Understanding Malware: Spyware, Viruses and Rootkits Steve Lamb IT Pro Evangelist for Security Technologies

Copyright © 2005 Mark Russinovich

Scope What this talk covers: – Types of malware – How malware propagates and works – How to detect and prevent malware What it doesn’t: – Phishing – Product reviews and comparisons – General security information – How to write malware

Agenda The Malware problem Spyware, adware and trojans Viruses Rootkits Running as non-admin Conclusion

Is Anyone After You?

Know Your Adversary

Spyware is Rampant We’ve all cleaned malware off the computers of family and friends EarthLink found an average of 28 spyware programs on its customers’ systems Spyware is the cause of 2 of every 5 home-user and 1 of every 4 corporate customer-service calls

The Growing Threat (source: Symantec Internet Security Threat Report, March 2005) 1403 new vulnerabilities discovered in Q304/Q105 – 13% increase over the previous 6 months – 97% rated as moderately or highly severe – 80% remotely exploitable – 70% “easy” to exploit 7630 new worms and viruses discovered in 2H04 – 64% increase over the previous 6 months 54% of malware created in 2H04 exposes confidential information – Up from 44% in the previous 6 months

There’s a Sense of Complacency Many users expect to get spyware and adware as part of freeware Lots of unpatched systems – The top five reported exploited corporate computer vulnerabilities have had patches available for months – According to CERT, 95% of security breaches use known vulnerabilities – As of March 2005 less than ¼ of corporate Windows XP users had applied SP2

Fighting Malware: A Top Priority Interferes with productivity Causes a constant support burden Opens the door to financial and corporate data theft It’s a matter of time before there’s a major terrorist incident in cyberspace Understanding malware is the key to fighting it

Agenda The Malware problem Spyware, adware and trojans Viruses Rootkits Running as non-admin Conclusion

Definitions Adware: – Software that delivers ads through banners and popups Spyware: – Gathers information without consent – Sends the information to 3rd parties without notification – Changes behavior, look, or feel without consent – Spyware is often combined with adware Trojan: – Malware disguised as harmless software

How It Gets Delivered By invitation or attractive attachment – Fake Microsoft security bulletins – See – Pictures Piggy-backed on software installs

How It Gets Delivered (cont’d) Drive-by downloads – Users get tricked by misleading ActiveX control signing prompts – IE in Windows XP SP2 has clearer notifications Popups and other tricks – Lots of third-party popup blockers – IE in Windows XP SP2 has a blocker – Banners and “pop-overs” can still trick users

Preventing Spyware, Adware and Trojans Disable all active content in IE – This can prevent certain sites from working – For example, Windowsupdate.com Always use the window’s own close button (‘X’) to dismiss a popup – A “Close” or “Cancel” button drawn inside the popup can itself be the link that triggers the download Only download from reputable sites that certify software as being virus free Use antispyware

Antispyware Antispyware utilities, like antivirus, both scan for and block spyware Scanning relies on: – A spyware signature database – File scanning – A remediation database – It’s an after-the-fact solution Spyware blocking relies on detecting spyware installation when it happens

Inside Spyware Blocking Microsoft Antispyware (MSAS) includes “real-time protection”:

MSAS Real-Time Protection MSAS scans spyware startup points in the file system and registry every 10 seconds

MSAS Blocking When it sees a new entry it pops up a notification window Choosing “block” results in MSAS deleting the new entry

Manual Cleaning You should know how to identify potential malware and clean it – Antispyware (AS) only addresses known spyware – AS can be attacked directly by spyware – A system might not have AS Tools for cleaning and investigating what’s running and what’s configured to run (all from Sysinternals): – Autoruns – Process Explorer – Sigcheck

Investigating Autostarts Windows XP Msconfig (Start->Run->Msconfig) falls short when it comes to identifying autostarting applications – It knows about few locations – It provides little information

Autoruns Shows every place in the system that can be configured to run something at boot & logon – Services – Tasks – Explorer and IE addins (toolbars, browser helper objects, …) Shows full path and version information of startup image Easy Web search Easy to focus on non-Microsoft code (Hide Signed Microsoft Entries) Can also show empty locations – Informational only Includes command-line version – Easy to script – Collect profile of systems in network

Autoruns (cont’d)

Investigating Processes Task Manager provides little information about images that are running

Process Explorer Allows deep exploration of processes – Process tree – Command-line – Full path – Version information – Strings – Code signing verification – Loaded DLLs – Window finder – Easy Web search Suspicious processes: – No description or company name – Live in Windows directory – No icon – Strange URLs in the strings Includes process comment support for baselining

Process Explorer (cont’d)

Cleaning Identify malware processes with Process Explorer – Suspend all of them first, then kill them (malware often runs as a pair of processes that restart each other; a suspended process can’t respawn its partner) Identify malware autostarts with Autoruns – Remove them Delete malware files and directories from disk

Cleaning a Malware Infestation with… Microsoft antispyware Autoruns Process Explorer

Code Signing All (well, most) Microsoft code is digitally signed – Hash of the file is signed with Microsoft’s private key – The signature is verified with Microsoft’s public key: the hash recovered from the signature must match a fresh hash of the file, so any modification of the image invalidates it Autoruns and Process Explorer both check signatures Use Sigcheck to scan executable images for signatures – Scan your entire system (at least \Windows) – Investigate all unsigned images – Maybe check the signers of signed images as well…

Sigcheck Command to display information on unsigned executable images: sigcheck -e -u -s c:\
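As an added example, and not code from the deck or from Sysinternals, here is a PowerShell stand-in for three of the things described on the preceding slides: Autoruns’ “Hide Signed Microsoft Entries” view over a handful of autostart locations, the MSAS-style polling of startup points every 10 seconds, and the sigcheck scan for unsigned images. The function names (Resolve-ImagePath, Test-MicrosoftSigned, Get-AutostartImage, Watch-Autostart) are invented, and the registry locations are a small subset of what Autoruns enumerates:

```powershell
# Added example for this deck, not Sysinternals or Microsoft code: a small
# PowerShell stand-in for Autoruns' "Hide Signed Microsoft Entries", MSAS
# real-time protection and "sigcheck -e -u -s". Function names are assumed.
# Windows PowerShell 3.0+; run elevated so every service key is readable.
Set-StrictMode -Version 2

# Registry autostart locations covered here (Autoruns checks far more).
$RunKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)

function Resolve-ImagePath {
    # Pull the executable out of a Run value or service ImagePath, e.g.
    #   "C:\Program Files\Foo\foo.exe" /silent
    #   \SystemRoot\system32\drivers\foo.sys
    #   %SystemRoot%\System32\svchost.exe -k netsvcs
    param([string]$CommandLine)
    if ([string]::IsNullOrWhiteSpace($CommandLine)) { return $null }
    $cmd = [Environment]::ExpandEnvironmentVariables($CommandLine.Trim())
    $cmd = $cmd -replace '^\\\?\?\\', ''                            # \??\C:\x -> C:\x
    $cmd = $cmd -replace '^\\SystemRoot\\', "$env:SystemRoot\"       # \SystemRoot\x -> C:\Windows\x
    if ($cmd -match '^system32\\') { $cmd = "$env:SystemRoot\$cmd" }  # bare driver paths
    if ($cmd.StartsWith('"')) {                                      # quoted path, args follow
        $end = $cmd.IndexOf('"', 1)
        if ($end -gt 1) { return $cmd.Substring(1, $end - 1) }
    }
    $m = [regex]::Match($cmd, '^(.+?\.(exe|dll|sys|scr|cmd|bat))(\s|$)', 'IgnoreCase')
    if ($m.Success) { return $m.Groups[1].Value }                    # unquoted path with args
    return ($cmd -split '\s+')[0]
}

function Test-MicrosoftSigned {
    # $true only when the signature verifies and the signer is Microsoft;
    # unsigned, tampered and third-party images all return $false.
    param([string]$Path)
    if (-not $Path -or -not (Test-Path -LiteralPath $Path -PathType Leaf)) { return $false }
    $sig = Get-AuthenticodeSignature -LiteralPath $Path
    return ($sig.Status -eq 'Valid' -and $sig.SignerCertificate.Subject -match 'O=Microsoft Corporation')
}

function Get-AutostartImage {
    # One object per Run/RunOnce value and per service ImagePath, with the
    # resolved image and its signature verdict.
    $raw = New-Object System.Collections.Generic.List[object]
    foreach ($key in $RunKeys) {
        if (-not (Test-Path -LiteralPath $key)) { continue }
        foreach ($p in (Get-ItemProperty -LiteralPath $key).PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }                    # PSPath, PSParentPath, ...
            $raw.Add([pscustomobject]@{ Location = $key; Entry = $p.Name; CommandLine = [string]$p.Value })
        }
    }
    $svcRoot = 'HKLM:\SYSTEM\CurrentControlSet\Services'
    foreach ($svc in Get-ChildItem -LiteralPath $svcRoot -ErrorAction SilentlyContinue) {
        $ip = (Get-ItemProperty -LiteralPath $svc.PSPath -ErrorAction SilentlyContinue).PSObject.Properties['ImagePath']
        if ($ip -and $ip.Value) {
            $raw.Add([pscustomobject]@{ Location = $svcRoot; Entry = $svc.PSChildName; CommandLine = [string]$ip.Value })
        }
    }
    foreach ($e in $raw) {
        $image = Resolve-ImagePath $e.CommandLine
        [pscustomobject]@{
            Location        = $e.Location
            Entry           = $e.Entry
            Image           = $image
            Exists          = [bool]($image -and (Test-Path -LiteralPath $image -PathType Leaf))
            MicrosoftSigned = Test-MicrosoftSigned $image
        }
    }
}

function Watch-Autostart {
    # Crude real-time protection in the MSAS style: baseline the entries,
    # re-read them every $IntervalSeconds and emit anything that appeared.
    param([int]$IntervalSeconds = 10, [int]$Rounds = 30)
    $seen = @{}
    foreach ($a in Get-AutostartImage) { $seen["$($a.Location)|$($a.Entry)"] = $true }
    for ($i = 0; $i -lt $Rounds; $i++) {
        Start-Sleep -Seconds $IntervalSeconds
        foreach ($a in Get-AutostartImage) {
            $id = "$($a.Location)|$($a.Entry)"
            if ($seen.ContainsKey($id)) { continue }
            $seen[$id] = $true
            Write-Warning ("New autostart {0} -> {1} (MicrosoftSigned={2})" -f $id, $a.Image, $a.MicrosoftSigned)
            $a                                                       # caller decides whether to remove it
        }
    }
}

# Usage:
#   Get-AutostartImage | Where-Object { -not $_.MicrosoftSigned } | Format-Table Entry, Image, Exists -AutoSize
#   Get-AutostartImage | Export-Csv "$env:COMPUTERNAME-autostarts.csv" -NoTypeInformation   # per-machine profile
#   Watch-Autostart -IntervalSeconds 10
#   Get-ChildItem "$env:SystemRoot\System32" -Recurse -Force -Include *.exe,*.dll,*.sys -ErrorAction SilentlyContinue |
#       Get-AuthenticodeSignature | Where-Object { $_.Status -ne 'Valid' }                  # sigcheck -e -u -s
```

Two caveats before trusting the output. Older Windows PowerShell releases do not consult security catalogs, so catalog-signed Windows binaries can come back as NotSigned where Sigcheck (which does check catalogs) reports them as signed; an entry with Exists = False is as interesting as an unsigned one, since malware that has been partly cleaned leaves orphaned autostarts behind. And everything above asks the running system about itself, which is exactly what a rootkit lies about; that is the subject of the rootkit section below.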

Agenda The Malware problem Spyware, adware and trojans Viruses Rootkits Running as non-admin Conclusion

Definitions Virus – Recursively replicates itself (each copy makes further copies) Worm – Virus that replicates across the network, usually automatically (mass-mailer worms, which need a user to open the attachment, are an exception) – I’ll use “virus” to refer to both viruses and worms Exploit – Code that targets one or more security vulnerabilities to gain access to a system Payload – Virus body: the code that runs once the exploit has succeeded Zero-Day attack – Virus that exploits a vulnerability that has not been publicly disclosed, so no patch or signature exists for it yet

Antivirus Scans files for viruses Scanning relies on: – A virus signature database – File scanning – Emulation (“virtual machine”) technology to unpack or decrypt packed virus code before matching – A remediation database – Either quarantine or clean viruses – It’s an after-the-fact solution On-access scanning detects viruses in files as they are created or opened

Inside On-Access Scanning [diagram: the application runs in user mode; in kernel mode the antivirus filter driver sits above the file system driver; the antivirus service with its signature database runs in user mode] 1. AV filter intercepts the application’s file open 2. Stops the I/O and lets the service scan the file 3. If the file contains a virus that can’t be cleaned, AV quarantines it and blocks the open

Preventing Viruses AV is dependent on signatures – Small outbreak might never get signature – Window of exposure between virus outbreak and signature update Alternate prevention mechanisms are mandatory – Firewalls and intrusion prevention – Restrictions on what code executes – Buffer overflow prevention

Major Virus Outbreaks Melissa – March 1999 – First major Windows network worm – Spread as a mass mailer that infected Word documents with a macro virus Code Red – July 2001 – Exploited an IIS buffer overflow vulnerability – Infected 250,000 systems in 9 hours – Carried a planned DoS against a hard-coded target Nimda – September 2001 – 12 different propagation mechanisms – Fastest and most effective worm to that date

Major Virus Outbreaks (cont’d) Slapper – September 2002 – Injects through the OpenSSL buffer overflow in Apache’s mod_ssl – Builds a peer-to-peer network for massive DoS attacks SQL Slammer – January 2003 – Exploits a SQL Server buffer overflow – Causes a network flood Blaster – August 2003 – Exploits the DCOM RPC buffer overflow – Executes a DoS on Windowsupdate.com Zotob – August 2005 – Exploits the following Microsoft Windows vulnerabilities: – Plug and Play Buffer Overflow, Message Queuing Remote Buffer Overflow, Workstation Service Remote Buffer Overflow, ASN.1 Library Bit String Processing Variant Heap Corruption

Buffer Overflow The common theme of almost all major virus outbreaks is buffer overflow [diagram: the stack frame of Function 2 holds a local Buffer below the saved return address into Function 1 (higher addresses); virus data written past the end of Buffer overwrites that return address, so when Function 2 returns, execution lands in the virus code instead of back in Function 1]

Buffer Overflow Protection Visual Studio .NET includes the /GS flag – Inserts a “canary” value on the stack between the local buffers and the return address; it is checked for integrity on each function exit, so an overflow that reached the return address is caught before the function returns – Requires code recompilation – All OS code is compiled with this flag Windows XP SP2 and Windows Server 2003 SP1 support Data Execution Prevention (DEP) – Prevents code from executing in a memory page not specifically marked as executable – Stops exploits that rely on executing injected code from the stack or heap (it does not stop exploits that only redirect execution into code already present, so it complements /GS rather than replacing it)

Data Execution Prevention Relies on hardware ability to mark pages as non executable – AMD calls it NX (“No Execute”) – Intel calls it XD (“Execute Disable”) Processor support: – Intel Itanium had this in 2001, but Windows didn’t support it until now – AMD64 was the next to support it – Then, AMD added Sempron (32-bit processor with NX support) – Intel added it first with their 64-bit extension chips (Xeon/Pentium 4s with EM64T) – More recently, Intel added it to their 32-bit processor line (anything ending in “J”)

Data Execution Prevention (cont’d) Attempts to execute code in a page marked no-execute result in: – User mode: access violation exception – Kernel mode: ATTEMPTED_EXECUTE_OF_NOEXECUTE_MEMORY bugcheck (blue screen) Memory that needs to be executable must be marked as such using the page protection bits (for example PAGE_EXECUTE_READWRITE in a VirtualAlloc or VirtualProtect call)

DEP on 32-bit Windows DEP defaults to OptIn on Windows XP SP2 (on only for Windows system binaries and applications that opt in) and to OptOut on Windows Server 2003 SP1 (on for every application unless it is explicitly excluded) Configured under System Properties > Advanced > Performance settings, or with the /noexecute switch in boot.ini Even on processors without hardware NX, software-enforced DEP gives some limited protection for exception handlers (it refuses to dispatch to a handler that is not in the image’s SafeSEH table)

DEP on 64-bit Windows Always applied to all 64-bit processes and device drivers – Protects user and kernel stacks, paged pool, session pool 32-bit processes depend on configuration settings

Agenda The Malware problem Spyware, adware and trojans Viruses Rootkits Running as non-admin Conclusion

The Evolution of Malware Malware, including spyware, adware and viruses, wants to be hard to detect and/or hard to remove Rootkits are a fast-evolving technology for achieving these goals – Cloaking technology applied to malware – Not malware by itself – Example rootkit-based viruses: Rootkit history – Appeared as stealth viruses – One of the first known PC viruses, Brain, was stealth – First “rootkit” appeared on SunOS in 1994 – Replacement of core system utilities (ls, ps, etc.) to hide malware processes

Cloaking Modern rootkits can cloak: – Processes – Services – TCP/IP ports – Files – Registry keys – User accounts Several major rootkit technologies – User-mode API filtering – Kernel-mode API filtering – Kernel-mode data structure manipulation – Process hijacking Visit www.rootkit.com for rootkit tools and information

User-Mode API Filtering Attack user-mode system query APIs Con: can be bypassed by going directly to kernel-mode APIs Pro: can infect unprivileged user accounts Examples: HackerDefender, Afx [diagram: Taskmgr.exe calls Ntdll.dll in user mode; the rootkit filters the reply, so the true process list from kernel mode (Explorer.exe, Malware.exe, Winlogon.exe) is returned as Explorer.exe, Winlogon.exe]

Kernel-Mode API Filtering Attack kernel-mode system query APIs Cons: – Requires admin privilege to install – Difficult to write Pro: very thorough cloak Example: NT Rootkit [diagram: Taskmgr.exe and Ntdll.dll in user mode; the rootkit filters the query inside kernel mode, so the true list (Explorer.exe, Malware.exe, Winlogon.exe) is returned as Explorer.exe, Winlogon.exe]

Kernel-Mode Data Structure Manipulation Also called Direct Kernel Object Manipulation (DKOM) Attacks the active process data structure by unlinking the malware process from the kernel’s active-process list – Query API doesn’t see the process – Kernel still schedules the process’ threads Cons: – Requires admin privilege to install – Can cause crashes – Detection already developed Pro: more advanced variations possible Example: FU [diagram: Active Processes list Explorer.exe, Malware.exe, Winlogon.exe with Malware.exe unlinked from the chain]

Process Hijacking Hide inside a legitimate process Con: doesn’t survive reboot Pro: extremely hard to detect Example: Code Red [diagram: Explorer.exe hosting the malware code in its own address space]

Detecting Rootkits All cloaks have holes – Leave some APIs unfiltered – Have detectable side effects – Can’t cloak when OS is offline Rootkit detection attacks holes – Cat-and-mouse game – Several examples – Microsoft Research Strider/Ghostbuster – RKDetect – Sysinternals RootkitRevealer – F-Secure BlackLight

Simple Rootkit Detection Perform a directory listing online and compare it with a listing taken after booting a secure alternate OS – Offline OS: Windows PE, ERD Commander or BartPE – Online: dir /s /ah * > dirscanon.txt – Offline (same volume, usually under a different drive letter): dir /s /ah * > dirscanoff.txt – windiff dirscanon.txt dirscanoff.txt – /ah lists only files carrying the hidden attribute; use /a to include everything, since not every rootkit file is marked hidden This won’t detect non-persistent rootkits that save to disk during shutdown
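The same online/offline comparison as a PowerShell script instead of dir and windiff, added here as an example and not part of the deck. Save-FileListing and Compare-FileListing are invented names, the churn list is my own, and the drive letters in the usage comments are assumptions about how the volume shows up under Windows PE:

```powershell
# Added example, not from the deck: the "dir /s /ah" + windiff procedure on
# the slide, redone as PowerShell. Names are assumed. Step 1 runs on the live
# (possibly rootkitted) system; step 2 runs from a trusted boot such as
# Windows PE with PowerShell, where the same volume usually has a different
# drive letter; step 3 compares the two listings.

function Save-FileListing {
    # Write every file and directory under $Root, hidden and system objects
    # included, as a lower-cased path relative to $Root, so that C:\ online
    # and D:\ (or D:\mount) offline produce comparable lines.
    param(
        [Parameter(Mandatory = $true)][string]$Root,
        [Parameter(Mandatory = $true)][string]$OutFile
    )
    $prefixLen = $Root.TrimEnd('\').Length
    Get-ChildItem -LiteralPath $Root -Recurse -Force -ErrorAction SilentlyContinue |
        ForEach-Object { $_.FullName.Substring($prefixLen).ToLowerInvariant() } |
        Sort-Object -Unique |
        Set-Content -LiteralPath $OutFile -Encoding UTF8
}

# Paths the OS itself rewrites between boots; a difference there is noise
# unless -IncludeChurn is given. Assumed list, extend it for your build.
$ExpectedChurn = @(
    '^\\(pagefile|hiberfil|swapfile)\.sys$',
    '^\\system volume information\\', '^\\\$recycle\.bin\\', '^\\recycler\\',
    '^\\windows\\(temp|prefetch|softwaredistribution)\\',
    '^\\windows\\system32\\(config|logfiles)\\',
    '\\(local settings|appdata\\local)\\temp\\', '\\ntuser\.dat'
)

function Read-Listing {
    # Listing file -> hashtable keyed by path (fast membership tests).
    param([string]$Path)
    $set = @{}
    foreach ($line in [string[]](Get-Content -LiteralPath $Path)) { if ($line) { $set[$line] = $true } }
    return $set
}

function Compare-FileListing {
    # Objects the offline boot sees but the running OS did not are the
    # cloaking signature; objects only the running OS saw are usually churn.
    param(
        [Parameter(Mandatory = $true)][string]$OnlineListing,
        [Parameter(Mandatory = $true)][string]$OfflineListing,
        [switch]$IncludeChurn
    )
    $online  = Read-Listing $OnlineListing
    $offline = Read-Listing $OfflineListing
    $churn   = [regex]('(' + ($ExpectedChurn -join ')|(') + ')')
    foreach ($p in $offline.Keys) {
        if ($online.ContainsKey($p)) { continue }
        if (-not $IncludeChurn -and $churn.IsMatch($p)) { continue }
        [pscustomobject]@{ Path = $p; Verdict = 'HIDDEN: seen offline, not by the running OS' }
    }
    foreach ($p in $online.Keys) {
        if ($offline.ContainsKey($p)) { continue }
        if (-not $IncludeChurn -and $churn.IsMatch($p)) { continue }
        [pscustomobject]@{ Path = $p; Verdict = 'online only (usually churn)' }
    }
}

# Usage:
#   On the running system (write the listing to removable media, here E:):
#     Save-FileListing -Root 'C:\' -OutFile 'E:\dirscanon.txt'
#   From a clean Windows PE boot where that volume appears as D:\:
#     Save-FileListing -Root 'D:\' -OutFile 'E:\dirscanoff.txt'
#     Compare-FileListing -OnlineListing 'E:\dirscanon.txt' -OfflineListing 'E:\dirscanoff.txt' |
#         Format-Table -AutoSize -Wrap
```

The HIDDEN verdict is a lead, not proof: a directory the online scan could not read (ACL-denied or locked) shows up exactly like a cloaked file, so take the online listing as an administrator and check each hit by hand. The offline side must be a boot medium you trust, since a listing taken from a compromised OS proves nothing; and, as the slide says, a rootkit that only touches the disk during shutdown is outside what either listing can show.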

RootkitRevealer [diagram: RootkitRevealer reads both the Windows API view, which the rootkit filters so that its files and keys are omitted, and the raw file system and raw Registry hive, where the malware files and keys are visible] RootkitRevealer (RKR) runs online RKR tries to bypass the rootkit to uncover cloaked objects – All detectors listed do the same – RKR scans HKLM\Software, HKLM\System and the file system – Performs a Windows API scan and compares it with a raw data-structure scan; the discrepancies are the cloaked objects

Demo HackerDefender – HackerDefender before and after view of file system – Detecting HackerDefender with RootkitRevealer

RootkitRevealer Limitations Rootkits have already attacked RKR directly by not cloaking while it scans – RKR is given the true system view – The Windows API scan then looks identical to the raw scan, so nothing is reported Sysinternals has modified RKR to make it harder for rootkits to recognize – RKR is adopting rootkit techniques itself – Rootkit authors will continue to find ways around RKR’s cloak – It’s a game nobody can win

Dealing with Rootkits Unless you have specific uninstall instructions from an authoritative source: Don’t rely on the “rename” functionality offered by some rootkit detectors – It might not have detected all of a rootkit’s components – The rename might not be effective Reformat the system and reinstall Windows!

Agenda The Malware problem Spyware, adware and trojans Viruses Rootkits Running as non-admin Conclusion

Running as Non-Admin Benefits of running as non-admin (also called limited user): – System files and settings can’t be compromised – System-level security (like AV) can’t be disabled – Kernel-mode rootkits won’t install – User-mode rootkits will only cloak malware in the account in which they are installed – Can’t install keystroke loggers – System can be reliably scanned and cleaned from an admin account – Much more… Warning: the Power Users group is effectively an administrator

How to Run as Non-Admin Cons of running as non-admin – Many system tasks require admin privilege or membership – Some legacy and line-of-business apps require admin privilege or membership Aaron Margosis’ web log presents ways to deal with admin-only applications Two tools facilitate non-admin: – RunAs – Allows you to run a single app under an admin account – The app won’t have access to your network resources – The app won’t have access to your profile – MakeMeAdmin – Aaron’s tool – Temporarily adds your account to the Administrators group – Overcomes the RunAs limitations
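An added example, not from the deck and not Aaron Margosis’ MakeMeAdmin script: a check of what the current token actually carries (including the Power Users warning from the previous slide), plus the MakeMeAdmin trick re-created in PowerShell with three runas prompts (the real tool re-invokes itself once under the admin account, so it needs fewer). Get-PrivilegeStatus and Start-TemporaryAdminShell are invented names, and the local admin account name is an assumption:

```powershell
# Added example, not from the deck and not Aaron Margosis's MakeMeAdmin:
# what the current token holds, plus the MakeMeAdmin technique done with
# three runas prompts. Function names and the admin account name are assumed.

function Get-PrivilegeStatus {
    # Roles present in the *current token*. Power Users is counted as
    # admin-equivalent, as the slide warns. With UAC (Vista and later) a
    # non-elevated shell of an Administrators member reports $false here.
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal -ArgumentList $identity
    $isAdmin   = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
    $isPower   = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::PowerUser)
    [pscustomobject]@{
        User             = $identity.Name
        Administrator    = $isAdmin
        PowerUser        = $isPower
        EffectivelyAdmin = ($isAdmin -or $isPower)
    }
}

function Start-TemporaryAdminShell {
    # 1. Using an existing admin account, add the limited account to Administrators.
    # 2. Start a new logon (runas) for the limited account: the token is built
    #    at logon, so it now carries the Administrators SID, and because it is
    #    *your* account the shell keeps your profile and network credentials,
    #    which plain "runas /user:admin" does not.
    # 3. Remove the group membership again. The shell from step 2 keeps its
    #    token; anything started later (including by malware) is limited again.
    # XP-era technique: with UAC enabled, runas hands out the filtered token,
    # so on Vista and later use the elevation prompt instead.
    param(
        [string]$AdminAccount = "$env:COMPUTERNAME\Administrator",  # assumed name
        [string]$Program      = 'cmd.exe /k title TEMPORARY ADMIN SHELL'
    )
    $me = "$env:USERDOMAIN\$env:USERNAME"                           # no spaces assumed
    runas "/user:$AdminAccount" "net localgroup Administrators $me /add"
    runas "/user:$me" $Program
    runas "/user:$AdminAccount" "net localgroup Administrators $me /delete"
}

# Usage:
#   Get-PrivilegeStatus
#   Start-TemporaryAdminShell          # three password prompts: admin, yours, admin
```

Close the temporary shell as soon as the admin task is done; every process it spawns inherits the admin token, which is the same exposure the whole section is trying to avoid.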

Agenda The Malware problem Spyware, adware and trojans Viruses Rootkits Running as non-admin Conclusion

Defense-in-Depth Fighting malware is a battle that’s just heating up To deal effectively with malware you need to employ defense-in-depth: – External firewalls – Firewalled internal zones – Antivirus and antispyware – Patch management – No execute-supported hardware – Accounts that run as limited user

© 2005 Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. Microsoft makes no warranties, express or implied, in this summary. Thanks to Mark Russinovich (Chief Software Architect, Winternals Software), who wrote this presentation for TechEd EMEA 2005