
Page 1: Understanding Malware: Spyware, Viruses and Rootkits Steve Lamb IT Pro Evangelist for Security Technologies stephlam@microsoft.com

Understanding Malware: Spyware, Viruses and Rootkits

Steve Lamb

IT Pro Evangelist for Security Technologies

[email protected]

http://blogs.technet.com/steve_lamb

Copyright © 2005 Mark Russinovich

Page 2

Scope

What this talk covers:

– Types of malware

– How malware propagates and works

– How to detect and prevent malware

What it doesn’t:

– Phishing

– Product reviews and comparisons

– General security information

– How to write malware

Page 3

Agenda

The Malware problem

Spyware, adware and trojans

Viruses

Rootkits

Running as non-admin

Conclusion

Page 4

Is Anyone After You?

Page 5

Know Your Adversary

Page 6

Spyware is Rampant

We’ve all cleaned malware off the computers of family and friends

EarthLink found an average of 28 spyware programs on their customer systems

Spyware is the cause of 2 of every 5 home user and 1 of every 4 corporate customer service calls

Page 7

The Growing Threat (1)

1403 new vulnerabilities discovered in Q3 2004/Q1 2005

– 13% increase over the previous 6 months

– 97% rated as moderately or highly severe

– 80% remotely exploitable

– 70% “easy” to exploit

7630 new worms and viruses discovered in 2H 2004

– 64% increase over the previous 6 months

54% of malware created in 2H 2004 exposes confidential information

– Up from 44% in the previous 6 months

(1) Symantec March 2005 Internet Security Threat Report

Page 8

There’s a Sense of Complacency

Many users expect to get spyware and adware as part of freeware

Lots of unpatched systems

– The top five reported exploited corporate computer vulnerabilities have had patches available for months

– According to CERT, 95% of security breaches use known vulnerabilities

– As of March 2005 less than ¼ of corporate Windows XP users had applied SP2

Page 9

Fighting Malware: A Top Priority

Interferes with productivity

Causes a constant support burden

Opens the door to financial and corporate data theft

It’s a matter of time before there’s a major terrorist incident in cyberspace

Understanding malware is the key to fighting it

Page 10

Agenda

The Malware problem

Spyware, adware and trojans

Viruses

Rootkits

Running as non-admin

Conclusion

Page 11

Definitions

Adware:

– Software that delivers ads through banners and popups

Spyware:

– Gathers information without consent

– Sends the information to 3rd parties without notification

– Changes behavior, look, or feel without consent

– Spyware is often combined with adware

Trojan:

– Malware disguised as harmless software

Page 12

How It Gets Delivered

By e-mail invitation or attractive attachment

– Fake Microsoft security bulletins

– See http://www.microsoft.com/security/incident/authenticate_mail.mspx

– Pictures

Piggy-backed on software installs

Page 13

How It Gets Delivered (cont’d)

Drive-by downloads

– Users get tricked by misleading ActiveX certificates

– IE in Windows XP SP2 has clearer notifications

Popups and other tricks

– Lots of third-party popup blockers

– IE in Windows XP SP2 has a blocker

– Banners and “pop-overs” can still trick users

Page 14

Preventing Spyware, Adware and Trojans

Disable all active content in IE

– This can prevent certain sites from working

  – For example, Windowsupdate.com

Always use the close button (‘X’) of a popup window to close it

Only download from reputable sites that certify software as being virus free

Use antispyware

Page 15

Antispyware

Antispyware utilities, like antivirus, both scan for and block spyware

Scanning relies on:

– A spyware signature database

– File scanning

– A remediation database

  – It’s an after-the-fact solution

Spyware blocking relies on detecting spyware installation when it happens

Page 16

Inside Spyware Blocking

Microsoft Antispyware (MSAS) includes “real-time protection”:

Page 17

MSAS Real-Time Protection

MSAS scans spyware startup points in the file system and registry every 10 seconds

Page 18

MSAS Blocking

When it sees a new entry it pops up a notification window

Choosing “block” results in MSAS deleting the new entry

Page 19

Manual Cleaning

You should know how to identify potential malware and clean it

– Antispyware (AS) only addresses known spyware

– AS can be attacked directly by spyware

– A system might not have AS

Tools for cleaning and investigating what’s running and what’s configured to run (all from www.sysinternals.com)

– Autoruns

– Process Explorer

– Sigcheck

Page 20

Investigating Autostarts

Windows XP Msconfig (Start->Run->Msconfig) falls short when it comes to identifying autostarting applications

– It knows about few locations

– It provides little information

Page 21

Autoruns

Shows every place in the system that can be configured to run something at boot & logon

– Services

– Tasks

– Explorer and IE addins (toolbars, browser helper objects, …)

Shows full path and version information of startup image

Easy Web search

Easy to focus on non-Microsoft code (Hide Signed Microsoft Entries)

Can also show empty locations

– Informational only

Includes command-line version

– Easy to script

– Collect profile of systems in network
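The MSAS real-time protection described earlier (a scan of the autostart locations every 10 seconds, with any new entry flagged for blocking) and the network-wide profile collection on this slide both come down to the same operation: diff two autostart snapshots, then apply the slide’s “focus on non-Microsoft code” view and the suspicious-process heuristics to what is new. The Python below is an added example, not Sysinternals or Microsoft code; the CSV columns location, entry, image_path, signer, description, company are an assumed simplified export format, and both snapshots are constructed.

```python
"""Diff two autostart snapshots and triage the new entries.

Added example, not Sysinternals or Microsoft code. The CSV format with the
columns location,entry,image_path,signer,description,company is an assumed,
simplified export; both snapshots below are constructed.
"""
import csv
import io
import ntpath  # Windows path handling regardless of the host OS

# Constructed: autostart entries recorded on a known-clean machine.
BASELINE_CSV = """location,entry,image_path,signer,description,company
HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run,ctfmon,C:\\Windows\\System32\\ctfmon.exe,Microsoft Windows,CTF Loader,Microsoft Corporation
Services,Spooler,C:\\Windows\\System32\\spoolsv.exe,Microsoft Windows,Print Spooler,Microsoft Corporation
"""

# Constructed: the same locations scanned again a little later.
SNAPSHOT_CSV = """location,entry,image_path,signer,description,company
HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run,ctfmon,C:\\Windows\\System32\\ctfmon.exe,Microsoft Windows,CTF Loader,Microsoft Corporation
Services,Spooler,C:\\Windows\\System32\\spoolsv.exe,Microsoft Windows,Print Spooler,Microsoft Corporation
HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run,svchost32,C:\\Windows\\svchost32.exe,,,
HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run,updater,C:\\Program Files\\Acme\\updater.exe,Acme Software Inc,Acme Updater,Acme Software Inc
"""


def load_entries(text):
    """Parse a CSV export into {(location, entry): row}."""
    return {(row["location"], row["entry"]): row
            for row in csv.DictReader(io.StringIO(text))}


def new_entries(baseline, snapshot):
    """Entries in the snapshot but not in the baseline: what real-time blocking reacts to."""
    return [row for key, row in snapshot.items() if key not in baseline]


def suspicion_reasons(row):
    """Apply the slide's heuristics: unsigned, no description or company, lives directly in \\Windows."""
    reasons = []
    if not row["signer"]:
        reasons.append("unsigned")
    elif "microsoft" not in row["signer"].lower():
        reasons.append("not signed by Microsoft")  # the Hide Signed Microsoft Entries view
    if not row["description"] and not row["company"]:
        reasons.append("no description or company name")
    if ntpath.dirname(row["image_path"]).lower() == "c:\\windows":
        reasons.append("lives directly in the Windows directory")
    return reasons


def triage(baseline_text, snapshot_text):
    """Return (entry, image path, reasons) for every entry that is new since the baseline."""
    baseline = load_entries(baseline_text)
    snapshot = load_entries(snapshot_text)
    return [(row["entry"], row["image_path"], suspicion_reasons(row))
            for row in new_entries(baseline, snapshot)]


if __name__ == "__main__":
    for entry, image, reasons in triage(BASELINE_CSV, SNAPSHOT_CSV):
        print(f"NEW  {entry:<12} {image}  -> {', '.join(reasons) or 'nothing unusual'}")
```

Run the comparison on a timer against the previous snapshot to get the blocking behaviour, or against a stored clean baseline from each machine to get the network profile. Entries that collect several reasons at once (unsigned, anonymous, dropped straight into \Windows) are the ones to investigate first; a lone “not signed by Microsoft” on a known vendor path is normally just third-party software.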

Page 22

Autoruns (cont’d)

Page 23

Investigating Processes

Task Manager provides little information about images that are running

Page 24

Process Explorer

Allows deep exploration of processes

– Process tree

– Command-line

– Full path

– Version information

– Strings

– Code signing verification

– Loaded DLLs

– Window finder

– Easy Web search

Suspicious processes:

– No description or company name

– Live in Windows directory

– No icon

– Strange URLs in the strings

Includes process comment support for baselining

Page 25

Process Explorer (cont’d)

Page 26

Cleaning

Identify malware processes with Process Explorer

– Suspend and then kill them

Identify malware autostarts with Autoruns

– Remove them

Delete malware files and directories from disk

Page 27

Cleaning a Malware Infestation with…

• Microsoft antispyware

• Autoruns

• Process Explorer

Page 28

Code Signing

All (well, most) Microsoft code is digitally signed

– Hash of file is signed with Microsoft’s private key

– Signature is checked by decrypting signed hash with the public key

Autoruns and Process Explorer both check signatures

Use Sigcheck to scan executable images for signatures

– Scan your entire system (at least \Windows)

– Investigate all unsigned images

– Maybe check signed image signers as well…

Page 29

Sigcheck

Command to display information on unsigned executable images:

sigcheck -e -u -s c:\

Page 30

Agenda

The Malware problem

Spyware, adware and trojans

Viruses

Rootkits

Running as non-admin

Conclusion

Page 31

Definitions

Virus

– Recursively replicates itself

Worm

– Virus that replicates on the network, usually automatically (mass mailer worms are an exception)

– I’ll use “virus” to refer to both viruses and worms

Exploit

– Code that targets one or more security vulnerabilities to gain access to a system

Payload

– Virus body

Zero-Day attack

– Virus that exploits undisclosed vulnerability

Page 32

Antivirus

Scans files for viruses

Scanning relies on:

– A signature database

– File scanning

  – Includes virtual machine technology to unpack/decrypt virus code

– A remediation database

  – Either quarantines or cleans viruses

  – It’s an after-the-fact solution

On-access scanning detects viruses in newly created files

Page 33

Inside On-Access Scanning

[Diagram: an application in user mode opens a file; the antivirus filter driver, sitting above the file system driver in kernel mode, hands the file to the user-mode antivirus service, which checks it against the signature database]

1. AV filter intercepts application file open

2. Stops the I/O and lets the service scan the file

3. If the file contains a virus that can’t be cleaned, AV quarantines it and blocks the open
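The three steps above, as an added Python model rather than any antivirus product’s code: a volume object stands in for the file system driver, its open hook plays the filter driver, and a signature match plays the service. The signature database, the file contents and the “cleanable” flag on each signature are constructed for the illustration; the cleanable case strips the matched pattern and lets the open proceed, the other case quarantines the original and raises the error the application would see.

```python
"""Model of on-access antivirus scanning: a file-open hook scans the file
against a signature database, cleans what it can, and quarantines the rest
while blocking the open.

Added example, not the code of any antivirus product. The in-memory volume,
the signatures and the file contents are all constructed.
"""
import hashlib

# Constructed signature database: name -> (byte pattern, cleanable).
# 'cleanable' marks infections where removing the pattern restores the host file.
SIGNATURES = {
    "Example.Appender": (b"EXAMPLE-APPENDED-VIRUS-BODY", True),
    "Example.Overwriter": (b"EXAMPLE-OVERWRITER-STUB", False),
}


class AccessDenied(Exception):
    """The AV filter blocked the open (step 3)."""


class Volume:
    """In-memory stand-in for the file system driver with the AV filter above it."""

    def __init__(self, files):
        self.files = dict(files)   # path -> bytes, as the file system holds them
        self.quarantine = {}       # path -> (sha256 of original, original bytes)

    def scan(self, data):
        """The AV service's signature match (step 2): first hit, or None."""
        for name, (pattern, cleanable) in SIGNATURES.items():
            if pattern in data:
                return name, cleanable
        return None

    def open_file(self, path):
        """Step 1: intercept the open; step 2: scan; step 3: clean, or quarantine and block."""
        data = self.files[path]
        hit = self.scan(data)
        if hit is None:
            return data
        name, cleanable = hit
        if cleanable:
            cleaned = data.replace(SIGNATURES[name][0], b"")
            self.files[path] = cleaned
            return cleaned
        # Can't clean: keep the evidence (hash + bytes), remove the file, fail the open.
        self.quarantine[path] = (hashlib.sha256(data).hexdigest(), data)
        del self.files[path]
        raise AccessDenied(f"{path}: {name} quarantined, open blocked")

    def create_file(self, path, data):
        """Newly created files go through the same check; returns False if quarantined."""
        self.files[path] = data
        try:
            self.open_file(path)
        except AccessDenied:
            return False
        return True


# Constructed sample volume: one clean file, one cleanable infection, one not.
SAMPLE_FILES = {
    "C:\\docs\\report.doc": b"Quarterly numbers look fine.",
    "C:\\downloads\\tool.exe": b"MZ...program..." + b"EXAMPLE-APPENDED-VIRUS-BODY",
    "C:\\downloads\\pic.scr": b"EXAMPLE-OVERWRITER-STUB",
}


def open_all(volume):
    """Open every file once and record what the application would observe."""
    outcomes = {}
    for path in list(volume.files):
        before = volume.files[path]
        try:
            data = volume.open_file(path)
            outcomes[path] = "cleaned" if data != before else "clean"
        except AccessDenied:
            outcomes[path] = "blocked"
    return outcomes


if __name__ == "__main__":
    vol = Volume(SAMPLE_FILES)
    for path, outcome in open_all(vol).items():
        print(f"{outcome:<8} {path}")
    print("quarantined:", sorted(vol.quarantine))
```

The after-the-fact limitation from the previous slide is visible in the model: a file whose pattern is not in SIGNATURES is returned unchanged, so the signature feed, not the hook, decides what gets caught.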

Page 34

Preventing Viruses

AV is dependent on signatures

– Small outbreak might never get a signature

– Window of exposure between virus outbreak and signature update

Alternate prevention mechanisms are mandatory

– Firewalls and intrusion prevention

– Restrictions on what code executes

– Buffer overflow prevention

Page 35

Major Virus Outbreaks

Melissa – March 1999

– First major Windows network worm

– Spread as mass mailer that infected Word documents with a macro virus

Code Red – July 2001

– Exploited IIS buffer overflow vulnerability

– Infected 250,000 systems in 9 hours

– Planned DoS of www.whitehouse.gov

Nimda – September 2001

– 12 different propagation mechanisms

– Fastest and most effective worm to date

Page 36

Major Virus Outbreaks (cont’d)

Slapper – September 2002

– Injects through Apache SSL buffer overflow

– Builds peer-to-peer network for massive DoS attack

SQL Slammer – January 2003

– Exploits SQL Server buffer overflow

– Causes network flood

Blaster – August 2003

– Exploits DCOM RPC buffer overflow

– Executes DoS on Windowsupdate.com

Zotob – August 2005

– Exploits the following Microsoft Windows vulnerabilities:

– Plug and Play Buffer Overflow, Message Queuing Remote Buffer Overflow, Workstation Service Remote Buffer Overflow, ASN.1 Library Bit String Processing Variant Heap Corruption

Page 37

Buffer Overflow

[Diagram: the stack of Function 2, with its buffer growing toward the higher addresses where the return address into Function 1 is saved; virus data overflows the buffer, overwrites the return address, and the function “returns” into virus code]

The common theme of almost all major virus outbreaks is buffer overflow

Page 38

Buffer Overflow Protection

Visual Studio .NET includes /GS flag

– Inserts “canary” on stack that is checked on each function exit for integrity

– Requires code recompilation

– All OS code is compiled with this flag

Windows XP SP2 and Windows Server 2003 SP1 support Data Execution Prevention (DEP)

– Prevents code from executing in a memory page not specifically marked as executable

– Stops exploits that rely on getting code executed

Page 39

Data Execution Prevention

Relies on hardware ability to mark pages as non-executable

– AMD calls it NX (“No Execute”)

– Intel calls it XD (“Execute Disable”)

Processor support:

– Intel Itanium had this in 2001, but Windows didn’t support it until now

– AMD64 was the next to support it

– Then, AMD added Sempron (32-bit processor with NX support)

– Intel added it first with their 64-bit extension chips (Xeon/Pentium 4s with EM64T)

– More recently, Intel added it to their 32-bit processor line (anything ending in “J”)

Page 40

Data Execution Prevention (cont’d)

Attempts to execute code in a page marked no-execute result in:

– User mode: access violation exception

– Kernel mode: ATTEMPTED_EXECUTE_OF_NOEXECUTE_MEMORY bugcheck (blue screen)

Memory that needs to be executable must be marked as such using page protection bits
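The two mechanisms on these slides, the /GS canary checked at function exit and DEP’s refusal to execute from a page whose protection bits lack execute, as an added Python model of one stack frame and a two-entry page table. This is not compiler or Windows code. The frame layout follows the Buffer Overflow diagram (buffer at the lowest addresses, saved return address above it, canary in between); the canary value, the page numbers, the buffer size and the over-long input are constructed for the illustration.

```python
"""Model of a /GS stack canary and of DEP page protection bits.

Added example; models memory as a bytearray and pages as a small table, not
real Windows or compiler behaviour. Sizes, page numbers, the canary value and
the over-long input are constructed.
"""
import struct

BUFFER_SIZE = 16
CANARY_SIZE = 4
RET_SIZE = 4
CANARY = 0xCAFEBABE            # constructed; a real /GS canary is a per-process random value

STACK_PAGE = 0x1000            # constructed page holding Function 2's frame: read/write, no execute
CODE_PAGE = 0x2000             # constructed page holding Function 1's code: read/execute
PAGE_PROTECTION = {STACK_PAGE: "rw-", CODE_PAGE: "r-x"}
PAGE_MASK = ~0xFFF

FUNCTION1_RETURN = CODE_PAGE + 0x40   # where Function 2 should return into Function 1


class StackSmashDetected(Exception):
    """Raised when the canary check at function exit fails (what /GS does)."""


class AccessViolation(Exception):
    """Raised on an execute attempt from a non-executable page (what DEP does in user mode)."""


class Frame:
    """Stack of Function 2, lowest address first: [buffer][canary][saved return address]."""

    def __init__(self, return_address):
        self.mem = bytearray(BUFFER_SIZE + CANARY_SIZE + RET_SIZE)
        struct.pack_into("<I", self.mem, BUFFER_SIZE, CANARY)
        struct.pack_into("<I", self.mem, BUFFER_SIZE + CANARY_SIZE, return_address)

    def copy_unchecked(self, data):
        """strcpy-style copy: keeps writing upward past the buffer into canary and return address."""
        for i, byte in enumerate(data[:len(self.mem)]):
            self.mem[i] = byte

    def copy_checked(self, data):
        """Bounded copy: refuses input that does not fit the buffer."""
        if len(data) > BUFFER_SIZE:
            raise ValueError("input longer than buffer")
        self.mem[:len(data)] = data

    def saved_return(self):
        return struct.unpack_from("<I", self.mem, BUFFER_SIZE + CANARY_SIZE)[0]

    def function_exit(self):
        """/GS epilogue: verify the canary before trusting the saved return address."""
        if struct.unpack_from("<I", self.mem, BUFFER_SIZE)[0] != CANARY:
            raise StackSmashDetected("canary overwritten")
        return self.saved_return()


def execute(address):
    """DEP check: executing from a page without the execute bit raises an access violation."""
    protection = PAGE_PROTECTION.get(address & PAGE_MASK, "---")
    if "x" not in protection:
        raise AccessViolation(f"execute from non-executable page {address & PAGE_MASK:#x}")
    return address


def call_function2(data, bounds_checked):
    """Function 1 calls Function 2 with 'data' on a /GS build; describes what happens at exit."""
    frame = Frame(FUNCTION1_RETURN)
    try:
        (frame.copy_checked if bounds_checked else frame.copy_unchecked)(data)
        target = execute(frame.function_exit())
        return f"returned to {target:#x}"
    except ValueError:
        return "rejected: input longer than buffer"
    except StackSmashDetected:
        return "stack smash detected at function exit"
    except AccessViolation:
        return "access violation: return target not executable"


def dep_only(data):
    """Same call on a build without /GS: DEP is the only line of defence left."""
    frame = Frame(FUNCTION1_RETURN)
    frame.copy_unchecked(data)
    try:
        return f"returned to {execute(frame.saved_return()):#x}"
    except AccessViolation:
        return "access violation: return target not executable"


BENIGN = b"hello"
# Constructed over-long input: fills the buffer, clobbers the canary, and points the
# saved return address back into the stack page where the input itself sits.
OVERLONG = b"A" * BUFFER_SIZE + b"BBBB" + struct.pack("<I", STACK_PAGE + 0x10)

if __name__ == "__main__":
    print("/GS, benign input:   ", call_function2(BENIGN, bounds_checked=False))
    print("/GS, over-long input:", call_function2(OVERLONG, bounds_checked=False))
    print("bounded copy:        ", call_function2(OVERLONG, bounds_checked=True))
    print("no /GS, DEP only:    ", dep_only(OVERLONG))
```

The ordering of the checks mirrors the slides: the canary catches the overwrite before the corrupted return address is used, and the page protection catches the case where no canary is present because the code was never recompiled with /GS. Neither replaces the bounded copy, which is the only variant that leaves the frame intact.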

Page 41

DEP on 32-bit Windows

DEP is off for user applications on Windows XP, but on for Server 2003

Can be configured under performance options

Even on processors without hardware DEP, some limited protection is implemented for exception handlers

Page 42

DEP on 64-bit Windows

Always applied to all 64-bit processes and device drivers

– Protects user and kernel stacks, paged pool, session pool

32-bit processes depend on configuration settings

Page 43

Agenda

The Malware problem

Spyware, adware and trojans

Viruses

Rootkits

Running as non-admin

Conclusion

Page 44

The Evolution of Malware

Malware, including spyware, adware and viruses, wants to be hard to detect and/or hard to remove

Rootkits are a fast evolving technology to achieve these goals

– Cloaking technology applied to malware

– Not malware by itself

– Example rootkit-based viruses: W32.Maslan.A@mm, W32.Opasa@mm

Rootkit history

– Appeared as stealth viruses

– One of the first known PC viruses, Brain, was stealth

– First “rootkit” appeared on SunOS in 1994

– Replacement of core system utilities (ls, ps, etc.) to hide malware processes

Page 45

Cloaking

Modern rootkits can cloak:

– Processes

– Services

– TCP/IP ports

– Files

– Registry keys

– User accounts

Several major rootkit technologies

– User-mode API filtering

– Kernel-mode API filtering

– Kernel-mode data structure manipulation

– Process hijacking

Visit www.rootkit.com for rootkit tools and information

Page 46

User-Mode API Filtering

Attack user-mode system query APIs

Con: can be bypassed by going directly to kernel-mode APIs

Pro: can infect unprivileged user accounts

Examples: HackerDefender, Afx

[Diagram: Taskmgr.exe queries the process list through Ntdll.dll in user mode; the kernel returns Explorer.exe, Malware.exe, Winlogon.exe, but the rootkit hooked in user mode filters the list down to Explorer.exe, Winlogon.exe]

Page 47

Kernel-Mode API Filtering

Attack kernel-mode system query APIs

Cons:

– Requires admin privilege to install

– Difficult to write

Pro: very thorough cloak

Example: NT Rootkit

[Diagram: the kernel’s process list holds Explorer.exe, Malware.exe, Winlogon.exe; the rootkit hooked in kernel mode filters it to Explorer.exe, Winlogon.exe before the answer reaches Ntdll.dll and Taskmgr.exe in user mode]

Page 48

Kernel-Mode Data Structure Manipulation

Also called Direct Kernel Object Manipulation

Attacks the active process data structure

– Query API doesn’t see the process

– Kernel still schedules the process’s threads

Cons:

– Requires admin privilege to install

– Can cause crashes

– Detection already developed

Pro: more advanced variations possible

Example: FU

[Diagram: the kernel’s active process list links Explorer.exe and Winlogon.exe; Malware.exe has been unlinked from it, so it is not enumerated even though its threads still run]

Page 49

Process Hijacking

Hide inside a legitimate process

Con: doesn’t survive reboot

Pro: extremely hard to detect

Example: Code Red

[Diagram: malware code running inside the Explorer.exe process]

Page 50

Detecting Rootkits

All cloaks have holes

– Leave some APIs unfiltered

– Have detectable side effects

– Can’t cloak when the OS is offline

Rootkit detection attacks the holes

– Cat-and-mouse game

– Several examples

  – Microsoft Research Strider/Ghostbuster

  – RKDetect

  – Sysinternals RootkitRevealer

  – F-Secure BlackLight

Page 51

Simple Rootkit Detection

Perform a directory listing online and compare it with one taken from a secure alternate OS boot (see http://research.microsoft.com/rootkit/ )

– Offline OS: Windows PE, ERD Commander, BartPE

dir /s /ah * > dirscan.txt

windiff dirscanon.txt dirscanoff.txt

This won’t detect non-persistent rootkits that save to disk during shutdown

Page 52

RootkitRevealer

[Diagram: RootkitRevealer queries both the Windows API and the raw file system and Registry hives; the rootkit filters the Windows API so that it omits malware files and keys, which remain visible in the raw scan]

RootkitRevealer (RKR) runs online

RKR tries to bypass the rootkit to uncover cloaked objects

– All detectors listed do the same

– RKR scans HKLM\Software, HKLM\System and the file system

– Performs a Windows API scan and compares it with a raw data structure scan
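The offline directory comparison on the previous slide and RootkitRevealer’s API-versus-raw scan are the same cross-view technique: enumerate the objects once through the Windows API, which the rootkit can filter, and once through a path it does not control (an offline boot, or a raw parse of the file system and hives), then report the differences. The Python below is an added example, not RootkitRevealer’s code. Both listings are constructed, and the ignore list for paths that legitimately differ between two scans is an assumption to tune per environment.

```python
"""Cross-view comparison: objects seen through the Windows API versus objects
seen by a path the rootkit does not control (an offline boot, or a raw parse
of the file system and Registry hives).

Added example, not RootkitRevealer's code. Both listings are constructed, and
IGNORE_PREFIXES (paths that legitimately differ between two scans) is an
assumption to tune per environment.
"""

# Constructed: what the online Windows API enumerated (the view a rootkit filters).
API_VIEW = r"""
FILE C:\Windows\System32\ntdll.dll
FILE C:\Windows\System32\drivers\null.sys
FILE C:\Windows\Temp\scan0001.tmp
KEY  HKLM\System\CurrentControlSet\Services\Null
KEY  HKLM\Software\Microsoft\Windows\CurrentVersion\Run
"""

# Constructed: the same scope read from raw file system and hive data, or from an offline boot.
RAW_VIEW = r"""
FILE C:\Windows\System32\ntdll.dll
FILE C:\Windows\System32\drivers\null.sys
FILE C:\Windows\System32\drivers\cloaked.sys
FILE C:\Windows\cloaked.exe
KEY  HKLM\System\CurrentControlSet\Services\Null
KEY  HKLM\System\CurrentControlSet\Services\CloakedSvc
KEY  HKLM\Software\Microsoft\Windows\CurrentVersion\Run
"""

# Assumed noise: transient paths that change between two scans without any cloaking.
IGNORE_PREFIXES = ("c:\\windows\\temp\\", "c:\\pagefile.sys")


def parse_view(text):
    """Turn 'KIND path' lines into a set of (KIND, lower-cased path); Windows names are case-insensitive."""
    objects = set()
    for line in text.strip().splitlines():
        kind, _, path = line.partition(" ")
        objects.add((kind, path.strip().lower()))
    return objects


def ignored(path, prefixes):
    return any(path.startswith(prefix) for prefix in prefixes)


def compare_views(api_text, raw_text, ignore=IGNORE_PREFIXES):
    """Report objects hidden from the API view and objects the API shows but the raw view lacks."""
    api = parse_view(api_text)
    raw = parse_view(raw_text)
    return {
        # The rootkit-revealing finding: present in the raw data, missing from the API answer.
        "hidden_from_api": sorted(o for o in raw - api if not ignored(o[1], ignore)),
        # Usually scan churn; in an online comparison it can also mean the API view was fabricated.
        "missing_from_raw": sorted(o for o in api - raw if not ignored(o[1], ignore)),
    }


if __name__ == "__main__":
    report = compare_views(API_VIEW, RAW_VIEW)
    for kind, path in report["hidden_from_api"]:
        print(f"Hidden from Windows API: {kind} {path}")
    for kind, path in report["missing_from_raw"]:
        print(f"Visible to API, absent from raw scan: {kind} {path}")
```

Two properties of the technique show up directly in the code. Everything the detector reports is a discrepancy, not a verdict, so the ignore list decides how much legitimate churn (temp files, page files, anything written between the two scans) is reported as noise; and a rootkit that stops cloaking while the scan runs makes both sets equal, which is exactly the limitation the next slide describes.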

Page 53

Demo

HackerDefender

– HackerDefender before and after view of the file system

– Detecting HackerDefender with RootkitRevealer

Page 54

RootkitRevealer Limitations

Rootkits have already attacked RKR directly by not cloaking when scanned

– RKR is given the true system view

– Windows API scan looks like the raw scan

Sysinternals has modified RKR to make it harder for rootkits to detect

– RKR is adopting rootkit techniques itself

– Rootkit authors will continue to find ways around RKR’s cloak

– It’s a game nobody can win

Page 55

Dealing with Rootkits

Unless you have specific uninstall instructions from an authoritative source:

Don’t rely on the “rename” functionality offered by some rootkit detectors

– It might not have detected all of a rootkit’s components

– The rename might not be effective

Reformat the system and reinstall Windows!

Page 56

Agenda

The Malware problem

Spyware, adware and trojans

Viruses

Rootkits

Running as non-admin

Conclusion

Page 57

Running as Non-Admin

Benefits of running as non-admin (also called limited user):

– System files and settings can’t be compromised

– System-level security (like AV) can’t be disabled

– Kernel-mode rootkits won’t install

– User-mode rootkits will only cloak malware in the account in which they are installed

– Can’t install keystroke loggers

– System can be reliably scanned and cleaned from an admin account

– Much more…

Warning: the Power Users group is effectively an administrator

Page 58

How to Run as Non-Admin

Cons of running as non-admin

– Many system tasks require admin privilege or membership

– Some legacy and line-of-business apps require admin privilege or membership

Aaron Margosis’ web log presents ways to deal with admin-only applications

– http://blogs.msdn.com/aaron%5Fmargosis

Two tools facilitate non-admin:

– RunAs

  – Allows you to run a single app in an admin account

  – Apps won’t have access to network resources

  – Apps won’t have access to your profile

– MakeMeAdmin

  – Aaron’s tool

  – Temporarily adds your account to the Administrators group

  – Overcomes RunAs limitations

Page 59

Agenda

The Malware problem

Spyware, adware and trojans

Viruses

Rootkits

Running as non-admin

Conclusion

Page 60

Defense-in-Depth

Fighting malware is a battle that’s just heating up

To deal effectively with malware you need to employ defense-in-depth:

– External firewalls

– Firewalled internal zones

– Antivirus and antispyware

– Patch management

– No-execute (NX) capable hardware

– Accounts that run as limited user

Page 61

Your Feedback is Important!

Please fill out your evaluation forms for this session

Page 62

© 2005 Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. Microsoft makes no warranties, express or implied, in this summary.

Thanks to Mark Russinovich (Chief Software Architect, Winternals Software, [email protected]) who wrote this presentation for TechEd EMEA 2005