Saturday, September 22, 2007

MalwareLog Tool Examined

The other day, an anonymous commenter left a note on one of my older "anti-malware tool" posts.

"How about MalwareLog Tool?"

Good question.  I'm always on the lookout for useful anti-malware tools.

Let me see.

Research Time

First I checked out the site.

MalwareLog Tool - Malware Debugging Tool

It seems to have been recently registered according to WhoIs service lookup information on the domain.

I did some Google web and blog searches and only found a handful of result hits.  Not much there, so this seems to be a very new utility offering.

According to the web-site description, this is an initial version release.

The description on the product's web-page says that it identifies running dll and exe files and verifies their signatures against the Windows System catalog, and "...lists and reports all the running programs including dlls (startup programs, BHOs, Toolbars, plug-ins, LSPs, hidden malwares..etc)."

Users can display all running files or only the unverified ones.

Users can use the tool to terminate any of the running files listed.

Items appearing in the list can be logged to the clipboard or to a log file for auditing purposes.

No terms of usage or restrictions were listed on the web-page. Free for personal use? Free for corporate use? Free for non-profit/governmental use?  It's not clear at the moment.

Is it Legit?

Once can't be too cautious nowadays with "anti-malware" tools.

Eric Howes's Spyware Warrior: Rogue/Suspect Anti-Spyware Products & Web Sites list is filled with products that, at best don't perform the job claimed, and at worst, actually are malware.

I downloaded the tool and ran it through vtotal, jotti, and Mandiant Red Curtain and it seemed to check out "safe". 

Good enough there to warrant progressing on to watchful testing.

Run Time

I then executed the file. (Version for this post was 1.0.0.1)

It is a single executable and does not "install" as best I can determine. It therefore seems to be able to be considered "portable" for use off a USB stick.

It connects to the Net in two sessions when run.  One appears to be back to the "mother-ship" (looking for updates?) with the same IP address as listed for the domain registration.  The other checks against what seems to be a Microsoft site...I am guessing it is using this connection to figure out which files are "verified" and which ones aren't.

Once run, it also immediately begins to do a system scan and present a list of running files when completed.

The scan-time on my system took about a minute to complete.  As objects were identified during the scan process, they were added to the window display area.

By default it lists the "unverified" dll and exe objects.  You can click a checkbox at the bottom to display all the items, verified and not.  This does not require a re-scan to display the additional items.

The display view provides a check-box to select listed items, the full path of the item, the verified owner name (if found) and the status (verified/unverified).

There is a "Kill" box on the right-hand side.  If you want to terminate a running file, you select the check-box next to the item and hit the kill button.

Kill-effectiveness probably depends on multiple factors.  Many malware authors make terminating running processes difficult and a multitude of techniques and tools may be required.  As I don't have any malware on my system, I cannot test the effectiveness of the termination technique programmed in this tool against "real" malware struggling to stay alive and embedded in a system. Nor does the web-page describe the technique used in the tool.

In comparison, DiamondCS's free utility Advanced Process Termination uses 18 well documented methods

You may view the results in a log-file or copy the log to the clipboard.  This can be helpful for posting results to an on-line forum, and the creator helpfully provides links on the web-page to a number of anti-malware related forums.

The log file did have a helpful amount of information on it.

Application Thoughts

Here are some of my own thoughts on this tool, based on using many anti-malware tools in the field...and giving due consideration that this is a first-time release.

Memory utilization seems a bit high. On my XP Home system, it uses almost 22,000 K memory. In comparison, Microsoft's Sysinternal's Process Explorer is using just 20,000 K to perform a lot more tasks on my machine.  To be fair, they are almost certainly coded significantly different.

There does not appear to be a way to prevent the scan from immediately running when launched. 

You cannot seem to "pause" a scan while being run, only "close" the utility.  It might be nicer to launch the tool, then have a "start scan" button to begin the scan process.

I kept accidentally hitting the "kill" button when I was trying to select the scroll-bar on the right-hand side of the window.  This placement location is a potential source of an unwanted "oopsie! I didn't mean to kill that process!"  Sure, the item would have to be selected manually first, but still, I'd recommend moving it to the bottom of the tool window.

Nor does there appear to be a way to turn "auto-update" checking off.

While it is very kind of the developer to automatically connect to the Net to look for product updates, I really have some concerns.  Could the developer be maintaining a log of IP's for nefarious reasons?  Maybe, though probably not.  Malware fighters are by nature a kinda paranoid bunch from seeing what we see.  I'd like the option to turn that feature off if I so wish.

I suppose you might be able to get around that by a HOSTS file entry for the IP address it connects to, or block the connection if you have an out-bound connection filtering firewall installed.

I am also concerned that the tool might be too simple as presented in the web-page description: There are no warnings or cautions against the consequences of killing running files/processes.

By that I mean it might give an inexperienced or non-technical user the impression that any or all "unverified" files and processes are bad and need to be killed.  This could have serious repercussions on system performance and may not be accurate.

Furthermore, for example, it might be providing incorrect or inaccurate information.

For example, at the very top of my scan list with an "Unverified" status is the following DLL: C:\WINDOWS\system32\WGaLogon.dll  This is a legitimate Windows Genuine Advantage Notification DLL file.

When I cross compared it in Process Explorer for Windows with the option activated to Verify Image Signatures, the results came back that it was verified by Microsoft.  I cannot explain the discrepancy observed.

It does try (successfully) to provide a more simplified approach to exe and dll file identification and log generation.  It isn't the same type of tool as, say, HiJackThis but does attempt the same basic approach: Run a quick scan, provide a list of found items, and offer the opportunity to log and/or kill them.

While HiJackThis can (usually) remove the item identified, MalwareLog Tool doesn't (nor makes any claim to) actually "remove" anything.  It just would attempt to terminate the process, but the file itself and the cause for it launching in the first place would remain intact, likely ready to re-run at next reboot, unless you used the path information provided to then go in and manually rename/delete the file in question. 

Again, as I mentioned, a potentially dangerous move without research and experience behind your actions.

My Humble Opinion

Which gets to the heart of the matter.  Who would be a good target user for the MalwareLog Tool?

  • Average users who are pointed to this tool by more advanced troubleshooters, looking to get a quick and easily-generated log of potentially suspicious running files and processes easily posted to a forum.
  • Advanced users looking to capture a straight-forward log of running exe and dll files when doing a system audit.

For those targeted users and purposes, this initial release version of MalwareLog Tool does the job very well.

In my opinion, Process Explorer for Windows would be a better tool for advanced anti-malware troubleshooters who are looking for a utility to identify, research, and terminate unwanted exe and dll processes.  Granted, it is a very complex and advanced tool, and not for the average user. Who probably needs to use this utility to identify, research and inspect running dll and exe files?

  • Advanced system troubleshooters reviewing a system in person.
  • Advanced system troubleshooters who want to find out more about what the actual file(s) are doing, how and what they are loading into memory, and how they are interacting with other files on the system.
  • Auditors who need a more detailed and segregated log-file output for export and documentation.

So, with these considerations, I will go ahead and keep the MalwareLog Tool on my USB stick.

It's a good first-version start at what it seeks to do. 

I would respectfully hope to see some changes that I mentioned earlier considered for incorporation in future versions, but I don't find any "show-stoppers" and it might provide a helpful resource for helping troubleshoot and inspect a Windows system for evidence of (but not conclusive diagnosis in-of-itself) malware presence.

I'm sure the author has been working hard on this tool, and they should be proud of their work.  It's worth checking out and keeping an eye on for future version releases.

Additional DLL related Tips, Tools, and Utilities

Kindly said,

--Claus

1 comment:

Anonymous said...

Thanks for reviewing my program. I've updated the tool to new version 1.0.0.2

Thanks,
Satish
http://malwareLog.com