Introduction To Malware Analysis With Procmon and Other Tools Written by Nathan Chan
Table Of Contents:
Introduction (p. 3)
Scope (p. 3)
Limitations (p. 3)
About Malware (p. 4)
Tools Preparation (p. 4)
The Setup (p. 4)
Forensic Analysis Process (p. 7)
Running The Malware: Conduit Toolbar (p. 7)
Procmon Analysis (p. 12)
Regshot Analysis (p. 15)
Malware Removal Forensics (p. 17)
Malwarebytes Analysis (p. 17)
AdwCleaner Analysis (p. 21)
Conclusion (p. 23)
Recommendations (p. 24)
Appendix (p. 24)
Introduction:
In today’s cyber world, malware has thoroughly infiltrated our computers in many forms: the typical computer virus, the crawling worm, the stealthy Trojan horse, the merciless ransomware, the annoying spyware and adware, and the creepy scareware. The purpose of this paper is to teach you how to analyze malware and clean it out, just as a virologist finds the appropriate antidote for an epidemic. The tools used in the artifact analysis include Free Cloud VPN, VMware Workstation 11, Regshot, and the featured Microsoft Sysinternals tool, Procmon. For the cleaning process, I will show you how to use Malwarebytes and AdwCleaner to remove the malware. Malwarebytes and AdwCleaner also offer a different perspective on where the forensic artifacts truly lie, since each keeps a record of what it found (including accurate logs) while cleaning the malware out. Together, these tools will teach you how to sleuth out malware in a pragmatic and orderly way. As when dissecting any specimen, you must appreciate the complexity of this electronic virology and know it inside and out to analyze it completely.
Scope:
The primary scope of this project is that this report will serve as a practical guide to dissecting malware with VMware Workstation 11 as the sandbox (a container for the electronic specimen so that it cannot infect anything outside). The incentive for using VMware Workstation is that it can take snapshots of the virtualized operating system I am using, Windows 7 Enterprise. If I make several mistakes along the way, I can revert to an earlier snapshot without having to rebuild the whole VM and start over, which saves a lot of work and time. Forensically speaking, this project is a guide aimed at people specializing in cybercrime, and it teaches the average computer professional how to dissect a piece of malware using the Sysinternals tool Process Monitor together with Regshot, and how to clean it out using Malwarebytes and AdwCleaner.
Limitations:
There are limitations to analyzing malware. Because malware such as Conduit Toolbar is anomalous and “trojanic”, I am unable to list every registry key’s function, since that can only be verified from the source code and the knowledge of the malware author. But I will provide the main registry keys that were affected during the installation of the malware, and I will provide information about which files were created and closed by the program as recorded by Procmon. I will also do a comparative analysis of which registry records were added, using Regshot.
About Malware:
Malware is often described simply as bad programs: the French word for bad is “mal”, meaning harmful or malicious. So what are we usually looking for in malware? We are usually looking for processes that are suspicious. Sometimes they bear no icon, and the program carries no certificate showing that it comes from a verified signer. The publisher field may show a company name or none at all; it really depends on who made the malware. Sometimes it is even “legitimate” malware, but then it usually presents terms of agreement before you install the program, with suggestive wording indicating that it will spy on your computer. The algorithmic process is usually extremely complex, which makes it hard for the average person to clean the malware, and it would take a heck of a long time to detect without the proper tools. Annoying malware can do things like hijacking your browser’s homepage and adding toolbars that were never meant to be there, without your permission. It usually also sends your information to a target host or server that mines it in exchange for blackhat money.
Tools Preparation:
To prepare for the big lab, we need the following tools. You can download them at these sites:
An evaluation version of Windows 7 Enterprise (90-day edition): http://www.microsoft.com/en-us/evalcenter/evaluate-windows-7-enterprise
VMware Workstation 11 (the trial version will do): http://www.vmware.com
Process Monitor: https://technet.microsoft.com/en-ca/sysinternals/bb896645.aspx
7-Zip, for extracting the .7z file that Regshot ships in: http://www.7-zip.org/
Regshot, for taking before and after pictures of the registry for comparison: http://sourceforge.net/projects/regshot/
Malwarebytes, for cleaning out the malware and getting a forensic log of the artifacts: https://www.malwarebytes.org/
AdwCleaner, for cleaning the hijacked home page and gathering web browser forensics: https://toolslib.net/downloads/viewdownload/1-adwcleaner/
The Setup:
The first step to your success in malware analysis is to download the tools mentioned above. You will get a better grasp of them once I show you how to use each one. Before we get into the VMware process, we need to set up a VPN called Free Cloud VPN to masquerade your IP address. For this example, I will use Windows 8 to demonstrate. First, click on the Network icon in the bottom-right corner of your taskbar.
FIGURE A: CLICK ON CONNECTION SETTINGS 1
Then, click on View Connection Settings.
FIGURE B: CLICK ON CONNECTION SETTINGS 2
Click on Add a VPN Connection.
FIGURE C: CONFIGURE THE VPN SETTINGS USING FREECLOUDVPN.COM
Under your VPN connections, change the settings to the following:
VPN Type: PPTP VPN
VPN Encryption: Enabled (Auto)
US VPN Hostname: us.freecloudvpn.com
US VPN Username: freecloudvpn.com
US VPN Password: 2724
For VMware Workstation, make sure that you save a snapshot after you have downloaded all the programs. You can name it ‘VMTools Installed Before Infection’. Taking snapshots along the way is the way to go, in case you run into trouble later. Another important point with VMware Workstation is that you want to isolate your sandbox on a different gateway before the analysis. Under the VM menu, click on Settings, then click on Network, and choose NAT (Network Address Translation) under Network Adapter.
For this research, I have chosen a non-lethal, adware-based malware. It is not a worm, whose main objective is to spread through your computer and network, finding places to hide and exploiting vulnerabilities to travel across the network. It is basically spyware. Spyware usually contains a trojan component so that it can send information from your computer to a remote host. You can download the malware, or potentially unwanted program, by doing a simple Google search for Conduit Toolbar.
Many people complain about Conduit Toolbar because it consumes a lot of memory and CPU; as a result, their applications can take a long time to start, or a given process can take a long time to load. Conduit Toolbar is categorized as grayware, or non-malicious spyware.
Before we begin, it is necessary to start the artifact monitoring with Procmon and Regshot running in the background.
For Regshot, we will take our very first snapshot before the malware infection starts. Please open Regshot.
1. Click on 1st Shot.
2. Make sure you have the right Output path.
FIGURE 1: FIRST CAPTURE WITH REGSHOT
Please keep Regshot open until we finish the complete analysis of the spyware.
A site for downloading the malware is: http://conduit.ourtoolbar.com/. Once it is downloaded to your computer, perhaps to your Documents or Downloads folder, you can proceed to execute it. Note that this malware is infamous for creating a toolbar in your browser and hijacking your homepage for advertising purposes. Please rename the Conduit file, tb_Conduit.exe, to conduitMalware.exe for examination and educational purposes.
Forensic Analysis Process:
A. Running The Malware – Conduit Toolbar
When you are ready, you can run the malware, Conduit Toolbar. Double-click on the binary file to execute it. It will go through the installation process.
FIGURE 2: CONDUIT TOOLBAR INSTALLATION SCREEN 1
When you are prompted, check the options that state “Set my default search and homepage to Trovi Search” and “I allow my current home page and default search settings to be stored for easy reverting later”. These are to be checked because the average user, who is forced to install programs bundled with the Conduit spyware, will most likely click these checkboxes. Note that this is considered “legit” or “legal” spyware (grayware), because it has a policy below stating that “this toolbar may contain apps that access, collect and use your personal data, including your IP address and the address and content of web pages you visit”. The text is not conspicuous, and the average user will usually skip over it. But it is a critical piece of information for us in understanding why this is “legal” spyware (grayware) after all.
So, click Agree and Install to proceed to the next step. Since we are only analyzing the spyware toolbar and the hijacking of the homepage, we do not need to worry about the next few offers, such as ScreenGlaze, a smart-search-powered screen saver.
FIGURE 3: CONDUIT TOOLBAR - SKIP ALL
When you are ready, click on Skip All.
FIGURE 4: CONDUIT TOOLBAR – INSTALLATION COMPLETE
The installation should be complete thereafter. You can click on Finish, and the process will stop.
FIGURE 5: CONDUIT TOOLBAR PROMPTS INSTALLATION ON FIREFOX
Next, your default browser, Firefox in my case, will pop up. Check the box Allow this installation and then click on Continue.
FIGURE 6: CONDUIT TOOLBAR AND HOMEPAGE HIJACKING PRE-STAGE
From this point on, Firefox will install the Conduit toolbar (malware). After that, click Finish and you will see that the Conduit Toolbar has hijacked your homepage.
FIGURE 7: CONDUIT TOOLBAR INSTALLATION FINISHES
At this point, you can restart Firefox.
FIGURE 8: CONDUIT TOOLBAR INSTALLATION FINISHES
You will see that your homepage has been temporarily hijacked by the adware, Conduit. This should be all that the malware visibly intends to do. Other than that, it trojanizes your system and spies on it every once in a while, but those effects go unnoticed. Your system should have slowed down a lot by this point.
B. Procmon Analysis
In Procmon, we will filter on the Conduit Toolbar process by Process Name, since that is the most relevant piece for our analysis.
For Operation, we also need to filter on CreateFile and CloseFile to see what it does to spawn files and close them. Sometimes malware also propagates by creating new specimens, for example in the C:/TEMP folder, where they are not obvious and are hard to unravel and clean up. What problematic software will do to your computer is always unpredictable. We will not analyze the registry side of it yet, as that comes later in our Regshot forensic analysis.
FIGURE 9: ANALYSIS OF PROCMON CREATING FILES
When we filter on wsmallstub.exe, the malware specimen we are analyzing, we can see that it creates the following files, and more, as shown on the screen:
C:\Windows\System32\wow64.dll
C:\Windows\System32\wow64win.dll
C:\Windows\System32\wow64cpu.dll
C:\Windows\System32\wow64log.dll
C:\Users\Nathan\AppData\Local\Temp\RarSFX0
C:\Windows\SysWOW64\sechost.dll
C:\Users\Nathan\AppData\Local\Temp\RarSFX0\version.DLL
C:\Windows\SysWOW64\version.dll
C:\Windows\SysWOW64\apphelp.dll
C:\Windows\AppPatch\sysmain.sdb
C:\Users\Nathan\AppData\Local\Temp\RarSFX0\wsmallstub.exe
C:\Users\Nathan\AppData\Local\Temp\RarSFX0
C:\Windows\AppPatch\AcLayers.dll
C:\Users\Nathan\AppData\Local\Temp\RarSFX0\WINSPOOL.DRV
C:\Users\Nathan\AppData\Local\Temp\RarSFX0\MPR.dll
C:\Windows\SysWOW64\imm32.dll
C:\Users\Nathan\AppData\Local\Temp\RarSFX0\icon.ico
C:\Windows\SysWOW64\uxtheme.dll
C:\Windows\SysWOW64\msxml3.dll
C:\Windows\SysWOW64\en-US\KernelBase.dll.mui
C:\Windows\SysWOW64\msxml3r.dll
C:\Users\Nathan\AppData\Local\Temp\RarSFX0\stub_settings.xml
C:\Users\Nathan\AppData\Local\Temp\RarSFX0\Secur32.dll
C:\Windows\Globalization\Sorting\SortDefault.nls
C:\Users\Nathan\AppData\Local\Microsoft\Windows\Temporary Internet Files
C:\Users\Nathan\AppData\Local\Temp\RarSFX0\api-ms-win-downlevel-advapi32-l2-1-0.dll
C:\Windows\SysWOW64\api-ms-win-downlevel-advapi32-l2-1-0.dll
C:\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.18201_none_ec80f00e8593ece5
C:\Windows\SysWOW64\winhttp.dll
C:\Windows\SysWOW64\webio.dll
C:\Windows\SysWOW64\mswsock.dll
C:\Windows\SysWOW64\wship6.dll
C:\Users\Nathan\AppData\Local\Temp\RarSFX0\IPHLPAPI.DLL
C:\Users\Nathan\AppData\Local\Temp\RarSFX0\WINNSI.DLL
C:\Windows\SysWOW64\winnsi.dll
After creating the files, it closes each one once it is done with it.
FIGURE 10: ANALYSIS OF PROCMON CLOSING FILES
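The triage below is an added example (not the paper's own code) that applies this section's Process Name and CreateFile filters to a Procmon "Save as CSV" export, with one caveat the screenshot cannot show: Procmon's CreateFile operation records the CreateFile API, which also opens existing files, so the OpenResult field in the Detail column is what separates files the process actually wrote (Created) from DLLs it merely loaded (Opened). The CSV rows are constructed: the process name and most paths come from the page, while the PID, the timestamps, the explorer.exe row and missing.dll are made up.

```python
import csv
import io
import re

# Constructed sample of a Procmon "Save as CSV" export (its default columns).
# The process name and most paths are the ones the paper lists; the PID, the
# times, the explorer.exe row and missing.dll are made up for the example.
SAMPLE_CSV = r'''"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"1:02:03.0000001 PM","wsmallstub.exe","1234","CreateFile","C:\Windows\SysWOW64\version.dll","SUCCESS","Desired Access: Read Data/List Directory, Execute/Traverse, Synchronize, Disposition: Open, Options: Synchronous IO Non-Alert, Non-Directory File, Attributes: n/a, ShareMode: Read, Delete, AllocationSize: n/a, OpenResult: Opened"
"1:02:03.0000002 PM","wsmallstub.exe","1234","CloseFile","C:\Windows\SysWOW64\version.dll","SUCCESS",""
"1:02:03.0000003 PM","wsmallstub.exe","1234","CreateFile","C:\Users\Nathan\AppData\Local\Temp\RarSFX0\stub_settings.xml","SUCCESS","Desired Access: Generic Write, Read Attributes, Disposition: OverwriteIf, Options: Synchronous IO Non-Alert, Non-Directory File, Attributes: N, ShareMode: Read, AllocationSize: 0, OpenResult: Created"
"1:02:03.0000004 PM","wsmallstub.exe","1234","CreateFile","C:\Users\Nathan\AppData\Local\Temp\RarSFX0\icon.ico","SUCCESS","Desired Access: Generic Read, Disposition: Open, Options: Synchronous IO Non-Alert, Non-Directory File, Attributes: n/a, ShareMode: Read, AllocationSize: n/a, OpenResult: Opened"
"1:02:03.0000005 PM","wsmallstub.exe","1234","CreateFile","C:\Windows\SysWOW64\missing.dll","NAME NOT FOUND","Desired Access: Read Attributes, Disposition: Open, Options: Open Reparse Point, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a"
"1:02:03.0000006 PM","explorer.exe","999","CreateFile","C:\Windows\explorer.exe","SUCCESS","Desired Access: Generic Read, Disposition: Open, Options: Synchronous IO Non-Alert, Non-Directory File, Attributes: n/a, ShareMode: Read, AllocationSize: n/a, OpenResult: Opened"
'''

# OpenResult values that mean the call produced new file content, as opposed
# to opening something that was already on disk.
WROTE_NEW = {"Created", "Overwritten", "Superseded"}


def triage_createfile(csv_text, process_name):
    """Successful CreateFile events of one process, split into files it actually
    wrote (OpenResult in WROTE_NEW) and files it merely opened, e.g. DLL loads."""
    created, opened = [], []
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["Process Name"].lower() != process_name.lower():
            continue  # the Process Name filter from the paper
        if row["Operation"] != "CreateFile" or row["Result"] != "SUCCESS":
            continue  # the Operation filter; a failed open created nothing
        m = re.search(r"OpenResult: (\w+)", row["Detail"])
        if m and m.group(1) in WROTE_NEW:
            created.append(row["Path"])
        else:
            opened.append(row["Path"])
    return created, opened


def dropped_in_temp(paths):
    """Subset of paths under a user's AppData\\Local\\Temp, the RarSFX0 drop
    folder on the page; files written there deserve a closer look."""
    return [p for p in paths if re.search(r"\\AppData\\Local\\Temp\\", p, re.I)]


if __name__ == "__main__":
    created, opened = triage_createfile(SAMPLE_CSV, "wsmallstub.exe")
    print("written:", created)
    print("opened:", opened)
    print("dropped in Temp:", dropped_in_temp(created))
```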
C. Regshot Analysis
FIGURE 11: SECOND CAPTURE WITH REGSHOT
We will take another snapshot after the execution of the malware.
1. Please press 2nd shot when you’re ready.
2. Please locate your output path as well by pressing on …
Upon analysis, we find that 51 keys have been added.
HKU\S-1-5-21-3479963163-2589350846-1209574490-1000\Software\AppDataLow\Software\Smartbar
These registry entries presumably create the Smartbar adware. Again, this goes undetected by the average user, because the average user doesn’t know how to go into the registry and view the changes.
HKU\S-1-5-21-3479963163-2589350846-1209574490-1000\Software\AppDataLow\Software\Smartbar\AppPaths
This registry entry defines the path where the Smartbar adware is located.
HKU\S-1-5-21-3479963163-2589350846-1209574490-1000\Software\AppDataLow\Software\Smartbar\FF
HKU\S-1-5-21-3479963163-2589350846-1209574490-1000\Software\AppDataLow\Software\Smartbar\UninstallerData
This registry entry probably gets overwritten and deleted when the Smartbar (Conduit) adware is uninstalled. But we cannot guarantee deletion unless we use Malwarebytes and AdwCleaner.
HKU\S-1-5-21-3479963163-2589350846-1209574490-1000\Software\AppDataLow\Software\Smartbar\UninstallerData\CT408137
HKU\S-1-5-21-3479963163-2589350846-1209574490-1000\Software\AppDataLow\Software\Smartbar\UninstallerData\CT408137\FF
HKU\S-1-5-21-3479963163-2589350846-1209574490-1000\Software\Microsoft\Internet Explorer\LowRegistry\Audio\PolicyConfig\PropertyStore\42008bfa_0\{219ED5A0-9CBF-4F3A-B927-37C9E5C5F14F}
This registry entry and the ones below it modify the Internet Explorer process.
HKU\S-1-5-21-3479963163-2589350846-1209574490-1000\Software\Microsoft\Internet Explorer\LowRegistry\Audio\PolicyConfig\PropertyStore\a723b4e6_0
HKU\S-1-5-21-3479963163-2589350846-1209574490-1000\Software\Microsoft\Internet Explorer\LowRegistry\Audio\PolicyConfig\PropertyStore\a723b4e6_0\{219ED5A0-9CBF-4F3A-B927-37C9E5C5F14F}
These entries are only part of the 51 keys that were added. The full list is too long to include; that is the limitation, since spyware touches a great many keys and can propagate itself.
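As an added example (not the paper's or Regshot's own code), here is the comparison Regshot performs between the 1st and 2nd shot, written out over two constructed snapshots: a snapshot is modelled as a mapping from key path to its values, the diff reports keys and values added, deleted and modified, and the added keys are collapsed to their top-most added ancestors so that a 51-key list shrinks to a few roots to investigate. The key paths are the Smartbar and Conduit ones from this paper; the value names and data are constructed, and the HKU\<SID> to HKCU rewrite makes Regshot's key names comparable with the HKCU\Software\Conduit form that AdwCleaner's log uses later in the paper.

```python
import re

# Constructed before/after registry snapshots, modelled as
# {key path: {value name: data}}. The key paths are the ones the paper lists
# from Regshot; the value names and data are made up for the example.
USER = r"HKU\S-1-5-21-3479963163-2589350846-1209574490-1000"
IE_MAIN = USER + r"\Software\Microsoft\Internet Explorer\Main"
SMARTBAR = USER + r"\Software\AppDataLow\Software\Smartbar"

BEFORE = {
    IE_MAIN: {"Start Page": "about:blank"},
    USER + r"\Software\Mozilla": {},
}
AFTER = {
    IE_MAIN: {"Start Page": "http://search.example/"},  # constructed hijack value
    USER + r"\Software\Mozilla": {},
    SMARTBAR: {},
    SMARTBAR + r"\AppPaths": {"Path": "<constructed install dir>"},
    SMARTBAR + r"\FF": {},
    SMARTBAR + r"\UninstallerData": {},
    SMARTBAR + r"\UninstallerData\CT408137": {},
    SMARTBAR + r"\UninstallerData\CT408137\FF": {},
    USER + r"\Software\Conduit": {},
}


def diff_snapshots(before, after):
    """Regshot-style comparison of two snapshots: keys added/deleted and
    values added/deleted/modified, each list sorted for stable reports."""
    report = {"keys_added": sorted(after.keys() - before.keys()),
              "keys_deleted": sorted(before.keys() - after.keys()),
              "values_added": [], "values_deleted": [], "values_modified": []}
    for key in sorted(before.keys() & after.keys()):
        b, a = before[key], after[key]
        report["values_added"] += [(key, n, a[n]) for n in sorted(a.keys() - b.keys())]
        report["values_deleted"] += [(key, n, b[n]) for n in sorted(b.keys() - a.keys())]
        report["values_modified"] += [(key, n, b[n], a[n])
                                      for n in sorted(a.keys() & b.keys()) if a[n] != b[n]]
    return report


def normalize_hive(key):
    """Rewrite HKU\\<user SID> (how Regshot names the current user's hive)
    as HKCU (how AdwCleaner's log names it) so findings can be cross-matched."""
    return re.sub(r"^HKU\\S-1-5-21(?:-\d+)+(?=\\)", "HKCU", key)


def added_key_roots(report):
    """Collapse added keys to the top-most added ancestors, with the number of
    added keys under each, so a long Regshot list becomes a few roots to inspect."""
    added = set(report["keys_added"])
    roots = [k for k in added
             if not any(k.startswith(o + "\\") for o in added if o != k)]
    return {normalize_hive(r): sum(1 for k in added if k == r or k.startswith(r + "\\"))
            for r in sorted(roots)}


if __name__ == "__main__":
    rep = diff_snapshots(BEFORE, AFTER)
    print("Keys added:", len(rep["keys_added"]))
    for key, name, old, new in rep["values_modified"]:
        print("modified", normalize_hive(key), name, repr(old), "->", repr(new))
    for root, n in added_key_roots(rep).items():
        print(f"{n:3d} added key(s) under {root}")
```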
Malware Removal Forensics:
In the end, the easiest way to get a clean forensic picture of which files were affected during the malware’s stay is to obtain the results from a malware scanner such as Malwarebytes and AdwCleaner.
A. Malwarebytes Analysis
To tell, finally, which malware or trojans were packed inside Conduit, we do a full scan.
First, make sure that the program is fully updated by starting it and allowing it to update.
FIGURE 12: UPDATING MALWAREBYTES
FIGURE 13: SCANNING WITH MALWAREBYTES
When you are ready for the scan, press Fix Now. The scan should take a while, perhaps 15 to 20 minutes, depending on how much RAM is allocated to your VMware guest, the number of files on your computer, and the processor speed.
FIGURE 14: CLICKING ON REVIEW DETECTED ITEMS
For a full forensic analysis of which files were identified as malware infections, you can click on Review Detected Items.
After the scan, you can copy the forensic analysis to the clipboard by clicking on Copy to Clipboard.
FIGURE 15: MALWARE ITEMS DETECTION
Then open up Notepad and press Ctrl + V, or use Edit >> Paste.
FIGURE 16: MALWAREBYTES FORENSIC LOG
B. AdwCleaner Analysis
After the Malwarebytes forensics, we are going to use AdwCleaner to remove malicious entries from the registry.
FIGURE 17: SCAN WITH ADWCLEANER
Press Scan when you are ready to clean the registry.
FIGURE 18: FIREFOX ARTIFACTS UNCOVERED WITH ADWCLEANER
When the scan is done, it produces a logfile you can look at and save as forensic evidence of which places in the browser and registry it has affected.
Let’s click on Logfile to generate a log of what we need to acquire as forensic artifacts and evidence.
FIGURE 19: LONG LIST OF ARTIFACTS ACQUIRED BY ADWCLEANER
As you can see, it detected malicious keys in the registry such as HKCU\Software\Conduit and [x64] HKCU\Software\Conduit. There were also indications of modifications within Firefox. These can also be used as forensic evidence of what changed in the Firefox artifacts.
Conclusion:
Now you may have a better grasp of how to analyze malware. Although there are many limitations, such as anomalous code and tricky parts that Procmon and Regshot cannot detect, it is painstakingly great that anti-virus researchers and other code researchers have brought wonderful, amazing solutions to the table. Once the scanners Malwarebytes and AdwCleaner have definitions for the malware, they become a viable alternative for finding forensic evidence, including many useful objects that we can bring in as artifacts for the “crime scene investigation”. We also know that reverse engineering may only get us so far, and may lead us into cryptic confusion, unless we have the right malware definitions.
Recommendations:
After you have read this guide, I have several recommendations for you. To ensure that your computer is safe and sound, it is good to regularly update your malware definitions to the latest version. And if you have malware infections on your computer, it is good to run scans with Malwarebytes. If you have a hijacked homepage or web browser in general (including toolbars and other nonsense that may pop up), it is good to free it up by running AdwCleaner, whose sole purpose is to bring the browser back to normal after a restart of your computer. So don’t forget that you do not always have to waste time reformatting your computer, even if your disk has been infected with hundreds or thousands of instances of malware. Your lucky bet may just be the right software to clean out the malware.
Appendix:
APPENDIX 1: THE MALWARE FORENSICS CYCLE
1. Malware victimizes the sandbox (virtualization machine).
2. Initial forensic analysis with Procmon and Regshot.
3. Complete forensic analysis with Malwarebytes and AdwCleaner.
4. Cleansing process.
5. Record logs.
6. Report writing and research. If you want to continue with the research, repeat the cycle in a safe sandbox.