Doing it yourself.
Two blogs in less than 48 hours? Whatever could be happening? No, this is not a reference to the issue documented in http://www.microsoft.com/technet/security/advisory/943521.mspx which is interesting but certainly not widely exploited in Europe. No, today I would like to relate what I did on Wednesday night.
I was helping a friend redecorate – our American cousins would call it home improvements but we would call it "Do It Yourself". Now, I am a firm believer in having the right tools so I stopped off on the way to get sandpaper, sugar soap, flexible sanding blocks, disposable gloves, the whole nine yards. I was sure that I was well equipped for the job at hand. This turned out not to be the case.
While I was sanding down the paintwork, I had an odd request from one of the two daughters. Could I remove IE from the home PC as it was popping up a lot of windows and they preferred Firefox in any case. Uh, pop-up ads? I went to have a look. Adware was opening a new "message from our sponsors" every 20 seconds or so. Not so good. The PC was also responding very slowly indeed and a quick check showed that an invisible instance of IE was using 1.5GB of memory – rather more than the system had.
I have removed malware from quite a few systems but I normally go armed with some very specific tools and all that I had here was a sanding block and rather slow access to the internet. So, I had to improvise and here are some of the things that I did – I relate them here in case you ever have the need to do the same.
The first thing that I did was check if there was an antivirus solution installed and whether it was current. The engine of the AV was older code but still valid (Sorry, Mr Lucas) and the signatures were current. It had blocked a Trojan the day before and didn’t seem disabled. The event logs showed that it had been removing threats on a fairly regular basis for a couple of years. The system was XP SP2 in an indifferent update state and had 4 users (father, mother, 2 daughters), all admins. A scan from the AV product (intentionally nameless, not OneCare) reported that all was well when manifestly it was nothing of the sort.
Terminating IE resulted in an immediate relaunch, apparently explicitly as it was not the default browser on that system. Hmm. Not a BHO then. A malicious Browser Helper Object can certainly do some interesting things to a loaded instance of IE but not launch a copy when there is no loaded copy of IE to host it. Clearly we were looking at another process. I started killing off processes trying to get down to a manageable list so that I could find the rogue and lo… I got to a state where there were a reasonable number of processes and they were all identifiable as harmless. So, either a legitimate process had been hijacked in some way (unlikely) or there was a hidden process – which strongly suggested a rootkit.
I downloaded Rootkit Revealler from Sysinternals (now a part of MS) and ran that. Sadly, it came back saying that all was well. The MS Malicious Software Removal Tool said that there was no malware on the box. All the while, some hidden process was kicking off instances of IE as if there were no tomorrow.
Since the automated approaches had failed, I decided to use a more manual approach and pulled down the whole SysInternals suite. I was mainly after Process Explorer and Autoruns but show me tools and I am like a big kid. I want them all!
So, I started with Autoruns. If you are not familiar with the tool, it looks for every way of starting a process when Windows starts, lists those applications and enables you to disable them – it also lists some inprocess components too which was useful. There were a couple of known Trojan droppers in the startup so I took them out. There were a lot of legitimate helper processes which seem very common on home machines. iTunes needs these and some other media player needs those and pretty soon it all looks very cluttered. Anyway, I disabled some of the more obviously malicious and rebooted. The system came back in very much the same state – with IE instances spawned over and over and many of the removed startup entries back. Interesting.
I started in with Process Explorer and there were multiple instances of Internet explorer. I terminated one and back it came – damn. Oh, hang on, the launching application flashed up for a moment. I checked and there was no sign of the launching process in the list and it disappeared as the launching process moments after the new instance of IE popped up. Interesting again. I tried a few more times and managed to get the path of the executable – which was off the "My documents" pseudo-folder in a directory with a random name that didn’t show up in explorer when browsing but would open if I gave explorer the full path. Time to dig deeper.
The executable was packed and there were no strings to mention when I opened it with notepad though process explorer was able to make more of the strings in memory of the process – quite handy when looking at malware. Yes, this used all the APIs that I would expect for what it was doing. Ok, now I had a file to look at and that was a good step forward. Now, because it was already pretty late in the day by then and I was representing a member of the public, I felt no shame at all in using www.virustotal.com which can be a very handy site indeed. You can upload a file and they will pass it against a bunch of anti-malware applications and give you the results. I sent the file to the site and that started to give me results in less than 30 seconds… you have to like that. 50% of the scanners came back with nothing detected and the remainder all came back with generic results basically saying that they thought that the file was bad but didn’t have a specific classification. This normally means that it is waiting in a queue for some human to look at. That is pretty common with new malware or new variants of old malware but unfortunately that meant that I had no specifics of how to remove the cursed thing.
Ok, back to basics. Delete the file. Nope. File is in use, can’t delete or rename. Right. The process is hidden by a rootkit but the cover is not perfect and although it doesn’t appear in the process list, I can get the process ID when it hands it to a new instance of IE as parent. Using that, I killed the process and went to delete the file. Again, it was locked. A bit more poking around with process explorer showed that another hidden process was respawning the first one.
I shifted my attention to this newly discovered process and found that I couldn’t delete it because the first process looked after it in the same way – a sort of mutual protection process. I might have been able to write an app to terminate both processes and delete the files but I didn’t have any development tools here – it was just a home PC. Anyway, it would have been a race condition with no synchronization.
Deleting the registry keys that started it on boot was pointless because they came right back – it turned out that it had a thread waiting on the key to restore it.
All in all, quite a clever defense. However, it always launched the user mode processes under the context of the logged on user so that the spawned IE instance would appear on the desktop which made sense. Because all the users were admins (like most home users) this is a good solution for malware. I managed to break it in a reversible way by dropping down to a command shell and using cacls to deny access to the launching user to IE. That caused the first user mode malware process to AV because it didn’t have any error checking and assumed that the API would succeed. The second process turned out to be very much the same and when I changed the rights on the first malware exe, it crashed. I could now pretty much break the user mode components at will.
The kernel mode process was a little tougher but the same basic approach worked and it failed to load on startup.
I would still strongly recommend rebuilding the system but I was unable to find any problems after the service was disabled. It is amazing what you can do with publicly available free tools.
The malware will be submitted to the companies that failed to recognize it – including Microsoft. It is just a shame that I didn’t get more sanding done but Do-It-Yourself malware removal is useful too. I have to thank Christie and Sherry for letting me get this new malware submitted.
Until next time!