Sunday, December 13, 2009

How to tell if an unknown file is a legitimate or a malware file

This article is intended mainly for HJT helpers and trainees. Prior knowledge and expertise in the Windows OS is required. None of the steps below is 100% accurate; you will need to combine several steps in this guide in order to reach a confident conclusion.



Step 1. There are four rules of thumb by which you can tell within seconds that an unknown file is a malware file:

1) The name of the file or folder is randomly generated or makes absolutely no sense. These types of files typically return zero results in search engines.

Ex: c:\p0sdn8flqy.exe

2) The malware uses a name that is similar to the name of a legitimate file (commonly windows file) within the same folder.

Ex: legitimate = c:\windows\system32\lsass.exe

malware = C:\windows\system32\lsasss.exe

3) The malware uses the exact name of a legitimate file, commonly a windows file but in another folder.

Ex: legitimate = C:\windows\explorer.exe

malware = c:\windows\system32\explorer.exe

4) The malware uses a name that is commonly used only by malware, e.g. startup file names with controversial words somewhere in the name, the names of celebrities, non-alphanumeric characters, or white space.

Ex: c:\windows\system32\crack.dll
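As an added example (not code from the original post), here is a small Python triage function that applies the four rules above to a file path. The table of known Windows files, the vowel-ratio proxy for "random looking" names and the list of suspicious words are assumptions and deliberately small.

```python
# Added example (not part of the original post): heuristic triage of a file
# path against the four rules of thumb above. The table of known Windows files
# and the list of suspicious words are deliberately small assumptions.
import ntpath
import re
from difflib import SequenceMatcher

# Assumption: a tiny table of legitimate Windows files and the folder each one
# belongs in. A real check would use a full inventory from a clean machine.
KNOWN_FILES = {
    "lsass.exe": r"c:\windows\system32",
    "svchost.exe": r"c:\windows\system32",
    "winlogon.exe": r"c:\windows\system32",
    "explorer.exe": r"c:\windows",
}

# Assumption: words that rarely appear in legitimate startup entries (rule 4).
SUSPICIOUS_WORDS = ("crack", "keygen", "hack")


def looks_random(stem):
    """Rule 1: a crude stand-in for 'zero search-engine hits'. Flags names
    with (almost) no vowels, or digits wedged between letters plus few vowels,
    e.g. p0sdn8flqy. Short names are skipped because many legitimate system
    files (cmd, csrss, dwm) are vowel-poor abbreviations; some longer
    vowel-free legitimate names will still be flagged, so treat a hit as a
    reason to look closer, not as a verdict."""
    letters = [c for c in stem if c.isalpha()]
    if len(stem) < 6 or not letters:
        return False
    vowel_ratio = sum(c in "aeiou" for c in letters) / len(letters)
    interior_digits = re.search(r"[a-z]\d+[a-z]", stem) is not None
    return vowel_ratio < 0.1 or (interior_digits and vowel_ratio < 0.25)


def triage_path(path):
    """Return the sorted list of rule numbers (1-4) that fire for `path`.
    An empty list means none of the four quick checks matched, which is
    not proof that the file is clean."""
    norm = path.lower().replace("/", "\\")
    folder, name = ntpath.split(norm)
    stem, _ext = ntpath.splitext(name)
    hits = set()

    if looks_random(stem):
        hits.add(1)

    for known, known_folder in KNOWN_FILES.items():
        if name == known:
            # Rule 3: the exact legitimate name, but in the wrong folder.
            if folder != known_folder:
                hits.add(3)
        elif SequenceMatcher(None, name, known).ratio() >= 0.85:
            # Rule 2: a near-miss of a legitimate name (lsasss vs lsass).
            hits.add(2)

    # Rule 4: words typical of malware, or whitespace / odd characters in the
    # name itself (underscore, dot and hyphen are allowed).
    if any(w in stem for w in SUSPICIOUS_WORDS) or re.search(r"[^a-z0-9_.\-]", name):
        hits.add(4)

    return sorted(hits)


if __name__ == "__main__":
    for p in (r"c:\p0sdn8flqy.exe", r"C:\windows\system32\lsasss.exe",
              r"c:\windows\system32\explorer.exe", r"c:\windows\system32\crack.dll",
              r"c:\windows\system32\lsass.exe"):
        print(p, "->", triage_path(p) or "no rule fired")
```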

Step 2.

Sunday, November 29, 2009

Virmansec Event Success!

Elhamdulilah, the presentation I gave on Conficker at the Microsoft Innovation Center, Riyadh, was a success.

The presentation can be downloaded from here:
http://staff.kfupm.edu.sa/coe/shafei/downadup.zip

The PowerPoint slides are mostly pictures and may not be of much benefit to those who haven't attended. However, a lot of the technical information has already been mentioned here on this blog. The presentation style was inspired by the best presentation gurus, such as:
- bio/intro and overall structure as by Garr Reynolds
- slides and graphics as by Dick Hardt and Seth Godin
- speaking freely as by Guy Kawasaki
- walking freely as by Steve Riley

Running the PowerPoint will be a bit heavy on a Windows OS. I had to optimize my operating system in order for it to run smoothly on a projector with no lag at all. This is what I did to have a lag-free presentation:
1. Disabled all real-time protection tools including firewall. (assuming you are not connected to the internet)
2. Disabled automatic updates
3. Disabled Task Scheduler via services mmc
4. Disabled screensaver, and all power saving options.
5. Disabled wireless connection and all related processes. (left bluetooth on for my bluetooth mouse/pointer)
6. Disabled all unnecessary processes. In my task manager I had a total of 28 processes left running on an XP machine. I preferred not to disable other OS processes because I had to run a demo on the same machine.

Wednesday, November 4, 2009

Conficker Presentation at Riyadh


God willing, I will be doing a presentation at the Microsoft Innovation Center on fighting the Conficker worm. This is a highly technical presentation mainly targeted at enterprise environments. The presentation includes live demos on infected machines. Microsoft Corporation (MSFT), Virmansec and R-Tech will be sponsoring the event.
The presentation covers all possible techniques in detecting and removing conficker for enterprises.

Attendance and registration are free. Snacks and refreshments are also free. If you are in Riyadh, please take the time to read about and register for the event here:
http://www.eventbrite.com/event/472252520

Advanced knowledge of Windows NT operating systems and Active Directory is a must.

Monday, November 2, 2009

Server 2008 RMS Installation Problem

I spent a few days trying to implement a simulation environment to test Windows Rights Management Services and some third-party plugins on a native Server 2008. Every time I attempted to install RMS 2008 I was confronted with the following error message:

Error: Attempt to configure Active Directory Rights Management Server failed. An error was encountered while trying to provision AD RMS. Remove and re-install AD RMS to attempt provisioning again.


Despite uninstalling/reinstalling the RMS service several times and verifying all the prerequisites, the error message still popped up. I followed every single line in the Microsoft guide, yet the error reappeared. There were absolutely no log files or events to explain the cause of the error. Also, I couldn't find any solution on the internet that worked.
Almost giving up, my partner and I resorted to an unexpected solution..... changing the AD domain name.
RMS 2008 seemed to dislike single-letter domain names such as A.com and B.com, which we initially tried to use. This was a bit strange, since RMS 2003 worked fine with these same test domain names.

So changing the domain name to demo.com seemed to work for us in getting rid of the mysterious error message.

With courtesy of Samer Alotaiby.

Wednesday, October 21, 2009

3,200 Reported Account Hijackings on Facebook, Twitter

If you're on Facebook, Twitter or any other social networking site, you could be the next victim.
That's because more cyberthieves are targeting increasingly popular social networking sites that provide a gold mine of personal information, according to the FBI. Since 2006, nearly 3,200 account hijacking cases have been reported to the Internet Crime Complaint Center, a partnership between the FBI, the National White Collar Crime Center and the Bureau of Justice Assistance.
Continue reading:
http://edition.cnn.com/2009/CRIME/10/19/social.networking.crimes/index.html?iref=mpstoryview

From the article:

How to protect yourself against social media scams:
- Change your passwords frequently
- Adjust Web site privacy settings
- Be selective when adding friends
- Limit access to your profile to contacts you trust
- Disable options such as photo sharing
- Be careful what you click on
- Familiarize yourself with the security and privacy settings
- Learn how to report a compromised account
- Use security software that updates automatically

(Information provided by FBI and Internet security experts)

New Variant of Total Security Locks up Applications on Infected PCs

A new variant of scareware has been detected that not only inundates users with exhortations to purchase phony antivirus software called "Total Security 2009," but that also locks users out of nearly all applications until they purchase the disreputable product. Once their PCs are infected with the malware, the only program users can open is Internet Explorer, so they can navigate to the site and make a purchase.

More:
http://blogs.usatoday.com/technologylive/2009/10/new-twist-on-scareware-locks-up-your-pc.html
http://www.pcworld.com/article/173765/a_rogue_demands_a_ransom.html

Saturday, October 17, 2009

Removing Conficker/Downadup from Your Network Using Active Directory

A couple of security companies have provided some neat freeware tools for network administrators to clean up the Downadup worm within their business networks. Some examples of these tools are:
1. Kaspersky Administration kit
2. Bitdefender Network Removal Tool
3. Sophos Conficker Network Cleanup Tool

These tools provide an automated deployment and disinfection for multiple computers at once.

However, last May I was called to an enterprise client who was suffering from a Downadup outbreak. The client had approximately 4000 computers across 6-8 domains. There was one problem though: since the network tools were not provided by the antivirus vendor they had installed, the client was not comfortable installing any third-party software on their servers. Luckily, they were OK with using the tiny, fast and silent Kaspersky kk.exe program. Now I had to figure out how to run this tool across all the infected machines for each domain. This is how I did it:

Saturday, September 26, 2009

Investigating New Trends of Rogue Antiviruses - Part 2

Besides the randomly named sites that host the rogue antivirus pages, I have also noticed a huge amount of legitimate sites that have been compromised to direct traffic to the rogue antivirus domains.

Each compromised website contains a folder with a randomly generated five-letter name. That folder in turn contains another randomly generated folder of the same length, which holds hundreds of computer-generated infected PHP web pages.

Examples of the folders found on compromised legitimate sites, which I discovered via Google, are:

Examples of infected PHP pages taken from two of the compromised sites:
http://kingofthecageskennels.com/hoabe/sueno/survivors.php
http://trd3tv.net/qiqut/aejpc/pomegranate.php

The list of compromised sites continues to grow every hour.

Investigating New Trends of Rogue Antiviruses - Part 1

After being intrigued by the fact that my user name was being used as a keyword for developing malicious pages, I spent the past two weeks investigating the rogue antivirus pages further whenever I had some free time.

So far I have found the following main web pages, to which a lot of infected web pages direct their traffic:

The following domains are likely bot-generated sites that redirect traffic to the above malware sites:

Sunday, September 6, 2009

New Smitfraud Variant

I was searching for my username on Google today and found a malicious site that uses my username as a keyword. The malicious pages include the following URLs:

Each of the pages would redirect you to the following rogue antivirus pages:
hxxp://best-virus-scanner4.com/scan1/?pid=111&engine=pHT3zjjyMjE2Mi4xMzEuMjQmdGltZT0xMjUuMIEMPAZO
hxxp://fast-virus-scan9.com/scan1/?pid=111&engine=pHT22jzyMjE2Mi4xMzEuMjQmdGltZT0xMjUuMkEMPAlO

The web page displays a classic fake Explorer page, giving the impression that your hard-disk partitions are being scanned and malware has been found on the computer.
Clicking anywhere on the page will prompt you to download a new trojan named Antivirus_111.exe, which at the time I write this blog entry has no detections by any antivirus.

When uploaded to VirusTotal, the file produced the following results:

Sunday, August 16, 2009

Which is the best antivirus out there?

I have been asked this question almost every day by friends, family, colleagues, businesses and a lot of people I bump into. As a security expert, I find this question is not that easy to answer. In my opinion there is no best antivirus software. Each has its own advantages and disadvantages. Also, I tend not to rely on the various antivirus ratings/comparisons performed by third-party organisations and those found on the internet. Though they do represent accurate results depending on what test benches they use, they do not represent an accurate picture of the overall performance/quality of an antivirus software.

There is so much involved in evaluating an antivirus, such as:
1. Detection rates (which most antivirus ratings tend to focus on). For better accuracy, detection rates should be measured against the latest or existing malware out there on the internet. It would be pointless to evaluate the detection rate of an antivirus and compare it to others using extinct malware samples such as the Apropos rootkit, or even worse using virus samples from the DOS era.
2. Removal capabilities for active malware => a high detection rate does not necessarily mean the antivirus is capable of removing the infection after it detects it. An antivirus is rendered useless if it is unable to clean or remove a virus it detects. I have seen this quite often with highly rated antiviruses.
3. False positive considerations
4. Memory and CPU resources and scan times. People will refrain from installing an antivirus if it will hog their systems, regardless of how much you swear it is the best protection.
5. Rootkit, ADS, MBR detection+removal
6. Cleaning malware registry keys. A couple of antiviruses just remove virus files and leaves all associated registry items intact.
7. For businesses: integration with exchange, SAP, sharepoint, file servers, etc. and whatever is required to meet business needs.
8. Dealing with patched system files and file infectors.
9. How quick an antivirus responds to new threats and zero-day malware.
10. Customer experience with their support system for either businesses or home (not that important but worth mentioning).
11. Robustness => ideally a malware should not cripple or disable the antivirus or tamper with any of its files.

As a result, you will find that the results vary by huge proportions from one antivirus rating to another. The top 10 in one rating could be among the last 10 in another. For example, NOD32 is rated the 3rd best antivirus according to av-comparatives.org. But according to mtc.sri.com, NOD32 was ranked last among 30 antiviruses. In AV-Test it is ranked 15th.

Tuesday, July 28, 2009

The Best Freeware Tools to Detect and Remove the Conficker/Downadup/Kido worm

In my previous post I talked about how to manually clean and remove the Downadup worm. I wrote that article back in March 2009, when new variants of Downadup started to appear for which antivirus vendors hadn't yet developed definitions. However, since mid-April I haven't personally encountered any new or unique variants of Downadup. I started to do a quick evaluation of almost all the Conficker removal tools listed here:
http://isc.sans.org/diary.html?storyid=5860
The tests were made on infected live machines and networks. The results I have found are:

The best downadup detection tool:

Mcafee Conficker Detection Tool: http://www.mcafee.com/us/enterprise/confickertest.html
This program ROCKS! These are the only two products from McAfee that I would recommend every enterprise to have: SecureWeb and the McAfee Conficker Detection Tool.
The detection tool requires no installation, is very easy to use and is extremely fast. I have been using this tool since April, after McAfee fixed a bug in it. Every business I have recommended the tool to has highly praised it and loves it.

The best downadup removal tool:

I have found that the Kaspersky Kido Killer is the best so far. It requires no installation and no reboot for removal. It is very fast and effective. It has worked with the different variants that I have come across offline. Sadly, when I tested the Bitdefender Conficker removal tool (which I thought was good) on some machines, it did not successfully remove one of the variants, although it did detect it.

KK.exe has some neat command-line switches that not only remove the infection but can also restore the Windows services that were disabled (it does not restore Windows Defender and Security Center though), restore the display of hidden system files, disable autorun, restore the SafeBoot keys and many more.

I commonly use the following command line:
kk.exe -j -a -x -l report.txt

Windows Defender and the Windows Security Center can then be restored with the following command lines:
sc config wscsvc start= auto
sc config winDefend start= auto
sc start wscsvc
sc start WinDefend


The worst tool I came across was the Symantec Downadup removal tool. It took over 6 hours scanning and, since I am impatient, I gave up and had to abort it. I could not tell whether it actually detects or removes the worm.

Saturday, July 18, 2009

How to Manually Remove the Downadup/Conficker/Kido Worm

1. The quickest way to know if a Win 2k, 2k3, XP, Vista or 2k8 machine is infected, regardless of the Conficker variant (even if it uses a user-mode rootkit; such a rootkit only hides the DLL file and its service key), is by running this command line:
reg query "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost" /v netsvcs
I use a batch file to do this. Based on the results, you can then determine the randomly generated name of the infection's Windows service, e.g. abcde. It is usually found at the end of the list. If there is no randomly named service listed, then most likely Conficker is not there.

Another quick way to determine whether Conficker exists is by running GMER. The results of the quick scan that GMER runs on startup will show C:\windows\system32\svchost.exe as hidden and highlighted in red. But in the end, you will need to know the service name associated with Conficker by going through the netsvcs list.

2. End the svchost.exe process associated with netsvcs: use tasklist /svc to find its PID, then taskkill /pid <pid> to end it.

3. Browse to the following registry key:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\abcde
You may not be able to view the contents of the key, since the permissions were removed by the infection.
Right-click the abcde key > Permissions > Add > Everyone > select Full Control > OK > F5 to refresh > go to the Parameters key and take note of the path of the DLL
e.g. c:\windows\system32\wxyz.dll

4. Use fixpolicies.exe to reset the policies that were added by the worm, such as the one disabling the viewing of system files.

5. Look for the DLL file located in C:\windows\system32\
Right-click the DLL file > Properties > uncheck Read-only > OK > then delete the file. If the file cannot be deleted, try stopping the service first.
In case you cannot find the file, you will need to use GMER and browse for the file from the Files tab. Then use the Delete button on the right.

6. Use the following command-line to delete the service:
sc delete abcde

7. Reboot the computer

8. You can create a batch file to restore the following windows services:

sc config wscsvc start= auto
sc config winDefend start= auto
sc config wuauserv start= auto
sc config BITS start= auto
sc config ERSvc start= auto
sc config WerSvc start= auto
sc start wscsvc
sc start WinDefend
sc start wuauserv
sc start BITS
sc start ERSvc
sc start WerSvc


9. Finally, make sure the machine has the latest recommended updates from Microsoft:
http://windowsupdate.microsoft.com
The most important is that KB958644 is installed.
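As an added example (not the batch file from the post), here is a Python script that does the checking part of steps 1 and 2 offline: it parses the output of the reg query command from step 1, flags any netsvcs member missing from an assumed baseline, and then finds the svchost.exe PID hosting that service in tasklist /svc output. Both sample outputs and the abbreviated baseline are constructed.

```python
# Added example (not the post's batch file): the checks behind steps 1 and 2.
# parse_netsvcs() reads the output of
#   reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost" /v netsvcs
# and find_hosting_pid() reads "tasklist /svc" output. Samples are constructed.
import re

# Assumption: an abbreviated XP-era netsvcs baseline. Take the real list from
# a known-clean machine with the same OS and service pack before relying on it.
KNOWN_NETSVCS = {
    "6to4", "AppMgmt", "AudioSrv", "BITS", "Browser", "CryptSvc", "DMServer",
    "ERSvc", "EventSystem", "HidServ", "Ias", "Iprip", "Irmon", "LanmanServer",
    "LanmanWorkstation", "Messenger", "Netman", "Nla", "Ntmssvc", "Rasauto",
    "Rasman", "Remoteaccess", "Schedule", "Seclogon", "SENS", "Sharedaccess",
    "SRService", "Tapisrv", "Themes", "TrkWks", "W32Time", "WZCSVC", "Wmi",
    "winmgmt", "wuauserv", "wscsvc", "xmlprov", "helpsvc", "ShellHWDetection",
}

# Constructed reg.exe 3.0 output; REG_MULTI_SZ members are joined by a
# literal "\0". The trailing "abcde" stands in for the worm's random name.
SAMPLE_REG = r"""
! REG.EXE VERSION 3.0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost
    netsvcs     REG_MULTI_SZ    6to4\0AppMgmt\0AudioSrv\0Browser\0CryptSvc\0EventSystem\0Schedule\0SENS\0Themes\0wuauserv\0BITS\0wscsvc\0abcde
"""

# Constructed "tasklist /svc" output; long service lists wrap onto indented
# continuation lines, as tasklist does.
SAMPLE_TASKLIST = """
Image Name                     PID Services
========================= ======== ============================================
System Idle Process              0 N/A
svchost.exe                    940 RpcSs
svchost.exe                   1032 6to4, AppMgmt, AudioSrv, Browser, CryptSvc,
                                   EventSystem, Schedule, SENS, Themes,
                                   wuauserv, BITS, wscsvc, abcde
svchost.exe                   1108 Dnscache
"""


def parse_netsvcs(reg_output):
    """Return the netsvcs members, in registry order, from reg query output."""
    for line in reg_output.splitlines():
        m = re.match(r"\s*netsvcs\s+REG_MULTI_SZ\s+(.*)$", line)
        if m:
            return [s for s in m.group(1).strip().split("\\0") if s]
    raise ValueError("netsvcs value not found in reg query output")


def find_unknown_services(members, baseline=KNOWN_NETSVCS):
    """Return (name, 1-based position) for members absent from the baseline.
    Case-insensitive. The position shows whether the stranger sits at the end
    of the list, where the post says the Conficker entry usually is."""
    known = {s.lower() for s in baseline}
    return [(name, pos) for pos, name in enumerate(members, start=1)
            if name.lower() not in known]


def find_hosting_pid(tasklist_output, service):
    """Return the PID hosting `service` per tasklist /svc output, or None."""
    rows = []  # [pid, "comma, separated, services"] with wrapped lines folded
    for line in tasklist_output.splitlines():
        m = re.match(r"^(\S.*?)\s+(\d+)\s+(\S.*)$", line)
        if m:
            rows.append([int(m.group(2)), m.group(3)])
        elif line.startswith(" ") and rows:
            rows[-1][1] += line
    for pid, svc_text in rows:
        if service.lower() in {s.strip().lower() for s in svc_text.split(",")}:
            return pid
    return None


if __name__ == "__main__":
    members = parse_netsvcs(SAMPLE_REG)
    for name, pos in find_unknown_services(members):
        pid = find_hosting_pid(SAMPLE_TASKLIST, name)
        print(f"suspect service {name} at position {pos}/{len(members)}, "
              f"hosted by PID {pid}; next: taskkill /pid {pid}")
```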


A. Elshafei

Saturday, July 11, 2009

Detecting and Removing Rootkits in a Nutshell

** FOR HJT HELPERS


Categorizing the rootkit detection and removal methods is based solely on my personal opinion. I will appreciate any feedback or reports of inaccuracies or fallacies found in this article:

abuibrahim0 AT gmail DOT com


Important Guidelines Before Removing a Rootkit, if a rootkit is found on a machine:

1. Backup all important data, emails, documents, etc.

=> This is just a safety measure. Removing a rootkit can cause system instability, and an anti-rootkit tool may sometimes remove a system file along with the rootkit. This step is particularly important when using automatic tools for rootkit detection and removal.

2. Disconnect from the internet

3. Close down All Scheduling/Updating + Running Background tasks etc.

4. Disable real-time monitoring programs

5. When scanning for a rootkit, do not use the computer at all

6. Use 2 or more rootkit scanners

=> Never rely on the results of one anti-rootkit tool. Rootkits use different technologies for hiding, and no single anti-rootkit can find all rootkit techniques.


Methods of Detecting and Removing Rootkits:

1. Automatic Detection and Removal

2. Semi-automatic Detection and Removal

3. Manual Detection and Removal

4. Advanced Detection and Removal


1) Automatic Detection and Removal:

Tools that automate the process of detecting a rootkit and removing it. Minimal skills are required to use these tools.

Examples:

1. F-secure online scan: http://support.f-secure.com/enu/home/ols.shtml

2. AVG antirootkit

3. Trend-micro Rootkit Buster

4. Panda Antirootkit

5. Avira Antirootkit

6. Mcafee Rootkit Detective

7. Sophos Antirootkit


Disadvantage of using these Automated tools:

1. Highly unstable software. I used one once at the Rootkit Revelations forum and it destroyed Windows beyond repair.

2. Highly unpredictable -> they sometimes report that they removed a rootkit when they actually did nothing.

3. Highly unreliable -> they cannot find rootkits that use newer techniques.


The automatic tools are good, though, if you are removing the most popular or classic rootkits such as pe386.


2) Semi-automatic Detection and Removal:

- For more experienced users

- You will need to distinguish rootkits from false positives

- Such tools will highlight entries that are predicted to be rootkits. For example Icesword and GMER will highlight services and processes that are rootkits. RKunhooker will tag what are hidden.

Examples:

1. GMER

2. Icesword

3. Rootkit Unhooker

4. Darkspy

5. SVV

6. VICE

7. RootRepeal


Detection and Removal are split into two ways:

1. Rootkits that use drivers (more common):

- Two important indicators are: hidden service, and rootkit files.

Rootkit files can be found in the processes list (e.g. Icesword), the SSDT list (e.g. Icesword), a rootkit file scan (e.g. GMER), rootkit file browsing (e.g. Darkspy) or from the service image path in the registry.

- Rootkit Removal steps:

Step1: Stop or Disable Service

Step2: End executable process(s)

Step3: Delete service and related files


2. Rootkits that use inline hooking or DLL hooking such as Vanquish (less common):

- One important indicator: presence of a dll file

The DLL file can be found in two ways: a "Code Hook" scan using RKUnhooker (recommended), or a full file scan using GMER or any other anti-rootkit tool.

Note: GMER and Icesword do not automatically find this kind of rootkit. Only when a full file scan or rootkit file browsing is performed may some hidden files appear.

Also

- Removal steps:

Step1: perform "Code Hook" scan using RKunhooker

Step2: highlight all entries related to culprit dll file and click 'unhook selected'

Step3: End executable related process(s) if applicable (ex. vanquish.exe)

Step4: Delete dll and related files


3) Manual Detection and Removal:

- Manual Detection Tools:

1. RootkitRevealer

2. Rootkit Hook Analyzer

3. Sysprot


To know whether a rootkit is present in the RootkitRevealer results:

http://abuibrahim12.blogspot.com/2009/07/does-my-rootkitrevealer-log-show.html

To learn how to interpret RootkitRevealer logs:

http://forum.sysinternals.com/forum_posts.asp?TID=2408&PN=1


- Manual Removal Methods:

1. Manually deleting files in safe mode

=> provided that the rootkit does not use SafeBoot keys so as to be hidden in safe mode as well

2. DOS commands

=> may or may not work. HackerDefender can be completely deactivated and cleaned up using this method,

such as:

sc stop RKservice

sc delete RKservice

net stop RKservice

reg delete RKregpath

3. Manual Removal Tools

Example:

- Delete on reboot using killbox

- Avenger

- Combofix


In ComboFix the rootkit:: directive is not always needed. I found that file::, driver:: and killall:: are enough for most rootkits I have encountered.


4) Advanced Detection and Removal:

1. Slaving hard-drive to another computer and perform a normal anti-virus scan

2. Using a Bootable CD-ROM such as BartPE and UBCD4Win

3. Offline file comparisons: http://abuibrahim12.blogspot.com/2009/07/detecting-rootkits-in-windows.html


MBR Rootkits:

- Detection: see http://www2.gmer.net/mbr/

As you can observe, the presence of the phrase "\Device\Harddisk0\DR0" anywhere in a GMER log is an indication of an MBR rootkit, regardless of its variant. However, you may first need to verify that the changes made to the MBR were not performed by a legitimate application such as Acronis.

- Removal:

1. Windows Recovery Console:

Windows XP/2k: fixmbr

Windows Vista: bootrec.exe /fixmbr

2. Stealth MBR rootkit detector 0.2.2 by Gmer:

http://www2.gmer.net/mbr/mbr.exe

3. ESET Mebroot Remover:

http://www.eset.cz/download/emebremover



Recommended readings:

http://www.securityfocus.com/infocus/1850

http://safecomputing.umn.edu/guides/scan_unhackme.html

http://www.5starsupport.com/tutorial/rootkits.htm

http://www.microsoft.com/technet/sysinternals/utilities/rootkitrevealer.html



A. Elshafei