Understanding Malware: Spyware, Viruses and Rootkits
Steve Lamb
IT Pro Evangelist for Security Technologies
http://blogs.technet.com/steve_lamb
Copyright © 2005 Mark Russinovich
Scope
What this talk covers:
– Types of malware
– How malware propagates and works
– How to detect and prevent malware
What it doesn’t:
– Phishing
– Product reviews and comparisons
– General security information
– How to write malware
Agenda
The Malware problem
Spyware, adware and trojans
Viruses
Rootkits
Running as non-admin
Conclusion
Is Anyone After You?
Know Your Adversary
Spyware is Rampant
We’ve all cleaned malware off the computers of family and friends
EarthLink found an average of 28 spyware programs on their customer systems
Spyware is the cause of 2 of every 5 home-user and 1 of every 4 corporate customer service calls
The Growing Threat¹
¹ Symantec March 2005 Internet Security Threat Report
1403 new vulnerabilities discovered in Q304/Q105
– 13% increase over previous 6 months
– 97% rated as moderately or highly severe
– 80% remotely exploitable
– 70% “easy” to exploit
7630 new worms and viruses discovered in 2H04
– 64% increase over previous 6 months
54% of malware created in 2H04 exposes confidential information
– Up from 44% in the previous 6 months
There’s a Sense of Complacency
Many users expect to get spyware and adware as part of freeware
Lots of unpatched systems
– The top five reported exploited corporate computer vulnerabilities have had patches available for months
– According to CERT, 95% of security breaches use known vulnerabilities
– As of March 2005 less than ¼ of corporate Windows XP users had applied SP2
Fighting Malware: A Top Priority
Interferes with productivity
Causes a constant support burden
Opens the door to financial and corporate data theft
It’s a matter of time before there’s a major terrorist incident in cyberspace
Understanding malware is the key to fighting it
Agenda
The Malware problem
Spyware, adware and trojans
Viruses
Rootkits
Running as non-admin
Conclusion
Definitions
Adware:
– Software that delivers ads through banners and popups
Spyware:
– Gathers information without consent
– Sends the information to 3rd parties without notification
– Changes behavior, look, or feel without consent
– Spyware is often combined with adware
Trojan:
– Malware disguised as harmless software
How It Gets Delivered
By e-mail invitation or attractive attachment
– Fake Microsoft security bulletins
– See http://www.microsoft.com/security/incident/authenticate_mail.mspx
– Pictures
Piggy-backed on software installs
Drive-by downloads
– Users get tricked by misleading Active X certificates
– IE in Windows XP SP2 has clearer notifications
How It Gets Delivered (cont’d)
Popups and other tricks
– Lots of third-party popup blockers
– IE in Windows XP SP2 has a blocker
– Banners and “pop-overs” can still trick users
Preventing Spyware, Adware and Trojans
Disable all active content in IE
– This can prevent certain sites from working
– For example, Windowsupdate.com
Always use the popup window’s own close button (‘X’) to close it
Only download from reputable sites that certify software as being virus free
Use antispyware
Antispyware
Antispyware utilities, like antivirus, both scan for and block spyware
Scanning relies on:
– A spyware signature database
– File scanning
– A remediation database
– It’s an after-the-fact solution
Spyware blocking relies on detecting spyware installation when it happens
Inside Spyware Blocking
Microsoft Antispyware (MSAS) includes “real-time protection”:
MSAS scans spyware startup points in the file system and registry every 10 seconds
MSAS Real-Time Protection
MSAS Blocking
When it sees a new entry it pops up a notification window
Choosing “block” results in MSAS deleting the new entry
Manual Cleaning
You should know how to identify potential malware and clean it
– AS only addresses known spyware
– AS can be attacked directly by spyware
– A system might not have AS
Tools for cleaning and investigating what’s running and what’s configured to run (all from www.sysinternals.com)
– Autoruns
– Process Explorer
– Sigcheck
Investigating Autostarts
Windows XP Msconfig (Start->Run->Msconfig) falls short when it comes to identifying autostarting applications
– It knows about few locations
– It provides little information
Autoruns
Shows every place in the system that can be configured to run something at boot & logon
– Services
– Tasks
– Explorer and IE addins (toolbars, browser helper objects, …)
Shows full path and version information of startup image
Easy Web search
Easy to focus on non-Microsoft code (Hide Signed Microsoft Entries)
Can also show empty locations
– Informational only
Includes command-line version
– Easy to script
– Collect profile of systems in network
Autoruns (cont’d)
Investigating Processes
Task Manager provides little information about images that are running
Process Explorer
Allows deep exploration of processes
– Process tree
– Command-line
– Full path
– Version information
– Strings
– Code signing verification
– Loaded DLLs
– Window finder
– Easy Web search
Suspicious processes:
– No description or company name
– Live in Windows directory
– No icon
– Strange URLs in the strings
Includes process comment support for baselining
Process Explorer (cont’d)
Cleaning
Identify malware processes with Process Explorer
– Suspend and then kill them
Identify malware autostarts with Autoruns
– Remove them
Delete malware files and directories from disk
Cleaning a Malware Infestation with…
• Microsoft antispyware
• Autoruns
• Process Explorer
Code Signing
All (well, most) Microsoft code is digitally signed
– Hash of file is signed with Microsoft’s private key
– Signature is checked by decrypting signed hash with the public key
Autoruns and Process Explorer both check signatures
Use Sigcheck to scan executable images for signatures
– Scan your entire system (at least \Windows)
– Investigate all unsigned images
– Maybe check signed image signers as well…
Sigcheck
Command to display information on unsigned executable images:
sigcheck -e -u -s c:\
Agenda
The Malware problem
Spyware, adware and trojans
Viruses
Rootkits
Running as non-admin
Conclusion
Definitions
Virus
– Recursively replicates itself
Worm
– Virus that replicates on the network, usually automatically (mass mailer worms are an exception)
– I’ll use “virus” to refer to both viruses and worms
Exploit
– Code that targets one or more security vulnerabilities to gain access to a system
Payload
– Virus body
Zero-Day attack
– Virus that exploits undisclosed vulnerability
Antivirus
Scans files for viruses
Scanning relies on:
– A virus signature database
– File scanning
– Includes virtual machine technology to unpack/decrypt virus code
– A remediation database
– Either quarantine or clean viruses
– It’s an after-the-fact solution
On-access scanning detects viruses in newly created files
Inside On-Access Scanning
[Diagram: in user mode, an application and the antivirus service with its signature database; in kernel mode, the antivirus filter driver layered above the file system driver]
1. AV filter intercepts the application’s file open
2. Stops the I/O and lets the service scan the file
3. If the file contains a virus that can’t be cleaned, AV quarantines it and blocks the open
Preventing Viruses
AV is dependent on signatures
– Small outbreak might never get a signature
– Window of exposure between virus outbreak and signature update
Alternate prevention mechanisms are mandatory
– Firewalls and intrusion prevention
– Restrictions on what code executes
– Buffer overflow prevention
Major Virus Outbreaks
Melissa – March 1999
– First major Windows network worm
– Spread as mass mailer that infected Word documents with a macro virus
Code Red – July 2001
– Exploited IIS buffer overflow vulnerability
– Infected 250,000 systems in 9 hours
– Planned DoS of www.whitehouse.gov
Nimda – September 2001
– 12 different propagation mechanisms
– Fastest and most effective worm to date
Major Virus Outbreaks (cont’d)
Slapper – September 2002
– Injects through Apache SSL buffer overflow
– Builds peer-to-peer network for massive DoS attack
SQL Slammer – January 2003
– Exploits SQL Server buffer overflow
– Causes network flood
Blaster – August 2003
– Exploits DCOM RPC buffer overflow
– Executes DoS on Windowsupdate.com
Zotob – August 2005
– Exploits the following Microsoft Windows vulnerabilities:
– Plug and Play Buffer Overflow, Message Queuing Remote Buffer Overflow, Workstation Service Remote Buffer Overflow, ASN.1 Library Bit String Processing Variant Heap Corruption
Buffer Overflow
[Diagram: stack of Function 2, with the buffer at lower addresses and the saved return address to Function 1 at higher addresses; virus data overflowing the buffer reaches the return address and the virus code]
The common theme of almost all major virus outbreaks is buffer overflow
Buffer Overflow Protection
Visual Studio .NET includes /GS flag
– Inserts “canary” on stack that is checked on each function exit for integrity
– Requires code recompilation
– All OS code is compiled with this flag
Windows XP SP2 and Windows Server 2003 SP1 support Data Execution Prevention (DEP)
– Prevents code from executing in a memory page not specifically marked as executable
– Stops exploits that rely on getting code executed
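Added example, not from the talk: a small C model of the /GS canary check described above. The names (struct frame, copy_and_check) are hypothetical, and the canary is a fixed constant where /GS uses a random per-process value; DEP is not modelled.

```c
/* Added example (not from the talk): a software model of the /GS-style
 * stack canary. "frame" stands in for a function's stack frame: a fixed
 * buffer, then the canary, then the saved return address. An unchecked copy
 * that runs past the buffer clobbers the canary and the epilogue check
 * catches it before control would return. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#define BUF_SIZE 16
#define CANARY_VALUE 0xA5C3E7F1u /* fixed here; /GS uses a per-process random value */

struct frame {
    char     buf[BUF_SIZE]; /* local buffer, lowest address in the frame */
    uint32_t canary;        /* guard placed between the locals and the return address */
    uint32_t ret_addr;      /* stands in for the saved return address */
};

/* Prologue: clear the buffer and plant the guard. */
static void frame_enter(struct frame *f) {
    memset(f->buf, 0, sizeof f->buf);
    f->canary = CANARY_VALUE;
    f->ret_addr = 0x00401000u; /* constructed placeholder value */
}

/* Epilogue check: 1 if the guard is intact, 0 if it was overwritten. */
static int frame_check(const struct frame *f) {
    return f->canary == CANARY_VALUE;
}

/* Models a strcpy-style bug: writes len bytes from the start of buf with no
 * regard for BUF_SIZE. Going through the struct's byte representation keeps
 * the demonstration well defined; len is clamped to the model frame. */
static void unchecked_copy(struct frame *f, const char *src, size_t len) {
    if (len > sizeof *f) len = sizeof *f;
    memcpy((unsigned char *)f, src, len);
}

/* Copies len bytes into a fresh frame and returns the epilogue verdict:
 * 1 = canary intact (copy stayed inside the buffer), 0 = overflow caught. */
int copy_and_check(const char *src, size_t len) {
    struct frame f;
    frame_enter(&f);
    unchecked_copy(&f, src, len);
    return frame_check(&f);
}

int main(void) {
    char small[8], big[24];
    memset(small, 'A', sizeof small);
    memset(big, 'A', sizeof big); /* 24 > BUF_SIZE: runs into the canary */
    printf("8-byte copy:  %s\n", copy_and_check(small, sizeof small) ? "canary intact" : "OVERFLOW DETECTED");
    printf("24-byte copy: %s\n", copy_and_check(big, sizeof big) ? "canary intact" : "OVERFLOW DETECTED");
    return 0;
}
```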
Data Execution Prevention
Relies on hardware ability to mark pages as non executable
– AMD calls it NX (“No Execute”)
– Intel calls it XD (“Execute Disable”)
Processor support:
– Intel Itanium had this in 2001, but Windows didn’t support it until now
– AMD64 was the next to support it
– Then, AMD added Sempron (32-bit processor with NX support)
– Intel added it first with their 64-bit extension chips (Xeon/Pentium 4s with EM64T)
– More recently, Intel added it to their 32-bit processor line (anything ending in “J”)
Data Execution Prevention (cont’d)
Attempts to execute code in a page marked no execute result in:
– User mode: access violation exception
– Kernel mode: ATTEMPTED_EXECUTE_OF_NOEXECUTE_MEMORY bugcheck (blue screen)
Memory that needs to be executable must be marked as such using page protection bits
DEP on 32-bit Windows
DEP is off for user applications on Windows XP, but on for Server 2003
Can be configured under performance options
Even on processors without hardware DEP, some limited protection is implemented for exception handlers
DEP on 64-bit Windows
Always applied to all 64-bit processes and device drivers
– Protects user and kernel stacks, paged pool, session pool
32-bit processes depend on configuration settings
Agenda
The Malware problem
Spyware, adware and trojans
Viruses
Rootkits
Running as non-admin
Conclusion
The Evolution of Malware
Malware, including spyware, adware and viruses want to be hard to detect and/or hard to remove
Rootkits are a fast evolving technology to achieve these goals
– Cloaking technology applied to malware
– Not malware by itself
– Example rootkit-based viruses: W32.Maslan.A@mm, W32.Opasa@mm
Rootkit history
– Appeared as stealth viruses
– One of the first known PC viruses, Brain, was stealth
– First “rootkit” appeared on SunOS in 1994
– Replacement of core system utilities (ls, ps, etc.) to hide malware processes
Cloaking
Modern rootkits can cloak:
– Processes
– Services
– TCP/IP ports
– Files
– Registry keys
– User accounts
Several major rootkit technologies
– User-mode API filtering
– Kernel-mode API filtering
– Kernel-mode data structure manipulation
– Process hijacking
Visit www.rootkit.com for rootkit tools and information
User-Mode API Filtering
Attack user-mode system query APIs
Con: can be bypassed by going directly to kernel-mode APIs
Pro: can infect unprivileged user accounts
Examples: HackerDefender, Afx
[Diagram: Taskmgr.exe queries through Ntdll.dll in user mode; the rootkit sits between them and drops Malware.exe from the process list (Explorer.exe, Malware.exe, Winlogon.exe) returned from kernel mode, so Taskmgr.exe sees only Explorer.exe and Winlogon.exe]
Kernel-Mode API Filtering
Attack kernel-mode system query APIs
Cons:
– Requires admin privilege to install
– Difficult to write
Pro: very thorough cloak
Example: NT Rootkit
[Diagram: Taskmgr.exe and Ntdll.dll in user mode; the rootkit filters the query results in kernel mode, so the full list (Explorer.exe, Malware.exe, Winlogon.exe) reaches user mode as Explorer.exe, Winlogon.exe]
Kernel-Mode Data Structure Manipulation
Also called Direct Kernel Object Manipulation
Attacks active process data structure
– Query API doesn’t see the process
– Kernel still schedules process’ threads
Cons:
– Requires admin privilege to install
– Can cause crashes
– Detection already developed
Pro: more advanced variations possible
Example: FU
[Diagram: the active process list Explorer.exe, Malware.exe, Winlogon.exe, with Malware.exe removed from the list the query API walks]
Process Hijacking
Hide inside a legitimate process
Con: doesn’t survive reboot
Pro: extremely hard to detect
Example: Code Red
[Diagram: malware code running inside Explorer.exe]
Detecting Rootkits
All cloaks have holes
–Leave some APIs unfiltered
–Have detectable side effects
–Can’t cloak when OS is offline
Rootkit detection attacks holes
–Cat-and-mouse game
–Several examples
– Microsoft Research Strider/Ghostbuster
– RKDetect
– Sysinternals RootkitRevealer
– F-Secure BlackLight
Simple Rootkit Detection
Perform a directory listing online and compare it with a listing taken after booting a secure alternate OS (see http://research.microsoft.com/rootkit/ )
– Offline OS is Windows PE, ERD Commander, BartPE
dir /s /ah * > dirscan.txt
windiff dirscanon.txt dirscanoff.txt
This won’t detect non-persistent rootkits that save to disk during shutdown
RootkitRevealer
[Diagram: RootkitRevealer scans both through the Windows API, which the rootkit filters so that malware files and keys are omitted, and through the raw file system and raw Registry hive, where the malware files and keys are visible]
RootkitRevealer (RKR) runs online
RKR tries to bypass rootkit to uncover cloaked objects
– All detectors listed do the same
– RKR scans HKLM\Software, HKLM\System and the file system
– Performs Windows API scan and compares with raw data structure scan
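Added example, not from the talk or from RootkitRevealer: the cross-view comparison that both the dir/windiff procedure and RKR’s API-versus-raw scan rely on, in C. The function names and every path in the sample listings are constructed placeholders.

```c
/* Added example (not from the talk or from RootkitRevealer): cross-view
 * detection. Two listings of the same tree are compared: the view the running
 * (possibly filtered) Windows API returned, and the raw view from an offline
 * boot or a raw file-system scan. Entries present in the raw view but absent
 * from the API view are reported as cloaked. All paths are constructed. */
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>
/* Case-insensitive comparison, since Windows paths are case-insensitive. */
static int path_equal(const char *a, const char *b) {
    for (; *a && *b; a++, b++)
        if (tolower((unsigned char)*a) != tolower((unsigned char)*b)) return 0;
    return *a == '\0' && *b == '\0';
}
/* Stores in hidden[] (up to max) every raw-view entry with no match in the
 * API view and returns the count found. */
size_t find_cloaked(const char *api[], size_t n_api,
                    const char *raw[], size_t n_raw,
                    const char *hidden[], size_t max) {
    size_t found = 0;
    for (size_t i = 0; i < n_raw; i++) {
        int seen = 0;
        for (size_t j = 0; j < n_api && !seen; j++)
            seen = path_equal(raw[i], api[j]);
        if (!seen && found < max) hidden[found++] = raw[i];
    }
    return found;
}
/* Constructed sample listings: the online (API) view lacks two entries that
 * the offline (raw) view contains. */
static const char *api_view[] = {
    "C:\\Windows\\System32\\ntdll.dll",
    "C:\\Windows\\explorer.exe",
    "C:\\Windows\\System32\\drivers\\ntfs.sys",
};
static const char *raw_view[] = {
    "C:\\Windows\\System32\\NTDLL.DLL",          /* same file, different case */
    "C:\\Windows\\explorer.exe",
    "C:\\Windows\\System32\\drivers\\ntfs.sys",
    "C:\\Windows\\System32\\hidden_example.sys", /* constructed placeholder */
    "C:\\Windows\\example_cloaked.dll",          /* constructed placeholder */
};
/* Runs the comparison on the sample data, prints each cloaked entry and
 * returns how many there were (2 for the sample data). */
size_t demo_cloaked_count(void) {
    const char *hidden[8];
    size_t n = find_cloaked(api_view, sizeof api_view / sizeof api_view[0],
                            raw_view, sizeof raw_view / sizeof raw_view[0], hidden, 8);
    for (size_t i = 0; i < n; i++) printf("cloaked: %s\n", hidden[i]);
    return n;
}
int main(void) { return demo_cloaked_count() == 2 ? 0 : 1; }
```

A rootkit that stops cloaking when it recognises the scanner, which the talk notes has already been done against RKR, defeats this comparison because both views then agree.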
Demo
HackerDefender
– HackerDefender before and after view of file system
– Detecting HackerDefender with RootkitRevealer
RootkitRevealer Limitations
Rootkits have already attacked RKR directly by not cloaking when scanned
– RKR is given the true system view
– Windows API scan looks like the raw scan
Sysinternals has modified RKR to be harder for rootkits to detect
– RKR is adopting rootkit techniques itself
– Rootkit authors will continue to find ways around RKR’s cloak
– It’s a game nobody can win
Dealing with Rootkits
Unless you have specific uninstall instructions from an authoritative source:
Don’t rely on “rename” functionality offered by some rootkit detectors
– It might not have detected all of a rootkit’s components
– The rename might not be effective
Reformat the system and reinstall Windows!
Agenda
The Malware problem
Spyware, adware and trojans
Viruses
Rootkits
Running as non-admin
Conclusion
Running as Non-Admin
Benefits of running as non-admin (also called limited user):
– System files and settings can’t be compromised
– System-level security (like AV) can’t be disabled
– Kernel-mode rootkits won’t install
– User-mode rootkits will only cloak malware in the account in which they are installed
– Can’t install keystroke loggers
– System can be reliably scanned and cleaned from an admin account
– Much more…
Warning: the Power Users group is effectively an administrator
How to Run as Non-Admin
Cons of running as non-admin
– Many system tasks require admin privilege or membership
– Some legacy and line-of-business apps require admin privilege or membership
Aaron Margosis’ web log presents ways to deal with admin-only applications
– http://blogs.msdn.com/aaron%5Fmargosis
Two tools facilitate non-admin:
– RunAs
– Allows you to run a single app in an admin account
– Apps won’t have access to network resources
– Apps won’t have access to your profile
– MakeMeAdmin
– Aaron’s tool
– Temporarily adds your account to the Administrators group
– Overcomes RunAs limitations
Agenda
The Malware problem
Spyware, adware and trojans
Viruses
Rootkits
Running as non-admin
Conclusion
Defense-in-Depth
Fighting malware is a battle that’s just heating up
To deal effectively with malware you need to employ defense-in-depth:
– External firewalls
– Firewalled internal zones
– Antivirus and antispyware
– Patch management
– No-execute-supported hardware
– Accounts that run as limited user
Your Feedback is Important!
Please Fill Out your evaluation forms for this Session
© 2005 Microsoft Corporation. All rights reserved.This presentation is for informational purposes only. Microsoft makes no warranties, express or implied, in this summary.
Thanks to Mark Russinovich (Chief Software Architect, Winternals Software, [email protected]) who wrote this presentation for TechEd EMEA 2005