Advanced Windows Malware Removal - PowerPoint PPT Presentation

Slides: 82
Provided by: toor4

Transcript and Presenter's Notes

1
Advanced Windows Malware Removal
Brandon Enright, bmenrigh@ucsd.edu
Available at http://noh.ucsd.edu/bmenrigh/advanced_malware.ppt
2
Part 1: Preparation
3
Obtaining the tools
  • General Purpose
    • Process Explorer (www.sysinternals.com)
    • Autoruns (www.sysinternals.com)
    • TCPView (www.sysinternals.com)
  • Special Purpose (rootkits, etc.)
    • Rootkit Revealer (www.microsoft.com)
    • RKDetector2 (http://www.rootkitdetector.com/)
    • IceSword (http://www.xfocus.net/)
    • GMER (http://www.gmer.net)
    • RKUnhooker (http://rkunhooker1.narod.ru)

4
Preparing the Infected Machine for Cleanup
Any software that can slow down or interfere with
malware removal should be stopped or removed.
This includes anti-virus software, System
Restore, the Recycle Bin, etc.
  • Some of the changes to make include:
    • System Restore (off)
    • Recycle Bin (off)
    • Disk Cleanup (no extra files)
    • Folder Options (no hidden)
    • Power Button Shutdown (off)
    • Hibernation (off)
    • Reboot on BSOD (on)
    • Data Execution Protection (off)
    • Unmount unneeded volumes (optional)

5
Turning off System Restore
6
Turning off the Recycle Bin
7
Un-hiding files and options
8
Removing Clutter
This should be done so that tools that scan the
hard drive have less to examine.
9
Allowing Hard Shutdowns
This should be done so that a machine can be
forced off without notifying the Operating System.
10
Turning off Hibernation
This is a precautionary measure usually only
needed for laptops.
11
Enabling Automatic Restart on BSOD
It is often useful to BSOD the machine to shut it
down once winlogon.exe and other services have
been killed.
12
Disabling Data Execution Protection
DEP can stop malware or restart the machine
unexpectedly during removal. If this happens at
the wrong time you may have to start over.
13
Unmounting Unnecessary Volumes
The fewer files exposed to the malware and
removal tools the better.
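The preparation list on slide 4 is shown in the deck as a series of GUI dialogs (slides 5 to 13). As an added example that is not part of the original presentation, the same settings can be applied from an elevated PowerShell prompt. It assumes a Windows 7 or later machine (Disable-ComputerRestore, bcdedit and powercfg); on the XP-era systems the deck targets, DEP lives in boot.ini and the Recycle Bin key has only the single form noted below.

```powershell
# Added example (not from the slides): apply the slide-4 preparation list
# non-interactively. Run from an elevated PowerShell on the infected box.
# Assumption: Windows 7+ tooling; XP uses boot.ini /noexecute for DEP.

# System Restore (off): also purges the existing restore points on that drive
Disable-ComputerRestore -Drive "$env:SystemDrive\"

# Recycle Bin (off): NukeOnDelete makes deletes bypass the bin. XP keeps it
# directly under BitBucket; Vista+ keys it per volume (both forms are set).
$bucket = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket'
New-Item -Path $bucket -Force | Out-Null
Set-ItemProperty -Path $bucket -Name NukeOnDelete -Value 1 -Type DWord
Get-ChildItem -Path "$bucket\Volume" -ErrorAction SilentlyContinue |
    ForEach-Object { Set-ItemProperty -Path $_.PSPath -Name NukeOnDelete -Value 1 -Type DWord }

# Folder Options (no hidden): show hidden files, protected OS files, extensions
$adv = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'
Set-ItemProperty -Path $adv -Name Hidden          -Value 1 -Type DWord
Set-ItemProperty -Path $adv -Name ShowSuperHidden -Value 1 -Type DWord
Set-ItemProperty -Path $adv -Name HideFileExt     -Value 0 -Type DWord

# Power Button Shutdown (off): action 0 = "do nothing", so a press no longer
# triggers a graceful shutdown and only a hold-to-power-off takes effect
powercfg.exe /setacvalueindex SCHEME_CURRENT SUB_BUTTONS PBUTTONACTION 0
powercfg.exe /setdcvalueindex SCHEME_CURRENT SUB_BUTTONS PBUTTONACTION 0
powercfg.exe /setactive SCHEME_CURRENT

# Hibernation (off): also removes hiberfil.sys from the disk
powercfg.exe /hibernate off

# Reboot on BSOD (on)
Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\CrashControl' `
    -Name AutoReboot -Value 1 -Type DWord

# Data Execution Protection (off): takes effect after the next reboot
bcdedit.exe /set '{current}' nx AlwaysOff

# Unmount unneeded volumes (optional): drop the drive letter of a data volume,
# e.g. D:, so neither the malware nor the scanners touch it
# mountvol.exe D:\ /D
```

Every change here is a deliberate weakening of the box for the duration of the cleanup (no restore points, no DEP, deletes that skip the bin), so reverse them once the machine is clean.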
14
Part 2: Removal
15
Example 1: Gaobot (a common IRC bot)
16
Gaobot
Gaobot/Agobot is an open source IRC bot designed
to spread to a wide variety of Windows machines.
The Gaobot source was the basis for the Phatbot
family of bots, some of the most sophisticated
IRC bots yet made.
Gaobot has a few anti-removal techniques that are
more sophisticated than the typical worm:
  • Anti-Removal techniques
    • Runs as a service
    • Re-spawns when killed
    • Fixes its registry keys when tampered with

17
Virus Total Scan of Gaobot
18
Process Explorer View of Gaobot
19
Re-spawning Action of Gaobot
When killed (process in red), Gaobot uses a
Windows Service feature to restart itself
(process in green).
20
The Gaobot Service as Seen From Autoruns
This is how Gaobot loads when the computer boots
(uses redundant methods).
21
The Gaobot Service as Seen From the Services
Snap-In
An alternate view of the Gaobot Service.
22
Suspending Gaobot
Suspending Gaobot stops it from running without
killing it. This allows for removing the service
without it being re-made.
23
Killing Gaobot
Once the service is removed, Gaobot can't
re-spawn when killed.
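Slides 22 and 23 rely on ordering: freeze the bot first, unregister the service while it is frozen, and only then kill it. As an added example (not code from the presentation), the script below does those steps from PowerShell. It assumes the service name has already been read from Autoruns or the Services snap-in (the name here is a placeholder) and that pssuspend.exe from Sysinternals is on the PATH.

```powershell
# Added example (not from the slides): remove a self-respawning service bot in
# the order slides 22-23 use. Assumptions: $ServiceName is a placeholder for
# the name found in Autoruns; pssuspend.exe (Sysinternals) is on the PATH.
param([string]$ServiceName = 'PLACEHOLDER_BOT_SERVICE')

# 1. Locate the service registration and the process backing it
$svc = Get-CimInstance Win32_Service -Filter "Name='$ServiceName'"
if (-not $svc) { throw "service $ServiceName not found" }
"binary: $($svc.PathName)  pid: $($svc.ProcessId)  start: $($svc.StartMode)"

# 2. Suspend rather than kill. A suspended process can neither repair its
#    registry keys nor ask the SCM for a restart, and nothing observes a death.
if ($svc.ProcessId) { pssuspend.exe -accepteula $svc.ProcessId }

# 3. Disable and delete the registration while the process is frozen. With a
#    running process the delete is only marked pending; it completes at step 4.
sc.exe config $ServiceName start= disabled
sc.exe delete $ServiceName

# 4. Now the kill is final: with no service left, the SCM has nothing to restart
if ($svc.ProcessId) { Stop-Process -Id $svc.ProcessId -Force }

# 5. Confirm nothing came back under the same name or binary path
Get-CimInstance Win32_Service |
    Where-Object { $_.Name -eq $ServiceName -or $_.PathName -eq $svc.PathName }
```

If step 5 prints a service, a second copy (often under a different name, since slide 20 notes Gaobot uses redundant load methods) re-registered it, and the same sequence is repeated for that one.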
24
Example 2: Backdoor.CAY (a stealth keylogger)
25
Backdoor.CAY
This backdoor is a stealth keylogger. It employs
some rootkit-like techniques to hide its process
and files.
Backdoor.CAY uses several techniques to stay
hidden and resist removal.
  • Anti-Removal techniques
    • Injects DLLs into Explorer
    • Hides main process
    • Hides folder and files from Explorer

26
Virus Total Scan of Gaobot
27
Viewing the Injected DLLs
The only obvious indication of the infection are
the injected DLLs in Explorer.
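Since an injected DLL is the only visible symptom here (and again on slides 51, 61 and 70), a quick way to find it is to list every module loaded into the process of interest and flag the ones loaded from outside the Windows directory, carrying the Hidden attribute, or lacking a valid Authenticode signature. The script below is an added example, not part of the deck; it assumes an elevated prompt so all module lists are readable, and its output is a lead list for the analyst, not an auto-kill.

```powershell
# Added example (not from the slides): audit modules loaded into explorer.exe
# (or every process with '*'). Assumptions: run elevated; unsigned is a lead,
# not proof, and on older Windows many system DLLs are catalog-signed only,
# so the Signature column there reads NotSigned for legitimate files too.
param([string[]]$ProcessName = @('explorer'))

$windir = $env:SystemRoot.ToLower()
$seen = @{}   # module path -> PIDs it is loaded in, so each DLL is reported once

foreach ($p in Get-Process -Name $ProcessName -ErrorAction SilentlyContinue) {
    foreach ($m in $p.Modules) {
        $path = $m.FileName
        if (-not $path) { continue }
        if (-not $seen.ContainsKey($path)) { $seen[$path] = @() }
        $seen[$path] += $p.Id
    }
}

$findings = foreach ($path in $seen.Keys) {
    $item = Get-Item -LiteralPath $path -Force -ErrorAction SilentlyContinue
    $sig  = Get-AuthenticodeSignature -FilePath $path -ErrorAction SilentlyContinue
    $outsideWindows = -not $path.ToLower().StartsWith($windir)
    $hidden   = $item -and ($item.Attributes -band [IO.FileAttributes]::Hidden)
    $unsigned = (-not $sig) -or ($sig.Status -ne 'Valid')
    if ($outsideWindows -or $hidden -or $unsigned) {
        [pscustomobject]@{
            Module    = $path
            Signature = if ($sig) { $sig.Status } else { 'Unreadable' }
            Signer    = $sig.SignerCertificate.Subject
            Hidden    = [bool]$hidden
            Pids      = ($seen[$path] | Sort-Object -Unique) -join ','
        }
    }
}

$findings | Sort-Object Module | Format-Table -AutoSize
```

Run it with `-ProcessName '*'` for the Autoflooder and Qoologic cases, where the DLL sits in every user process: a module that appears in every PID, from a path outside the Windows directory, is the injected one, and the Pids column tells you which processes must be stopped before the file can be deleted.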
28
The Startup Method
29
Trying to View the Folder
The fa folder doesn't show in Explorer.
30
Rootkit Revealer Shows the Hidden Files
31
IceSword can Reveal the Process
32
IceSword Shows the Keyboard Hook
33
RKDetector2 shows the Folder
34
Deleting the Files with RKDetector2
35
Forcing a Reboot
Killing Winlogon will force a BSOD which will
restart the computer without any process being
given warning. To kill winlogon.exe without
causing a BSOD, first kill smss.exe.
36
Backdoor.CAY Failing to Start After Reboot
37
Explorer Now Can See the Folder
38
Example 3: Hacker Defender (a full-feature user-mode rootkit)
39
Hacker Defender
Hacker Defender is a full-feature popular Windows
Rootkit. On its own it provides little more than
cloaking for other tools. In this example it has
been packaged with a set of IRC zombie tools.
Hacker Defender avoids removal by trying to avoid
detection.
  • Anti-Removal techniques
    • Can hide files
    • Can hide processes
    • Can hide registry keys
    • Can hide TCP/UDP ports
    • Can hide disk usage

40
Virus Total Scan of Package
41
Process Explorer Doesn't See Anything
42
Process Explorer Frequently Crashes
43
IceSword Shows Several Hidden Processes
These processes could not be seen with Process
Explorer.
44
IceSword Shows a Hidden Port
45
Even Invisible, the Port can be Telneted to
46
IceSword Shows Hidden Services
47
Stopping the Service Removes Hacker Defender
Hacker Defender can also be removed with IceSword
by killing the process and performing basic
removal.
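Slides 43 to 46 work because IceSword takes a different path to the data than Process Explorer does. The same idea, comparing two views that should agree, can be scripted. The block below is an added example and not part of the presentation: it compares services registered in the registry against what the Service Control Manager enumerates, parent PIDs against the visible process list, and netstat's output against the TCP API. It assumes an elevated prompt and Windows 8 or later for Get-NetTCPConnection. A user-mode rootkit that hooks every process in the session can fool both sides at once, which is why the deck falls back to IceSword and to telnetting to the hidden port from another host.

```powershell
# Added example (not from the slides): cross-view checks for hidden services,
# processes and listeners. Assumptions: elevated prompt; Windows 8+ for
# Get-NetTCPConnection. Differences are leads to investigate, not verdicts.

# --- services: registry versus SCM ---
$regServices = Get-ChildItem 'HKLM:\SYSTEM\CurrentControlSet\Services' |
    Where-Object {
        $p = Get-ItemProperty $_.PSPath -ErrorAction SilentlyContinue
        ($p.Type -in @(16, 32)) -and $p.ImagePath   # Win32 services only, not drivers
    } | ForEach-Object { $_.PSChildName }
$scmServices = Get-Service | ForEach-Object { $_.Name }
$onlyInRegistry = Compare-Object @($regServices) @($scmServices) |
    Where-Object SideIndicator -eq '<=' | ForEach-Object InputObject
"services registered but not enumerated by the SCM: $($onlyInRegistry -join ', ')"

# --- processes: parent PIDs versus the visible process list ---
# A PID that appears as someone's parent but never as a process is either a
# parent that has exited (common, e.g. the installer of a service) or one
# that is being hidden; check each against the tool views on slides 43-46.
$procs = Get-CimInstance Win32_Process
$visible = $procs.ProcessId
$ghostParents = $procs.ParentProcessId | Sort-Object -Unique |
    Where-Object { $_ -ne 0 -and $_ -notin $visible }
"parent PIDs with no visible process: $($ghostParents -join ', ')"

# --- listeners: netstat's text output versus the TCP API ---
$viaNetstat = netstat.exe -ano | Select-String 'LISTENING' | ForEach-Object {
    (("$_" -split '\s+')[2]) -replace '.*:', ''    # local port from "addr:port"
}
$viaApi = (Get-NetTCPConnection -State Listen).LocalPort | ForEach-Object { "$_" }
Compare-Object @($viaNetstat | Sort-Object -Unique) @($viaApi | Sort-Object -Unique) |
    ForEach-Object {
        $side = if ($_.SideIndicator -eq '<=') { 'netstat only' } else { 'API only' }
        "port $($_.InputObject): $side"
    }
```

A service that exists under the Services key but is missing from Get-Service is the registry-level equivalent of slide 46 (IceSword showing a service the snap-in does not), and stopping it is the removal step slide 47 describes.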
48
Example 4: Autoflooder (an ADS hidden injected DLL)
49
Autoflooder
Autoflooder was one of the first widespread
malware to use NTFS Alternate Data Streams to
hide its presence. This sample of Autoflooder is
over 3 years old and even though most anti-virus
can detect the DLL alone, few can detect it in an
ADS and even fewer can remove it.
  • Anti-Removal techniques
    • Uses an ADS on the systemroot\system32 folder
    • Injects into all user processes
    • Remakes registry keys when tampered with

50
Most AV Can Detect the Autoflooder DLL by Now
51
ADS DLL Can be Seen Injected into Process
Explorer
Autoflooder has injected itself into every user
process.
52
RKDetector2 Can Show ADS on System32 Folder
53
Editing the ADS Reveals Some Interesting Text
All versions of Autoflooder carry a similar
notice. It is doubtful the malware wasn't
released deliberately. The removal method given
does work correctly.
54
Scheduling an Interactive Command Prompt
By scheduling a command prompt one minute in
advance we can elevate to SYSTEM privileges.
55
CMD.EXE running as NT AUTHORITY\SYSTEM
56
Overwriting the ADS
Output redirection is one of the commands that
will accept an ADS as a valid path.
57
Deleting the ADS
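Slides 52 to 57 find the stream with RKDetector2, overwrite it with output redirection (the only way cmd.exe on XP could touch it) and then delete it. As an added example, not from the presentation, the same enumeration, inspection and removal can be done in PowerShell 3 or later, which understands streams directly. The stream name below is a placeholder standing in for whatever the listing step reports.

```powershell
# Added example (not from the slides): list, inspect and remove an alternate
# data stream on the System32 directory. Assumptions: PowerShell 3+ for the
# -Stream parameter; $name is a placeholder for a stream found in step 1.
$dir = Join-Path $env:SystemRoot 'System32'

# 1. A directory normally carries no named streams, so anything listed here
#    is worth a look. ('dir /r' in cmd.exe shows the same on Vista+.)
Get-Item -LiteralPath $dir -Stream * -ErrorAction SilentlyContinue |
    Where-Object { $_.Stream -ne ':$DATA' } |
    Select-Object Stream, Length | Format-Table -AutoSize

# 2. Inspect without modifying: read the bytes, check for a PE header, hash it
$name  = 'PLACEHOLDER_STREAM.dll'
$bytes = Get-Content -LiteralPath $dir -Stream $name -Encoding Byte -ReadCount 0
if ($bytes.Length -ge 2 -and $bytes[0] -eq 0x4D -and $bytes[1] -eq 0x5A) {
    "$name holds a PE image ($($bytes.Length) bytes)"
}
$sha256 = [System.Security.Cryptography.SHA256]::Create().ComputeHash($bytes)
"SHA256: " + (($sha256 | ForEach-Object { $_.ToString('x2') }) -join '')
# Keep a copy for the AV vendor / later analysis before the stream is gone
Set-Content -LiteralPath "$env:TEMP\autoflooder_ads.bin" -Value $bytes -Encoding Byte

# 3. Remove the stream. Slide 56's overwrite (echo . > system32:name) is no
#    longer needed; Remove-Item -Stream deletes it. If the DLL is still mapped
#    into running processes the delete fails until those are stopped (slide 51).
Remove-Item -LiteralPath $dir -Stream $name

# 4. Verify it is gone
Get-Item -LiteralPath $dir -Stream $name -ErrorAction SilentlyContinue
```

Get-Content -Encoding Byte is the Windows PowerShell 5.1 form; PowerShell 7 replaces it with -AsByteStream. Step 2 matters for the point slide 49 makes: the DLL bytes are detectable by most scanners once they are in an ordinary file, so the saved copy can be scanned even when the scanner cannot see the stream.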
58
Example 5: Look2Me (a virulent Winlogon hijacker)
59
Look2Me
Look2Me is an adware program on the grey side of
the law. Once installed it is extremely
difficult to remove. The primary method of
removal evasion used by the Look2Me family is DLL
injection and Winlogon hijacking.
  • Anti-Removal techniques
    • Uses many randomly named DLLs
    • Injects into Winlogon.exe
    • Remakes registry keys when tampered with
    • Removes debugging privileges from all users

60
Look2Me as Seen by Virus Total
61
The Injected DLL in Winlogon
Killing Winlogon BSODs the machine. This must be
attacked another way.
62
No User Debug Policy Has Been Set
The ability to view or kill most processes has
been removed.
63
Viewing the Winlogon Hijacking Method in Regedit
Look2Me uses the notification facility in
Winlogon to start.
64
Removing All Permissions From Notify Key
65
Restoring the Policy
Although this tool is meant for removing VX2 /
A Better Internet, it provides an easy way to
restore the debug policy. There are many other
ways to restore this policy. The NTRights.exe
program is the canonical way to do it.
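Slides 63 to 65 cover three things: reading the Winlogon Notify packages, locking the key so the DLL cannot re-register, and restoring the debug privilege. The block below is an added example, not code from the deck, doing the three from PowerShell. It assumes an NT 5.x system (Notify packages were removed in Vista), that the hijacking subkey's name is a placeholder taken from the listing in step 1, and that ntrights.exe from the Windows Server 2003 Resource Kit is on the PATH.

```powershell
# Added example (not from the slides): audit Winlogon Notify packages, lock
# the key and restore SeDebugPrivilege. Assumptions: NT 5.x; $badPackage is a
# placeholder for the subkey identified in step 1; ntrights.exe on the PATH.
$notify = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify'

# 1. Every subkey names a DLL winlogon.exe loads at logon. Show each with
#    its resolved path and signature. A stock XP box typically has only
#    crypt32chain, cryptnet, cscdll, ScCertProp, Schedule, sclgntfy, SensLogn,
#    termsrv and wlballoon; a random-looking name is the hijack.
Get-ChildItem -Path $notify | ForEach-Object {
    $dll = (Get-ItemProperty -Path $_.PSPath).DLLName
    $resolved = if ($dll -and -not [IO.Path]::IsPathRooted($dll)) {
        Join-Path "$env:SystemRoot\System32" $dll
    } else { $dll }
    $sig = if ($resolved) {
        (Get-AuthenticodeSignature -FilePath $resolved -ErrorAction SilentlyContinue).Status
    }
    [pscustomobject]@{ Package = $_.PSChildName; DLL = $resolved; Signature = $sig }
} | Format-Table -AutoSize

# 2. Remove the hijacking subkey, then deny everyone write access on the
#    Notify key so the DLL still running inside winlogon cannot put it back
#    (slide 64 does this from the regedit permissions dialog)
$badPackage = 'PLACEHOLDER_NOTIFY_SUBKEY'
Remove-Item -Path (Join-Path $notify $badPackage) -Recurse -ErrorAction SilentlyContinue

$acl = Get-Acl -Path $notify
$acl.SetAccessRuleProtection($true, $false)      # drop inherited ACEs, keep none
$everyone = [System.Security.Principal.SecurityIdentifier]'S-1-1-0'
$acl.AddAccessRule((New-Object System.Security.AccessControl.RegistryAccessRule(
    $everyone, 'ReadKey', 'ContainerInherit,ObjectInherit', 'None', 'Allow')))
Set-Acl -Path $notify -AclObject $acl
# After cleanup: $acl.SetAccessRuleProtection($false, $true); Set-Acl ... restores inheritance

# 3. Give the debug privilege back (slide 62 shows it stripped, which is why
#    Process Explorer could not open winlogon.exe)
ntrights.exe +r SeDebugPrivilege -u Administrators
```

The privilege change from ntrights applies to new logon sessions, so log off and on (or reboot, which the Winlogon change requires anyway) before expecting Process Explorer to see inside winlogon.exe again.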
66
Example 6: Small Dropper/Qoologic (a creative hybrid rootkit/adware trojan)
67
Qoologic
Qoologic is one of the most virulent and
sophisticated adware programs spreading on the
Internet. It injects DLLs into every user
process. It also hides its other processes and
its files. Because each process checks up on the
others, removal is not a simple task.
  • Anti-Removal techniques
    • Uses many randomly named DLLs
    • Injects into all user processes
    • Remakes registry keys when tampered with
    • Hides registry keys
    • Hides files
    • Uses a Control Panel Applet to install
    • Remakes file when tampered with
    • Modifies behavior based on the tool being used

68
Virus Total View of the Dropper
69
Process Closes when Process Explorer Opens
Right as Process Explorer opens, this process
closes. This is behavior modification: the
process is still running but hiding itself.
70
A DLL is Injected Into Process Explorer
A DLL (sometimes 2) has been injected into all
user processes.
71
Rootkit Revealer Reveals Nothing
Qoologic knows not to hide from Rootkit Revealer.
72
At Least one File is not Visible in Explorer
Explorer can not see most of the injected DLLs
and any of the EXE processes.
73
RKDetector2 Does not Show Files as Hidden
74
Autoruns Does not Show all Start Methods
Only a small portion of Qoologic is not hidden
from Autoruns.
75
IceSword Sees the Process Although it Doesn't Show
it as Hidden
76
Unloading the Injected DLL
Unloading the DLL from every injected process and
killing the Qoologic process stops the malware
from running.
77
Viewing Some of the Startup Methods
78
The Message Hook Used to Hide From Some Tools
79
Deleting the File
80
Removing the Dropper
81
Part 3: Discussion