Didier Stevens

Saturday 12 August 2006

Cleaning up after an infection, and then?

Filed under: Malware — Didier Stevens @ 15:08

Your Windows PC is infected with a new virus. I mean, really infected, the virus was executed and installed itself permanently. You update your antivirus product (AV) and start a scan. It detects the virus and cleans your machine: it kills the process, it deletes the files and removes the startup registry keys (like the Run keys). But is your PC really cleaned? Is everything the virus did undone? Who knows?

Malware can carry a very destructive payload that no AV can undo.

Take the W32/Bagle.fb virus. It deletes the SafeBoot key, only a couple of assembly lines are needed to wipe your Safe Mode configuration:

PUSH raehtvlv.00415AE8    ;  ASCII "SYSTEMCurrentControlSetControlSafeBoot"   
PUSH 80000002   
CALL raehtvlv.00409024    ;  JMP to shlwapi.SHDeleteKeyA

But this is not easy to correct. No AV product will do this for you. It will delete the files (this bagle doesn’t only install itself, but also a rootkit, m_hook.sys, to hide itself) and remove the startup entries from the registry, but it will not reconstruct your SafeBoot key.

This Bagle also disables an enormous amount of security related Windows services, like the AV your running. It uses this subroutine to disable a service:

00404583  /$ 55             PUSH EBP   
00404584  |. 8BEC           MOV EBP,ESP   
00404586  |. 81C4 4CFFFFFF  ADD ESP,-0B4   
0040458C  |. C785 4CFFFFFF >MOV DWORD PTR SS:[EBP-B4],94   
00404596  |. 8D85 4CFFFFFF  LEA EAX,DWORD PTR SS:[EBP-B4]   
0040459C  |. 50             PUSH EAX   
0040459D  |. E8 7A490000    CALL raehtvlv.00408F1C      ;  JMP to kernel32.GetVersionExA   
004045A2  |. 83BD 50FFFFFF >CMP DWORD PTR SS:[EBP-B0],5   
004045A9  |. 72 62          JB SHORT raehtvlv.0040460D   
004045AB  |. 68 3F000F00    PUSH 0F003F   
004045B0  |. 6A 00          PUSH 0   
004045B2  |. 6A 00          PUSH 0   
004045B4  |. FF15 5DF64100  CALL DWORD PTR DS:[41F65D]  ;  advapi32.OpenSCManagerA   
004045BA  |. 8945 FC        MOV DWORD PTR SS:[EBP-4],EAX   
004045BD  |. 0BC0           OR EAX,EAX   
004045BF  |. 75 04          JNZ SHORT raehtvlv.004045C5   
004045C1  |. C9             LEAVE   
004045C2  |. C2 0400        RETN 4   
004045C5  |> 6A 22          PUSH 22   
004045C7  |. FF75 08        PUSH DWORD PTR SS:[EBP+8]   
004045CA  |. FF75 FC        PUSH DWORD PTR SS:[EBP-4]   
004045CD  |. FF15 61F64100  CALL DWORD PTR DS:[41F661]  ;  advapi32.OpenServiceA   
004045D3  |. 0BC0           OR EAX,EAX   
004045D5  |. 74 2D          JE SHORT raehtvlv.00404604   
004045D7  |. 50             PUSH EAX   
004045D8  |. 8D55 E0        LEA EDX,DWORD PTR SS:[EBP-20]   
004045DB  |. 52             PUSH EDX   
004045DC  |. 6A 01          PUSH 1   
004045DE  |. 50             PUSH EAX   
004045DF  |. FF15 65F64100  CALL DWORD PTR DS:[41F665]  ;  advapi32.ControlService   
004045E5  |. 8B1424         MOV EDX,DWORD PTR SS:[ESP]   
004045E8  |. B9 07000000    MOV ECX,7   
004045ED  |> 6A 00          /PUSH 0   
004045EF  |.^E2 FC          LOOPD SHORT raehtvlv.004045ED   
004045F1  |. 6A FF          PUSH -1   
004045F3  |. 6A 04          PUSH 4   
004045F5  |. 6A FF          PUSH -1   
004045F7  |. 52             PUSH EDX   
004045F8  |. FF15 69F64100  CALL DWORD PTR DS:[41F669]   ;  advapi32.ChangeServiceConfigA   
004045FE  |. FF15 6DF64100  CALL DWORD PTR DS:[41F66D]   ;  advapi32.CloseServiceHandle   
00404604  |> FF75 FC        PUSH DWORD PTR SS:[EBP-4]   
00404607  |. FF15 6DF64100  CALL DWORD PTR DS:[41F66D]   ;  advapi32.CloseServiceHandle   
0040460D  |> C9             LEAVE   
0040460E  . C2 0400        RETN 4

In a nutshell:
1. this subroutine is called with the name of the service to disable on the stack
2. it checks if it’s running on Windows XP, and returns if not
3. it opens the service manager, and returns if this fails
4. it opens the service to disable, and returns if the service doesn’t exist
5. it disables the services (sets the start parameter to disabled)
6. it closes the service
7. it closes the service manager

This subroutine is called for each entry in a long table of security products:

Ahnlab task Scheduler
AntiVir Service

BTW, wuauserv is the Windows Update service.

As a developer, I’m not impressed with the quality of this code:

  • testing for Windows XP: do this only once, no for each service
  • the service manager: open the service manager, process all the services, and then close the service manager. Opening and closing the service manager for each service is too much overhead.

And if I were a malware developer, my routine would be more destructive. The ChangeServiceConfig system call is called with mostly null arguments:

hService = 0015D840
BinaryPathName = NULL
LoadOrderGroup = NULL
pTagId = NULL
pDependencies = NULL
ServiceStartName = NULL
Password = NULL
DisplayName = NULL

This means that those parameters remain unchanged. Take the BinaryPathName argument, it sets the service parameter that points to the executable and often contains command line arguments. Without this information, the service manager doesn’t know which program to start. Setting BinaryPathName to a string, e.g. “wiped”, will overwrite this information and you’ll have a very hard time correcting this…

By now you should be convinced that this Bagle is nasty, that it could easily be made nastier, and that your AV will not restore your OS to its former glory and that you’ll have a hard time fixing everything. And this is “just” a mass mailer virus. Spyware is notoriously harder to clean.
Removing the infection is one step, and your AV should do this, but restoring your computing environment is another essential step, and your AV doesn’t help you with this.

That’s why I advise to rebuild an infected machine: format the disks and reinstall the OS, the applications and the data.

But I only advise this in case of a “real” infection (the malware was executed) and when it ran with local admin privileges.

If you’re sure the malware wasn’t executed (e.g. it was in a ZIP file and the AV detected and deleted the ZIP file when it was downloaded), there’s no damage done.
If it was executed with the authority of a normal user (not a power user or local admin), it will be easier to clean up, because it cannot modify the OS or the security products (privilege escalation aside and provided your security products are protected). Scanning the user’s profile and data, and checking the user’s startup entries is enough to remove the infection, and the computing environment doesn’t need restoring.

But if the malware ran with local admin privileges, all bets are off. It can do anything to your system, you can never be 100% sure what it did. Do you trust the malware descriptions of your AV product for 100%? Do they list everything in detail? If they omit something, you will not know about it and cannot fix it. For example, not all AV vendors did mention the deletion of the SafeBoot key for this Bagle virus.
And if the infection was a downloader (a program that downloads several other malwares from the Internet and installs them), not even the AV company can tell you what the malware did. Because nobody can tell you what was downloaded and executed. Even if you obtain the URL, download the malware and analyze it, you cannot be sure you downloaded the same malware.

Reinstalling a machine can be costly, especially if you’re not organized and prepared for it. You can decide that reinstalling is more costly than cleaning, and accept the risk of using a corrupted machine. It all depends on the risks you’re running, i.e. what you use your computer for.

Let’s assume you can wipe out the infection completely. Then you still need to ask yourself if your OS and security applications have not been tampered with and if you’re willing to trust them.
Consider this:

  • Rootkit techniques to subvert your OS become more prevalent in malware.
  • Tampering with security applications is still limited to disabling/crippling them, but I’m sure these attacks will become more complex. For example, I was able to “patch” my AV. It’s completely functional, but it doesn’t alert anymore when a virus is detected. And if I can do it, …

I’m prepared for an infection:

  • First of all, I don’t trust unknown programs and attachments
  • I use an antivirus and a Host Intrusion Prevention System
  • I use a normal user account
  • My data has its own directory and is encrypted (Truecrypt)
  • I make regular backups
    o Monthly Full image backups on a USB hard disk (on-site and off-site)
    o Weekly data backups
    o Daily online backups of essential data
  • I patch diligently
  • I maintain an unattended, slipstreamed Windows installation image (nlite), mainly for building virtual machines, but I can use it to rebuild a real machine
  • I maintain a list and backup of the applications I install
  • My banking applications run in a dedicated, virtual environment

You’re probably thinking that the cost of these mitigating actions is higher than the cost of dealing with a real infection, and you’re probably right. Except that these actions also mitigate other risks that I run, like data loss, disasters …
And cost is not only expressed in money and time, but there’s also the “sentimental” cost a person can incur. I’ve taken more than 10,000 digital pictures over a decade, and they’re priceless.

Blog at WordPress.com.