Thread: Investigating Malware in action

  1. #1
    AO Ancient: Team Leader
    Join Date
    Oct 2002
    Posts
    5,197

    Investigating Malware in action

    Have you ever wanted to _really_ know what is going on inside your computer? Ever wondered _exactly_ what that suspicious file will do to your computer when you click on it? Maybe you are suspicious about a particular web site and what it does when connected to. Or, maybe, you are doing a forensic investigation and want to watch what activity is taking place when the system is running. There are five tools, all available from www.sysinternals.com, that will allow you to do just this. SysInternals has versions for Win9X/ME and for NT based systems, (the Win9X versions do not have a Process Monitor). For the purpose of this tutorial I will be using the NT based versions.

    The Computer:-

    Windows 2000, SP4, fully patched. All unnecessary applications closed down to simplify the output.

    The Tools:-

    1. Regmon: Registry Monitor - Monitors all access to the computer's registry. (NOTE:- This has a handy "Log Boot" feature to help you track down registry changes by spyware at start-up which may help give you a clue as to how the spyware is working and thus give you an opportunity to defeat it).

    2. TDIMon: Transport Driver Interface Monitor - Monitors all TCP and UDP connections to and from the computer.

    3. FileMon: File Monitor - Monitors all file system activity.

    4. NTPMon: NT Process Monitor - Monitors all process activity.

    5. Autoruns: Lists all the automatically starting services and applications and the locations from which they are initiated.

    Pre-Preparation:-

    Log in as an administrator of the machine since these tools require administrative access. Back up the registry in case the program removes registry entries. Start Regmon and Filemon and filter out the above four applications' activity to simplify the output. This filtering will be saved for the next time you start these two apps. Have your suspicious file in place ready to activate or the web site bookmarked and ready to be connected to. For the sake of simplicity have the computer set with everything already running because these tools have voluminous output so the more you can avoid capturing the better. If you are about to test a suspicious file or a web site use Autoruns to take a "snapshot" of the current start-up items on the computer and save the output to a safe place, (floppy, key fob or network drive and disconnect or write protect). Prior to saving Autoruns' output you need to use the file-view menu and select the following items:-

    1. Show AppInit DLL's
    2. Show Explorer Addons
    3. Show Services
    4. Show Winlogon Notifications
    5. Show Winsock Providers
    6. Verify Code Signatures
    7. Include Empty Locations
    8. Refresh (to refresh the information).

    Then save the data.

    Start the four applications and, again, for the sake of simplicity, stop captures and set yourself up to activate the item to be tested. The application I will use for this tutorial is an anonymizer called Tor, (http://tor.eff.org/cvs/tor/doc/tor-doc-win32.html), because I know it will install itself, create an autostart and contact the internet. This should show us good activity on all the tools making it a good demonstration.

    Start the capture or clear any existing items in the tools and click on the suspect item and follow the prompts if any until completion, (in this case I told it to make Tor run at startup). As soon as the installer completes running and Tor runs itself I stopped the capture on all four applications and saved the data to files in a protected location. In reality you should probably leave them running for a few minutes before stopping the capture in case anything important occurs on a delayed schedule, (like after a download has completed there may be a further installation, reconnection to the internet etc.).

    The Analysis:-

    We'll start with the easy one first since it contains the least data. You will notice that some of the file sizes are quite large, which is an interesting view into the complexity of your computer. (Filemon.log - 410kb, Process.prc - 2kb, Regmon.log - 1028kb, TDImon.log - 13kb).

    Process.prc

    325 0 explorer.exe Process Create tor-0.0.9.5-win 6.546750
    326 0 tor-0.0.9.5-win Thread Create TID: 336 0.000000
    327 0 explorer.exe Thread Delete TID: 284 1.703092
    328 0 tor-0.0.9.5-win Thread Create TID: 284 1.265601
    329 0 tor-0.0.9.5-win Thread Create TID: 324 0.140622
    330 0 tor-0.0.9.5-win Thread Create TID: 1332 0.015625
    331 0 System Thread Create TID: 876 0.000000
    332 0 System Thread Create TID: 428 0.000000
    333 0 WINLOGON.EXE Thread Create TID: 748 0.000000
    334 0 WINLOGON.EXE Thread Delete TID: 748 1.109353
    335 0 System Thread Delete TID: 428 0.015625
    336 0 System Thread Delete TID: 876 0.000000
    337 0 tor-0.0.9.5-win Process Create tor.exe 1.859339
    338 0 tor.exe Thread Create TID: 876 0.000000
    339 0 tor-0.0.9.5-win Thread Delete TID: 284 0.015625
    340 0 tor-0.0.9.5-win Thread Delete TID: 324 0.062499
    341 0 tor-0.0.9.5-win Thread Delete TID: 1332 0.000000
    342 0 tor-0.0.9.5-win Thread Delete TID: 336 0.000000
    343 0 explorer.exe Process Delete tor-0.0.9.5-win 0.000000
    344 0 tor.exe Thread Create TID: 336 0.171872
    345 0 tor.exe Thread Create TID: 324 0.000000
    346 0 SERVICES.EXE Thread Create TID: 1332 0.078123
    347 0 tor.exe Thread Create TID: 284 0.749986

    As can be seen, the act of clicking the executable causes explorer.exe to spawn a process for it, (tor-0.0.9.5-win.exe), in #325. The executable then creates 4 threads within that process in #326/8/9 and 330. The next important entries begin at #337 where the installer starts the application itself, (process create). Now that Tor.exe is running, the installer closes the threads it started, (thread delete #339-342), and, as it closes itself, explorer.exe kills the process, (process delete #343). Now that Tor is running it creates its own threads in #338, 344, 345 and 347 while services.exe registers the process in 346.

    From the output of this tool you can see what exactly happens in terms of running programs and threads when the installer executes. The programs the installer runs may be hidden from your view but this output shows you they are there. More importantly, some applications hide threads in another program's process. The output here would show you Thread ID's, (TID's), being started and a program such as ProcExp, (Process Explorer by Sysinternals), would let you track the threads down by TID and see which processes are being subverted.

    Filemon.log

    This log gives a feel for how complex the filesystem is, how much "work" goes on within it. The actual output has been edited to only leave the Tor Installer's activity because it shows what files have been written, (altered or added). See FileMonClean.log in the Zip file.

    Early in the log you can see the installer thread started by explorer.exe in #325 above reading itself in chunks of 512 bytes into memory:-

    157 10:27:18 AM tor-0.0.9.5-win:1008 READ C:\Downloads\tor-0.0.9.5-win32.exe SUCCESS Offset: 0 Length: 512
    158 10:27:18 AM tor-0.0.9.5-win:1008 READ C:\Downloads\tor-0.0.9.5-win32.exe SUCCESS Offset: 512 Length: 512
    159 10:27:18 AM tor-0.0.9.5-win:1008 READ C:\Downloads\tor-0.0.9.5-win32.exe SUCCESS Offset: 1024 Length: 512

    Then it checks for the existence of a folder that _should_ exist, and does, hence the success:-

    257 10:27:18 AM tor-0.0.9.5-win:1008 QUERY INFORMATION C:\DOCUME~1\TIGER\LOCALS~1\Temp SUCCESS Attributes: DA

    Next it creates a temporary file in that folder, closes it, recreates it to ensure it can overwrite it, reads data from the installer and writes it to the file. These are the temporary files the installer will use to install the required files later:-

    258 10:27:18 AM tor-0.0.9.5-win:1008 CREATE C:\DOCUME~1\TIGER\LOCALS~1\Temp\nsm56.tmp SUCCESS Options: Create Access: All
    259 10:27:18 AM tor-0.0.9.5-win:1008 CLOSE C:\DOCUME~1\TIGER\LOCALS~1\Temp\nsm56.tmp SUCCESS
    260 10:27:18 AM tor-0.0.9.5-win:1008 CREATE C:\DOCUME~1\TIGER\LOCALS~1\Temp\nsm56.tmp SUCCESS Options: OverwriteIf Access: All
    261 10:27:18 AM tor-0.0.9.5-win:1008 READ C:\Downloads\tor-0.0.9.5-win32.exe SUCCESS Offset: 36380 Length: 16384
    262 10:27:18 AM tor-0.0.9.5-win:1008 WRITE C:\DOCUME~1\TIGER\LOCALS~1\Temp\nsm56.tmp SUCCESS Offset: 0 Length: 32768
    263 10:27:18 AM tor-0.0.9.5-win:1008 WRITE C:\DOCUME~1\TIGER\LOCALS~1\Temp\nsm56.tmp SUCCESS Offset: 32768 Length: 32768
    264 10:27:18 AM tor-0.0.9.5-win:1008 WRITE C:\DOCUME~1\TIGER\LOCALS~1\Temp\nsm56.tmp SUCCESS Offset: 65536 Length: 3793
    265 10:27:18 AM tor-0.0.9.5-win:1008 READ C:\DOCUME~1\TIGER\LOCALS~1\Temp\nsm56.tmp SUCCESS Offset: 0 Length: 4
    266 10:27:18 AM tor-0.0.9.5-win:1008 READ C:\DOCUME~1\TIGER\LOCALS~1\Temp\nsm56.tmp SUCCESS Offset: 4 Length: 15160

    You will also notice that all the text the installer generates indicates that the installer references various system DLL's as it goes. As long as these aren't Write or Delete attempts then no harm is done to them.

    After creating several temporary files and folders the installer moves on with its job:-

    805 10:27:21 AM tor-0.0.9.5-win:1008 DIRECTORY C:\ SUCCESS FileBothDirectoryInformation: Program Files
    806 10:27:21 AM tor-0.0.9.5-win:1008 CLOSE C:\ SUCCESS
    807 10:27:21 AM tor-0.0.9.5-win:1008 OPEN C:\Program Files\ SUCCESS Options: Open Directory Access: All
    808 10:27:21 AM tor-0.0.9.5-win:1008 DIRECTORY C:\Program Files\ NO SUCH FILE FileBothDirectoryInformation: Tor
    809 10:27:21 AM tor-0.0.9.5-win:1008 CLOSE C:\Program Files\ SUCCESS
    810 10:27:21 AM tor-0.0.9.5-win:1008 CREATE C:\Program Files\Tor SUCCESS Options: Create Directory Access: All
    811 10:27:21 AM tor-0.0.9.5-win:1008 CLOSE C:\Program Files\Tor SUCCESS
    812 10:27:21 AM tor-0.0.9.5-win:1008 OPEN C:\Program Files\Tor SUCCESS Options: Open Directory Access: Traverse

    Here it opens and closes each folder in the structure till it gets to Program Files, then it tests to see if there is a Tor folder already there, (#808). Since there isn't, it creates one, (#809).

    Then it creates Tor.exe itself in the new folder and after some "messing around" it begins writing to it:-

    818 10:27:21 AM tor-0.0.9.5-win:1008 CREATE C:\Program Files\Tor\tor.exe SUCCESS Options: Create Access: All
    ......
    874 10:27:21 AM tor-0.0.9.5-win:1008 WRITE C:\Program Files\Tor\tor.exe SUCCESS Offset: 0 Length: 16384
    875 10:27:21 AM tor-0.0.9.5-win:1008 READ C:\DOCUME~1\TIGER\LOCALS~1\Temp\nsm56.tmp SUCCESS Offset: 80305 Length: 16384
    876 10:27:21 AM tor-0.0.9.5-win:1008 WRITE C:\Program Files\Tor\tor.exe SUCCESS Offset: 16384 Length: 16384
    877 10:27:21 AM tor-0.0.9.5-win:1008 READ C:\DOCUME~1\TIGER\LOCALS~1\Temp\nsm56.tmp SUCCESS Offset: 96689 Length: 16384
    878 10:27:21 AM tor-0.0.9.5-win:1008 WRITE C:\Program Files\Tor\tor.exe SUCCESS Offset: 32768 Length: 16384

    A quick search for the word "create" will provide you with a list of every file the installer created. See FilemonCreated.Log in the zip file.

    This is where it creates its autostart entry which it writes to later:-

    1569 10:27:22 AM tor-0.0.9.5-win:1008 CREATE C:\Documents and Settings\TIGER\Start Menu\Programs\Tor SUCCESS Options: Create Directory Access: All

    After that there is a lot of writing the files themselves, checking them, gathering information about the system, housekeeping and cleaning up.

    Now we know every file and folder that was opened, created, written or deleted on the system. Handy information if we need to do a manual removal.

    Regmon.log

    It's actually fascinating to see how much information and the way the installer locates it in the registry, (mostly by trial and error). See regmonclean.log in the zip file.

    You will see hundreds of entries like this:-

    1 37.48215737 tor-0.0.9.5-win:652 OpenKey HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced SUCCESS Key: 0xE27AE4E0
    2 37.48219005 tor-0.0.9.5-win:652 QueryValue HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\UseDoubleClickTimer NOTFOUND
    3 37.48222609 tor-0.0.9.5-win:652 CloseKey HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced SUCCESS Key: 0xE27AE4E

    as the installer finds certain information about the system. Here and there amongst all these entries you will find entries such as:-

    25 37.61170344 tor-0.0.9.5-win:652 CreateKey HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders SUCCESS Key: 0xE2AD3440

    where the installer creates keys it will need in the future. Thus a search for all "CreateKey" entries will show you the keys that the installer created. Furthermore you should search for "SetValue" which will indicate that a value was either created or changed within the registry:-

    26 37.61172747 tor-0.0.9.5-win:652 SetValue HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\AppData SUCCESS "C:\Documents and Settings\TIGER\Application Data"

    It would, of course, be prudent to search for "DeleteKey" in case your chosen malware deletes keys that may be of use. This is why we backed up the registry. We can import the backup and fix these deleted keys without knowing their contents - it also makes it quicker to restore the original state rather than doing it all manually.

    TDIMon.log

    See tdimonclean.log in the zip file.

    In this file you can see the now started process, (Tor.exe), setting itself up to talk to the address 127.0.0.1, (this computer). This is because the program actually needs to connect to Privoxy, (a local proxy), before it can function properly.

    2 2.21473400 tor.exe:428 82C0E2A8 IRP_MJ_CREATE TCP:127.0.0.1:9050 SUCCESS Address Open
    3 2.21479993 tor.exe:428 82C0E2A8 TDI_SET_EVENT_HANDLER TCP:127.0.0.1:9050 SUCCESS Error Event
    4 2.21481501 tor.exe:428 82C0E2A8 TDI_SET_EVENT_HANDLER TCP:127.0.0.1:9050 SUCCESS Disconnect Event
    5 2.21482535 tor.exe:428 82C0E2A8 TDI_SET_EVENT_HANDLER TCP:127.0.0.1:9050 SUCCESS Receive Event
    6 2.21483541 tor.exe:428 82C0E2A8 TDI_SET_EVENT_HANDLER TCP:127.0.0.1:9050 SUCCESS Expedited Receive Event
    7 2.21484574 tor.exe:428 82C0E2A8 TDI_SET_EVENT_HANDLER TCP:127.0.0.1:9050 SUCCESS Chained Receive Event
    8 2.21485664 tor.exe:428 82C0E2A8 TDI_QUERY_INFORMATION TCP:127.0.0.1:9050 SUCCESS Query Address
    9 2.21489631 tor.exe:428 FB37EE88 IRP_MJ_CREATE TCP:Connection obj SUCCESS Context:0x811511A8
    10 2.21491586 tor.exe:428 FB37EE88 TDI_ASSOCIATE_ADDRESS TCP:Connection obj SUCCESS TCP:127.0.0.1:9050

    Once it has set up its communication with Privoxy it then tries to connect to the outside world through SSL and finds a connection:-

    78 3.03891584 tor.exe:428 FA08E708 TDI_SET_EVENT_HANDLER TCP:0.0.0.0:4067 SUCCESS Error Event
    79 3.03893204 tor.exe:428 FA08E708 TDI_SET_EVENT_HANDLER TCP:0.0.0.0:4067 SUCCESS Disconnect Event
    80 3.03894210 tor.exe:428 FA08E708 TDI_SET_EVENT_HANDLER TCP:0.0.0.0:4067 SUCCESS Receive Event
    81 3.03895188 tor.exe:428 FA08E708 TDI_SET_EVENT_HANDLER TCP:0.0.0.0:4067 SUCCESS Expedited Receive Event
    82 3.03896166 tor.exe:428 FA08E708 TDI_SET_EVENT_HANDLER TCP:0.0.0.0:4067 SUCCESS Chained Receive Event
    83 3.03897199 tor.exe:428 FA08E708 TDI_QUERY_INFORMATION TCP:0.0.0.0:4067 SUCCESS Query Address
    84 3.03901641 tor.exe:428 FA08E368 IRP_MJ_CREATE TCP:Connection obj SUCCESS Context:0xFA1A2DA8
    85 3.03903513 tor.exe:428 FA08E368 TDI_ASSOCIATE_ADDRESS TCP:Connection obj SUCCESS TCP:0.0.0.0:4067
    86 3.03905105 tor.exe:428 FA08E368 TDI_CONNECT TCP:0.0.0.0:4067 62.116.124.106:443 SUCCESS
    87 3.23438314 tor.exe:428 FA08E368 TDI_SEND TCP:0.0.0.0:4067 62.116.124.106:443 SUCCESS Length:49
    88 3.43803109 tor.exe:428 FA08E708 TDI_EVENT_CHAINED_RECEIVE TCP:0.0.0.0:4067 62.116.124.106:443 PENDING Length:1398 Flags: ENTIRE_MESSAGE LOOKAHEAD DISPATCH
    89 3.46378855 tor.exe:428 FA08E368 TDI_SEND TCP:0.0.0.0:4067 62.116.124.106:443 SUCCESS-100 Length:1262
    90 3.71987529 tor.exe:428 FB043B68 IRP_MJ_CREATE TCP:0.0.0.0:0 SUCCESS Address Open

    This connection is where the application connects to the master server to determine the currently available proxies that can be used in the chain. It receives a list of them and then makes an initial connection on port 9301, (its standard first port of choice but they will vary after this initial connection), to 128.39.141.245. With the successful completion of this connection the Tor window indicates:-

    "[notice] circuit_send_next_onion_skin(): Tor has successfully opened a circuit. Looks like it's working."

    Now, just for confirmation of your findings, you can use Autoruns again and compare it to your first run to see the differences.

    So, now we have all the information we require to determine exactly what a piece of potentially malicious code did to our computer. With this information we could manually reverse the effects and return our computer back to the state it was in. Had the program downloaded additional code and executed it we would have been able to see where it got the code from, what changes that code made to the system and what files it created, changed or destroyed.

    We also just took a quick look at how incredibly complex our computers are today.
    Don't SYN us.... We'll SYN you.....
    "A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools." - Thucydides
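The searches the tutorial above describes (Filemon "create", Regmon "CreateKey"/"SetValue"/"DeleteKey", TDIMon connects) can be automated; the script below is an added example, not part of TigerShark's post or of the Sysinternals tools, and assumes log rows in the column layout pasted in the post (whitespace-separated, result word followed by detail). The sample rows are the post's own except the second TDIMon row, which is constructed.

```python
import re

# Constructed sample rows in the layouts the post pastes (Filemon, Regmon, TDIMon).
# Values are the post's own except the TDIMon row marked "constructed".
FILEMON_LINES = [
    r"258 10:27:18 AM tor-0.0.9.5-win:1008 CREATE C:\DOCUME~1\TIGER\LOCALS~1\Temp\nsm56.tmp SUCCESS Options: Create Access: All",
    r"260 10:27:18 AM tor-0.0.9.5-win:1008 CREATE C:\DOCUME~1\TIGER\LOCALS~1\Temp\nsm56.tmp SUCCESS Options: OverwriteIf Access: All",
    r"808 10:27:21 AM tor-0.0.9.5-win:1008 DIRECTORY C:\Program Files\ NO SUCH FILE FileBothDirectoryInformation: Tor",
    r"810 10:27:21 AM tor-0.0.9.5-win:1008 CREATE C:\Program Files\Tor SUCCESS Options: Create Directory Access: All",
    r"818 10:27:21 AM tor-0.0.9.5-win:1008 CREATE C:\Program Files\Tor\tor.exe SUCCESS Options: Create Access: All",
    r"874 10:27:21 AM tor-0.0.9.5-win:1008 WRITE C:\Program Files\Tor\tor.exe SUCCESS Offset: 0 Length: 16384",
]
REGMON_LINES = [
    r"25 37.61170344 tor-0.0.9.5-win:652 CreateKey HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders SUCCESS Key: 0xE2AD3440",
    r'26 37.61172747 tor-0.0.9.5-win:652 SetValue HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\AppData SUCCESS "C:\Documents and Settings\TIGER\Application Data"',
]
TDIMON_LINES = [
    r"86 3.03905105 tor.exe:428 FA08E368 TDI_CONNECT TCP:0.0.0.0:4067 62.116.124.106:443 SUCCESS",
    r"120 4.10000000 tor.exe:428 FA08E368 TDI_CONNECT TCP:0.0.0.0:4068 128.39.141.245:9301 SUCCESS",  # constructed row
]

FILEMON_RE = re.compile(
    r"^\d+\s+\S+ [AP]M\s+\S+?:\d+\s+(CREATE|OPEN|CLOSE|READ|WRITE|DELETE|DIRECTORY|QUERY INFORMATION)\s+"
    r"(.+?)\s+(SUCCESS|NO SUCH FILE|NOT FOUND|ACCESS DENIED)\s*(.*)$")
REGMON_RE = re.compile(r"^\d+\s+[\d.]+\s+\S+?:\d+\s+(\w+)\s+(.+?)\s+(SUCCESS|NOTFOUND|ACCDENIED)\s*(.*)$")
TDI_CONNECT_RE = re.compile(r"^\d+\s+[\d.]+\s+(\S+?):\d+\s+[0-9A-F]+\s+TDI_CONNECT\s+\S+\s+(\d+(?:\.\d+){3}):(\d+)\s+(\S+)")

def filemon_changes(lines):
    """Paths the process created, wrote or deleted: the post's 'search for create' made precise."""
    changes = {"created": [], "written": [], "deleted": []}
    for m in filter(None, map(FILEMON_RE.match, lines)):
        op, path, result, detail = m.groups()
        # Filemon logs CREATE for every open that carries a disposition; only
        # "Options: Create" made a new object, "OverwriteIf" reopened an existing one.
        if op == "CREATE" and detail.startswith("Options: Create"):
            op = "created"
        bucket = {"created": "created", "WRITE": "written", "DELETE": "deleted"}.get(op)
        if result == "SUCCESS" and bucket and path not in changes[bucket]:  # failed probes changed nothing
            changes[bucket].append(path)
    return changes

def regmon_changes(lines):
    """Keys created, values set and keys/values deleted (the post's CreateKey/SetValue/DeleteKey searches)."""
    changes = {"keys_created": [], "values_set": [], "deleted": []}
    for m in filter(None, map(REGMON_RE.match, lines)):
        op, key, result, detail = m.groups()
        if result != "SUCCESS":
            continue
        if op == "CreateKey":  # caveat: CreateKey also succeeds when the key already existed
            changes["keys_created"].append(key)
        elif op == "SetValue":
            changes["values_set"].append((key, detail.strip('"')))
        elif op in ("DeleteKey", "DeleteValue"):
            changes["deleted"].append(key)
    return changes

def tdimon_connections(lines):
    """Remote endpoints the process connected to (TDIMon TDI_CONNECT rows that succeeded)."""
    return [(m.group(1), m.group(2), int(m.group(3)))
            for m in map(TDI_CONNECT_RE.match, lines) if m and m.group(4) == "SUCCESS"]
```

Run it over the cleaned logs from the zip file, one row per list element, and compare the "created" and "keys_created" lists against the pre-install Autoruns snapshot to separate what was new from what merely existed already.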

  2. #2
    Senior Member
    Join Date
    Mar 2004
    Posts
    510
    Can we force people to read it when they say 'why is my computer slow' and 'how come it takes so long to fix, I thought you guys knew what you were doing'?
    "You got a mouth like an outboard motor..all the time putt putt putt" - Foghorn Leghorn

  3. #3
    Senior Member
    Join Date
    May 2003
    Posts
    1,199
    Can we force people to read it when they say 'why is my computer slow' and 'how come it takes so long to fix, I thought you guys knew what you were doing'?

    I thought we just told those people to format? Or was I misinforming them? lol
    Everyone is going to die, I am just as good of a reason as any.

    http://think-smarter.blogspot.com

  4. #4
    Senior Member
    Join Date
    Mar 2004
    Posts
    510
    You mean after you go through their computer to look for AUP violations?
    "You got a mouth like an outboard motor..all the time putt putt putt" - Foghorn Leghorn

  5. #5
    Hoopy Frood
    Join Date
    Jun 2004
    Posts
    662

    Re: Investigating Malware in action

    You must spread your AntiPoints around before giving it to Tiger Shark again.
    Boo on that. Nice tut, TigerShark.

    - Xierox
    "Personality is only ripe when a man has made the truth his own."

    -- Søren Kierkegaard
