A site devoted to discussing techniques that promote quality and ethical practices in software development.

Wednesday, September 16, 2009

Hunting Trojan/Virus experience

Several days ago, I was asked to deal with a Virus/Trojan infection situation.

The machine has AVG8 installed but seemed to be unable to protect the Trojan attack. I know with the right kind of anti-Trojan/Malware programs in hand one can make light works in eliminating them. Or could it?

This blog message is not so much about which Anti-Virus program is better than the other but is a collection of experience gained from hunting down a number of Trojans. It also contains description on how best to protect oneself from being infected and secured practices that were actually put to test in slaying the Trojan.

It is most unfortunate that different anti-virus program uses different name for the same Trojan and Virus. I am using Avira and it has identified the Trojans I am confronting as TR/Dldr.FraudLoad.fmb and TR/Crypt.ZPack.Gen. Others like AVG8 calls them SHeurs.BDEF. These are classified as downloader and in particular the FraudLoad is a fake anti-virus often called Scareware that causes the infection.

Below are some of records of my experience and lessons learned.

Always use offline Anti-Virus download link instead

Many Anti-virus program has now switched over to downloading a small stub download program and with which then downloads the remaining components. Do not use this stub program if you want to inoculate the infected machine offering it some protection because this kind of program requires a connection to the Internet, see the attack description below.

Thankfully AVG8 has offer a offline download link which allows one to download the full version.

TR/Crypt.ZPACK.Gen spreading infection mechanism

This trojan utilises the Microsoft's provided AutoRun mechanism to spread the infections to other machine. This is how it is done:
  • A process located in C:\Recycler\<SID>\WmiPrvse.exe launched and attached to Explorer.exe is responsible for spreading, where <SID> represents the SID of the user.
  • The Trojan creates an entry in HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon!Taskman=C:\Recycler\<SID>\WmiPrvse.exe and the trojan causes Explorer.exe to query this registry entry periodically. You should remove this as Taskman is not a valid Microsoft Windows entry.
  • When Windows senses a new USB device is plugged into the machine, this evil process will create a fake \Recycler on the USB drive even when it is formatted with FAT/FAT3 partition.
  • It is also structurally incorrect designed to hide the malicious code using a well known folder name and to fool people.
  • It then copies the malicious code called Explorer.exe to the fake recycler folder.
  • It creates an autorun.inf file on the root directory that contains instruction to launch the malicious code with the help of Microsoft's Autorun support when it is inserted into another machine, thus completing the spread.
  • No doubt this Explorer.exe will contain code to load it into some less obvious location to burrow into that machine to infect it.
I have always thought of disabling autorun permanently is sufficient to protect oneself. This is proven to be half correct.

Disabling autorun on a machine only disabling the launching mechanism that was used by malicious code to infect the machine. It does not prevent the malicious code already entrenched in an infected machine from infecting a USB drive making it the unwitting carrier of the malicious spreading code. Therefore it is so important not to plug a USB drive into any machine that
  1. You do not know if it has autorun enabled
  2. If the USB Drive carries the attacking code.
If you do not know, hold down the shift key while inserting the USB Drive into the machine and maintain holding it for a minute or two. This is will stop Windows from executing the instructions in the autorun.inf file.

Afterward make sure you scan it on a machine that has autorun disabled to ensure that it is not a carrier.

After seeing this and examining the content of the autorun.inf, it is certainly dicing with danger in leaving autorun enabled on all drives; it must therefore be disabled.

This is the content of the fake Recycler folder captured on the USB drive I was using it (a different USB drive from the tools carrier) to retrieve data from the infected machine.

Volume in drive K has no label.
Volume Serial Number is AE6B-BD53

Directory of k:\recycler

11/09/2009 06:05 PM <DIR> .
11/09/2009 06:05 PM <DIR> ..
12/09/2009 11:55 AM 64 Desktop.ini
12/09/2009 11:56 AM 106,496 explorer.exe
2 File(s) 106,560 bytes
2 Dir(s) 112,531,456 bytes free

Use a write-protected medium to carry tools

My practice is always to use a USB Drive that has hardware write-protection mechanism to transport tools to analyze the infected machine preventing malicious code from subverting the tools. When that is not available, I frequently use a SD-Card which always has the hardware lock mechanism to protect my tools and hosted it in a SD-Card reader like this.

The above observation proves that a write-protected USB drive is a must have device in carrying out investigation.

Furthermore, it is highly desirable to have tools that
  • do not have to installed into the target machine.
  • runs from a write-protected device
  • run as command-line utility as they can then be chained into one submission.
  • Do not need the access of the Internet during installation.
Sadly not one anti-virus scanner meeting the above stringent requirement. The Panda Command line scanner one comes near, except that it needs to write to the device. Avira also has one but to get the full benefit one needs to supply the licence key to it.

What does TR/Dldr.FraudLoad.fmb do?

The purpose of this trojan is to download malicious payload and is believe to belong to a class of software called Scareware to allow it to gain a foothold of the machine. It monitors if the machine is connected to the Internet and if not it becomes dormant. Hence I exploited this behavior to study this program and to defeat it. This is a record of its evil doings:
  • Downloads the payload, called windows_update[1].exe into the temporary internet file directory. The numeral inside the bracket may be different.
  • It creates a copy of itself in the %Temp% directory with a file name of this format [0-9][0-9][0-9]\.exe, e.g. 126.exe, and these numbers are randomly generated.
  • It then launches this program, say the 126.exe, to begin the attack.
  • The program then checks to see if system set up is in progress by examining the HKLM\System\SystemSetipInProgress registry value.
  • It also seems to have scan of which IE patches have been applied.
  • It also check for the presence of other fake anti-Virus programs such as AntiVirusXP, RealAV, AVR.
  • It also disable the ability for the user to launch the Task Manager from the task bar by setting this HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System!DisableTaskMgr=1. Hence to study this trojan you have to launch the TaskManager before connecting the machine to the Internet.
  • It creates the following named values NoSetActiveDesktop, NoChangingWallpaper, NoActiveDesktopChange intending on controlling the desktop in this registry key: HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer.
  • It copies itself as winupdate.exe to C:\Windows\System32. I have managed to disrupt this trojan's progress by using a custom built program that hold a file of this name opened with deny share access attribute before the machine is connected to the Internet and maintaining that hold during the attack. It failed to copy the attacking code to this directory.
  • It then creates the following registry entry intended on launching this malicious code when the machine is restarted: HKLM\Software\Microsoft\Windows\CurrentVersion\Run!WinUpdate.exe=C:\Windows\System32\WinUpdate.exe.
  • The program with the 3-digit name, like 126.exe, then launches winupdate.exe and drops out of the scene. The Trojan do not attempt to delete the instance of this file with a 3-digit name in the %Temp% directory, not very smart.
  • Winupdate.exe then register the malicious COM component called C:\Windows\System32\WinHelper.dll by calling Regsvr32 /s.
  • It also looks for C:\Windows\System32\AdvancedVirusRemover\PAVRM.EXE, a well known fake anti-virus program that is in fact a virus.
  • Winupdate.exe, then launches fake warning of malicious code detected and advising user to press the balloon to download protection code, which is nothing more than a ploy.
  • It also attempts to shut down CMD instances but failed to take care of Command.com instance, which I exploited this mistake to regain control.
  • It also attempts to block launching of other GUI applications until this winupdate.exe is terminated.
  • It also then creates a file with 2-digit name, like 41.exe, of 0 byte in C:\Windows\System32 whose purpose remains unknown.
  • Winupdate.exe remains running to disrupt the desktop and one can only regain control of it by terminating this process. PsKill is the ideal tool to do this.

Are these two Trojans related?

On the infected machine, AVG8 did not seem to offer any protection at all. There are even signs that they subverted Spybot Search & Destroy because their scanning and TeaTimer.exe offering only token protection. My observations of the operations of these Trojan were made while they were in operations showing little effect in detecting these key files containing malicious code.

I suspect these trojans are either related or utilizing one single malicious process to attack the machine. They seemed to be using C:\Recycler\<SID>\WmiPrvse.exe as a main source of maintaining control and attack. Because it is controlled and held opened by Explorer.exe it cannot be terminated easily.

The way I eliminated this process is to use DOS command chaining technique as follows:
pushd C:\Recycler\<SID> & j:\PsKill Explorer & del /A:S wmiprvse.exe
where <SID> represents the SID of the user. This sequence of commands does the following:
  • Change the directory to where wmiprvse.exe is located
  • Terminate the Explorer process that is holding onto the wmiprvse.exe process
  • Delete the malicious code which is marked as a system file called WmiPrvse.exe.
Bear in mind that when I submitted these command, the process WinUpdate.exe was not running and it was not connected to the Internet.

Once this malicious code is removed and terminated, the system becomes normal and reinstallation of AV is possible allowing them to do the job to get rid of files such as WinHelper.dll and other relatively less stubborn malware lurking around.

Dangerous & foolish not using LUA

My experience in this involvement further vindicates my view that people not using LUA is really asking for trouble. It also reinforces my view that it is dangerous leaving Autorun enabled.

Sure one can rely on Anti-Virus to protect oneself but can it be all that effective? What about the window of opportunity available to exploit code that is not yet protected by Anti-Virus when your machine's operating system's security defense shield is turned off?

As reported above, all those exploits they used are so simply and effectively blocked by not running in administrator's account. That's the defense shield, if allowed to operate, will block the above exploit without even the aid of anti-virus program.

Sure, it can still disable the task manager from being invoked but it could not succeed in planting anything more malicious in system folders and registry keys. All it can do is to inconvenient you that dirty deed could easily be removed.

It is impossible to determine if the ACLs of the system files and registry areas have been tempered with prior to the infection or as a result of the attack. A detail scan using AccessChk of the vital areas show that it is impossible to switch the just rescued machine to operate effectively in LUA mode without a full reinstallation. That part of security appears to have been irreversibly damaged.

No comments:

Blog Archive