Jan 01 2006

Home Wreckers

When malware takes up residence on company computers, here's how to give it the boot.

The malware beastiary includes many different types of undesirable, malicious code, including viruses, worms, spyware and rootkits. They infect computers through a variety of means, including exploitation of unpatched software vulnerabilities, peer-to-peer file-sharing networks, e-mail attachments and specially crafted malicious Web pages. Despite all the different types and objectives of these programs, they have two things in common: They take residence on a user's computer without their knowledge or consent, and they perform no useful function.


Security tools, such as virus scanners and intrusion detection systems, will catch a good percentage of the malware spreading across the Internet at any given time, but new malware is written and distributed every day. Plus, there is always a lag between the release of new malware and the distribution of updated signatures by security vendors. If a user's machine is acting strangely — crashing frequently, running very slowly, unable to access the network — it is likely either experiencing a hardware problem or infected with some new malware program.



Even if antivirus software finds nothing amiss, there are some basic steps that can reveal the presence of malware. Once a suspicious program is identified, a more detailed investigation of the offending program will aid in assessing the damage that has been done, and minimizing the impact that the incident has on the rest of the company.




At the first report of suddenly poor system performance or unusual behavior, a systems administrator should ensure that the latest antivirus definitions are in place and perform a complete system scan (details of this process vary by vendor). If no malware is detected during this scan, there are additional steps that will help reveal a lurking problem. In general, malware exists as a running process with one or more files on the hard disk and entries in the system registry. Although it's possible to explore all these areas by using programs that come with Windows, there are freely available tools that are better suited to the task.


Process Explorer is a free tool from Sysinternals.com that is a significantly beefed-up replacement for the Windows Task Manager. In addition to simply showing the list of running processes, Process Explorer displays the files that each process has open, open network ports, the command line used to launch the program and a slew of additional details. Processes that are located in a standard Windows directory (typically c:\Windows\system32) and have no description or company name should be considered suspicious. An especially useful feature of Process Explorer is the ability to easily view and save all of the printable text strings in the memory of a running process. Strings such as strange Web addresses, e-mail addresses, usernames or passwords are a clue that a process is up to no good. Once a potentially malicious process is discovered and has been fully investigated, an administrator should write down the path and command line for that program and then use Process Explorer to simply kill that process.


Autoruns is another Sysinternals tool that will show every program configured to run at boot-up or login. Autoruns combines information from several different sources and is simpler and more thorough than manually digging around the System Registry. A particularly nice feature of Autoruns is the option to hide standard Microsoft software that has a verified signature. Once these verified programs are removed from the list, it is much easier to spot suspicious programs. If a piece of malware is identified using Autoruns, it can be disabled or deleted by simply right-clicking on the Autoruns interface.


Process Explorer and Autoruns are great tools for finding and disabling malware. However, there are times when even after malware is found and disabled, a more detailed malware analysis is required. What if there was confidential information on the affected machine? Did the malware open a back door into the network that provided an intruder with the opportunity to dig deep into sensitive company data or systems? These questions can only be answered by conducting a more thorough analysis of the inner workings of the malicious program.




Static malware analysis is similar to performing an autopsy or dissection — the files associated with a program are examined without running them, and the code is "dead" during the analysis. Although dynamic analysis — the study of a program as it runs, using system monitoring tools to observe the behavior of the malware at a very low level — is often faster and more revealing than static analysis, it is inherently more risky. (It involves actually running malicious code — on purpose!) Dynamic analysis should only be conducted in a safe, dedicated, analytical environment and will be explored in a future issue of BizTech.


The first step in static analysis is to determine whether the program being investigated has been "packed" or otherwise obfuscated or encrypted. Packing is a technique commonly used by malware authors to avoid detection by antivirus and intrusion-detection software. PEiD is a free tool that identifies code that is packed in any of more than 175 different formats.


If the malware has been packed, it can sometimes be unpacked using the same program that was used to pack it. For example, UPX is a program that is commonly used to pack malware. If malware has been packed with UPX, it can probably be unpacked by simply downloading the UPX program (available at upx.sourceforge.net) and running it with the "-d" command line option.


If the malware was not packed to begin with, or has been successfully unpacked, the next step is to examine any human-readable strings that may be embedded in the program itself. Another freebie from Sysinternals, "Strings," is one of many programs that can be used to list all of the strings within a binary file. The strings within a program will often reveal important clues about what the program does, and may provide clues (an e-mail address or URL) about the identity of the program's author. Look for file names and names of registry keys. These are often additional files or keys that must be deleted in order to clean up after the malware. Note any unique or interesting phrases embedded within the program and search for those phrases using an Internet search engine. Complaints from other victims of the same malware, or even a complete analysis of the program, will come in handy.


Most programs designed to run on modern computers rely on external libraries to perform basic functions such as sending or receiving data from the network, opening and reading files, and collecting user input. The list of external functions upon which a program is dependent reveals quite a bit about what the program actually does. For example, a program that uses networking functions from the Winsock library is either downloading or uploading information over the network. The dependencies of a Windows program can be examined using a free tool named "Peview" www.magma.ca/~wjr. Once a file is opened in Peview, dependencies will be listed in the section titled "Import Address Table." If it isn't obvious what a particular function does, definitions and explanations can be found on the Microsoft Developers Network Web site at http://msdn.microsoft.com.


For the truly intrepid, additional static analysis can be conducted by using a disassembler to examine the program's code, instruction by instruction. This type of detailed examination can be painstaking and is definitely not for the faint of heart or for those without some programming background.


The results of this and other types of static analysis can be used to clean up the affected machine, tune network defenses and aid the search for other infected machines. They provide a basic starting point for an effective defense against malware and — with sufficient practice — can provide a powerful tool in the arsenal of any IT professional.


IT Takeaway
• Always keep antispam, antivirus and other antimalware programs current with frequent signature updates from the vendor.
• Upon first report of any sudden poor performance or strange system behavior, run a complete scan and disinfect the machine.
• If problems persist, use tools such as Process Explorer and Autoruns from Sysinternals.com to discover suspicious programs and perform further static analysis to assess the damage and remove the malicious code.
• Dynamic analysis — which requires running the suspicious code to analyze behavior — is inherently risky and should only be attempted in a controlled environment and with the necessary skills.


Kris Kendall is principal engineer at Mandiant in New York City, where he leads the company's computer forensics and reverse engineering practices. He is a recognized expert on malware analysis and has instructed government special agents on the application of data-mining techniques for criminal and counterintelligence investigations.