Introduction To Malware Analysis With Procmon and Other Tools

Introduction To Malware Analysis With Procmon and Other Tools Written by Nathan Chan


Table Of Contents:

Introduction
Scope
Limitations
About Malware
Tools Preparation
The Setup
Forensic Analysis Process
Running The Malware: Conduit Toolbar
Procmon Analysis
Regshot Analysis
Malware Removal Forensics
Malware Bytes Analysis
AdwCleaner Analysis
Conclusion
Recommendations
Appendix


Introduction:

In today's cyber world, malware has thickly infiltrated our computers in many forms: the typical computer virus, the crawling worm, the stealthy Trojan horse, the merciless ransomware, the annoying spyware and adware, and the creepy scareware. The purpose of this paper is to teach you how to analyze malware and clean it out (just like a virologist finding the appropriate antidote for an epidemic). Some of the tools used in the process of artifact analysis include Free Cloud VPN, VMWare Workstation 11, Regshot, and the featured Microsoft Sysinternals tool, Procmon. For the cleaning process, I will show you how to use Malware Bytes and AdwCleaner to clean out the malware. Malware Bytes and AdwCleaner also show a different perspective on where the forensic artifacts truly lie, since they keep a record of them (including accurate information such as logs) while cleaning out the malware. The above tools will teach you how to sleuth out the malware pragmatically and in an orderly way. Like dissecting an object, you must appreciate the complexity of the electronic virology and know it inside and out to be able to analyze it completely.

Scope:

The primary scope of this project is that this report will be used as a practical guide for dissecting malware with VMWare Workstation 11 as the sandbox (something used to contain the electronic specimen without it infecting the outside). The incentive for using VMWare Workstation is that it can take snapshots of the virtualized operating system I am using, Windows 7 Enterprise. If I make several mistakes in the process, I can revert to an earlier snapshot without having to format the whole VM and start again. Thus, this saves a lot of work and time. Forensically speaking, this project is a guide targeted at people specializing in the area of cybercrime, and it teaches the average computer professional how to dissect a piece of malware using Sysinternals tools such as Process Monitor, and Regshot, and how to clean it out using Malware Bytes and AdwCleaner.

Limitations:

There are limitations to analyzing malware. Because of the anomalous and "trojanic" nature of malware such as Conduit Toolbar, I am unable to list every registry key's function, since that can only be verified from the source code and the intentions of the malware author. But I will provide the main registry keys that were affected during the installation of the malware, and provide information about which files were created and closed by the program as recorded by Procmon. I will also do a comparative analysis of which registry records were added, using Regshot.


About Malware:

Malware is often identified as bad programs. The French word for bad is "mal", and it means harmful or malicious. So, what are we usually looking for in malware? We are usually looking for processes that are suspicious. Sometimes they bear no icon, or the program carries no certificate showing that it is from a verified signer. These usually have a company name, or no company name at all; it really depends on the company that made the malware. Sometimes they can even be "legit" malware, but usually the terms of agreement shown before you install the program will carry suggestive indications that they are spying on your computer. The algorithmic process is usually extremely complex, so that it is hard for the average person to clean the malware; it would take a heck of a time to detect without the proper tools. Annoying malware can do tasks like hijacking your browser's homepage and adding toolbars that were not intended to be there, without your permission. It usually also sends your information to a target host or server that mines your information in exchange for blackhat money.

Tools Preparation:

To prepare for the big lab, we need the following tools. You can download them from the following sites:

An evaluation version of Windows 7 Enterprise (90-day edition) - http://www.microsoft.com/en-us/evalcenter/evaluate-windows-7-enterprise
VMWare Workstation 11 (the trial version will do) - http://www.vmware.com
Process Monitor - https://technet.microsoft.com/en-ca/sysinternals/bb896645.aspx
7zip: for extracting the .7z file of Regshot - http://www.7-zip.org/
Regshot: for taking a before and after picture of the registry for comparison - http://sourceforge.net/projects/regshot/
Malware Bytes: for cleaning out the malware and getting a forensic log of the artifacts - https://www.malwarebytes.org/
AdwCleaner: for cleaning the hijacked home page and web browser forensics - https://toolslib.net/downloads/viewdownload/1-adwcleaner/

The Setup:

The first step to your success in figuring out malware analysis is to download the tools mentioned above. You will get a better grasp of it once I teach you how to use the tools. Before we get into the VMWare process, we need to set up a VPN called Free Cloud VPN to masquerade your IP address. For this example, I will use Windows 8 to demonstrate. First, click on the Network icon in the bottom-right corner of your taskbar.


FIGURE A: CLICK ON CONNECTION SETTINGS 1

Then, click on View Connection Settings.

FIGURE B: CLICK ON CONNECTION SETTINGS 2

Click on Add a VPN Connection.


FIGURE C: CONFIGURE THE VPN SETTINGS USING FREECLOUDVPN.COM

Under your VPN connections, change it to these settings:

VPN Type: PPTP VPN
VPN Encryption: Enabled (Auto)
US VPN Hostname: us.freecloudvpn.com
US VPN Username: freecloudvpn.com
US VPN Password: 2724

For VMWare Workstation, make sure that you have a snapshot saved after you have downloaded all the programs. You can name it 'VMTools Installed Before Infection'. In case you run into trouble later, taking snapshots along the way is the way to go. Another important point with VMWare Workstation is that you want to isolate your sandbox on a different gateway before the analysis. Under the VM menu, click on Settings. Then, click on Network. Click on NAT (Network Address Translation) under Network Adapter.

For this research, I have chosen a non-lethal malware that is adware-based. It is not a worm, whose main objective is to spread through your computer and network, finding places to hide and exploiting vulnerabilities to travel in your network. It is basically spyware. Spyware usually contains trojans, so that it can send information from your computer to a remote host. You can download the malware, or potentially unwanted program, by doing a simple search on Google for Conduit Toolbar.


Many people complain about Conduit Toolbar, because it saps up a lot of memory and CPU; therefore, it may take a lot of time for them to fire up their applications or load a certain process on their computer. Conduit Toolbar is categorized as grayware, or non-malicious spyware.

Before we begin, it is necessary to start the artifact monitoring, using Procmon and Regshot, in the background.

For Regshot, we will take our very first snapshot before the malware infection starts. Please open Regshot.

1. Click on 1st Shot.
2. Make sure you have the right Output path.

FIGURE 1: FIRST CAPTURE WITH REGSHOT

Please keep Regshot open until we finish the whole analysis of the spyware.

A download site for the malware is: http://conduit.ourtoolbar.com/. Once it is downloaded on your computer, perhaps in your Documents or Downloads folder, you can proceed to executing it. Note that this malware is infamous for creating a toolbar in your browser and hijacking your homepage for advertising uses. Please rename the Conduit file, tb_Conduit.exe, to conduitMalware.exe for examination and educational purposes.

Forensic Analysis Process:

A. Running The Malware – Conduit Toolbar


When you are ready, you can run the malware, Conduit Toolbar. Double-click on the binary file to execute it. It will go through the installation process.

FIGURE 2: CONDUIT TOOLBAR INSTALLATION SCREEN 1

When you are prompted, check the options "Set my default search and homepage to Trovi Search" and "I allow my current home page and default search settings to be stored for easy reverting later". These are to be checked because the average user who is pushed into installing a program that bundles the Conduit spyware will most likely click on these checkbox options. Note that this is considered "legit" or "legal" spyware (grayware), because it has a policy below stating that "this toolbar may contain apps that access, collect and use your personal data, including your IP address and the address and content of web pages you visit". The text is not obvious, and the average user will usually skip over it. But it is a critical piece of information for us to understand why this is "legal" spyware (grayware) after all.

So, click Agree and Install to proceed to the next step. Since we are only analyzing the spyware toolbar and the hijacking of the homepage, we need not worry about the next few offers, which include ScreenGlaze, a smart search-powered screen saver.


FIGURE 3: CONDUIT TOOLBAR - SKIP ALL

When you are ready, click on Skip All.

FIGURE 4: CONDUIT TOOLBAR – INSTALLATION COMPLETE


The installation should be complete thereafter. You can click on Finish, and the process will stop.

FIGURE 5: CONDUIT TOOLBAR PROMPTS INSTALLATION ON FIREFOX

Next, your default browser, or in my case Firefox, will pop up. After that, check the box Allow this installation and then click on Continue.


FIGURE 6: CONDUIT TOOLBAR AND HOMEPAGE HIJACKING PRE-STAGE

From this point on, Firefox will install the Conduit toolbar (malware). After that, you should click Finish to see that the Conduit Toolbar has hijacked your homepage.

FIGURE 7: CONDUIT TOOLBAR INSTALLATION FINISHES

So, from this point on, you can restart Firefox.


FIGURE 8: CONDUIT TOOLBAR INSTALLATION FINISHES

You will see that your homepage is temporarily hijacked by the adware, Conduit. This should be all that the malware intends to do. Other than that, it trojanizes your system and spies on it every once in a while, but the effects are unnoticeable. Your system should have slowed down a lot by this point.

B. Procmon Analysis

In Procmon, we will monitor the Conduit Toolbar process by Process Name, as that applies to the most relevant pieces we are analyzing. Also, for Operation, we need to monitor CreateFile and CloseFile to see what it intends to do when it spawns files and closes files. Sometimes it also propagates by creating new malware specimens, for example in the C:\TEMP folder, where they are not obvious and are hard to unravel and clean up. It is always unpredictable what problematic software will do to your computer. We will not analyze the registry part of it yet, as it will come later in our Regshot forensic analysis process.


FIGURE 9: ANALYSIS OF PROCMON CREATING FILES

When we filter on wsmallstub.exe, which is the malware specimen we are analyzing, we can see that it creates the following files, among others shown on the screen:

C:\Windows\System32\wow64.dll
C:\Windows\System32\wow64win.dll
C:\Windows\System32\wow64cpu.dll
C:\Windows\System32\wow64log.dll
C:\Users\Nathan\AppData\Local\Temp\RarSFX0
C:\Windows\SysWOW64\sechost.dll
C:\Users\Nathan\AppData\Local\Temp\RarSFX0\version.DLL
C:\Windows\SysWOW64\version.dll
C:\Windows\SysWOW64\apphelp.dll
C:\Windows\AppPatch\sysmain.sdb
C:\Users\Nathan\AppData\Local\Temp\RarSFX0\wsmallstub.exe
C:\Users\Nathan\AppData\Local\Temp\RarSFX0
C:\Windows\AppPatch\AcLayers.dll
C:\Users\Nathan\AppData\Local\Temp\RarSFX0\WINSPOOL.DRV
C:\Users\Nathan\AppData\Local\Temp\RarSFX0\MPR.dll
C:\Windows\SysWOW64\imm32.dll
C:\Users\Nathan\AppData\Local\Temp\RarSFX0\icon.ico
C:\Windows\SysWOW64\uxtheme.dll
C:\Windows\SysWOW64\msxml3.dll
C:\Windows\SysWOW64\en-US\KernelBase.dll.mui
C:\Windows\SysWOW64\msxml3r.dll
C:\Users\Nathan\AppData\Local\Temp\RarSFX0\stub_settings.xml
C:\Users\Nathan\AppData\Local\Temp\RarSFX0\Secur32.dll
C:\Windows\Globalization\Sorting\SortDefault.nls
C:\Users\Nathan\AppData\Local\Microsoft\Windows\Temporary Internet Files
C:\Users\Nathan\AppData\Local\Temp\RarSFX0\api-ms-win-downlevel-advapi32-l2-1-0.dll
C:\Windows\SysWOW64\api-ms-win-downlevel-advapi32-l2-1-0.dll
C:\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.18201_none_ec80f00e8593ece5
C:\Windows\SysWOW64\winhttp.dll
C:\Windows\SysWOW64\webio.dll
C:\Windows\SysWOW64\mswsock.dll
C:\Windows\SysWOW64\wship6.dll
C:\Users\Nathan\AppData\Local\Temp\RarSFX0\IPHLPAPI.DLL
C:\Users\Nathan\AppData\Local\Temp\RarSFX0\WINNSI.DLL
C:\Windows\SysWOW64\winnsi.dll

After creating the files, it will close each file after the process is done.
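Procmon's CreateFile operation records every file open, not only creations, which is why the list above is mostly system DLLs the installer loads. As an added example that is not part of the paper, the following Python script does the triage described in this section on a Procmon CSV export (File > Save, CSV format): it filters events by process name and operation, separates files dropped into the user's Temp folder from system libraries that were merely loaded, and reports CreateFile paths that never saw a matching CloseFile. The sample export is constructed for this example; the column names are Procmon's default export columns.

```python
import csv
import io
from collections import Counter

# Constructed sample of a Procmon CSV export. The column names are Procmon's default
# export columns; the rows are made up for this example and are not the paper's capture.
SAMPLE_CSV = r"""
"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"1:02:03.0000001 PM","wsmallstub.exe","1234","CreateFile","C:\Windows\SysWOW64\version.dll","SUCCESS","Desired Access: Read Data/List Directory"
"1:02:03.0000002 PM","wsmallstub.exe","1234","CloseFile","C:\Windows\SysWOW64\version.dll","SUCCESS",""
"1:02:03.0000003 PM","wsmallstub.exe","1234","CreateFile","C:\Users\Nathan\AppData\Local\Temp\RarSFX0\wsmallstub.exe","SUCCESS","Desired Access: Generic Write"
"1:02:03.0000004 PM","wsmallstub.exe","1234","CreateFile","C:\Users\Nathan\AppData\Local\Temp\RarSFX0\stub_settings.xml","SUCCESS","Desired Access: Generic Write"
"1:02:03.0000005 PM","wsmallstub.exe","1234","CloseFile","C:\Users\Nathan\AppData\Local\Temp\RarSFX0\stub_settings.xml","SUCCESS",""
"1:02:03.0000006 PM","wsmallstub.exe","1234","RegOpenKey","HKCU\Software\Conduit","NAME NOT FOUND",""
"1:02:03.0000007 PM","explorer.exe","800","CreateFile","C:\Windows\System32\shell32.dll","SUCCESS",""
"""

SYSTEM_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64", r"c:\windows\winsxs", r"c:\windows\apppatch")

def parse_procmon_csv(text):
    """Procmon events as dicts keyed by the export's column names."""
    return list(csv.DictReader(io.StringIO(text.strip())))

def created_paths(events, process_name, operation="CreateFile"):
    """Unique paths touched by `process_name` with `operation`, in first-seen order."""
    seen = []
    for ev in events:
        if ev["Process Name"].lower() == process_name.lower() and ev["Operation"] == operation:
            if ev["Path"] not in seen:
                seen.append(ev["Path"])
    return seen

def classify(path):
    """Dropped into a temp folder (the interesting case) versus a system library merely loaded."""
    p = path.lower()
    if "\\appdata\\local\\temp\\" in p or p.startswith(r"c:\temp"):
        return "dropped-temp"
    if p.startswith(SYSTEM_DIRS):
        return "system-library"
    return "other"

def triage(events, process_name):
    """CreateFile paths of one process, bucketed so the dropped files stand out from DLL loads."""
    groups = {"dropped-temp": [], "system-library": [], "other": []}
    for path in created_paths(events, process_name):
        groups[classify(path)].append(path)
    return groups

def unclosed_handles(events, process_name):
    """Paths with more successful CreateFile than CloseFile events: still open when the capture ended."""
    balance = Counter()
    for ev in events:
        if ev["Process Name"].lower() != process_name.lower():
            continue
        if ev["Operation"] == "CreateFile" and ev["Result"] == "SUCCESS":
            balance[ev["Path"]] += 1
        elif ev["Operation"] == "CloseFile":
            balance[ev["Path"]] -= 1
    return sorted(p for p, n in balance.items() if n > 0)

if __name__ == "__main__":
    evs = parse_procmon_csv(SAMPLE_CSV)
    for bucket, paths in triage(evs, "wsmallstub.exe").items():
        print(bucket, paths)
    print("still open:", unclosed_handles(evs, "wsmallstub.exe"))
```

Point the script at a real export by reading the CSV file into `parse_procmon_csv` instead of `SAMPLE_CSV`; a Procmon filter on the process name before saving keeps the file small.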


FIGURE 10: ANALYSIS OF PROCMON CLOSING FILES

C. Regshot Analysis


FIGURE 11: SECOND CAPTURE WITH REGSHOT

We will take another snapshot after the execution of the malware.

1. Please press 2nd shot when you're ready.
2. Please locate your output path name as well by pressing on …

Upon analysis, we find that 51 keys have been added.

HKU\S-1-5-21-3479963163-2589350846-1209574490-1000\Software\AppDataLow\Software\Smartbar

These registry entries perhaps create the Smartbar adware. Again, it is undetectable by the average user, because the average user doesn't know how to go into the registry and view the changes.

HKU\S-1-5-21-3479963163-2589350846-1209574490-1000\Software\AppDataLow\Software\Smartbar\AppPaths

This registry entry defines the path where the Smartbar adware is located.

HKU\S-1-5-21-3479963163-2589350846-1209574490-1000\Software\AppDataLow\Software\Smartbar\FF
HKU\S-1-5-21-3479963163-2589350846-1209574490-1000\Software\AppDataLow\Software\Smartbar\UninstallerData

This registry entry probably gets written over and deleted when the Smartbar (Conduit) adware is uninstalled. But we can't guarantee deletion unless we have Malware Bytes and AdwCleaner.

HKU\S-1-5-21-3479963163-2589350846-1209574490-1000\Software\AppDataLow\Software\Smartbar\UninstallerData\CT408137
HKU\S-1-5-21-3479963163-2589350846-1209574490-1000\Software\AppDataLow\Software\Smartbar\UninstallerData\CT408137\FF
HKU\S-1-5-21-3479963163-2589350846-1209574490-1000\Software\Microsoft\Internet Explorer\LowRegistry\Audio\PolicyConfig\PropertyStore\42008bfa_0\{219ED5A0-9CBF-4F3A-B927-37C9E5C5F14F}

This registry key and the ones below it modify the Internet Explorer process.

HKU\S-1-5-21-3479963163-2589350846-1209574490-1000\Software\Microsoft\Internet Explorer\LowRegistry\Audio\PolicyConfig\PropertyStore\a723b4e6_0
HKU\S-1-5-21-3479963163-2589350846-1209574490-1000\Software\Microsoft\Internet Explorer\LowRegistry\Audio\PolicyConfig\PropertyStore\a723b4e6_0\{219ED5A0-9CBF-4F3A-B927-37C9E5C5F14F}

These entries are only part of the 51 keys that were added. The list is too large to reproduce; that is the limitation, since spyware is very lengthy and can propagate itself.
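As an added example that is not part of the paper, the following Python parser for Regshot's text comparison output addresses the limitation just described: rather than reading 51 keys one by one, it checks that the counts each section header declares match the entries actually listed (a truncated log shows up immediately), groups the added keys by path prefix, and flags entries under well-known autostart and browser-extension locations. The sample log is constructed from the Smartbar keys above, with the values and the Run entry made up for the demonstration; the section headers ("Keys added: N" between dashed separators) are assumed to follow Regshot's comparison format.

```python
import re
from collections import Counter

# Constructed Regshot comparison log: the Smartbar keys are those listed above; the values and the Run entry are made up.
SAMPLE_REGSHOT = r"""
Regshot 1.9.0 x86 Unicode
----------------------------------
Keys added: 5
----------------------------------
HKU\S-1-5-21-3479963163-2589350846-1209574490-1000\Software\AppDataLow\Software\Smartbar
HKU\S-1-5-21-3479963163-2589350846-1209574490-1000\Software\AppDataLow\Software\Smartbar\AppPaths
HKU\S-1-5-21-3479963163-2589350846-1209574490-1000\Software\AppDataLow\Software\Smartbar\FF
HKU\S-1-5-21-3479963163-2589350846-1209574490-1000\Software\AppDataLow\Software\Smartbar\UninstallerData\CT408137
HKU\S-1-5-21-3479963163-2589350846-1209574490-1000\Software\Microsoft\Internet Explorer\LowRegistry\Audio\PolicyConfig\PropertyStore\a723b4e6_0
----------------------------------
Values added: 2
----------------------------------
HKU\S-1-5-21-3479963163-2589350846-1209574490-1000\Software\AppDataLow\Software\Smartbar\AppPaths\Smartbar: "C:\Users\Nathan\AppData\Local\Smartbar"
HKU\S-1-5-21-3479963163-2589350846-1209574490-1000\Software\Microsoft\Windows\CurrentVersion\Run\Smartbar: "C:\Users\Nathan\AppData\Local\Smartbar\Smartbar.exe"
----------------------------------
"""

SECTION_RE = re.compile(r"^(Keys added|Keys deleted|Values added|Values deleted|Values modified|Total changes): (\d+)$")
USER_SID_RE = re.compile(r"^HKU\\S-1-5-21(?:-\d+)+", re.IGNORECASE)  # per-user hive prefix, rewritten to HKCU
AUTOSTART_HINTS = (  # well-known autostart and browser-extension locations
    r"\software\microsoft\windows\currentversion\run",
    r"\explorer\browser helper objects",
    r"\software\mozilla\firefox\extensions",
)

def parse_regshot(text):
    """Split a Regshot comparison into {section: [entries]} plus the count each header declares."""
    sections, declared, current = {}, {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line or set(line) == {"-"}:  # blank lines and dashed separators
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            declared[current] = int(m.group(2))
            sections.setdefault(current, [])
        elif current is not None:  # lines before the first header are the Regshot banner
            sections[current].append(line)
    return sections, declared

def count_mismatches(sections, declared):
    """Sections whose declared count differs from the entries listed (a truncated or edited log)."""
    return {name: (n, len(sections[name])) for name, n in declared.items()
            if name != "Total changes" and n != len(sections[name])}

def normalize_hive(path):
    return USER_SID_RE.sub("HKCU", path)

def group_added_keys(sections, depth=5):
    """Count added keys by their first `depth` path components: a map of where the installer wrote."""
    groups = Counter()
    for key in sections.get("Keys added", []):
        groups["\\".join(normalize_hive(key).split("\\")[:depth])] += 1
    return groups

def flag_autostart(sections):
    """Added or modified entries under autostart/extension locations deserve a closer look."""
    hits = []
    for name in ("Keys added", "Values added", "Values modified"):
        for entry in sections.get(name, []):
            if any(h in normalize_hive(entry).lower() for h in AUTOSTART_HINTS):
                hits.append((name, entry))
    return hits
```

On a real capture, read the comparison text Regshot writes to its Output path into `parse_regshot`, then run `count_mismatches`, `group_added_keys` and `flag_autostart` on the result.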

Malware Removal Forensics:

Conclusively, the easiest way to get a clean forensic examination of which files were affected during the stay of the malware is to obtain the results from a malware scanner such as Malware Bytes and AdwCleaner.

A. Malware Bytes Analysis

To tell, finally, which malware or trojans were packed inside Conduit, we do a full scan. First, make sure that it is fully updated by starting the program and allowing it to update.


FIGURE 12: UPDATING MALWARE BYTES


FIGURE 13: SCANNING WITH MALWARE BYTES

When you are ready for the scan, press Fix Now. It should take a while to scan, perhaps 15 to 20 minutes depending on how much RAM is allocated to your VM, the number of files on your computer, and the processor speed.

FIGURE 14: CLICKING ON REVIEW DETECTED ITEMS

For a full forensic analysis of which files were identified as malware infections, you can click on Review Detected Items. After the scan, you should be able to copy the forensic analysis to the clipboard by clicking on Copy to Clipboard.


FIGURE 15: MALWARE ITEMS DETECTION

Then open Notepad and press Ctrl + V, or choose Edit >> Paste.


FIGURE 16: MALWARE BYTES FORENSIC LOG

B. Adwcleaner Analysis

After this process of Malware Bytes forensics, we are going to run AdwCleaner to remove malicious entries from the registry.


FIGURE 17: SCAN WITH ADWCLEANER

Press Scan when you are ready to do the cleaning in the registry.

FIGURE 18: FIREFOX ARTIFACTS UNCOVERED WITH ADWCLEANER


When you are done with the scan, it produces a logfile you can look at and save as forensic evidence of which places in the browser and registry it has affected. Let's click on Logfile to generate a log of what we need to acquire as forensic artifacts and evidence.

FIGURE 19: LONG LIST OF ARTIFACTS ACQUIRED BY ADWCLEANER

As you can see, it detected malicious keys in the registry such as HKCU\Software\Conduit and [x64] HKCU\Software\Conduit. There were also indications of modifications within Firefox. These can also be used as forensic evidence of what changed in the Firefox artifacts.

Conclusion:

Now you may have a better grasp of how to analyze malware. Though there are a lot of limitations, such as anomalous code and tricky parts that are undetectable by Procmon and Regshot, we can see it is painstakingly great that anti-virus researchers and other code researchers have brought wonderful, amazing solutions to the table. Once there are definitions of the malware in the scanners, Malware Bytes and AdwCleaner, we can see that they are a viable alternative for finding forensic evidence, including many great objects that we can bring in as artifacts for the "crime scene investigation". We can also see that reverse engineering may only get us so far, and may lead us into cryptic confusion, unless we have the right malware definitions.

Recommendations:

After you have read this guide, I have many recommendations for you. To ensure that your computer is safe and sound, it is good to regularly update your malware definitions to the latest. And if you have malware infections on your computer, it is good to run scans with Malware Bytes. If you have a hijacked homepage or web browser in general (including toolbars and nonsense that may pop up), it is good to free it up by running AdwCleaner, whose sole purpose is to bring the browser back to normal after a restart of your computer. So don't forget that you do not always have to waste time reformatting your computer, even if your disk has been infected with hundreds or thousands of instances of malware. Your lucky bet may just be the right software to clean out the malware.

Appendix:

APPENDIX 1: THE MALWARE FORENSICS CYCLE

1. Malware victimizes the sandbox (virtual machine).
2. Initial forensic analysis with Procmon and Regshot.
3. Complete forensic analysis with Malware Bytes and AdwCleaner.
4. Cleansing process.
5. Record logs.
6. Report writing and research. If you want to continue with the research, repeat the cycle in a safe sandbox.