
Page 1: [IEEE 2008 International Symposium on Information Technology - Kuala Lumpur, Malaysia (2008.08.26-2008.08.28)] 2008 International Symposium on Information Technology - Malware self

978-1-4244-2328-6/08/$25.00 © 2008 IEEE

Malware Self Protection Mechanism

Capt (R) Syed Nasir Alsagoff Computer Science Lecturer

Faculty of Science and Defence Technology National Defence University of Malaysia

[email protected]

Abstract

Any software that can disrupt the operation of the PC, such as a virus, worm or spyware, can be defined as malware. With the advent of the Internet and removable drives, the spread of malware is fast and unstoppable. Even with the latest, fully updated antimalware software, there are cases where the malware cannot be automatically removed, as Malware Writers are constantly trying to defeat and hinder the latest antimalware with Malware Self Protection Mechanisms. There are various methods of manually removing malware to cope with this problem, so Malware Writers also have to design the Malware Self Protection Mechanism against the Manual Malware Remover. This paper explains the various methods of malware self protection mechanism.

1. Introduction

1.1 What is malware?

Malware, or Malicious Software, refers to various types of software that can damage or disrupt your computer [3]. It is usually installed without the user's knowledge or approval.

1.2 Various types of malware [1]

• A Virus malware is an application that spreads and replicates by injecting its code into other files on a computer. It is also called a file infector malware. A few years ago the virus was the dominant malware, but it has since been overtaken by the worm; the virus has since made a comeback. The manual method of malware removal described here will not work on virus malware.

• A Worm malware is like a virus but does not infect other files in order to replicate and spread itself to other computers. It is self contained and uses the network and Internet to spread itself.

• A Macro malware is merely a script that embeds itself in macro enabled files such as Microsoft Word or Microsoft Excel. Once the file is opened by the application, the script is executed. This type of malware is extremely rare.

• A Trojan horse malware is simply a program that appears harmless and, once executed, performs a task other than expected. The two important types are:

o Backdoor Trojan: The Trojan opens some type of alternate entry into your computer and allows the intruder to take control of your computer for malicious purposes.

o Keylogger Trojan: This Trojan monitors the keystrokes you make, records them and sends the recording to the intruder. The keylogger Trojan is usually used for information stealing.

• An Adware malware is an application that displays ads. It will do this by displaying popup ads, inserting ads into web pages that should not have them, adding search bars to your web browser or even to your operating system, or other similar annoying behaviours such as displaying pornographic ads.


• A Spyware malware is an application that passively monitors your computer usage and then reports it back to the company that designed it. It will normally monitor such things as web viewing habits, what type of programs you have installed, what games you play most often, your favourite choice in music, etc.

• A Rootkit malware [2] is a malware that runs hidden on your computer. A Rootkit is the set of software tools intended to conceal running processes, files or system data. By hiding itself, the malware can maintain access to a system whilst avoiding detection.

• A Rogue antimalware is a malware that looks and acts like regular antimalware. These products do not provide reliable antimalware protection or may be prone to many false positives. They also use unfair, deceptive, high pressure sales tactics to get non-IT literate buyers to purchase certain products.

1.3 Problems with antimalware

All current antimalware software uses a blacklist approach to combating malware. This means the antimalware has a database of “bad” files and processes. This database file is also known as the signature file of the antimalware. The antimalware will not detect any new malware if the signature file has not been updated. The weakness is that the signature file must always be updated, as thousands of new malware samples appear every day. In addition, an Internet connection is necessary for the update process to occur. Even with an Internet connection present, the signature file is quite large. It takes some time for the signature file to be updated and, during that time, the malware is still fully functional and spreading malevolence, as is the nature of malicious software [10].

2. Malware

There are several reasons why Malware Writers write malware [1]:

• Fascination with technology
• Graffiti
• Revenge
• Ideology
• Malware battles
• Warfare and espionage
• Fame
• Commercial sabotage
• Extortion
• Commercial gain

The most common reasons why Malware Writers write are fame, commercial sabotage, extortion and commercial gain. It is for these four reasons that Malware Writers design and develop a Malware Self Protection Mechanism into their creation.

2.1 Why is malware self protection mechanism necessary for malware writers?

A Malware Writer will want for his or her creation to maintain its presence in the host PC for as long as possible. There are several reasons depending on the types of malware:

• In the case of worms and viruses, it can spread to more host PCs.

• In the case of adware and spyware, it can monitor the host PC longer.

• In the case of Trojan horses, it can maintain control of the host PC longer.

By spreading to more host PCs, Malware Writers can gain more fame and notoriety for their exploits.

By maintaining its presence on the host PC, adware, spyware and Trojan horses will result in more financial gain for the Malware Writers. More and more Malware Writers are being paid for their creations by companies looking to either spam (either to or from), extort, spy or display ads on users’ PCs [5]. The more PCs that are infected, the more the Malware Writers get paid.

As mentioned above, Malware Writers will want their creation to maintain its presence in the host PC as long as possible. Malware Self Protection Mechanism will:

• prevent examination of the inner working of the malware by the Antimalware Software Researcher;

• prevent detection and removal by antimalware software;

• prevent manual detection and removal by the user;

• entice the user of the PC to execute the malware file.

Here the Malware Writer will have to take into consideration four types of users when trying to develop the Malware Self Protection Mechanism.


• Antimalware Software Researcher
• Normal users
• Expert users
• Expert users skilled in the art of manually removing malware (Manual Malware Remover)

The most important users to take into consideration are the Antimalware Software Researcher and the Manual Malware Remover.

The first type of user is the Antimalware Software Researcher. In her article, “The evolution of self-defense technologies in malware”, Alisa Shevchenko gave a good insight into how Malware Writers have evolved over the years to defeat the latest antimalware solutions and the Antimalware Software Researchers.

2.2. Malware self protection mechanism (against antimalware software researcher)

In [8], Shevchenko mentioned 4 functions of the Malware Self Protection Mechanism.

Malware Self-Protection Mechanism will:

• hinder detection of a virus using signature-based methods;

• hinder analysis of the code by the Antimalware Software Researcher;

• hinder detection of a malicious program in the system;

• hinder the functionality of security software such as antivirus programs and firewalls.

Figure 1 below shows several methods and techniques of Malware Self Protection Mechanism.

Figure 1. Malware Self Protection Scatter Plot [8]

2.3. Antimalware software researcher

An Antimalware Software Researcher will get the sample malware through several methods:

• Honeypots are unsecured and unpatched systems designed to attract malware attacks and infections [6].

• Internet gateways designed to filter and capture malware.

• Captured by antimalware software as suspicious files.

• Sent in by other users [7].

Once the Antimalware Software Researcher gets the suspicious file, he or she will need to study it. The reasons are as follows:

• To ensure that the file is not a duplicate of an existing malware in the database.

• To check if the file is an updated version of an older malware i.e. same malware but in different form.

• To reverse engineer the file i.e. to check on its inner working, how it infects the host and how it spreads.

• To identify any significant identification mark of the malware that can be used in the signature file of the antimalware.

As antimalware research is a cat and mouse game between the Antimalware Software Researcher and Malware Writers, the tools and techniques of the Antimalware Software Researcher are closely guarded secrets.

There are two methods which are most likely used by the Antimalware Software Researcher to examine the malware:

• By comparing the before and after states of a clean host around an infection. From here, the Antimalware Software Researcher can gain some insight into the nature of the malware. The things to look for are [9]:

o Files added and deleted
o Files changed
o Registry settings added and deleted
o Processes added and deleted
o Network traffic activities

• From the list of files added or changed, the Antimalware Software Researcher can reverse engineer the malware [9].
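The before/after comparison just described, as an added example (not the paper's own tooling): two constructed host snapshots are diffed into the categories the paper lists, and registry values that changed in place are reported as well. All paths, file contents and registry values are constructed for illustration.

```python
from dataclasses import dataclass, field
import hashlib


@dataclass
class Snapshot:
    files: dict       # file path -> hex digest of the file content
    registry: dict    # "hive\\key\\value name" -> data
    processes: set    # image names of running processes


@dataclass
class Delta:
    """The paper's categories for a before/after comparison, plus changed registry values."""
    files_added: set = field(default_factory=set)
    files_deleted: set = field(default_factory=set)
    files_changed: set = field(default_factory=set)
    registry_added: set = field(default_factory=set)
    registry_deleted: set = field(default_factory=set)
    registry_changed: set = field(default_factory=set)
    processes_added: set = field(default_factory=set)
    processes_deleted: set = field(default_factory=set)


def file_hash(content: bytes) -> str:
    """Content hash stored in a snapshot so that in-place modifications show up as changed."""
    return hashlib.sha256(content).hexdigest()


def _diff_mapping(before: dict, after: dict):
    """Return (added, deleted, changed) key sets for two path -> value mappings."""
    added = set(after) - set(before)
    deleted = set(before) - set(after)
    changed = {k for k in set(before) & set(after) if before[k] != after[k]}
    return added, deleted, changed


def compare(before: Snapshot, after: Snapshot) -> Delta:
    """Diff the clean-host snapshot against the post-infection snapshot."""
    d = Delta()
    d.files_added, d.files_deleted, d.files_changed = _diff_mapping(before.files, after.files)
    d.registry_added, d.registry_deleted, d.registry_changed = _diff_mapping(
        before.registry, after.registry)
    d.processes_added = after.processes - before.processes
    d.processes_deleted = before.processes - after.processes
    return d


def report(d: Delta) -> list:
    """Flatten a Delta into sorted 'category: item' lines, in field order, for the researcher."""
    return [f"{c}: {item}" for c, items in vars(d).items() for item in sorted(items)]


# Constructed sample snapshots (hypothetical paths, contents and values) modelled on the paper's
# svchost.exe / scvhost.exe example. Network traffic, the fifth item in the list, is not modelled.
RUN_KEY = r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
BEFORE = Snapshot(
    files={
        r"C:\Windows\system32\svchost.exe": file_hash(b"constructed: legitimate svchost image"),
        r"C:\Windows\system32\drivers\etc\hosts": file_hash(b"127.0.0.1 localhost\n"),
    },
    registry={RUN_KEY + r"\VendorUpdater": r"C:\Program Files\Vendor\updater.exe"},
    processes={"svchost.exe", "explorer.exe", "winlogon.exe"},
)
AFTER = Snapshot(
    files={
        r"C:\Windows\system32\svchost.exe": file_hash(b"constructed: legitimate svchost image"),
        r"C:\Windows\system32\drivers\etc\hosts": file_hash(
            b"127.0.0.1 localhost\n0.0.0.0 update.av-vendor.example\n"),  # edited to block updates
        r"C:\Windows\system\scvhost.exe": file_hash(b"constructed: file dropped by the infection"),
    },
    registry={
        RUN_KEY + r"\VendorUpdater": r"C:\Program Files\Vendor\updater.exe",
        RUN_KEY + r"\SecurityUpdate": r"C:\Windows\system\scvhost.exe",  # new startup point
    },
    processes={"svchost.exe", "explorer.exe", "winlogon.exe", "scvhost.exe"},
)

if __name__ == "__main__":
    for line in report(compare(BEFORE, AFTER)):
        print(line)
```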


In order to examine the malware, the Antimalware Software Researcher will have to reverse engineer the file. Here, the Antimalware Software Researcher has to blindly reverse engineer the malware, as the purpose and functionality of the malware are still unknown [9].

2.4. Defeating the antimalware software researcher

There are several methods of defeating the Antimalware Software Researcher. They are [8]:

• Polymorphism – This means that the malware can change its form while at the same time retaining its original ability. This is to avoid detection by the antimalware software and also to hinder the ability of the Antimalware Software Researcher to generate the signature of the malware.

• Obfuscation/Encryption/Packing - The body of the malware is encrypted or scrambled to deter analysis by the Antimalware Software Researcher. Packing here means to compress the executable to make the file size smaller. One side effect to packing the file is that the content will also be scrambled.

• Stealth/Rootkit – As mentioned in 1.2 above, rootkit or stealth malware is integrated with the operating system allowing for it to hide its presence.

Figure 2. Comparison of normal BOOT.INI against a packed (zip) BOOT.INI file

Once the Antimalware Software Researcher has conducted the proper analysis on the malware, and if it is not a duplicate of a previous malware, the signature file of the antimalware can be updated to include the signature of the latest malware. The antimalware will also need to be tested to ensure that it counters the malware with the latest signature file [7].

To make matters worse, the Antimalware Software Researcher might not be working on just one malware as each day hundreds and even thousands of malware programmes are released to the wild.

2.5. Manual removal of malware.

As mentioned above in 1.3, current antimalware solutions are not 100% effective. The time taken from the conception of the malware to the time the signature file is released to the public might be days. During that time, depending on the type of malware propagation, the spread is still ongoing, and once the malware has infected a host, the Self Protection Mechanism of the malware will try to prevent its removal.

In [8], Shevchenko mentioned the ways that Malware Writers try to hinder and defeat Antimalware Software Researcher and antimalware software.

Because of the delay in getting the signature of the antimalware out, antimalware protection is not 100% effective. To cope with this problem, more and more expert users take matters into their own hands and try to remove the malware themselves.

Because of that, many methods of manual removal of malware are available [10] and Malware Writers have to cater to users who can manually remove malware.

Indeed, as evidenced by the complexity and high number of Malware Self Protection Mechanisms against the Manual Malware Remover below, Malware Writers are taking the threat of the Manual Malware Remover very seriously.

2.6. Difference between an antimalware software researcher and manual malware remover

A Manual Malware Remover does not need to know what type or even the name of the malware that has infected the system. The Manual Malware Remover only needs to [10]:

• Step 1 - Terminate malware process - This first step is important as if the malware is not running, it is rendered harmless. If the malware is still running, the Malware Self Protection Mechanism is still active protecting the malware. If Step 1 is not successfully done, Step 2 and 3 below cannot occur.

• Step 2 - Remove malware startup - In order for the malware to run, there must be some point where it is started. The malware will latch on to a Windows OS startup point to start itself when the computer is booted. Removing the startup point will render the malware harmless when the computer is booted.

• Step 3 - Remove malware files – The malware process must first be terminated before the malware files can be removed.

2.7. Malware self protection mechanism (against manual malware remover)

The malware needs to be running for it to be harmful to the host. The Malware Writer will need to cater to the 3 steps in 2.6 above to design and develop the Malware Self Protection Mechanism. If the malware is running, it can prevent the 3 steps above from ever happening. The malware itself will be responsible for its own safety and protection.

2.8 Malware self protection mechanism (step 1 – terminate malware process)

• Terminate Any Antimalware [4]. The malware will actively seek out and terminate any known antimalware process, such as Norton Antivirus or Kaspersky, to prevent itself from being detected and removed.

• Disguised Executable. The Manual Malware Remover will miss locating the malware due to the disguised executable.

o The malware will use legitimate sounding names such as securityupdate.exe or serverstart.exe.

o It might also use a name that is slightly different from a real legitimate file, e.g. svchost.exe (real) to scvhost.exe (false).

o It may also use a name that is the same as a legitimate file but in the wrong folder, e.g. svchost.exe (real) is in <windows folder>\system32 while svchost.exe (false) is running in <windows folder>\system.

• Protected Processes. There are processes that are protected by the OS. The OS will not let the process be “easily” terminated, as terminating the process might affect the system. If one tries to stop a protected process using the Windows Task Manager, the message in Figure 3 will be shown. These are examples of protected processes:

o System services
o Applications started using the WINLOGON.EXE process
o Windows critical processes
o Dynamic-link library (DLL) processes - DLL processes are not seen by the Windows Task Manager
o Driver processes [4] - The driver processes are not seen by the Windows Task Manager

Figure 3. Protected System Processes

• Windows Task Manager Security Flaw. Due to a security design flaw in the Windows Task Manager [10], there are a number of executable processes that cannot be terminated. These filenames are hard-coded into Windows Task Manager itself, and are names that many malwares use to run their processes. Some protected processes are CSRSS.EXE, LSASS.EXE, MSTASK.EXE, SMSS.EXE, and SPOOLSV.EXE. As mentioned before, the protected processes must be running so that the OS can function properly. The malware cannot replace the protected processes but will load processes with the same names from a different location on the hard disk.

• Disable Task Manager. The malware can just make a simple change to the registry to disable the Windows Task Manager.

• Disable Renaming of the Malware. If the malware cannot be terminated, one method that can be used to stop it from starting is to rename the malware executable, i.e. from scvhost.exe to scvhost.vir. Hopefully, using this method, the malware will not be able to start itself upon Windows restart. However, the malware will detect the renaming and rename itself back.

• Malware Support File. More than one malware process can be running at the same time, supporting each other. It means that if one malware process is terminated, the other supporting malware processes can restart it. This is important, as usually the Manual Malware Remover can only terminate one malware process at a time.
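A defender's check for the Disguised Executable and Windows Task Manager Security Flaw tricks above, added here and not part of the paper: each running process is compared against a small table of known Windows process names and their expected folders, flagging names one edit away from a system process name and known names running from the wrong folder. The table and the process list are constructed assumptions for illustration, not a complete Windows inventory.

```python
import ntpath

# Known Windows process image names and the folder each is expected to run from.
# This table is an assumption for illustration, not a complete inventory of Windows.
EXPECTED_LOCATION = {
    "svchost.exe": r"c:\windows\system32",
    "csrss.exe": r"c:\windows\system32",
    "lsass.exe": r"c:\windows\system32",
    "smss.exe": r"c:\windows\system32",
    "spoolsv.exe": r"c:\windows\system32",
    "winlogon.exe": r"c:\windows\system32",
    "explorer.exe": r"c:\windows",
}


def osa_distance(a: str, b: str) -> int:
    """Optimal string alignment distance: one edit is an insert, delete, substitution
    or swap of two adjacent characters, so svchost and scvhost are one edit apart."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


def inspect_process(name: str, path: str) -> list:
    """Findings for one running process; an empty list means neither trick was seen."""
    findings = []
    lname = name.lower()
    folder = ntpath.dirname(path).lower()  # ntpath so Windows paths parse on any OS
    if lname in EXPECTED_LOCATION:
        # Right name: the only question is whether it runs from the expected folder.
        expected = EXPECTED_LOCATION[lname]
        if folder != expected:
            findings.append(f"{name} runs from {folder}, expected {expected}")
    else:
        # Unknown name: is it a near-miss of a system process name?
        for known in EXPECTED_LOCATION:
            if osa_distance(lname, known) <= 1:
                findings.append(f"{name} is one edit away from system process {known}")
    return findings


def scan(processes) -> dict:
    """Map image path -> findings for every process that triggered at least one check."""
    result = {}
    for name, path in processes:
        findings = inspect_process(name, path)
        if findings:
            result[path] = findings
    return result


# Constructed process list (hypothetical), mirroring the svchost.exe examples above.
SAMPLE_PROCESSES = [
    ("svchost.exe", r"C:\Windows\system32\svchost.exe"),  # legitimate
    ("scvhost.exe", r"C:\Windows\system32\scvhost.exe"),  # two letters swapped
    ("svchost.exe", r"C:\Windows\system\svchost.exe"),    # right name, wrong folder
    ("lsass.exe", r"C:\Windows\system32\lsass.exe"),      # legitimate
    ("notepad.exe", r"C:\Windows\system32\notepad.exe"),  # unrelated, not flagged
]

if __name__ == "__main__":
    for path, findings in scan(SAMPLE_PROCESSES).items():
        print(path, "->", "; ".join(findings))
```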

2.9. Malware self protection mechanism (step 2 – remove malware startup)

• Disguised Startup Point. This method works the same way as the Disguised Executable mechanism in 2.8 above. The Manual Malware Remover will miss locating the malware startup due to the disguised startup.

• Multiple Startup Point. There are more than 40 various startup points in the Windows OS [10]. The Malware Writer can create multiple startup points of the malware. If one or more startup points are removed, the other undetected startup points can continue starting the malware. If the malware is started, it can then recreate all the original startup points.

• Startup Point Protection. If the malware startup point is removed and if the malware process is still not terminated, the Malware Self Protection Mechanism will recreate the malware startup point immediately.

• Disable Registry Editor. The malware can just make a simple change to the registry to disable the Windows Registry Editor. The Windows Registry Editor can be used to remove the malware startup. Figure 4 shows a disabled Windows Registry Editor.

Figure 4. Disabled Registry Editor

• Disable Various Malware Startup Remover Utilities. As mentioned in [10], popular malware startup remover utilities include AUTORUNS and HIJACKTHIS. The malware will detect the utility and terminate the application. One method to overcome this is to rename the utility to something else, such as AR.EXE for AUTORUNS or HJT.EXE for HIJACKTHIS. This method only works if the malware scans the names of the running processes. The renaming method will not work if the malware scans for the title of the application’s window, as in Figure 5. For this reason it is important that Step 1, terminating the malware process, be done first and completed successfully.
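A startup-point audit in the spirit of Step 2, added here as an example rather than the paper's method: it parses a constructed Windows Registry Editor (.reg) export of Run and RunOnce keys and flags targets that run from outside an assumed set of trusted folders or that are registered at more than one startup point, covering the Disguised Startup Point and Multiple Startup Point cases above. The key names in the sample are real Windows startup locations; the entries and the trusted-folder list are constructed for illustration.

```python
import re

# Folders from which a startup entry is considered expected (assumed for illustration).
TRUSTED_PREFIXES = ("c:\\windows\\system32\\", "c:\\program files\\", "c:\\program files (x86)\\")

# "name"="data" with .reg escaping: a backslash escapes the next character.
_VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')


def _unescape(s: str) -> str:
    r"""Undo .reg string escaping: \" becomes " and \\ becomes a single backslash."""
    return s.replace('\\"', '"').replace("\\\\", "\\")


def parse_reg_export(text: str) -> list:
    """Return (key, value name, data) for every string value in a .reg export.
    Non-string values (dword:, hex:) are skipped as they cannot be command lines."""
    entries, key = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            continue
        m = _VALUE_RE.match(line) if key else None
        if m:
            entries.append((key, _unescape(m.group(1)), _unescape(m.group(2))))
    return entries


def startup_target(command: str) -> str:
    """Executable path from a Run value: the quoted part, or the text before the first space."""
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split(" ", 1)[0]


def audit_startup(reg_text: str) -> dict:
    """Group startup entries by target and flag untrusted folders and repeated targets.
    Returns {normalized target path: (list of 'key\\name' startup points, list of notes)}."""
    by_target = {}
    for key, name, data in parse_reg_export(reg_text):
        target = startup_target(data).lower()
        by_target.setdefault(target, []).append(key + "\\" + name)
    findings = {}
    for target, points in by_target.items():
        notes = []
        if not target.startswith(TRUSTED_PREFIXES):
            notes.append("runs from an untrusted folder")
        if len(points) > 1:
            notes.append(f"registered at {len(points)} startup points")
        if notes:
            findings[target] = (points, notes)
    return findings


# Constructed .reg export (hypothetical entries) in the format Windows Registry Editor writes.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"VendorUpdater"="\"C:\\Program Files\\Vendor\\updater.exe\" /quiet"
"SecurityUpdate"="C:\\Windows\\system\\scvhost.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"serverstart"="C:\\Windows\\system\\scvhost.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"cleanup"="C:\\Users\\Public\\securityupdate.exe -s"
"Flag"=dword:00000001
'''

if __name__ == "__main__":
    for target, (points, notes) in audit_startup(SAMPLE_REG).items():
        print(target, "->", "; ".join(notes))
        for point in points:
            print("    ", point)
```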

Figure 5. HIJACKTHIS Window

2.10. Malware self protection mechanism (step 3 – remove malware file)

• Disguised Executable. This method works the same way as the Disguised Executable mechanism in 2.8 above. The Manual Malware Remover will miss removing the file.

• User Enticement. The extension of any file must be checked to ensure that it is safe. One method of getting the user to execute the file is to make the file look like a non-executable file. Windows Explorer hides known file extensions such as EXE and DOC. When the user sees the file names below, he or she will think they are just JPG or PDF files and execute them. An example is renaming the malware with the following names:

o bestpicture.jpg.exe
o awesomegirl.pdf.exe

Another trick of the Malware Writer is for the malware to spawn itself with the name of a folder on the host, using the folder icon as its own icon. It will then hide the original folder. When the user tries to open the folder, he or she will inadvertently execute the malware. Figure 6 shows a malware disguised as a folder. (Hint: the ATI folder is the disguised malware.)

Figure 6. Malware Disguised as a Folder

• Hidden, Read-Only and System File. One of the Malware Self Protection Mechanism methods is to change the file attributes to hidden, read-only and system. Files with the hidden and system attributes will not show up in Windows Explorer, while an attempt to manually delete files with the system attribute will be deterred by the automatic warning message generated by the Windows OS. Files with the read-only attribute will not be allowed to be deleted by the Windows OS. There is also no option to display system files in Windows Explorer. In cases like this, the attributes of the files can be manually removed using the command prompt. At the folder where the file is located (assuming the user knows where the file is and what the file name is), type:

o attrib -s -h -r filename

o The “-s” will remove the system attribute of the file while the “-h” and “-r” will remove the hidden and read-only attributes of the file.

• Disable option to display hidden files in Windows Explorer. Another method of Malware Self Protection Mechanism is to disable the ability of Windows Explorer to display hidden files. If the malware process is active, it will automatically reset the registry setting that displays hidden files and folders.

• Protected Executable. If the malware is still running, it cannot be deleted, as part of the Windows OS protection. To overcome this, the malware can be renamed, assuming that the malware does not have any rename protection. This is the same concept as the malware rename protection in 2.8. Also, if any of the malware support files is running, it might not allow the deletion of the malware file even if the main malware process has been terminated.

3. Conclusion

In conclusion, as long as users are using the PC, the cat and mouse game between Malware Writers, the Antimalware Software Researcher and the Manual Malware Remover will continue. As time goes on, more and more expert, financially motivated Malware Writers will appear, designing and developing more complex and well protected malware. To overcome this, the Antimalware Software Researcher and the Manual Malware Remover will need to be alert and keep their skills and knowledge up to par with the other side. Hopefully, when the time comes, the “good guys” will be up to the task.

4. References

[1] J. Aycock, Computer Viruses and Malware, Springer, New York, 2006, pp. 11-18.

[2] S. Sparks and J. Butler, "Shadow Walker - Raising The Bar For Rootkit Detection," DefCon 13, July 29-31, 2005, http://www.blackhat.com/presentations/bh-jp-05/bh-jp-05-sparks-butler.pdf

[3] E. Tittel, PC Magazine Fighting Spyware, Viruses, and Malware, Wiley Publishing, Inc., Indianapolis, 2005, pp. 9, 26, 45-57.

[4] P. Szor, The Art of Computer Virus Research and Defense, Addison Wesley Professional, Maryland, 2005, ch. 5.7, 6.2-6.3.

[5] P. Piccard and J. Faircloth, Combating Spyware in the Enterprise, Syngress, July 1 2006, pp. 42, 202-222, 213.

[6] M. Overton, "Worm Charming: Taking SMB Lure to The Next Level," Proceedings of the 13th International Virus Bulletin Conference.

[7] P. Ferrie and F. Perriot, "Detecting complex viruses," SecurityFocus, 6 December 2004.

[8] A. Shevchenko, "The evolution of self-defense technologies in malware," VirusList, 28 Jun 2007.

[9] E. Skoudis and L. Zeltser, Malware: Fighting Malicious Code, Prentice Hall PTR, 28 Nov 2003, Chapter 11.

[10] S. N. Alsagoff, "Removal Of Malware Without The Use Of Antimalware Software," PECAMP 08, 18 Mar 2008.