How's TechEd going? Good? Just okay? I heard it sucks. That's not good. Oh, the internet sucks. Okay, that's better.

So let's talk about what we're doing here today. This quotation, which I had up while you were floating in, is from a Google research paper from last year. Well, actually this one's a university paper; there's a different one that's the Google paper that has basically the same statistic. This statistic basically states that these researchers looked across the web, identified malware using heuristics, and then found that less than 40 percent of the malware that they identified, when they went and actually verified that the heuristics were accurate, was detected as malware by the top four antivirus engines on the market. So this is a pretty representative statistic; in fact I think even 40 percent in many cases is high for malware detection rates. This is what I call zero-day malware: malware that flies under the radar. And in fact the situation's gotten so grim, with the rate of malware proliferating, evolving, morphing, that it has prompted one of the number one antivirus vendors in the world to come out and publicly state that antivirus is dead. That's a pretty shocking thing, because some of us have been saying antivirus is dead for a while. In fact, when I read this thing, I heard "I'm not dead yet," and I was like, where's that coming from? And it was coming from Microsoft anti-malware sitting on my computer. Actually, anti-malware does play a role; it's good for cleaning off the stuff that's there, but obviously a lot of stuff is slipping through. And here's another headline: you've been living in a different world. So the reason that we're here is because there's a lot of malware that gets onto people's machines that anti-malware doesn't stop and then doesn't detect, and that causes us problems. How many people have been infected with malware in the lab, no wait, in the last month? In the last week? A few people in the last week. Today? Anybody have malware on their laptop today, here in the room? Nobody. There's always one person that comes to this session because they've got malware and they want to know how to clean it off. [Applause] I guess you're not admitting it, whoever you are.

So let's talk about the goals of this presentation today. Obviously I'm going to focus on the Sysinternals tools, to show you how you can analyze and understand the impact malware is having on a system and then clean it off the system. And I want to make it clear that this is not professional malware analysis. The professional malware analyst's job goes a lot deeper than what I'm going to be showing today, because their job is to really fully understand exactly what the malware is doing, the full extent of its purpose, who's behind the malware, understanding how it's infecting the system, because there might be new infection techniques going on, how it's hiding on the system. Our goal today is just simply to figure out how to get that crap off your system, or figure out what it's doing on your system. The fact is, though, that using the techniques that I'm going to show you today is pretty effective against the bulk of malware out there on the market today, and I'm going to show you a bunch of real-world examples of cleaning malware off systems and understanding advanced malware, with current
samples off of systems. And what's really rewarding to me is that a lot of times, with professional malware researchers, I'll go read the reports and they'll show Sysinternals tools as part of their research. It's great for them as kind of a first-wave reconnaissance to understand what malware's doing, and then they can dive deeper with more sophisticated tools. Even if you don't understand how to clean the malware, it's useful to look at what the impact of the malware is, so you can understand if this thing is spreading throughout your network and what its impact is.

This recipe for cleaning malware I came up with back in 2005. If you've been to this session before, you know this is the same recipe that I've been talking about for a while, and this recipe, you can see, has a number of steps, starting with: disconnect from the network. When I came up with this recipe back in 2004-2005, this step was absolutely essential to even get a grip on the system, to be able to clean malware off it, because back then there was a scourge of adware and spyware where you'd get infected by one piece of it and then it would start dragging more stuff down onto your computer. I'd be sitting there trying to clean malware off a system, and as I was cleaning it, more stuff would just get piled on, and it was like, I can't get ahead of this. So I'd disconnect from the network, and that would stop malware from getting on the machine. Another very important reason to disconnect from the network is that you stop the exfiltration of data at that point. If somebody's actually in your network sucking data off your PC or off your corporate network, this will stop that. There are some downsides to disconnecting from the network that I'll cover as we go along.

Second step is identify the malicious processes and drivers. This is kind of the recon phase, looking through your system to find out what might be suspicious. Once you've identified something that's suspicious with enough degree of confidence, at that point you terminate those processes, and the reason that you do this before moving on to the next phases of cleaning the thing off is because a lot of malware has defense measures, active defense, where when you try to clean the malware off the system it protects itself: it'll put itself back into registry keys, it'll restore its files, and it uses other techniques like that. So terminating the malware at least gets the active defenses out of the way while allowing you to proceed to the next steps of cleaning. Then you need to figure out how this thing activates. Most malware activates itself every time you log onto the system, or boot the system, or run a particular program like IE or another process, so your job is to figure out how it's activating so you can terminate those activation points and clean those off. And then finally, as an extra measure, you go delete the malware itself. Cleaning the autostarts theoretically is enough to clean the malware off the system, but just to be safe, go delete the malware files and executables you found, because if nothing else, if you missed something as far as an autostart, you might still break the malware and prevent it from reactivating if you delete some of its key files. This is like the old shampoo commercials: you need to lather, rinse, repeat on this one, because you might have missed something even after going through these steps. So go back, look for the original symptoms after you've gone through this, reboot your machine, make sure that the system appears clean, and then you can move on.

And by the way, speaking of making the system clean in this way, there are schools of thought around the risk of cleaning malware off a machine when you don't really know what it is. There's one camp that says, hey, you find your machine infected, just flatten it, because that's the safe thing to do. And then there's another camp, which I tend to be in, which is, if you have enough confidence that you understand what the malware is doing, clean it off, and then that way you don't have to go through the pain and hassle of re-imaging your machine. This is really an important consideration in corporate environments, where flattening your whole network, especially in cases where the malware has gotten into very sensitive places and servers, flattening those things could cause your business downtime of days or weeks. And even Microsoft Consulting Services will come in and say, we feel like we understand the malware, we've got a high degree of confidence, and ask the customer, what do you want to do? Would you rather flatten and really be sure? And even then you can't really be sure, because there might be malware floating around endpoints that you're not aware of and you get re-infected. But then make the call. And so that's why I talk about cleaning.

So let's talk about how you identify malware processes. There are a few things that you look for as you scan the system looking for suspicious processes, and these characteristics are ones that I came up with like 10 years ago, and they're still valid today, fortunately. These are processes, images, that have no icon; that have no company name or description in their version information; that say that they're from Microsoft but they're not digitally signed; they live in the Windows directory, and, this is a relatively new one as of UAC and Vista, because a lot of malware these days doesn't need administrative rights, they'll stick themselves in the user profile rather than in the Windows directory, so that's another suspicious place to look; they're packed, and I'll talk about what packed means in a little bit; if you look inside the images you might find interesting text that reveals the fact that they're malicious, like pointers, URLs, to suspicious places on the web; they've got open TCP endpoints because they're talking out to the web, beaconing or sending data out; or they host suspicious DLLs or services, so it might be a process that is actually hosting some
malware inside of it. How do you look for this kind of stuff? How many people use Task Manager to look for malware? Let's see, raising hands. That's really, really sad. That's like walking into a dark room with a blindfold on and looking for the furniture. What you should be using is what? Process... I didn't hear that loudly enough. Process Explorer, right? Process Explorer. Process Explorer is of course the first Sysinternals tool we're going to talk about. How many people have used Process Explorer? How many people have not used Process Explorer? Really, you're going to raise your hand? [Applause] So Process Explorer has a lot of troubleshooting capabilities, like you can look for DLL versioning problems, you can look for locked files, you can look for handle and memory leaks. What I'm going to be focusing on in this session is just the malware hunting capabilities that I've added, and that it generally has just by nature of being a system tool. In The Case of the Unexplained, that's where I go into the other type of features that it has.

So let's pull up Process Explorer and just take a quick tour for the one guy that's never run it before, and take a look at what we see here in the process view. The process view of course shows you the list of processes running on the system. The view is different than Task Manager, as you can see: it's got this nested view, and that represents the parent-child relationship of the processes. One of the places you can see this most clearly is in this part of the tree, which is Explorer. Explorer is the shell by default; it's what Windows runs when you log into the system, because it's specified in a certain registry key that you'll see in a little bit, and whenever you launch something in your interactive session, it gets launched from Explorer. So everything under Explorer, nested within it, is a child of Explorer, part of your interactive login session. There are cases where there are processes that are left-justified, and those are ones that have no parent process; the parent process has terminated. This would happen if, for example, you launched something from Explorer, like a command prompt, launched something from that, and then terminated the command prompt. So you've just left that process a sad little orphan, and it'll show up left-justified in the tree.

For each process you see the process name, you see CPU and memory statistics, you see a description and company name. That's what I was referring to: when you're looking for suspicious processes, processes that are malicious oftentimes don't have a company name or a description, one or the other, and the reason that they don't is because Task Manager for a long time never showed you either, even by default, and Task Manager doesn't show you either the description or the company name even today, whereas msconfig, the autostart viewer that's built into Windows, shows you description or company name, one or the other. And so even for people that are mildly sophisticated and using those kinds of tools, the malware would just blend into the system; it wouldn't show up as missing something like it would here, in this view that shows you both. So you can see I don't have any processes that are missing company name or description except for the System and System Idle Process; those are system processes.

The other things that you can see here are some tools, like the window finder up here in the toolbar. This is useful for looking for who owns a pop-up, if malware is popping up windows on you, which more and more rarely these days does that happen; most malware these days just takes over the browser completely or is sitting there in the background being a botnet on your system. But if it is, use the window finder. So for example, if I launch this applet right here, it's really hard for us to see who owns that process just by looking at the process list; there's nothing in this list that says "time" in it, even though that's the time/date dialog. But if I move the window finder over it, it takes me to this rundll32 process, so that is the process that owns that particular window, which we identified with the window finder. There's also a search online capability, one that's actually been taken back into Task Manager in Windows, so if you right-click on something, it'll do a search using your favorite search engine, so you can Google it using Bing, or Bing it using Google, whichever one you want. And here you can see that I've just done a search for Explorer, and it finds some information. Many of these are kind of malware-directed sites that tell you information about images, but it's really a ploy to just serve you ads. Unfortunately that's most of the junk that you're going to find with search online these days. And in fact search online has become a little less useful over time, because a lot of malware uses randomly generated names, sometimes even very cleverly by taking strings off the paths that are on your system and concatenating them together, so it kind of looks legitimate, and so it'll blend in with the noise of Windows just by having pieces of real names of files and directories, and yet it won't show up in a search online because it's been randomly generated off your particular computer. So search online isn't that useful anymore.

One of the things that you'll notice as you use Process Explorer is that there are various colors in the display. Let's talk about some of the colors here, like the pink colors. If you've been to my Case of the Unexplained, you know what pink represents. What's it represent? Girl processes, correct, yeah, girl processes, and the blue are the boy processes. I bet you didn't know that they had gender, but they do. No, I'm just kidding. Of course the pink processes are service-hosting processes; they're ones that host Windows services, these background tasks that execute no matter who's logged in, generally. And then the blue processes are ones running as users, so that's why you can see down here in the
Explorer part of the tree, everything is blue down here, because that's all launched as me. There are some other colors here, like you can see this cyan color. That is a modern, or, I mean, sorry, a Metro, I mean, an app, a Windows 8 app store app, modern, universal, no, whatever, you know what it is. And you can see that Explorer knows how to be one of these dual kind of things. If I scroll up here, I've got some other ones up here that are running over in that other world that exists in Windows 8. And then there are some other colors that aren't shown here because I don't have any processes that are highlighted by that. There's a purple one down here, these two purple processes, and I'll talk about that in a minute.

But let's talk about refresh highlighting. Refresh highlighting is this ability of Process Explorer to show you new processes, like there's a green right there when I launch Notepad, and if I terminate Notepad it'll turn red, and that shows you processes as they're coming and going. So if you see red and green, that means processes are being launched and terminated. The default refresh duration is only one second, but you can change that up here in the options, so you could say Difference Highlight Duration and set this up to nine seconds. The problem with this, and I just set it to nine, is that even there, processes can be so short-lived that they don't show up in Process Explorer's refresh. So if I do an ipconfig, ipconfig never showed up as green or red there, because it was short-lived enough, even with all the junk that it spits out these days, that it lived between refresh intervals, and so Process Explorer never saw it. So the question is, how do you catch processes that are short-lived like that? And I'll answer that in a little bit when we go to another tool.

So the purple processes that I was mentioning before, those are what are called packed processes. Packed processes are ones that meet certain heuristics that a lot of image packers, like UPX, if you're familiar with that, use to compress images or encrypt them. And the reason that I highlight them in purple is because a lot of malware uses compressors or encrypters to obfuscate the contents of the image itself, unrolling the contents into memory when they launch. So when you look at the file on disk you don't see anything but garbage; when the thing launches in memory, then that's where the malware gets active. There's legitimate software that'll show up with that heuristic sometimes, but most of the time that represents a strong signal that you've got a piece of malware. And I do have an interesting process, like we saw before, sitting here, in fact two copies of it, a process called WinHost, and this WinHost advertises itself as the Windows Host Support Service from Microsoft Corporation. Already we've got a few signals that this might be malware. First of all, it's showing up in the Windows directory, as opposed to a Program Files directory, but it's launched underneath Explorer. And second, it is showing up as a packed image process, so it's potentially packed. If I double-click on this and we go to this tab, it also tells me here that its image is probably packed. This is the process properties. The other things you'll see here are command lines, current directories, autostart locations, which I'll talk about in a little bit.

And then there are tooltips. The tooltips that you've seen popping up as I've moved the cursor around this part of the tree show you more information, some of it that you saw in that image properties dialog, like the command line, like the path. And for processes that are hosting components, so their job in life is just to host things, just as a container, you'll see what's hosted inside of it. The most common example on a Windows system is this service host process, which, as the name implies, just hosts Windows services. And so if you hover the tooltip over one of these, like this one right here, you can see that this service host is hosting this Windows Image Acquisition service. We saw that rundll32 down here, and the way that gets launched we can see through the tooltip here, because rundll32 launched with this command line to execute timedate.cpl. Rundll32 is another hosting-type process, very commonly used by malware to hide itself, and so you can see what is inside of rundll32 by hovering over it with the tooltip. Process Explorer even decodes information about that DLL, so you don't have to go into the DLL view, which we'll see in a second, to see that this is the time/date CPL from Microsoft Corporation.

Now let's take a deeper look at that WinHost, because that thing shows up as suspicious, and how can we get some more signals as to whether that thing really is malicious or not? One is to check the digital signature on it. Almost all Microsoft software is digitally signed these days; in fact it's a rule that you can't go out of Microsoft and publish software without it being digitally signed. So how can we check if these things are digitally signed? There are a few ways. One is to double-click and click on this Verify button right here. When you click on the Verify button, it'll tell me up here information about the signature, and in this case it says no signature was present in the subject. So even though it says it's from Microsoft, there's no valid digital signature on it, which means either there's no signature at all, or the signature is expired, or the signature's been revoked because it was a falsely created certificate. If we take a look at Explorer, when we do a verify, you see that in this case it is digitally signed. But going through one by one, when you've got a system that's potentially infected with malware like this, is kind of tedious, so there's an easier way to do this, and that is to add the Verified Signer column here in the column picker, and then go to the options and say Verify Image Signatures. And that's what I'm going to do, I just
check that, and now what's happening is Process Explorer in the background is going to go and verify all the signatures. If you sort by that, you can see that there are third-party tools that are signed, and then down here at the bottom you can see that there's one, here's a legitimate piece of software that's not signed, it's a screen grab tool that I use; some of my Sysinternals tools that I've done builds on that I haven't published yet, they're not digitally signed; and then finally, sure enough, we see that this WinHost isn't signed. By the way, WinHost, if you haven't figured it out, is a little piece of fake malware that I created just for demonstration purposes, and I was like, huh, what's a good name for a piece of fake malware? I'll just come up with WinHost. But what really pisses me off is if you do search online, there's like real malware that's copied it now, the "lolo jack" hijacker, so somebody's using my process name without my permission, which is really annoying.

I mentioned one of the downsides of disconnecting from the network. One of the pluses is that the malware can't talk out to the network; one of the downsides is, if the digital signature has been revoked, Process Explorer, to do the image verification, the signature verification, needs to go to the web to check the certificate revocation list servers. If you're disconnected from the network, it's not going to be able to pull that information down, and so you might end up seeing some things as legitimately signed, if you're disconnected from the network, even though the certificate has been revoked. So that's one potential downside.

This is new: how many people knew that I've integrated malware scanning into Process Explorer? So a lot of you aren't aware of this. This is literally in the last three months or so; about three months ago I added this and published this capability, integration with a website called VirusTotal. VirusTotal is an online malware scanning service; it's basically, I call it antivirus as a service, or AaaS. And if you go to VirusTotal... actually, we'll go to VirusTotal in a second. Let me show you the quick and cool way to go to VirusTotal when you're scanning a machine: select columns, add VirusTotal here, where's VirusTotal, VirusTotal, and then go to, oops, here you get a tip that you need to enable it actually to see something in that column. So we're going to go enable it, and you say VirusTotal.com, and then you say Check VirusTotal.com. What this does is, when you check it, Process Explorer is going to automatically send up the hashes of all the files that it sees for images, as you're looking through the process list and the DLL list, to VirusTotal, and then report the results of any previous scans there. If the image has been scanned, it will report its detection ratio against about 40 or 50 anti-malware engines that VirusTotal runs automatically. If it hasn't been scanned yet, if it's never been seen, you'll see Unknown, and if you see Unknown but you want Process Explorer to submit an image, we'll do that in a second, you'll see its hash submitted over here. And let's drag this over, and in a few seconds this is going to populate with the VirusTotal scanning results. There you can see it, and this is kind of interesting, because there are a couple of antivirus engines that are flagging WinHost as malware, even though it's my own little private thing. I've never released this out in the wild, so I don't know how they got a hold of it, unless somebody from one of those antivirus companies came to one of my sessions and thought it'd be funny to add it. But so here, McAfee, so I just clicked on that link, it's a hyperlink, it takes you to VirusTotal and shows you the report, and you can see that this was scanned in October, seven months ago. The detection ratio is 2/48, which you saw on the list, and you can see that TheHacker and McAfee both think this thing is possibly suspicious. So those guys, I give them credit there for being correct: that is a suspicious executable. But that's a very easy way to look for malware, to automatically have it scan.

Now you'll notice, as we go through this, that with VirusTotal you'll see some, even really well-known malware, only be detected by some of the antivirus engines out there. What you're going to see is a graphical state of the world when it comes to how antivirus really is failing us at this point, just because of the sheer volume of malware. And that's why, instead of saying yes, it's malware, you see the ratio here, because these could be false positives; like in this case it's really kind of a false positive. So you really need to go take a look at the report, and it's just another signal as to whether something's potentially malicious or not.

Then finally I've got sigcheck, which is what I recommend people do when they're scanning a system for malware: run a tool called sigcheck. It's basically a file versioning tool, and for example, if I do sigcheck on WinHost, it will check the signature, tell me it's unsigned, and give me that other information. But the way to look for malware is to do -e, which says look at all executables, -u, which says show me the stuff that's unsigned, and -vr, and then say -s to do a recursive search. Let me zoom in here: -s to do a recursive search, and then * or c:\, and that will scan everything under the C drive that's an executable, checking VirusTotal with the hashes and then opening the browser for anything that reports a non-zero detection. If I do that on this directory, sigcheck -u -e -vr *, it's actually going to find two executables and open the reports for them, and one of them here is WinHost, that we just saw, and the other one is this one, which is identified
here as temp1c3.temp, but the file name here on my system is undexed.exe. This is signed, and it looks like a hardware driver, although one antivirus engine, Rising, I've never heard of that, thinks that it might be a dropper. So I don't know, maybe I'm infected with a dropper at this point, but we'll clean that off later.

Next is strings. Another signal is to look at what the strings are inside the image, and let's take a quick look at what strings are inside of this WinHost by going to the Strings tab. The thing about the Strings tab is that it shows you, by default, the strings that are in the image on disk, and for a packed image like this, that might be garbage, because it's compressed or encrypted. So there's this radio button down here called Memory, and then what you should do is look for things like suspicious URLs in the image, and that's another strong signal that this thing is malicious. And then there's a command-line version of that capability in a tool called strings, also from Sysinternals.

Finally, the last thing we'll take a look at is the DLL view, and this you pop open with Ctrl+D. This will also do automated verified signature checks and VirusTotal checks here across all the DLLs, and so this is another quick, easy way to look inside of a hosting image to see what DLLs it's hosting, if you think that the host might be suspicious. The same kind of information you see there, and the same strings capability here on the DLL properties that you saw in the process tab.

Now we've identified some suspicious processes, let's get rid of them. Don't just terminate them, though. Why not? Because that's cruel and inhumane. So what you should do is put them to sleep, then kill them, and then they don't know what's happening. Now the reason that I actually have that advice, and it's real advice to do that, is there's lots of malware out there that has the buddy system, including my fake malware right here. If I delete this guy, you'll see it pops right back to life down here, because its buddy is watching it. So you can either try to race against the buddy system, which is kind of challenging, and delete both of them before they respond to each other, which is a really fun way to spend a few hours, or you can just suspend them like this, by right-clicking and saying Suspend, and now they show up dark gray, and now you can terminate them, and now they're out of the way. So we've cleaned our processes off the system.

Let's take a look at how these things got started, and for that we're going to turn to msconfig, right? Anybody use msconfig? Nobody? Oh good, you're learning not to. Oh no, no, you're not learning not to raise your hand. Now the reason that you don't use msconfig, well, actually I have to give the guys in Windows a lot of credit, because in the process of reimagining Windows 8 they reimagined msconfig as well, and so it's really quite reimagined here. So if you go to Task Manager, we're not going to bother going to Task Manager, because it really doesn't know about all of the locations that malware can hide. If we went to Task Manager right now, it wouldn't even know how WinHost got launched, just to give you an example. So the tool we're going to turn to is Autoruns. How many people have used Autoruns? Raise their hands. So quite a few of you. Let's take a quick look at Autoruns scanning my system. I launch it, and what it's going to do is pop up here in a second and scan hundreds of locations, literally hundreds of locations where stuff can get started automatically: when you boot, when you log in, when you run a program; drivers, services, scheduled tasks, codecs, security providers, boot execute, image hijacks, the list goes on and on. And you can see that there's just an incredible amount of stuff that, just on a clean system like this, gets launched. This is overwhelming. So what I recommend you do, and actually this hasn't finished scanning yet, because it's hitting some MSIT stuff that's on the corporate network that I'm not connected to, so that's going to time out here in a second. But what I recommend you do, when this is finished, let me just cancel it, is go to the options and tell Autoruns to only show you unsigned images, or images that are not signed by Microsoft, and that way you can find all the third-party things on your system as well as the unsigned things that could be malware. And some of these days, some of the malware can even be signed. This is taking a while to cancel, so we'll come back to that in a second. What you can see here is the autostart entry point, so where the thing is registered; you can see the things that are inside it, the image name, description, company name, just like you see in Process Explorer, as well as the path to the executable. If I scroll down here, and actually I think this is holding up, we're not going to see WinHost in here. Actually let me take a look. Yeah, it's not scanned for WinHost yet, because this MSIT thing is holding me up. We'll come back to that and I'll show you how it identifies WinHost.

But I want to say that there are a couple new things here in Autoruns. One of them is this right here, the WMI tab. This is in the release that I posted earlier this week, because malware now is starting to use WMI to put autostarts into it, so now if there's something that's autostarting using WMI, in the WMI database, you'll see it show up here in Autoruns and you'll be able to disable it, for those new types of malware. So this is just constantly evolving, based on the hackers just finding newer and newer kind of cool techniques to get themselves auto-launching. Okay, this is done now, so let's go take a look and I'll find WinHost. Oh, it's not showing up. Oh, it's because I canceled the scan. All right, let me try this again. So I'm going to say here Verify Code Signatures and Hide everything, and then rescan, and hopefully this will go faster this time. And now this is just the unsigned stuff, third-party things as well as unsigned things, and here's WinHost right there in Policies\Explorer\Run. This is a place that Task Manager and msconfig don't know how to look at this point. This is the way you get rid of it: just uncheck it. Do not delete it, because if it's something that's real, legitimate, you might have just broken your system and you want to be able to fix it later, so always try to do the minimal damage. This also has the ability to search online, to look at the properties, and to even jump to the place in the system registry or the file system where this thing is registered to launch, so you can go take a look at the original target location. Autoruns also has the ability to scan offline systems. This is important if your system is so infected you can't clean it while the system is online: boot into Windows To Go or boot into another image, and then you can point Autoruns at that target location and clean it.

One other new feature here is the Timestamp column. This is relatively new, and what this will do is, if you've got something that looks suspicious, look at the timestamp. Look at when I added WinHost to this system, when I registered it as an autostart: it was literally back in January, so that's when I added it, and that will tell you that, hey, this thing potentially is correlated with some other activity on the network, and that's the purpose of that. So I've told you how to delete them. Refresh after you delete, so press F5 to see if the malware has come back, and the reason why you want to press F5 is that, like I said, malware has self-defense mechanisms and it'll put itself back. The way that you can figure out who's putting it back, if it does come back, is using Process Explorer. So this is the tracing malware activity part, which is, okay, I've gone through the first phases, the stuff keeps getting back
where is it coming from let's turn to process monitor this can this tool is so useful at finding all sorts of problems as you'll see in the case i explained that dave solomon's come up with an expression when in doubt run process monitor and every tech ad i try to get the audience you guys to to take that home with you if you're going to take home one thing from these sessions is to take home when in doubt run process monitor so i ask you to all say it together let's see how good we can get at this run two three when in doubt run process monitor wow you're the best tech ed audience this year it's awesome let's take a look at what process monitor shows so time of day process name operation path of the operation result and detailed status or detailed information about the particular operation so you can see this is a file open and you can see the open information like what type of open it is and what sharing mode it has and so lots of extra information about each operation i'm going to compress the display by getting rid of the time of day because we're not going to be really referring to that there's a bunch of different things that process explorer will show you in addition to what's in the default display all of the data collected for an event is shown on this tab right here so you see some additional information like which thread you can see the duration of the operation and then here's the details that we saw in that detailed column there's an overwhelming amount of information in this display so filtering is the key to using process monitor effectively and there's a number of different ways you can filter like you can right click and say i want to see everything that here i want to only include that path right there or i want to exclude certain types of operations like i don't want to see create files so i can say exclude i don't want to see anything before a particular time stamp so exclude performance before and then you can type control r or you can go to 
the advanced filtering and edit the filters directly from there including disabling them temporarily so i could say whoops i didn't mean to do that let me undo that but i might want to put it back so i just uncheck it and that way i can toggle the filter on and off the most powerful filter for hunting down malware's impact on a system is category is right so category is right will show you only the changes being made to the system and you can see that in just a normal operation a lot of things are modifying registry keys and files but when you target this at a particular process which you can do and here's another way to target a particular process is open the process tree view shows you the list of all the processes that have been running throughout the trace and let's say that i want to see just a command prompt and i want to see so i say include subtree i haven't done anything in this command prop but now when i go to the temp directory and i say echo hello test.text then that will show up because that's a modification of the system made by that process so that's a the tip on filtering all right we've finished the tutorial on the tools time to get to some real malware what do you say all right let's start with scareware it's pretty scary stuff like this piece of scare we're right here some of you probably seen this before because i've shown it this is also really annoying because they're using my name on this fake antivirus system turtles and so i've sued them and then this is really annoying because i had no idea there was another mark racinovich so i need to find this guy let's take a look at this piece of malware called fake pav and fake pav here's the in the prevalence report fake pav is this line right here wait fake pav is right here so fake pav uh you can see its prevalence went down but it was really active back in 2012 still making its way around the internet and for all of these pieces of malware i've got links to them here so this is fake path great 
information here in the microsoft anti-mount in the malware center so lots of detailed information about the way this thing works you can see technical information yeah it's just awesome source of information let's take a look at fake path and i've got fake pav ready to go here so i'm going to turn on this virtual machine and we're going to start fake path and fake pav it's got the audacity to actually ask for admin rights which my mom would probably give it and then it presents itself as a windows activity booster and you can see that it turned off uac and so it's actually going to force the reboot to get that active now we're going to skip what this thing does is launch itself when the system reboots and does a scan of your system and while it's scanning it's going to i wonder if it'll find anything on the system so this is what it looks like it does have a bug so i've reported this negative and that'll take a minute because it really wants to make it look like it's doing something so we're not going to wait for that let's go and see what the end result is and i've had of course the two system internals tools ready and monitoring what's going on there so we can see what this thing did this is it's finished it's found a whole bunch of crap on my system trojan downloaders worms a rootkit found a rootkit it's found a hoax that's probably the blue screen screen saver which i have on there and then if you try to exit it it says you can allow unprotected settings start start up in the settings which is kind of nice of it if i go to settings it's got this nice scheduler so i can do scheduled fake scans if i want to and then i can but i also can do this allow unprotected startup and if i do that then it actually gives me a warning i'm doing a bad thing and then but i can then get to the desktop all right so well actually i didn't have the system turns tools running so the trick is how do i clean this thing off the machine so let's go try to run the system internals tools 
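The Process Monitor filtering tips from the tutorial above (the process tree, Include Subtree, and Category is Write) as an added worked example in Python. This is not code from the talk, from Mark Russinovich, or from the Sysinternals tools; it works over a CSV export with the default columns the talk lists (time of day, process name, PID, operation, path, result, detail). The trace below is constructed for the example, the PIDs and paths are made up, and the list of "write" operations is my approximation of Procmon's category filter, not its internal definition.

```python
import csv
import io
import re
from collections import defaultdict

# Constructed sample in the shape of a Process Monitor CSV export. The events, PIDs
# and paths are made up for this example, not captured from a real system. The
# "Process Create" detail mirrors Procmon's "PID: n, Command line: ..." layout.
SAMPLE_TRACE = r'''"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"10:00:01.0000000","explorer.exe","1000","Process Create","C:\Windows\System32\cmd.exe","SUCCESS","PID: 2000, Command line: ""C:\Windows\System32\cmd.exe"""
"10:00:02.0000000","cmd.exe","2000","Process Create","C:\Windows\System32\cmd.exe","SUCCESS","PID: 2100, Command line: cmd /c echo hello > C:\Users\abby\AppData\Local\Temp\test.txt"
"10:00:02.5000000","cmd.exe","2100","CreateFile","C:\Users\abby\AppData\Local\Temp\test.txt","SUCCESS","Desired Access: Generic Write, Disposition: OverwriteIf"
"10:00:02.6000000","cmd.exe","2100","WriteFile","C:\Users\abby\AppData\Local\Temp\test.txt","SUCCESS","Offset: 0, Length: 7"
"10:00:03.0000000","cmd.exe","2000","RegSetValue","HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater","SUCCESS","Type: REG_SZ, Length: 60, Data: C:\Users\abby\AppData\Roaming\updater.exe"
"10:00:03.1000000","cmd.exe","2000","RegQueryValue","HKCU\Software\Microsoft\Command Processor\AutoRun","NAME NOT FOUND","Length: 144"
"10:00:04.0000000","svchost.exe","800","WriteFile","C:\Windows\Temp\service.log","SUCCESS","Offset: 0, Length: 64"
"10:00:05.0000000","cmd.exe","2100","ReadFile","C:\Users\abby\AppData\Local\Temp\test.txt","SUCCESS","Offset: 0, Length: 7"
'''

# Operations that change the file system or registry. This set is an assumption
# standing in for Process Monitor's own "Category is Write" definition.
WRITE_OPERATIONS = {
    "WriteFile", "SetRenameInformationFile", "SetDispositionInformationFile",
    "SetBasicInformationFile", "SetEndOfFileInformationFile",
    "RegSetValue", "RegCreateKey", "RegDeleteValue", "RegDeleteKey",
}


def parse_trace(text):
    """Parse the CSV export into a list of event dicts with an integer PID."""
    events = []
    for row in csv.DictReader(io.StringIO(text)):
        row["PID"] = int(row["PID"])
        events.append(row)
    return events


def build_process_tree(events):
    """Rebuild parent/child links from Process Create events.
    Returns (children, names): children maps a PID to the PIDs it created,
    names maps a PID to the image name seen in the trace."""
    children = defaultdict(list)
    names = {}
    for ev in events:
        names.setdefault(ev["PID"], ev["Process Name"])
        if ev["Operation"] == "Process Create":
            m = re.match(r"PID:\s*(\d+)", ev["Detail"])
            if m:
                child = int(m.group(1))
                children[ev["PID"]].append(child)
                names[child] = ev["Path"].rsplit("\\", 1)[-1]
    return children, names


def subtree(children, root):
    """PIDs of root and all its descendants, like Procmon's Include Subtree."""
    seen, stack = set(), [root]
    while stack:
        pid = stack.pop()
        if pid in seen:
            continue
        seen.add(pid)
        stack.extend(children.get(pid, []))
    return seen


def is_write(ev):
    """Approximate Category is Write: a write operation, or a CreateFile that asks
    for write access or creates/overwrites the file."""
    if ev["Operation"] in WRITE_OPERATIONS:
        return True
    if ev["Operation"] == "CreateFile":
        d = ev["Detail"]
        return "Write" in d or "Disposition: Create" in d or "Disposition: Overwrite" in d
    return False


def changes_by_subtree(events, root_pid):
    """(process name, PID, operation, path) for every successful change made by
    root_pid or any process it spawned, in trace order."""
    children, names = build_process_tree(events)
    pids = subtree(children, root_pid)
    return [
        (names.get(ev["PID"], ev["Process Name"]), ev["PID"], ev["Operation"], ev["Path"])
        for ev in events
        if ev["PID"] in pids and ev["Result"] == "SUCCESS" and is_write(ev)
    ]


def main():
    events = parse_trace(SAMPLE_TRACE)
    children, names = build_process_tree(events)

    def show(pid, depth=0):  # print the tree the way the process tree view lays it out
        print("  " * depth + f"{names.get(pid, '?')} ({pid})")
        for child in children.get(pid, []):
            show(child, depth + 1)

    show(1000)
    for change in changes_by_subtree(events, 2000):
        print(change)


if __name__ == "__main__":
    main()
```

Run against the constructed trace, the subtree of the first cmd.exe (PID 2000) yields exactly the three system changes the tutorial describes: the file written in the temp directory by the child command prompt and the Run value set by the parent, while the unrelated svchost.exe write and the read-only operations drop out. Swap `SAMPLE_TRACE` for a real export (File > Save, CSV) to apply the same filter offline.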
and the first tool that I want to run is ZoomIt. Everybody familiar with ZoomIt? That's what I've been using to zoom around. Why am I not connecting to the network? That's annoying. Let me try this, because we want to get to the network. That's because I'm not on the wireless, and there we go. Actually, let me try getting on the show net instead so that my VMs work, and disconnect from the wire, and come back here (sorry about this), and wireless. All right, so let me try running ZoomIt and... oh, I can't run ZoomIt: the firewall has blocked it, and it's suspected to have infected my machine, and it's the type of virus that intercepts data and transmits it to a remote server. I didn't know the NSA had gotten onto my system that way.

So how do I run ZoomIt? Well, what I did when I ran across this piece of malware was ask: what does it try to block? Does it try to block Task Manager? Yeah, I just launched Task Manager, it didn't work. Does it try to block Regedit? Yeah. Does it try to block command prompt? Yeah. So it's blocking a lot of stuff, but what about these things? Paint? Oh look, I can run Paint. Huh, what if I rename ZoomIt to paint, will that work? Oh no, it's too smart, it still knows it's ZoomIt. But what if I put that in a different directory, like here in the Windows directory? Oh, there we go, ZoomIt. So there's a way to trick it by renaming stuff. Well, maybe I can just copy this to the Windows directory: Process Explorer... nope, doesn't like that. But what if I rename it? There we go. So we found a chink in its armor, and that's all we need. And we've submitted the hashes to VirusTotal, we're looking for our heuristics, and look at that: it stands out like a glowing beacon in the night. Packed, no description, no company name. VirusTotal, by the way, look: 21 of 45.

I can't launch IE, so what I can do though is I can go and do this: I can say kill it, and then I... oh, now I can't get it. Let me go to Autoruns. Now I can run Autoruns, and Autoruns will also find it, and then what I'll be able to do is now I can run command prompt. And here's where the path is, and by the way, look at this: this thing is actually digitally signed, and the certificate has not been revoked, and the guy has his name in there, Dmitri, so he's pretty proud of his work, even though I found some flaws in it. And let's go find this thing. Sigcheck: so I can do a Sigcheck and go to VirusTotal: sigcheck C:\Users\abby\AppData\Roaming\guard ferp, and we want to do a -vr, and that will open up, and I'll say Y, and that will open up VirusTotal, and we'll see which anti-malware doesn't know about this thing. So we see 21 of 45, and these are all the guys that don't know about this. That's just lameness. So that's the state of anti-malware right there, right in front of you. Of course Microsoft, we know what it is.

So that's a look. Now, cleaning this thing is as simple as going to Autoruns and doing this... actually, that's not a good way to clean it, because this thing has taken over as the shell, which has a couple of implications. One is that if you boot into safe mode, this thing will still run. The only way to get this thing not to run is to boot into safe mode with command prompt, which overrides the Shell value and launches cmd.exe. But what you really want to do here is to jump to entry, and this is just a good thing to know in your malware cleaning toolbox: the Shell should be... actually, I've deleted the Shell value; let me put it back by doing that. If I do Jump to Entry, Shell should be explorer.exe, as we saw earlier, and that fixes the machine. So now we can delete the file; we've cleaned the autostart, we've got our shell back, and this machine is now clean from this piece of malware.

Let's take a look at another one: unwanted software. Actually, I'm going to skip this one and go to one that's more interesting, so that we have some more time to spend on another case later. This one is my mom. My mom calls me and she says, "Mark, what the... what the... oh, what the is on my computer?" I'll try that: "What the is on my computer? I can't... this is my IE startup page, it's this browser thing, Artemis portal, even though I've got Bing as my startup page as you told me to put it." And then she's also getting this thing, this little toast, all the time, that says that her system's not backed up, even though I've got her system backing up to the cloud too. So she says, "I need you to clean this stuff." So I remote into her system, and I decided I'm gonna go after the backup toast first, and what I did is I just launched Process Explorer, I used the window finder to find where the backup toast was coming from. It's coming from this thing right here, My PC Backup, there. And then I launched Autoruns, and here you can see this thing is digitally signed too, so this is what we call unwanted software; I'll talk about that in a second. And so then I disabled that, so that had cleaned the unwanted software, and then I deleted the files off the disk, so that got rid of this My PC Backup thing.

And then the next thing I had to go after was this hijack of the browser start page. I go to her Internet Options, and sure enough, she wasn't lying to me, she had Bing up there. But when I launched IE I did get that same startup tab. So I'm like, how the hell is this thing still overriding this? When I looked at the process list in Process Explorer I saw nothing there; there was nothing in Autoruns. How is this thing hijacking the start page? So what I did was turn to Autoruns... sorry, Process Explorer. Let's take a look at the Process Explorer log file that I captured. So I captured a startup of IE, I went to the process tree, here's IE's startup right there, and I took a look, and look at that: it starts up with this command line, which if you enter that... that looks familiar, that's what it is. So how's this getting there? So I'm like, how's this command line getting there, when I don't see anything in the registry, I don't see any reference to this command line anywhere else in the Process Monitor trace? Anybody know what the answer is? Shortcut, that's right. It was the IE shortcut; it had changed to have this as the command line. So I went to the shortcut, deleted it, and now she had her Bing back as she wanted, and that was that case solved. And of course now she's bragging to all her friends about how I cleaned her machine for her; she's really proud of that. First thing she tells people when they come over to the house: "Mark cleaned my computer the other day," and they say, "Oh, can you clean my computer?" [Applause]

So let's talk about ransomware now. How many people have been hit by ransomware? Yeah, ransomware has gotten really, really bad, and let me show you some pictures of ransomware I've got collected, show you all the different flavors it comes in and all the kinds of things it does to try to scare you into paying these guys money. Here's one technique: you've got porn, child porn, on your machine, and we're the police, and you know what, we'll forgive you if you pay us. And the interesting thing about that, even if somebody real knows that this is suspicious or fraudulent, then they're like, I wonder... what if bad guys really did put child porn on my machine, so if I go to the authorities I'll get in trouble? What's kind of interesting is that there was this story back in January of this year that made the news: a guy walked into Best Buy with his computer and said, look, I've got malware, ransomware, that's telling me that I've got child porn on my machine, and the Best Buy guys took a look at his machine, and he did have child porn on his machine; it was his child porn. And then they called the police and arrested him, so that's not really smart. Here's one that's the German police, I don't understand, or some police; it speaks German and they're telling you: Attention, something, pay us money. And then this is the Russian approach to it, which is buy something and not... [Applause] And then here's another Russian one, and here's the FBI; what the FBI does is a lot of MoneyPak dealing. And then here's another one: this is, if you've got a webcam on, they turn on the webcam and look at you, and so you're like, oh, they take a picture using the webcam, and then you're like, oh my god, they've got my picture too.

So we're back to the beginning. I was told this as I was wandering in the audience; I didn't see this. This scourge has gotten so bad, this is the headline from USA Today, today, this morning, the front page. Did anybody see this? "Hackers holding computers hostage." This is the front page of USA Today, so this is, I think, timely. So when he told me that, I said, oh, I better add a ransomware section to the talk, so I did, right before we started, to make it really timely. I'm just kidding, I had it there already.

So here's one. Let's take a look at Ransom.FS. I'm going to go to Ransom.FS here and show you the first one. So Ransom.FS, the first thing it does... oops, I need to enable this; let me revert that, hold on. I made the mistake of not getting Process Monitor ready. So, lock screen: this is going to take over the desktop. I've got a Sysinternals tool called Desktops, so we can go to a secondary desktop and still interact with the tools, so we can look behind the scenes at what this thing has done. And this will launch in a second... well, it'll launch, and so that's why I've got this ready. What it's doing is contacting the web to reactivate itself at this point, so I'm going to jump ahead to the checkpoint I got with it already launched. And there it is, it's another one of those German guys. And if I come over here, I've captured a trace with Process Monitor of Category is Write; let's stop that. Let's open Process Explorer; we've got VirusTotal going on, and look, another bright shining light. This is a piece of malware; well, it would have a fake name if it really came down here, but it advertises itself as "heavy mud gem" is the description, I don't know what that means, and it's from NEC Computers, which I didn't know were still in business. And then I'm just kidding, that's... sorry, anybody work for NEC? Any NEC in here? Anybody? OK, so maybe I wasn't kidding. No, I'm just kidding.

Then we can... we can't launch IE, I did that again. We can't launch IE because IE would try to launch over here and we can't see it on that secondary desktop. So what I've just done is hung Process Explorer while it's trying to launch IE, so let me just revert that real quick and come back and let's do this again. Turn off the trace. And this would actually... if we launched it we'd see there are still four pieces of anti-malware that don't know about this thing. If we click on this thing and we go to Strings, and we go to Memory, one of the things I always do is just see if they've got any HTTPs in there, and sure enough they do. There's an HTTP sitting in here, and if we go to that, it's some website, some site; if you entered it in an IP tracker, I think it's in Germany, it's some place that's been hijacked, probably, and it looks like it's still active. But this is an example of how the strings will show you what's going on inside of the executable.

The other thing that we see in Process Explorer, which I didn't highlight earlier, so let me do this: Autoruns is here, see the autostart location, Winlogon\Shell, a very popular technique. So the exact same thing we do here to disable this thing is to right-click, Jump to Entry. But before we do that we've got to terminate this thing, and actually Explorer has been suspended by this thing as well, as part of it, so let's restart Explorer and now this will work... oh, maybe not. Here we go. No, that didn't work. Anyway, you get the picture; that's still hung.
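The Autoruns triage the talk applies by hand, in the Autoruns section earlier and again in the FakePAV and Ransom.FS cases above (hide verified Microsoft entries, look for unsigned images with no description or company name living in user-writable paths, and check that Winlogon\Shell still points at explorer.exe), as an added worked example in Python. This is not code from the talk or from Autoruns. It reads an Autoruns-style CSV export; the rows below are constructed, and the column names and the "(Verified)" / "(Not verified)" signer strings follow the Autoruns display but are assumptions here, as are the user-writable path markers. The recommended actions follow the talk's advice: uncheck, don't delete, and re-check with F5; for a hijacked Shell, put explorer.exe back.

```python
import csv
import io

# Constructed sample in the shape of an Autoruns CSV export. Entries, paths and
# signer names are made up for this example; they are not from a real system.
SAMPLE_AUTORUNS = r'''"Entry Location","Entry","Enabled","Category","Description","Company","Signer","Image Path"
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell","Shell","enabled","Logon","Windows Explorer","Microsoft Corporation","(Verified) Microsoft Windows","C:\Windows\explorer.exe"
"HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell","Shell","enabled","Logon","","","(Not verified) Example Signer","C:\Users\abby\AppData\Roaming\guard\fakeav.exe"
"HKCU\Software\Microsoft\Windows\CurrentVersion\Run","MyPCBackup","enabled","Logon","PC Backup Agent","Example Backup Ltd","(Verified) Example Backup Ltd","C:\Program Files\MyPCBackup\agent.exe"
"HKCU\Software\Microsoft\Windows\CurrentVersion\Run","winhost","enabled","Logon","","","","C:\Users\abby\AppData\Local\Temp\winhost.exe"
"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run","WindowsDefender","enabled","Logon","Windows Defender notification icon","Microsoft Corporation","(Verified) Microsoft Windows","C:\Program Files\Windows Defender\MSASCui.exe"
'''

# Path fragments that an ordinary user can write to; an autostart pointing there
# deserves a look. This list is an assumption for the example.
USER_WRITABLE_MARKERS = ("\\appdata\\", "\\temp\\", "\\users\\public\\", "\\programdata\\")


def parse_autoruns(text):
    """Parse the CSV export into a list of entry dicts."""
    return list(csv.DictReader(io.StringIO(text)))


def is_verified(entry):
    """True when Autoruns verified the image's Authenticode signature."""
    return entry["Signer"].startswith("(Verified)")


def is_microsoft(entry):
    """Verified and signed by Microsoft."""
    return is_verified(entry) and "Microsoft" in entry["Signer"]


def hide_microsoft_entries(entries):
    """What Verify Code Signatures plus Hide Microsoft Entries leaves on screen:
    third-party entries and anything whose signature did not verify."""
    return [e for e in entries if not is_microsoft(e)]


def triage(entry):
    """Reasons an entry deserves a closer look; an empty list means nothing stood out."""
    reasons = []
    path = entry["Image Path"].lower()
    if not is_verified(entry):
        reasons.append("unsigned or signature not verified")
    if not entry["Description"] and not entry["Company"]:
        reasons.append("no description and no company name")
    if any(marker in path for marker in USER_WRITABLE_MARKERS):
        reasons.append("image lives in a user-writable directory")
    if entry["Entry Location"].lower().endswith("\\winlogon\\shell") and not path.endswith("\\windows\\explorer.exe"):
        reasons.append("Winlogon Shell is not explorer.exe (shell hijack)")
    return reasons


def recommended_action(reasons):
    """The talk's cleanup advice for the kind of finding."""
    if not reasons:
        return "leave it"
    if any("shell hijack" in r for r in reasons):
        return "jump to the entry and set Shell back to explorer.exe, then terminate the process and delete the file"
    return "uncheck (disable) the entry rather than deleting it, then press F5 to see whether it comes back"


def triage_report(entries):
    """(entry, image path, reasons, action) for every visible entry with at least
    one reason, the entries with the most reasons first."""
    rows = []
    for e in hide_microsoft_entries(entries):
        reasons = triage(e)
        if reasons:
            rows.append((e["Entry"], e["Image Path"], reasons, recommended_action(reasons)))
    rows.sort(key=lambda r: len(r[2]), reverse=True)
    return rows


if __name__ == "__main__":
    for name, path, reasons, action in triage_report(parse_autoruns(SAMPLE_AUTORUNS)):
        print(f"{name}: {path}")
        for r in reasons:
            print(f"  - {r}")
        print(f"  -> {action}")
```

On the constructed rows, the two Microsoft-signed entries are hidden, the signed third-party backup agent is shown but raises nothing (the talk's "unwanted software" still needs a human decision), and the two unsigned images under the user's profile come out on top, with the per-user Winlogon\Shell entry flagged as a shell hijack and given the restore-explorer.exe action rather than a plain disable.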
What I need to do is terminate that piece of malware and then IE would launch. So that's a quick look at this ransomware. Now the next piece of ransomware that I'm going to show you is one of the most notorious pieces of ransomware out there; somebody was talking to me today about it as I was walking around. CryptoLocker, also known as Crilock, is a piece of ransomware that doesn't just lock the screen like the ones we've seen; it encrypts the files on your disk. And it does so not just using any old made-up crypto stuff, which is really insecure; it uses the proper SDL-endorsed technique of using the Microsoft crypto libraries. So this is the right way to write crypto malware, if you're going to do it: use the crypto libraries, don't make up your own crypto engine. So let's go launch it and see how CryptoLocker looks in action. These are snapshots from a while ago. CryptoLocker is stealthy, and they move around; they move their beaconing servers that they talk to, they use the Tor network, so this sample... you know, you get a fresh sample, it works for a week or two, and then it'll stop working, because the beaconing locations that it is designed to go to have changed. So I've just launched this thing, and it's not going to do anything, because it's actually going and talking to the beaconing server, and the beaconing server is not responding, so this is dead in the water at this point. Fortunately I've captured screenshots of this thing already active, or captured checkpoints of this thing already active. So if I go back and take a look, this is what it comes up and tells you: that you have a certain amount of time to pay up or it's actually going to delete your key. So what it does is it uses a private/public key pair; the private key's up on their servers, the public key is what's been used to encrypt the files, and you need to upload information to that server so that it'll verify that you've paid and then hand back the private key to decrypt the files on disk. And if you don't do that within a certain amount of time, they basically say we're not going to guarantee that we have your private key anymore, and so your files might be unrecoverable. And they actually make true on that promise, and that threat, that the files are really unrecoverable at that point. So this is more serious than the other ones that I've talked about.

Let's take a look at what this thing does underneath the hood, and let's take a look at what Process Explorer shows. So the first thing is, let's take a look at IE to see how many anti-malware engines recognize this particular variant: 41 of 53, and I'm sure Microsoft is... oh, is one... never mind. [Applause] What's ironic about this is this sample was given to me by the Microsoft anti-malware team, so maybe they just haven't gotten around to adding it yet, or they forgot about it, but I'll make sure to let them know. You can see this thing also advertises itself: the description is "Microsoft Windows Auto Update," but it has no company name; of course it's going to be unsigned, no signature was present. So this shows up with many of the characteristics. And if we look at what it's done under the hood, let's take a look at my Pictures folder. So I put some sample pictures in here to try to lure it into doing what it does, and this is now how the Pictures folder looks. Normally we'd see icons here; I made a backup, this is what we should see there, but this is what we see now: can't open, because the photo viewer doesn't support this file format. These files have been encrypted. And if we search through this (I've got Category is Write enabled here) we're going to see it doing stuff to those pictures. Let me set a filter here, and I'll take a look at that process tree, so you can look at a filter for the process or its child processes as well, and you can see here it's writing to a file, Chrysanthemum.jpg.temp, and what it's going to do is, this is the encrypted version of the file, and then it's going to rename the original version and also put some information. So here it's going to rename to... well, it started on Desert.jpg here, so you can see the rename here for Desert. But also, before it starts encrypting, it sets the value to record what key it's going to be encrypting with. So here's the CryptoLocker registry key that it creates; this way when the private key comes down it knows which keys it used to encrypt information. So you can see here is its public RSA key right there that it knows how to talk to the server with. So we can see all of that information here in the Process Monitor trace. Cleaning this piece of malware off the machine is as simple as going into Autoruns, saying F5, and then doing this: you can see it's put itself into two places, into Run and RunOnce, and we can delete it like that. But you know what, we're still screwed, because our files are encrypted. So that's the sad thing about this one: yeah, you can clean it, but unless you've got a backup of your files you're still out of luck. So this is a strong lesson in backing up your files, so that you can get back to a clean, good system.

Now let's talk about a corporate infection. This is something I see more and more of: people sending me cases where they've gotten infected on their corporate network, and this is an interesting case because this is another zero-day piece of malware where they hit a company. This started with symptoms: the company was seeing signs of malware throughout their network. What they would see is emails being sent to various employees' contact lists, blast email spam; they would see pop-ups on desktops, and they correlated this to everybody that came across this having been working on an Excel file called holiday.xls. So they looked at all these employees that are exhibiting these characteristics; they're all working on this holiday.xls file, I guess where they're planning their holidays together or something. And so they did antivirus, extra antivirus full scans, on these people's systems; didn't find anything, completely clean. So they contacted Microsoft support. Microsoft support came in and looked in the Excel startup directory. So this is Excel's XLSTART; by default Excel will open any files that are in this directory, and the file that they saw there was this file called k4.xls. Question was, OK, what's that file doing there? They asked the company: this is not a legitimate Excel file, so they deleted it. A few minutes later, the file comes back. So at that point they turned to Process Monitor to capture a trace of the startup, and let's go take a look at that trace right now. And if you can see in the process tree, this shows you an inner look at the way that processes behave: you see Excel spawning command prompt, which spawns this attrib command, as well as two other command prompts, and the parameters of those command prompts are all related to that k4.xls. So this thing is creating the thing, hiding the thing, deleting the thing, recreating it. So it's using this file as an infection propagation vector, and you can see here it's even putting it in another place as well. So just a few minutes of Process Monitor watching the startup of that thing was enough to let them know what's going on.

Now the question was, how is that thing getting launched from Excel? So they looked at the stack for the original launch of that command prompt. So we can do this: Go to Event, and that will take us to the very first event in the list, and if we go up, this is the Excel line, the Process Create for that command prompt. Let's take a look at the stack. What the stack does is show us the functions that were invoked to get to that operation, starting in reverse order. So at the very bottom, Excel started its life, and then called up into here to actually create that file, or to create... to launch that process. In the middle we see vbe7.dll, so the question was, is this a malicious thing? And it's not; it's the Visual Basic design runtime environment. So this thing is a VBS macro virus sitting in Excel that is creating this Excel spreadsheet to propagate itself, and that's what they were able to determine using this stack trace. So they submitted the holiday.xls file, which is obviously the infected root file, to the anti-malware team, and they did analyze it, and now this thing has been classified as a piece of malware by the Microsoft anti-malware engine, so other people that run across this particular malware will get it automatically cleaned. It's the Mailcab.A virus. So the bottom line there is, Process Monitor, just a few minutes there, pointed right at the root cause of this thing: this k4.xls file is actually the root cause, and it's being generated by a VBS macro virus that came out of that original holiday.xls file, so confirming the suspicions of the IT pro department.

The last case I'm going to show you is one that's really kind of... I have to give kudos to the author of this particular piece of malware, because it launches in a very clever way; rather, I'd say it gains admin rights on the machine in a very clever way. This piece of malware is called Sirefef. Oh, by the way, I've got to share this; some of you have seen this before, but it's just such a classic quote. This is for all of them: "Give a man a stolen credit card and he'll eat like a king for a day; teach a man to phish and he'll be set for life." And of course that's from Nigeria. [Applause] So this Sirefef virus, you can see that this thing is also quite popular; this is the red line here from the last threat intelligence report from Microsoft. This thing, let's get that launched, uses a technique to hijack a launch of a legitimate process asking for admin rights to get admin access to your machine. So I've got Process Monitor here ready to go; I'm going to turn on tracing so we can see how it's doing it, and then I'm going to launch Sirefef. So in a second here I'm going to get a UAC prompt, and what is that UAC prompt? All right, no, that's not a piece of malware; that's legitimate software, as much as it enables malware. This is the Adobe Flash Player, and if I say yes... you saw that it had the blue thing that says it's digitally signed, so that is the legitimate Adobe signature on that thing; it's the real Flash installer, the out-of-the-box generic Flash installer. I don't need to go through the rest of this, because this thing is already activated, it's already gained admin rights, and it's already set itself as an autostart on my system.

How did it do that? Let's go back to Process Explorer, or our Process Monitor, and let's take a look at what happened. And we've got Category is Write on, so I can go to the process tree, and you can see Sirefef here launching InstallFlashPlayer, and then that installs that, and these are both from Adobe; they say that they're from Adobe Flash, and if we went and took a look at the digital signatures on them and checked VirusTotal on them, these are the legitimate binaries. So something Sirefef is doing is influencing the behavior of InstallFlashPlayer, when it gets admin rights, to execute the malware. How is it doing that? It's not via the command lines, because these command lines are generic; they have no parameters except for this iv6, which is innocuous. So how is this thing getting itself injected into Adobe? Let's say Include Process, and now we're just going to look at what Sirefef did to the machine. Say Close, and we're going to go up to the top; this is the full trace of all the things that it did to the machine. And so it did some things, and by the way, this piece of malware only installs itself... it's really aimed at corporate networks; it only installs itself if you've got the Google Enterprise Chrome client installed. So there's a Google Chrome enterprise version that you install on corporate networks, and that's installed on this machine. If I didn't have that installed, this malware would not activate. So it's hijacking... it's trying to make itself look like the Google Chrome enterprise updater, as you'll see.

And so the first things we can see it do here is drop itself into interestingly named directories, and those directories are Local\Google\Desktop, which is a limited directory, install, some "goog", "good grid", and then some funny character paths. This is using Unicode characters to fool most utilities that parse paths, so they're not able to get into that directory where this thing is sitting. We're going to go in there anyway and get around it. And then you can see it's setting itself as a Run in the Google Update key, and then it's also dropping this file right here, msimg32.dll. What is msimg32.dll? There's a legitimate one right there; this is the real msimg32.dll, and you can see that this is the GDI Extension Client DLL. Why is it dropping this? Let's reset the filter and then see who reads this. So I'm going to just do Include on that, and now scroll over, and there it is: InstallFlashPlayer, which is the Adobe installer, is reading this file. Why is it reading that file? Because the DLL load for that particular DLL, through the DLL loading, goes to the current directory before it searches the path. So it launches the Adobe installer with the current directory set to a place where it dropped this malicious version of that DLL, so that when the Adobe installer goes to load it, it loads the malicious version; the malicious version activates, and it's basically hijacked that msimg32. Let's go take a look if it's still there: C:\Users\abby\AppData\Local\Temp, and it's gone, it's deleted, so we can't get at it. But what it will do is activate itself, but then also have the legitimate msimg32 code in it so that the installer continues to function as normal, but now the thing has just been given admin rights, loaded into the Adobe Acrobat, so the Flash Player installer.

If I do an F5 now, you can see the legitimate Google updater here, which shows up as verified, and then you can see two instances of the autostart for this fake thing here, in the Run key, Google Update (and this is actually Russian, that's not showing up right), and then in services as well. So it installs itself in two places, just in case you find one and you miss the other. And where is it sticking itself? In that weird, funky directory. So if I do copy and I do cd to that directory... actually, let's do this: I'm going to do notepad, and let's try. And you can see the Russian in here, by the way, and you can see that I'm pressing forward but the selection is going backwards, because it's using funny Unicode stuff to go left-to-right, right-to-left rather. Let me instead do this: I'll go and copy it from here. That's not where I wanted. Where's the Google Update thing? So I want to do Sirefef, and we're just going to go into that directory real quick. So I'm going to say Add to Include Filter and then search for update, and here's the path, so say copy, and then say cd, paste, and we're in. And when I do dir, I don't see anything, but if I do dir /a... oh, I don't see anything. I saw something earlier today, so I don't know why I'm not seeing it. Is that the right directory? OK, well, I guess every demo with malware is an interesting one, but I was able to get in there and see the files that it had dropped in there earlier. Oh, you know what, I wonder if I didn't let it run long enough through the installer, or capture enough of the trace, to see the ultimate location where it dropped itself. But if I do this, the file is there. So what's going on here is that the same path... hmm. OK, well, I can't find it, but what we'd find is that this thing would show up as malware. And this thing also reaches out to the network, so if we look at network traces for this thing, so if I get rid of Category is Write, we're going to see it hitting the network, which is going
to prevent it from activating fully because this thing you can see static reverse lookups here if i do this and this and then now we can see it looking up various places on the web and here's the static softlayer.com and i suspect that something in here is causing it not to to activate but in any case what we've just seen is that auto runs both points at the auto start locations and process monitor shows us exactly how it's configuring itself on the system and process monitor is also showing us how it's active talking on the network and so this is a way that you would be able to take a look at a machine see that it's potentially infected otter runs would show you what's going on process explorer again would show you what's going on but my point with showing you this is the clever techniques that hackers are using now more and more i expected things to get this sophisticated a long time ago and it's just only recently that we're starting to see these kinds of clever tricks for malware to gain admin rights on a system for example so that brings me to the conclusion of the talk and i want to summarize just that these trends have been ongoing you see people's now saying antivirus is dead you saw examples after example in this talk of pieces of malware that are well known by certain number of anti-malware engines that are unknown by others which just shows you that you're very likely to run across malware in the wild that's not known and that's why these particular tools and techniques are essential if you want to keep abreast on on your own to get an idea of what's going on with malware of course if you run across something really sophisticated and these tools only take you so far that's when you call in professional help but at least at that point you're paying good money for somebody to come in and really do a professional job if you can't get it done in many cases you can certainly with your family and friends computers you should be able to get the job done in most 
of the cases like i have done on my families and friends and mom systems and i want to leave you with one last thing and that is how many of you read the book zero day this is uh it talks officially over so you're welcome to go if you'd like to but those of you that have read zero day you know that i've been uh i've written several novels zero day being the first it's a cyber thriller what i tried to do was make it interesting and address an audience like you guys where you read it and don't go oh the aliens infected the satellite with a piece of mack malware so i really try to keep it authentic and each one to each of the three novels that takes us a look at a certain aspect of cyber security in the world what's going on in the world the first one cyber terrorism the second one state sponsored cyber espionage and the third one road code is coming out officially on may 20th and i've got a little video trailer that i'd like to show you here on my personal website jeff eakin xcia as head of counter cyber terrorism he predicted 911 he stopped cyber warfare from al qaeda but when he's asked to investigate vulnerabilities at the new york stock exchange someone wants him stopped permanently from the real life cyber security expert mark rusinovic the key to a world financial empire is the rogue code [Music] so it took me forever to get my voice to sound like that but [Applause] but i'm doing uh the reason i want to point this out is this book is available to you ahead of the general public in the book tekken bookstore and i'm doing a book signing at noon so i'm going to run over there real quick so i apologize if i don't have really time to take questions here on the way out but i hope to see you at the bookstore and if not there then the case then explain back in this room at one o'clock for my last session of the week and have a great lunch thanks you
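As an added, defender-side example that is not part of the talk: a small Python script that scans constructed Process Monitor-style CSV lines for the two behaviors the demo walks through, a system DLL name (msimg32.dll) being loaded from outside the Windows system directories, which is the search-order hijack, and file paths containing Unicode bidirectional override characters, which is the right-to-left trick that made the directory hard to handle. The DLL watchlist, the process name dropper.exe, and all log lines are constructed assumptions, not data from the talk.

```python
"""Added example (not from the talk): flag DLL search-order hijacks and
Unicode bidi-override paths in Process Monitor-style CSV log lines."""
import csv
import io

# Watchlist of DLL names that should only be mapped from the Windows system
# directories. msimg32.dll is the one hijacked in the demo; the others are
# constructed additions for illustration.
SYSTEM_DLLS = {"msimg32.dll", "version.dll", "dwmapi.dll", "cryptbase.dll"}
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")

# Unicode bidirectional embedding/override/isolate controls (U+202A..U+202E,
# U+2066..U+2069). U+202E, right-to-left override, is the one that makes a
# path render backwards in tools that honor bidi text.
BIDI_CONTROLS = {chr(c) for c in range(0x202A, 0x202F)} | {chr(c) for c in range(0x2066, 0x206A)}

# Constructed Procmon-style export (Process Name, Operation, Path, Result).
SAMPLE_LOG = """Process Name,Operation,Path,Result
dropper.exe,CreateFile,C:\\Users\\abby\\AppData\\Local\\Temp\\msimg32.dll,SUCCESS
install_flash_player.exe,Load Image,C:\\Users\\abby\\AppData\\Local\\Temp\\msimg32.dll,SUCCESS
install_flash_player.exe,Load Image,C:\\Windows\\System32\\gdi32.dll,SUCCESS
dropper.exe,RegSetValue,HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Google Update,SUCCESS
dropper.exe,CreateFile,C:\\Users\\abby\\AppData\\Local\\Google\\Desktop\\Install\\\u202eexe.gpj,SUCCESS
"""


def find_suspicious(log_text):
    """Return (process, reason, path) tuples for rows matching either check."""
    findings = []
    for row in csv.DictReader(io.StringIO(log_text)):
        path = row["Path"]
        low = path.lower()
        if row["Operation"] == "Load Image":
            name = low.rsplit("\\", 1)[-1]
            # A system DLL name mapped from anywhere but System32/SysWOW64 is
            # the signature of a search-order hijack: the loader looks in the
            # current directory before searching PATH, as the talk describes.
            if name in SYSTEM_DLLS and not low.startswith(SYSTEM_DIRS):
                findings.append((row["Process Name"], "dll-search-order-hijack", path))
        # Bidi control characters have no business in a real file path.
        if any(ch in BIDI_CONTROLS for ch in path):
            findings.append((row["Process Name"], "bidi-override-in-path", path))
    return findings


if __name__ == "__main__":
    for proc, reason, path in find_suspicious(SAMPLE_LOG):
        print(f"{reason}: {proc} -> {path!r}")
```

Point the same function at a real Procmon CSV export (File > Save, CSV format) to get the same two classes of hits over a live trace.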
Info
Channel: Mark Russinovich
Views: 62,609
Id: vW8eAqZyWeo
Length: 86min 36sec (5196 seconds)
Published: Thu Jul 23 2020