Malware that wants to stay - Some passive protection tricks

Hello again

I wanted to talk about some of the things that malware does to make itself hard to remove. Most Trojans are written for an average XP workstation and make assumptions based on that, which typically breaks servers in rather nasty ways.

I was recently looking at a Russian-written piece of malware implemented in VB6 – a curious choice, and the developer had an odd coding style. It didn’t use a kernel-mode rootkit, which is the more common approach, but relied on registry policy settings to do the dirty work: the same values that Group Policy uses to lock down a desktop, turned against the person trying to clean it. You might want to check these if you find yourself cleaning up a box:

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore]

  DisableSR = 0x00000001

If it is 1, System Restore is switched off and you can’t roll the machine back. This one lives under HKEY_LOCAL_MACHINE, so it applies to every user. Simple enough to fix if you can edit the registry.

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]

  DisableTaskMgr = 0x00000001

  DisableRegistryTools = 0x00000002

Except that you can’t, because he disabled the registry tools and Task Manager. Well, Task Manager is no great loss. Process Explorer from http://technet.microsoft.com/en-us/sysinternals/default.aspx will do the job at least as well. Disabling the registry tools is more of a problem unless you are on a network and able to edit remotely. Note that these two are per-user values under HKEY_CURRENT_USER: they bite the account the malware ran under, which is also why a remote edit (or an offline edit of that user’s NTUSER.DAT) gets round them.

[HKEY_CURRENT_USER\Software\Policies\Microsoft\MMC]

  RestrictToPermittedSnapins = 0x00000001

This was used to make MMC effectively useless. By default nothing is in the permitted list, so every snap-in (Event Viewer, Performance Monitor, Services, SQL management and so on) is blocked.

Disabling CMD.EXE is a real pain when you are trying to remove malware, so he set the following value:

[HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System]

  DisableCMD = 0x00000001

A value of 1 blocks batch-file processing as well as the interactive prompt. That is especially problematic for tools that rely on batch files, and some security tools do, since the old-school way is sometimes the only way of getting something done.

In this case, a few minutes’ work with WinPE was enough to rain on his parade, but a bit of remote registry manipulation would have done the job just as well.
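As an added example (not part of the original post and not the cleanup script the author used), here is a PowerShell routine that audits, and optionally deletes, the five policy values listed above. It assumes PowerShell 2.0 or later is available, either on the infected box (powershell.exe is not cmd.exe, so DisableCMD does not stop it, and the registry provider is not gated by DisableRegistryTools, which only checks regedit) or on a WinPE build that includes the PowerShell optional component; reg.exe can do the same offline work if it is not. The live registry is the default, the -Roots parameter points the check at hives you have loaded from an offline disk, and the remote variant uses the Remote Registry service the way the last paragraph describes. The function names, the -Roots hashtable, the OffSoft/OffUser mount names, the D:\ paths and the SID in the usage lines are this example’s own placeholders.

```powershell
# Added example (not from the original post): audit, and optionally delete,
# the policy values the post lists. Key paths and value names are the post's;
# everything else (function names, -Roots hashtable, OffSoft/OffUser mount
# names, the SID parameter) is this example's own convention.

$LockoutPolicies = @(
    @{ Hive = 'HKLM'; Key = 'SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore';     Name = 'DisableSR' }
    @{ Hive = 'HKCU'; Key = 'Software\Microsoft\Windows\CurrentVersion\Policies\System'; Name = 'DisableTaskMgr' }
    @{ Hive = 'HKCU'; Key = 'Software\Microsoft\Windows\CurrentVersion\Policies\System'; Name = 'DisableRegistryTools' }
    @{ Hive = 'HKCU'; Key = 'Software\Policies\Microsoft\MMC';                           Name = 'RestrictToPermittedSnapins' }
    @{ Hive = 'HKCU'; Key = 'Software\Policies\Microsoft\Windows\System';                Name = 'DisableCMD' }
)

function Test-LockoutPolicy {
    <# Walks the live registry (default) or hives loaded from an offline disk.
       For an offline image, mount the hives first, e.g. from WinPE
       (placeholder paths):
         reg load HKLM\OffSoft D:\Windows\System32\config\SOFTWARE
         reg load HKLM\OffUser "D:\Documents and Settings\victim\NTUSER.DAT"
       then call with -Roots @{ HKLM = 'HKLM:\OffSoft'; HKCU = 'HKLM:\OffUser' }
       and "reg unload" both when done so the changes are flushed to disk. #>
    param(
        [hashtable]$Roots = @{ HKLM = 'HKLM:'; HKCU = 'HKCU:' },
        [switch]$Remove
    )
    foreach ($p in $LockoutPolicies) {
        $path  = Join-Path $Roots[$p.Hive] $p.Key
        $value = $null
        if (Test-Path -LiteralPath $path) {
            $value = (Get-ItemProperty -LiteralPath $path -Name $p.Name -ErrorAction SilentlyContinue).($p.Name)
        }
        # Any non-zero value means the policy is in force; absent or 0 means not applied.
        $active = ($null -ne $value) -and ($value -ne 0)
        if ($active -and $Remove) {
            Remove-ItemProperty -LiteralPath $path -Name $p.Name
        }
        New-Object PSObject -Property @{
            Path    = $path
            Name    = $p.Name
            Value   = $value
            Active  = $active
            Removed = [bool]($active -and $Remove)
        }
    }
}

function Test-LockoutPolicyRemote {
    <# Same check over the Remote Registry service. HKCU has no meaning on a
       remote box, so the per-user values are read from HKEY_USERS\<SID> of
       the affected account (the SID comes from e.g. "wmic useraccount get name,sid"). #>
    param(
        [Parameter(Mandatory=$true)][string]$ComputerName,
        [Parameter(Mandatory=$true)][string]$UserSid,
        [switch]$Remove
    )
    $hives = @{
        HKLM = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey('LocalMachine', $ComputerName)
        HKCU = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey('Users', $ComputerName)
    }
    try {
        foreach ($p in $LockoutPolicies) {
            $sub = if ($p.Hive -eq 'HKCU') { "$UserSid\$($p.Key)" } else { $p.Key }
            # Open writable only when we intend to delete.
            $key    = $hives[$p.Hive].OpenSubKey($sub, $Remove.IsPresent)
            $value  = if ($key) { $key.GetValue($p.Name) } else { $null }
            $active = ($null -ne $value) -and ($value -ne 0)
            if ($active -and $Remove) { $key.DeleteValue($p.Name) }
            if ($key) { $key.Close() }
            New-Object PSObject -Property @{
                Path    = "\\$ComputerName\$($p.Hive)\$sub"
                Name    = $p.Name
                Value   = $value
                Active  = $active
                Removed = [bool]($active -and $Remove)
            }
        }
    } finally {
        $hives.Values | ForEach-Object { $_.Close() }
    }
}

# Usage: report first, then clean (SID below is a placeholder).
#   Test-LockoutPolicy | Format-Table Path, Name, Value, Active -AutoSize
#   Test-LockoutPolicy -Remove
#   Test-LockoutPolicyRemote -ComputerName VICTIM01 -UserSid S-1-5-21-1111111111-2222222222-3333333333-1001 -Remove
```

Run the report form first and keep the output: the combination of values present is a useful indicator in its own right, and deleting them before the malware’s own process is gone only invites it to put them back. The remote form needs the Remote Registry service running on the target and admin rights there, which is exactly the “on a network and able to edit remotely” case the post describes.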

Hope that this helps someone

Signing off

Mark