Title: Advanced Windows Malware Removal
1 Advanced Windows Malware Removal
Brandon Enright, bmenrigh_at_ucsd.edu
Available at http://noh.ucsd.edu/bmenrigh/advanced_malware.ppt
2 Part 1: Preparation
3 Obtaining the tools
- General Purpose
  - Process Explorer (www.sysinternals.com)
  - Autoruns (www.sysinternals.com)
  - TCPView (www.sysinternals.com)
- Special Purpose (rootkits, etc.)
  - Rootkit Revealer (www.microsoft.com)
  - RKDetector2 (http://www.rootkitdetector.com/)
  - IceSword (http://www.xfocus.net/)
  - GMER (http://www.gmer.net)
  - RKUnhooker (http://rkunhooker1.narod.ru)
4 Preparing the Infected Machine for Cleanup
Any software that can slow down or interfere with malware removal should be stopped or removed. This includes anti-virus software, System Restore, the Recycle Bin, etc.
- Some of the changes to make include:
  - System Restore (off)
  - Recycle Bin (off)
  - Disk Cleanup (no extra files)
  - Folder Options (show hidden files)
  - Power Button Shutdown (off)
  - Hibernation (off)
  - Reboot on BSOD (on)
  - Data Execution Prevention (off)
  - Unmount unneeded volumes (optional)
5 Turning off System Restore
6 Turning off the Recycle Bin
7 Un-hiding files and options
8 Removing Clutter
This should be done so that tools that scan the hard drive have less to examine.
9 Allowing Hard Shutdowns
This should be done so that the machine can be forced off without notifying the operating system.
10 Turning off Hibernation
This is a precautionary measure usually only needed for laptops.
11 Enabling Automatic Restart on BSOD
It is often useful to BSOD the machine to shut it down once winlogon.exe and other services have been killed.
12 Disabling Data Execution Prevention
DEP can stop the malware or restart the machine unexpectedly during removal. If this happens at the wrong time you may have to start over.
13 Unmounting Unnecessary Volumes
The fewer files exposed to the malware and the removal tools, the better.
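The preparation steps above collected into one batch script. This is an added example, not part of the slides: it targets Windows XP (the platform the deck's tools assume), so the registry locations and the boot.ini DEP switch are XP-era, with the Vista-and-later equivalents noted in comments. The Recycle Bin registry location is the XP layout (an assumption; later Windows stores it per volume). Run it from an Administrator command prompt; stopping anti-virus software, the power-button setting and unmounting volumes are left to the respective GUIs because the deck gives no command for them.

```batch
@echo off
rem prepare.cmd - apply the "Preparation" settings from an Administrator cmd.exe.
rem Added example for Windows XP; assumptions are marked in the comments.

rem 1. System Restore off (same value the "Turn off System Restore" policy sets).
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore" /v DisableSR /t REG_DWORD /d 1 /f

rem 2. Recycle Bin off: deleted files are removed immediately, not parked.
rem    Assumption: XP's machine-wide key. Vista and later keep it per volume under
rem    HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume\<GUID>.
reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BitBucket" /v NukeOnDelete /t REG_DWORD /d 1 /f

rem 3. Folder Options: show hidden files, protected OS files and extensions.
set ADV=HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
reg add "%ADV%" /v Hidden /t REG_DWORD /d 1 /f
reg add "%ADV%" /v ShowSuperHidden /t REG_DWORD /d 1 /f
reg add "%ADV%" /v HideFileExt /t REG_DWORD /d 0 /f

rem 4. Hibernation off (this also removes hiberfil.sys).
powercfg /hibernate off

rem 5. Automatic restart on BSOD on, so that killing winlogon.exe reboots the box
rem    instead of leaving it frozen on a blue screen.
reg add "HKLM\SYSTEM\CurrentControlSet\Control\CrashControl" /v AutoReboot /t REG_DWORD /d 1 /f

rem 6. DEP off. XP reads this from boot.ini, so unhide it and edit the boot entry
rem    to end with /noexecute=AlwaysOff, for example:
rem    multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP" /noexecute=AlwaysOff
rem    (Vista and later instead use:  bcdedit /set {current} nx AlwaysOff)
attrib -r -s -h %SystemDrive%\boot.ini
notepad %SystemDrive%\boot.ini

rem 7. Remove clutter so tools that scan the disk have less to examine.
cleanmgr /d %SystemDrive%

rem The System Restore and DEP changes take effect after a reboot.
echo Preparation applied; reboot before starting removal.
```

Keep a copy of the original boot.ini before editing it: a typo in the boot entry leaves the machine unbootable, which is worse than any of the malware in the examples that follow.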
14 Part 2: Removal
15 Example 1: Gaobot (a common IRC bot)
16 Gaobot
Gaobot/Agobot is an open-source IRC bot designed to spread to a wide variety of Windows machines. The Gaobot source was the basis for the Phatbot family of bots, some of the most sophisticated IRC bots yet made.
Gaobot has a few anti-removal techniques that are more sophisticated than the typical worm:
- Anti-Removal techniques
  - Runs as a service
  - Re-spawns when killed
  - Fixes its registry keys when tampered with
17 Virus Total Scan of Gaobot
18 Process Explorer View of Gaobot
19 Re-spawning Action of Gaobot
When killed (process in red), Gaobot uses a Windows Service feature to restart itself (process in green).
20 The Gaobot Service as Seen From Autoruns
This is how Gaobot loads when the computer boots (it uses redundant methods).
21 The Gaobot Service as Seen From the Services Snap-In
An alternate view of the Gaobot service.
22 Suspending Gaobot
Suspending Gaobot stops it from running without killing it. This allows the service to be removed without it being re-made.
23 Killing Gaobot
Once the service is removed, Gaobot can't re-spawn when killed.
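The Gaobot sequence above (suspend, remove the service, then kill) as commands rather than Process Explorer clicks. This is an added example and not from the slides. The service name and PID are placeholders (assumptions): read the real ones from Autoruns and Process Explorer on the infected machine. sc.exe ships with Windows; PsSuspend and PsKill are Sysinternals tools that sit alongside Process Explorer.

```batch
@echo off
rem remove_gaobot.cmd - a service-backed bot that re-spawns: freeze it first,
rem unregister the service, and only then kill it.
rem Added example. SVC and PID are assumptions; substitute the values found
rem with Autoruns (service name) and Process Explorer (PID).
set SVC=hypothetical_bot_service
set PID=1234

rem Confirm what the service launches and how it is configured to recover,
rem so the re-spawn mechanism is understood before anything is touched.
sc qc %SVC%
sc qfailure %SVC%

rem Freeze the bot so it cannot notice, and repair, its service entry vanishing.
pssuspend %PID%

rem Unregister the service while the process is frozen. A running service is
rem only marked for deletion; it is actually removed once the process exits,
rem which the kill below causes. Nothing is left to relaunch the binary.
sc delete %SVC%
pskill %PID%

rem Verify: the service must no longer exist and the PID must not be back.
sc query %SVC%
tasklist /fi "PID eq %PID%"
```

If `sc qfailure` shows restart actions, that is the "Windows Service feature" the deck refers to: the Service Control Manager restarts a service whose process dies, which is why the service entry has to go before the process does. Afterwards run Autoruns again, since the deck notes Gaobot also registers redundant start methods.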
24 Example 2: Backdoor.CAY (a stealth keylogger)
25 Backdoor.CAY
This backdoor is a stealth keylogger. It employs some rootkit-like techniques to hide its process and files.
Backdoor.CAY uses several techniques to stay hidden and resist removal:
- Anti-Removal techniques
  - Injects DLLs into Explorer
  - Hides its main process
  - Hides its folder and files from Explorer
26 Virus Total Scan of Backdoor.CAY
27 Viewing the Injected DLLs
The only obvious indication of the infection is the injected DLLs in Explorer.
28 The Startup Method
29 Trying to View the Folder
The "fa" folder doesn't show in Explorer.
30 Rootkit Revealer Shows the Hidden Files
31 IceSword Can Reveal the Process
32 IceSword Shows the Keyboard Hook
33 RKDetector2 Shows the Folder
34 Deleting the Files with RKDetector2
35 Forcing a Reboot
Killing winlogon.exe forces a BSOD, which restarts the computer without any process being given warning. To kill winlogon.exe without causing a BSOD, first kill smss.exe.
36 Backdoor.CAY Failing to Start After Reboot
37 Explorer Can Now See the Folder
38 Example 3: Hacker Defender (a full-featured user-mode rootkit)
39 Hacker Defender
Hacker Defender is a full-featured, popular Windows rootkit. On its own it provides little more than cloaking for other tools. In this example it has been packaged with a set of IRC zombie tools.
Hacker Defender avoids removal by trying to avoid detection:
- Anti-Removal techniques
  - Can hide files
  - Can hide processes
  - Can hide registry keys
  - Can hide TCP/UDP ports
  - Can hide disk usage
40 Virus Total Scan of the Package
41 Process Explorer Doesn't See Anything
42 Process Explorer Frequently Crashes
43 IceSword Shows Several Hidden Processes
These processes could not be seen with Process Explorer.
44 IceSword Shows a Hidden Port
45 Even Invisible, the Port Can Be Telneted To
46 IceSword Shows Hidden Services
47 Stopping the Service Removes Hacker Defender
Hacker Defender can also be removed with IceSword by killing the process and performing basic removal.
48 Example 4: Autoflooder (an ADS-hidden injected DLL)
49 Autoflooder
Autoflooder was one of the first widespread malware to use NTFS Alternate Data Streams to hide its presence. This sample of Autoflooder is over 3 years old, and even though most anti-virus can detect the DLL alone, few can detect it in an ADS and even fewer can remove it.
- Anti-Removal techniques
  - Uses an ADS on the systemroot\system32 folder
  - Injects into all user processes
  - Remakes registry keys when tampered with
50 Most AV Can Detect the Autoflooder DLL by Now
51 ADS DLL Can Be Seen Injected into Process Explorer
Autoflooder has injected itself into every user process.
52 RKDetector2 Can Show the ADS on the System32 Folder
53 Editing the ADS Reveals Some Interesting Text
All versions of Autoflooder carry a similar notice. It is doubtful the malware wasn't released deliberately. The removal method given does work correctly.
54 Scheduling an Interactive Command Prompt
By scheduling a command prompt one minute in advance (with at.exe) we can elevate to SYSTEM privileges, because the Task Scheduler service runs scheduled jobs as LocalSystem.
55 CMD.EXE Running as NT AUTHORITY\SYSTEM
56 Overwriting the ADS
Output redirection is one of the cmd.exe features that accepts an ADS (folder:stream) as a valid path.
57 Deleting the ADS
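The three Autoflooder steps (SYSTEM shell, overwrite, delete) as a cmd.exe transcript. This is an added example, not the deck's own commands. The stream name `evil.dll` and the clock time passed to at.exe are assumptions; the deck does not name the stream. Listing and deleting the stream uses Sysinternals Streams, which is not in the deck's tool list (RKDetector2 shows the same thing in its GUI).

```batch
rem autoflooder_ads.cmd - the DLL lives in an alternate data stream on the
rem system32 *folder*, so its "path" is %SystemRoot%\system32:<stream>.
rem Added example. The stream name evil.dll and the time 14:31 are assumptions.

rem 1. Get a SYSTEM shell: check the clock, then schedule an interactive
rem    cmd.exe one minute ahead (24-hour time). The Task Scheduler service
rem    runs it as LocalSystem.
time /t
at 14:31 /interactive cmd.exe

rem ---- the remaining commands run in the cmd.exe window at.exe opens ----

rem 2. List the streams attached to the folder.
streams %SystemRoot%\system32

rem 3. Overwrite the stream. cmd.exe redirection accepts folder:stream as a
rem    path, so this truncates the DLL to zero bytes without needing any
rem    tool that understands ADS. If it fails with "The requested operation
rem    cannot be performed on a file with a user-mapped section open", a
rem    process still has the DLL loaded; unload it from (or kill) those
rem    processes first.
type nul > %SystemRoot%\system32:evil.dll

rem 4. Delete the now-empty stream. cmd's del does not take stream syntax,
rem    so let Streams strip every ADS from the folder.
streams -d %SystemRoot%\system32

rem 5. Confirm the folder carries no streams any more.
streams %SystemRoot%\system32
```

Because the deck notes Autoflooder remakes its registry keys, do the Autoruns cleanup only after the stream is gone; with the DLL truncated there is no code left to restore them.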
58 Example 5: Look2Me (a virulent Winlogon hijacker)
59 Look2Me
Look2Me is an adware program on the grey side of the law. Once installed it is extremely difficult to remove. The primary method of removal evasion used by the Look2Me family is DLL injection and Winlogon hijacking.
- Anti-Removal techniques
  - Uses many randomly named DLLs
  - Injects into winlogon.exe
  - Remakes registry keys when tampered with
  - Removes the debug privilege from all users
60 Look2Me as Seen by Virus Total
61 The Injected DLL in Winlogon
Killing winlogon.exe BSODs the machine. This must be attacked another way.
62 No User Debug Policy Has Been Set
With SeDebugPrivilege removed from every user, the ability to view or kill most processes has been taken away.
63 Viewing the Winlogon Hijacking Method in Regedit
Look2Me uses the notification facility in Winlogon (the Winlogon\Notify registry key) to start.
64 Removing All Permissions From the Notify Key
65 Restoring the Policy
Although this tool is meant for removing VX2 (A Better Internet), it provides an easy way to restore the debug policy. There are many other ways to restore this policy. The NTRights.exe program is the canonical way to do it.
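The Look2Me steps on slides 63 to 65 from the command line, as an added example that is not from the deck. The hijacking subkey name `L2MNotify` is an assumption; Look2Me's names are random, so read the real one from regedit. ntrights.exe is from the Windows Server 2003 Resource Kit Tools, the program the deck calls canonical.

```batch
rem look2me_notify.cmd - inspect the Winlogon Notify key, remove the hijack
rem and give SeDebugPrivilege back. Added example; L2MNotify is an assumption.
set NOTIFY=HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify

rem 1. Dump every notification package Winlogon will load. Legitimate XP
rem    subkeys (crypt32chain, cryptnet, cscdll, ScCertProp, Schedule, sclgntfy,
rem    SensLogn, termsrv, wlballoon) point their DLLName at a DLL in system32;
rem    a random-looking subkey whose DLLName lives elsewhere is the hijack.
reg query "%NOTIFY%" /s

rem 2. Remove the hijacking subkey. While its DLL runs inside winlogon.exe,
rem    Look2Me re-creates the key, which is why the deck then strips all
rem    permissions from the Notify key in regedit (Edit > Permissions): the
rem    DLL cannot write a key it cannot open. Restore those permissions once
rem    the DLL is gone, or the legitimate packages above stop loading too.
reg delete "%NOTIFY%\L2MNotify" /f

rem 3. Hand SeDebugPrivilege back to Administrators. The right is read at
rem    logon, so log off and on before expecting Process Explorer to work.
ntrights -u Administrators +r SeDebugPrivilege
```

With the privilege restored, Process Explorer can show the DLL inside winlogon.exe again; after a reboot the Notify entry no longer loads it, and the randomly named DLLs can be deleted normally.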
66 Example 6: Small Dropper/Qoologic (a creative hybrid rootkit/adware trojan)
67 Qoologic
Qoologic is one of the most virulent, sophisticated adware programs spreading on the Internet. It injects DLLs into every user process. It also hides its other processes and its files. Because each process checks up on the others, removal is not a simple task.
- Anti-Removal techniques
  - Uses many randomly named DLLs
  - Injects into all user processes
  - Remakes registry keys when tampered with
  - Hides registry keys
  - Hides files
  - Uses a Control Panel applet to install
  - Remakes files when tampered with
  - Modifies its behavior based on the tool being used
68 Virus Total View of the Dropper
69 Process Closes When Process Explorer Opens
Right as Process Explorer opens, this process closes. This is behavior modification: the process is still running but hiding itself.
70 A DLL Is Injected Into Process Explorer
A DLL (sometimes 2) has been injected into all user processes.
71 Rootkit Revealer Reveals Nothing
Qoologic knows not to hide from Rootkit Revealer.
72 At Least One File Is Not Visible in Explorer
Explorer cannot see most of the injected DLLs or any of the EXE files.
73 RKDetector2 Does Not Show the Files as Hidden
74 Autoruns Does Not Show All Start Methods
Only a small portion of Qoologic is not hidden from Autoruns.
75 IceSword Sees the Process, Although It Doesn't Show It as Hidden
76 Unloading the Injected DLL
Unloading the DLL from every injected process and killing the Qoologic process stops the malware from running.
77 Viewing Some of the Startup Methods
78 The Message Hook Used to Hide From Some Tools
79 Deleting the File
80 Removing the Dropper
81 Part 3: Discussion