Page 1: Operating System Recovery by Anti Virus software AVAR November 2005 Alex Polischuk Senior Research Engineer Arkady Kovtun Research Engineer Alex.Polischuk@ca.com.

Operating System Recovery by Anti Virus software

AVAR November 2005

Alex Polischuk, Senior Research Engineer

Arkady Kovtun, Research Engineer

Alex.Polischuk@ca.com, [email protected]

Page 2:

© 2005 Computer Associates International, Inc. (CA). All trademarks, trade names, services marks and logos referenced herein belong to their respective companies.

Agenda

- Introducing concept of system infection

- Difference between system infection and file infection

- Examples of system infection

- Recovering the system

- System infection signs

- System cure

- eTrust Standalone Cleaning Utilities

- Automatic system cure

- System cure quality testing

- Q&A

Page 3:

Introducing concept of system infection

- The virus era is over, the malware era begins...

Page 4:

Difference between system infection and file infection

Prevalence Table - July 2005, Virus Bulletin magazine

Malware that infects the system rather than files is now dominant: more and more different kinds of malware use system infection methods instead of file infection, or use both.

[Chart: prevalence by percentage (0% to 90%) for Win32/Sober, Win32/Mytob, Win32/Netsky and all others; "Virus table"]

Page 5:

Examples of system infection

Description of Win32/Protoride.S!Worm
Type: Worm  Category: Win32

Win32/Protoride.S!Worm is a memory-resident worm (written in Microsoft Visual C++) that spreads via network shares and acts as an IRC-controlled backdoor that allows unauthorized access to a victim's machine. It has been distributed as a 59,392-byte, UPX-packed Win32 executable. Many strings within the file are in Spanish.

Method of Infection

When executed, Protoride.S attempts to copy itself as WINMNGR.EXE to the following directories (should they exist on an affected machine):

\Documents and Settings\All Users\Start Menu\Programs\StartUp\
\WINDOWS\Start Menu\Programs\StartUp\
\WIN98\Start Menu\Programs\StartUp\
\WINME\Start Menu\Programs\StartUp\
\WIN95\Start Menu\Programs\StartUp\
\WINDOWS.000\StartMenu\Programs\StartUp\
\Documents and Settings\All Users\Menu Iniciar\Programas\Iniciar\
\WINDOWS\Menu Iniciar\Programas\Iniciar\

Page 6:

Examples of system infection

Copies itself to the %Windows% directory as winmngr.exe and modifies the registry to ensure that this copy is run at each Windows start:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Windows Taskbar Manager = "%Windows%\wintasks.exe"

Note: '%Windows%' is a variable location. The worm determines the location of the current Windows folder by querying the operating system. The default installation location for the Windows directory for Windows 2000 and NT is C:\Winnt; for 95, 98 and ME it is C:\Windows; and for XP it is C:\Windows.

The worm also creates a mutex in order to ensure that only one copy of the worm runs at a time.

Method of Distribution

Via Network Shares: the worm attempts to copy itself to unprotected network shares. If the share is protected by a username and password, the worm attempts to connect using the username and password of the current user.

Win32/Protoride.S!Worm

Page 7:

Examples of system infection

Additional Information

The executable WINMNGR.EXE contains the following file properties:

Comments: Creado Orgullosamente en Argentina - Made In Argentina
CompanyName: BeyonD aDvanceD TechNoloGies
FileDescription: ProtoType v2.3.0 build 500
FileVersion: 2, 3, 0, 0
InternalName: Pty2Ride
LegalCopyright: Copyright BeyonD TechNoloGieS 2003
LegalTrademarks: BeyonD enGine
OriginalFilename: Rd2.exe

Win32/Protoride.S!Worm

Page 8:

Examples of system infection

Description of Win32.DlToon!Trojan
Type: Trojan  Category: Win32

Win32.DlToon is an increasingly large family of functionally similar downloading trojans. The main purpose of the DlToon trojans is advertising and generating more hits on particular pornographic and search web sites. In the process, they often modify user settings, like the IE start page, without the user's permission. They are often installed through exploiting security vulnerabilities in Internet Explorer.

For example, Win32/DlToon.F!Trojan

Method of Installation: DlToon generally consists of three files:

loader.exe
iedll.exe
DNSErr.dll

Win32.DlToon!Trojan

Page 9:

Examples of system infection

The installation is circular: loader.exe downloads and runs iedll.exe, and iedll.exe in turn downloads the latest loader.exe. Iedll.exe also downloads DNSErr.dll and stores it in the Windows directory.

From reports from the wild, it appears that these components of DlToon are often updated or modified by the trojan's writer.

This circular downloading process ensures that the trojan writer's latest variant is always installed on compromised machines, as these trojans are always checking for and downloading the latest versions of themselves.

Win32.DlToon!Trojan

Page 10:

Examples of system infection

Payload

Changes System Settings: the trojan tries to connect to a particular URL via HTTP and receives instructions to create links in the user's Internet Explorer favorites directory.

For example, in "C:\Documents and Settings\Administrator\Favorites" the following links may be added:

1. ~ Fully categories porn database. Enjoy!
2. ~ New Porn Pics everyday
3. ~ Series Hardcore Pic Sets and Movies

The trojan may modify the following registry entries in order to change the user's default Internet Explorer homepage and/or default start page, by associating them with the URL that the trojan's writer wishes the user to visit:

Win32.DlToon!Trojan

Page 11:

Examples of system infection

HKCU\Software\Microsoft\Internet Explorer\Main\Search Bar
HKCU\Software\Microsoft\Internet Explorer\Main\Search Page
HKCU\Software\Microsoft\Internet Explorer\Main\Start Page
HKCU\Software\Microsoft\Internet Explorer\SearchURL

DlToon.F then adds the following values to the registry:

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\loader = current date, for instance "17.11.03"
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\loader2 = "1"
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\loaderGuid = "c8b96a3d-adb5-4db0-a20f-6ecc399c4298"

DlToon.F also modifies the Hosts file (on XP, 2000 and NT systems the hosts file is located at %System%\drivers\etc\hosts; on 9x systems it is located at %Windows%\hosts).

Win32.DlToon!Trojan

Page 12:

Examples of system infection

Description of Win32/Fantador.E!Trojan
Type: Trojan  Category: Win32

Win32/Fantador.E!Trojan is a backdoor trojan that allows unauthorized access to an affected machine.

Win32/Fantador.E!Trojan

When executed, Fantador.E creates the following files in the %System% directory:

SPORDER.DLL - this file is clean and not detected by CA Antivirus solutions
WINMEDL.DLL - this is a clean text file that contains the encrypted string "uygurman.vicp.net" and is not detected by CA Antivirus solutions
SynUSB.dll
WinSSi.exe

Page 13:

Examples of system infection

Note: '%System%' is a variable location.

The backdoor determines the location of the current System folder by querying the operating system.

The default installation location for the System directory for Windows 2000 and NT is C:\Winnt\System32; for 95,98 and ME is C:\Windows\System; and for XP is C:\Windows\System32.

The trojan modifies the registry to run each time Windows starts:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SynUSB Manager = "rundll32.exe SynUSB.dll,RunDll32"

The backdoor tries to connect to the domain: "uygurman.vicp.net" and waits for commands from its controller.

Win32/Fantador.E!Trojan

Page 14:

Examples of system infection

Description of Win32/Elkong.D!Trojan
Type: Trojan  Category: Win32

Win32.Elkong.D is a keylogging trojan.

Method of Installation

When executed, Elkong.D copies itself to the %Windows% directory using the same filename that it was originally executed from, and modifies the registry to ensure that this copy is run at each Windows start:

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\OLE = %Windows%\<Trojan file name>

Note: '%Windows%' is a variable location. The trojan determines the location of the current Windows folder by querying the operating system.

The default installation location for the Windows directory for Windows 2000 and NT is C:\Winnt; for 95, 98 and ME it is C:\Windows; and for XP it is C:\Windows.

Elkong.D also drops a DLL to the %Windows% directory as HookerDLL.DLL.

Win32/Elkong.D!Trojan

Page 15:

Examples of system infection

Win32/Elkong.D!Trojan

Payload

Keylogs/Steals Sensitive Information: the keylogger waits specifically for windows that contain any of the following strings in the title bar before recording the user's input to the file %Windows%\kgn.txt:

1MDC, 1mdc, Access, Bank, bank, Bank of Montreal, bank of montreal, Bank West, bankwest, BankWest, bendigo, Bendigo, BMO, bmo, cibc, Citibank, commbank, Commonwealth

Page 16:

Examples of system infection

Elkong.D e-mails the collected keystrokes contained in this file to a particular e-mail address using its own SMTP engine.

Note: This e-mail is not normally displayed to users. Text below the dotted line is displayed for example only.

Win32/Elkong.D!Trojan

Page 17:

Recovering the system

Page 18:

System infection signs

- It is impossible to show them all, so we'll show only a few examples:

Page 19:

System infection signs

File system: a file can be copied / created / downloaded to any folder, but the most common folders are those on the system path.

Registry:

RUN KEY: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run (also RunOnce, RunServices)

SERVICE KEY: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services

HKEY_LOCAL_MACHINE can be replaced by HKEY_CURRENT_USER for the currently logged-in user.

Default value of file execution in the registry, for example: "HKCR\exefile\shell\open\command\(Default)" should be "%1" %*. Modifying this default value of the command associated with "exefile" will run the malware file each time any executable is called:

HKEY_CLASSES_ROOT\exefile\shell\open\command\(Default) = "<filename> "%1" %*"

The same technique is used by malware with various file types in the registry, for example:

HKEY_CLASSES_ROOT\VBSFile\Shell\Open\Command
HKEY_CLASSES_ROOT\txtfile\shell\open\command

Same for HTML files, etc.

Page 20:

System infection signs file system and registry:

Page 21:

System infection signs

System files: Autoexec.bat, Config.sys, Win.ini, System.ini

When Atak.I is executed, it copies itself to "%System%\dec25.exe" and edits win.ini to ensure that it runs at each Windows start:

[windows]
run = %System%\dec25.exe

Page 22:

System infection signs

Hosts file: the HOSTS file is usually found at %Windows%\hosts or %System%\drivers\etc\hosts.

It may be modified by malware in order to block access to various sites, computer security sites etc. This way the affected machine will not be able to update its anti virus or view security-related sites for information. For instance, some of the latest Win32/Agobot.Worm variants add the following lines to the hosts file:

127.0.0.1 www.ca.com
127.0.0.1 ca.com
127.0.0.1 mast.mcafee.com
127.0.0.1 my-etrust.com
127.0.0.1 www.my-etrust.com

These lines will cause the domains www.ca.com, ca.com, etc. to resolve to the local host, effectively denying access.
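As an added example (not from the slides and not CA code), the following Python checks a system snapshot for the infection signs described on the preceding slides: Run-key entries that launch a given file, a hijacked exefile open command, a run= entry in win.ini, and hosts-file overrides of security-vendor domains. The registry snapshot, win.ini text and hosts text are constructed inline; it also checks load= in win.ini, which the slides do not mention.

```python
# Constructed checker for the infection signs on these slides (added example, not CA code).
EXEFILE_KEY = r"HKCR\exefile\shell\open\command\(Default)"
EXEFILE_DEFAULT = '"%1" %*'   # clean (Default) value, as stated in the slides

# Security-vendor hostnames the slides show Agobot pointing at 127.0.0.1 (constructed watch list)
WATCHED_DOMAINS = {"www.ca.com", "ca.com", "mast.mcafee.com",
                   "my-etrust.com", "www.my-etrust.com"}


def exefile_hijack(default_value):
    """Return the program prepended to the exefile open command, or None if the value is clean.

    A hijacked value keeps the original '"%1" %*' as its tail, e.g. 'C:\\x\\mal.exe "%1" %*'.
    """
    value = default_value.strip()
    if value == EXEFILE_DEFAULT:
        return None
    if value.endswith(EXEFILE_DEFAULT):
        return value[:-len(EXEFILE_DEFAULT)].strip().strip('"')
    return value                       # unrecognised command: report it whole


def win_ini_autoruns(win_ini_text):
    """Return the programs named by run= or load= in the [windows] section of win.ini."""
    programs, section = [], None
    for raw in win_ini_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
            continue
        key, sep, val = line.partition("=")
        if section == "windows" and sep and key.strip().lower() in ("run", "load"):
            programs += [p.strip() for p in val.split(",") if p.strip()]
    return programs


def hosts_redirects(hosts_text):
    """Return (hostname, address) pairs for watched domains that the hosts file overrides."""
    hits = []
    for raw in hosts_text.splitlines():
        fields = raw.split("#", 1)[0].split()     # drop comments, then "address name [name ...]"
        if len(fields) < 2:
            continue
        address, names = fields[0], fields[1:]
        hits += [(n.lower(), address) for n in names if n.lower() in WATCHED_DOMAINS]
    return hits


def run_key_entries(registry, filename):
    """Return Run-key value paths whose data mentions `filename` (case-insensitive substring)."""
    wanted = filename.lower()
    return [path for path, data in registry.items()
            if "\\currentversion\\run\\" in path.lower() and wanted in data.lower()]


def collect_signs(registry, win_ini_text, hosts_text, filename):
    """Gather every sign from the four checks as (kind, detail) tuples."""
    signs = [("run_key", p) for p in run_key_entries(registry, filename)]
    hijacker = exefile_hijack(registry.get(EXEFILE_KEY, EXEFILE_DEFAULT))
    if hijacker:
        signs.append(("exefile_hijack", hijacker))
    signs += [("win_ini_run", p) for p in win_ini_autoruns(win_ini_text)]
    signs += [("hosts_redirect", f"{host} -> {addr}") for host, addr in hosts_redirects(hosts_text)]
    return signs


# Constructed sample input mirroring the slides' Protoride, Fantador, Atak and Agobot examples;
# the exefile hijacker name "malware.exe" is a placeholder.
SAMPLE_REGISTRY = {
    r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Windows Taskbar Manager": r"%Windows%\wintasks.exe",
    r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SynUSB Manager": "rundll32.exe SynUSB.dll,RunDll32",
    EXEFILE_KEY: r'C:\WINDOWS\malware.exe "%1" %*',
}
SAMPLE_WIN_INI = "[windows]\nrun = %System%\\dec25.exe\nload=\n[Desktop]\nWallpaper=\n"
SAMPLE_HOSTS = ("127.0.0.1 localhost\n127.0.0.1 www.ca.com\n"
                "127.0.0.1 ca.com\n127.0.0.1 mast.mcafee.com   # added by Agobot\n")

if __name__ == "__main__":
    for kind, detail in collect_signs(SAMPLE_REGISTRY, SAMPLE_WIN_INI, SAMPLE_HOSTS, "wintasks.exe"):
        print(f"{kind:15} {detail}")
```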

Page 23:

System infection signs, system files:

Page 24:

System infection signs

Internet Explorer Startpage: Startpage is a large family of trojans that are used to change a user's Internet Explorer homepage and default search page. Generally, these trojans accomplish this by making changes to the registry and the hosts file. These trojans have been seen in the wild, used by businesses with unethical marketing practices in order to increase the flow of traffic to their web sites. These trojans often set the following registry entries to point to a site of the trojan writer's choice, redirecting the user every time the default search or homepage is accessed.

HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer
Values: Search, SearchAssistant, CustomizeSearch

HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main
Values: Search Page, Default_Search_URL

HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer
Values: Search, SearchURL

HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Search
Values: SearchAssistant, CustomizeSearch

Page 25:

System infection signs

HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main
Values: Search Page, Default_Search_URL, Search Bar, Default_Page_URL, Start Page

Additional Instructions for Recovering from a Startpage Infection

Some recent variants of Win32.Startpage exist as a DLL, possibly called "ctrlpan.dll" or "MSCONFD.DLL". This DLL will be loaded through one of the following registry values:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Control = "rundll32.exe %System%\ctrlpan.dll,Restore ControlPanel"
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs = "ctrlpan.dll"

The actual DLL file name may vary. Startpage changes a user's default Internet Explorer homepage and/or default search page by making changes to the registry. While CA Antivirus solutions will remove a Startpage infection, they will not restore a user's individual Internet Explorer settings to their pre-infection state (as Internet Explorer settings may vary from user to user). To run any DLL file on Windows restart, the malware may change the following registry value:

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify, "DLLName" value = "virus.dll"

Internet Explorer Startpage:

Page 26:

System infection signs Additional Instructions for Recovering from a Startpage Infection


Page 27:

- The System Cure was designed to enable a complete cure of the infected system by restoring all of the affected objects. It can perform different tasks depending on the OS.

- The infection signs described in the previous paragraph will be removed. Specific routines are provided in the Anti Virus update in order to kill malicious processes, delete infected files, remove or change registry values etc.

- For all file manipulation actions, it may happen that the file is being used by the system and therefore cannot be accessed (deleted, renamed). In such a case a system restart is required; when Windows restarts, the file manipulation will complete.

- It is not always possible to recover the malware-violated system; for instance, an AV product can't restore deleted files if these files were completely deleted.

- But Anti Virus must do its best to rescue the system: it must restore all system settings at least to sensible default values.

- The first and most important rule should be the same as the first rule of medicine: Anti Virus must not harm the system.

- Fortunately, malware detection does not always mean that the system is infected – the file can be there, but nobody executed it.

- We need to be sure that the system is infected – this is a must, and this is why:
  - Curing a clean system is not only a loss of time and resources, it could also harm the system, causing loss of data.
  - On the other hand, what will happen if we simply remove the file (simple delete) on an infected system? All the changes to the system will still remain; some of them will be harmless without the file and some will still perform their malicious tasks.

System cure

Page 28:

Function MalwareSystemCure ()
{
    Terminate infected running processes;
    If (file infector)
        Cure infected viral files;
    else
        Delete this file;
    Restore files modified by Malware;
    Run SystemCure on files dropped (downloaded) by Malware;
    Delete files dropped (downloaded) by Malware;    /* if they don't need SystemCure */
    Terminate Services;
    Remove Registry Entries;
}

System cure

Page 29:

eTrust Standalone Cleaning Utilities

- The CA Security Advisory Team provides a range of standalone cleaning utilities and useful tools for the most widespread and dangerous viruses.

- Generally, if you're using the current engine and signatures for eTrust InoculateIT 6.0, eTrust Antivirus 6.0, eTrust Antivirus 7.0, Vet, or EZ Antivirus, and have enabled the System Cure/Clean feature, you will not need these tools or utilities.

- CA Antivirus solutions are a complete package, and contain advanced technology that provides you with all the virus protection you'll ever need, including the ability to clean up if things go awry.

- These tools and utilities may be especially useful for those who either do not use CA Antivirus solutions, or who may be using products based on older technology that does not support system cleaning.

Page 30:

eTrust Standalone Cleaning Utilities

These utilities are usually for cleaning a local machine of specific malware and its variants.

They usually scan all drives on the local machine and remove registry keys added by the malware.

A reboot and a rescan with the utility may be necessary to completely clean an infected system.

You’re always welcome to download and use these utilities:

http://www3.ca.com/securityadvisor/newsinfo/collateral.aspx?CID=40387

Page 31:

Automatic system cure

- We notice that virus writers often use the same techniques to violate the system. Most malware modifies the registry in order to run every time Windows starts.

- We use automatic system cure, which we also call generic system cure.

- Generic system cure needs no special routine (written by a researcher) for a specific piece of malware; it is executed automatically on scanner detection (if Anti Virus is configured to cure malware).

- First, generic system cure tests the system for known infection signs (some of them are described above); then it removes them and deletes the file.

Page 32:

Automatic system cure

Function AutomaticSystemCure ()
{
    Terminate process and delete/cure the file;
    If (system infected)            /* infected - according to known infection signs */
    {
        Cure the system;            /* cure known infected places */
    }
}
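The MalwareSystemCure() and AutomaticSystemCure() pseudocode above, carried through as an added Python model (not CA's implementation): the detected file is always removed, but system objects are changed only when known infection signs tie that file to the system, so a merely downloaded file leaves the system untouched. The snapshot is constructed, process termination is left out, and cleaning hosts-file overrides only once the file is proven active is a design choice of this example.

```python
from dataclasses import dataclass

EXEFILE_KEY = r"HKCR\exefile\shell\open\command\(Default)"
EXEFILE_DEFAULT = '"%1" %*'          # clean value, as stated in the slides
# Security-vendor hosts the slides show being redirected to 127.0.0.1 (constructed watch list)
WATCHED_DOMAINS = {"www.ca.com", "ca.com", "mast.mcafee.com", "my-etrust.com", "www.my-etrust.com"}


@dataclass
class Snapshot:
    """Constructed model of the objects the slides list as infection signs."""
    registry: dict       # registry value path -> data
    hosts_lines: list    # raw lines of the hosts file
    win_ini_run: list    # programs named by run= in [windows] of win.ini
    files: set           # file names present on disk

    def copy(self):
        return Snapshot(dict(self.registry), list(self.hosts_lines),
                        list(self.win_ini_run), set(self.files))


def find_signs(snap, filename):
    """Known infection signs that tie `filename` to the system: Run-key, exefile-hijack and
    win.ini entries launching it. Hosts overrides cannot be attributed to one file, so they are
    added only once at least one file-tied sign proves the file active (design choice here)."""
    name, signs = filename.lower(), []
    for path, data in snap.registry.items():
        if "\\currentversion\\run\\" in path.lower() and name in data.lower():
            signs.append(("run_key", path))
    cmd = snap.registry.get(EXEFILE_KEY, EXEFILE_DEFAULT)
    if cmd != EXEFILE_DEFAULT and name in cmd.lower():
        signs.append(("exefile_hijack", cmd))
    signs += [("win_ini_run", p) for p in snap.win_ini_run if p.lower().endswith(name)]
    if signs:
        for line in snap.hosts_lines:
            names = line.split("#", 1)[0].split()[1:]
            if any(n.lower() in WATCHED_DOMAINS for n in names):
                signs.append(("hosts_redirect", line))
    return signs


def automatic_system_cure(snap, filename):
    """Generic cure modelled on the slides' AutomaticSystemCure(): remove the detected file, then
    change system objects only when known infection signs are present (first rule: do no harm).
    Returns (actions, cured_snapshot); the input snapshot is left unchanged."""
    cured, actions = snap.copy(), []
    if filename in cured.files:                     # Terminate process and delete/cure the file
        cured.files.discard(filename)
        actions.append(f"delete {filename}")
    signs = find_signs(snap, filename)
    if not signs:                                   # file present but never run: leave the system alone
        actions.append("no infection signs: system left unchanged")
        return actions, cured
    for kind, detail in signs:                      # Cure the system: restore each known infected place
        if kind == "run_key":
            del cured.registry[detail]
            actions.append(f"remove registry value {detail}")
        elif kind == "exefile_hijack":
            cured.registry[EXEFILE_KEY] = EXEFILE_DEFAULT   # sensible default from the slides
            actions.append(f"restore {EXEFILE_KEY} to {EXEFILE_DEFAULT}")
        elif kind == "win_ini_run":
            cured.win_ini_run.remove(detail)
            actions.append(f"remove win.ini run= entry {detail}")
        elif kind == "hosts_redirect":
            cured.hosts_lines.remove(detail)
            actions.append(f"remove hosts line {detail!r}")
    return actions, cured


# Constructed snapshot: wintasks.exe is wired in through a Run key and an exefile hijack,
# Agobot-style hosts lines are present, and an unrelated dec25.exe win.ini entry must survive.
SAMPLE = Snapshot(
    registry={
        r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Windows Taskbar Manager": r"%Windows%\wintasks.exe",
        r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Legit Updater": r"C:\Program Files\Updater\upd.exe",
        EXEFILE_KEY: r'C:\WINDOWS\wintasks.exe "%1" %*',
    },
    hosts_lines=["127.0.0.1 localhost", "127.0.0.1 www.ca.com", "127.0.0.1 ca.com"],
    win_ini_run=[r"%System%\dec25.exe"],
    files={"wintasks.exe", "dec25.exe", "downloaded_but_never_run.exe"},
)

if __name__ == "__main__":
    for target in ("wintasks.exe", "downloaded_but_never_run.exe"):
        actions, _ = automatic_system_cure(SAMPLE, target)
        print(target, "->", "; ".join(actions))
```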

Page 33:

System cure quality testing

- Needless to say, quality testing is always very important. It becomes vital when changing the system configuration.

- To help with this “holy” task, we created various tools for integrity checking and monitoring of the system.

- Created by our researchers together with QA people, those tools track every change to the system; after system cure finishes its work, the system should return to the state it was in just before the infection. As we already know, this is not always possible, so our automatic tools are built to decide whether the system was restored to reasonable default values.
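As an added example (not CA's QA tooling), this Python models the integrity check described above: it compares object snapshots taken before infection, while infected and after the cure, accepts an object as cured only if it returns to its original value or a sensible default, and flags untouched objects that the cure changed. The snapshots are constructed inline; about:blank as the IE start-page default is an assumption.

```python
# Added example (not CA's QA tooling): verify a system cure against before/infected/after snapshots.
EXEFILE_KEY = r"HKCR\exefile\shell\open\command\(Default)"
START_PAGE_KEY = r"HKCU\Software\Microsoft\Internet Explorer\Main\Start Page"

# Values a cure may legitimately fall back to when the pre-infection value cannot be recovered.
# The exefile default comes from the slides; about:blank for the IE start page is an assumption.
SENSIBLE_DEFAULTS = {EXEFILE_KEY: '"%1" %*', START_PAGE_KEY: "about:blank"}


def verify_cure(before, infected, after):
    """Compare snapshots (object -> value; an absent object reads as None) and give each a verdict.

    Objects the malware touched:
      restored   back to the pre-infection value
      defaulted  set to a sensible default (accepted, as the slides allow)
      unchanged  still holds the infected value (cure failed)
      damaged    neither original, default nor infected value
    Objects the malware never touched but the cure changed: collateral (violates "do no harm").
    """
    touched = {k for k in set(before) | set(infected) if before.get(k) != infected.get(k)}
    verdicts = {}
    for key in touched:
        orig, now = before.get(key), after.get(key)
        if now == orig:
            verdicts[key] = "restored"
        elif key in SENSIBLE_DEFAULTS and now == SENSIBLE_DEFAULTS[key]:
            verdicts[key] = "defaulted"
        elif now == infected.get(key):
            verdicts[key] = "unchanged"
        else:
            verdicts[key] = "damaged"
    for key in (set(before) | set(after)) - touched:
        if before.get(key) != after.get(key):
            verdicts[key] = "collateral"
    return verdicts


def cure_acceptable(verdicts):
    """The cure passes only if every touched object was restored or defaulted and nothing else moved."""
    return all(v in ("restored", "defaulted") for v in verdicts.values())


# Constructed snapshots: the malware adds a Run value, hijacks exefile, appends a hosts line and
# changes the IE start page; the cure fixes all four but also deletes an unrelated Run value.
RUN_MAL = r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Windows Taskbar Manager"
RUN_LEGIT = r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Legit Updater"
BEFORE = {EXEFILE_KEY: '"%1" %*', START_PAGE_KEY: "http://intranet.example/",
          "hosts": "127.0.0.1 localhost", RUN_LEGIT: r"C:\Program Files\Updater\upd.exe"}
INFECTED = {**BEFORE,
            EXEFILE_KEY: r'C:\WINDOWS\wintasks.exe "%1" %*',
            START_PAGE_KEY: "http://search.example/",
            "hosts": "127.0.0.1 localhost\n127.0.0.1 www.ca.com",
            RUN_MAL: r"%Windows%\wintasks.exe"}
AFTER = {EXEFILE_KEY: '"%1" %*', START_PAGE_KEY: "about:blank", "hosts": "127.0.0.1 localhost"}

if __name__ == "__main__":
    result = verify_cure(BEFORE, INFECTED, AFTER)
    for key, verdict in sorted(result.items()):
        print(f"{verdict:10} {key}")
    print("cure acceptable:", cure_acceptable(result))
```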

Page 34:

Q & A

Alex Polischuk – Senior Research Engineer, Computer Associates – [email protected]

Arkady Kovtun – Research Engineer, Computer Associates – [email protected]

