Monday, November 11, 2013

Anti-Malware Response “Go-Kit”

I don’t know how my readers feel when it comes to performing a malware response.

I tend to get very frustrated, regardless of the response situation. A very wise person said to me that of all the challenges I am constantly wrestling against with myself, the core issue from their perspective is that I am a problem solver. Got a problem? I can and will step up and try to solve it; often by the book (as best I can muster) and then taking it beyond.

What I should be doing is learning to execute well, execute efficiently, and then walk away when done.

In other words, there are some bones I just need to bury and stop digging back up and chewing on again.

That’s often the problem I face with dealing with malware infections.

At work the response calls almost always come in from an automated alert. Some AV client on a system alerted when it found some binaries that matched something in its DAT collection. That client talks to the mother-ship program which is monitored by an admin who sends an email requesting the system be responded to.

In almost every case, the required (per operational policy and procedures) response is to recover user data, wipe and reimage the system, scan the user data, restore the user data. Move on.

While we probably don’t have the resources available to do a full-blown incident response on every end-user system we get an infection alert on, I shudder to consider that we could be consistently missing out on understanding and identifying potential data leakage off our users’ systems, not to mention the lost opportunity to learn how the infection occurred and how takeaways from an in-depth analysis could be used to better harden the protection systems in place and educate the end users.

Sigh.

The case generally doesn’t get any easier on the home front. Many times friends and family have approached me to explain they have some sinister problem on their home system and need some advice. What they generally are asking is, “Can you fix it for me?”

What they aren’t asking is, “Can you perform an in-depth analysis on what I have on my system, what data I may have lost in the process, how it got on there, and how I can keep it clean in the future?”

Nope.

They are in a panic, and want the system restored to a functional state so they can go back to their old habits.

So despite the tons of material out there from awesomely good-at-their-jobs malware and incident response experts, we generally continue the same fruitless routine of getting infected, getting the system cleaned, walking away, and getting infected again.

In my frustration, I wanted to spin it to the positive and try to share some of my “go-kit” for malware responses. It isn’t really geared to enterprise incident response and cleanup where a whole host of organized protocols, processes, and tools should (hopefully) come to bear on an issue; though there is some linkage that could support/supplement it perhaps.  It’s what I carry on my personal USB stick when I’m responding to family and friends who get themselves into trouble.

My USB stick is a Kanguru 16 GB Flashblu. I like it in that it has a physical write-lock switch so I can control USB infection when connecting it to a potentially hostile system. Because it is an otherwise “simple” USB stick, I can configure it for use as a bootable USB device and load a custom WinPE system on it for off-line booting of an infected Windows system. Some more advanced USB drives (IronKey) have additional cryptographic security embedded in them that is good for file security, but a real nuisance in trying to make the device bootable. I do wish the storage size was greater but on the other hand it keeps me honest with stripping down my file and tool set on it to critical ones.

Most of these get regular version updates, so I have to check back frequently to download the newest versions.

One final note, tools listed are generally in alphabetical order rather than order of preference.

Stage One…Hone your Skills

The very first tool that should be used when responding to a potential malware infection is your brain.

Being familiar with Windows system operations, incident response techniques, and malware busting moves is critical. If you don’t get this part down first, the rest is just spinning your wheels and could lead to reinfection or infection spread.

Some resources you may want to review are:

And, from a previous GSD blog post,

Linkz 4 Free Infosec and IT Training - Journey Into Incident Response - Corey Harrell goes above and beyond with an outstanding listing of trainings, exercises, and learning resources that are ForSec focused and absolutely-friggin-free for the taking!  Corey promises to keep the listing updated so bookmark the page and check back often. I’m particularly interested in the CSIRT-like topics and materials listed like those in the ENISA CERT linkage. I’ve downloaded most all of the PDF versions already to review this week as time allows!

Many of these trainings have supplemental videos and VM’s for download.

Other specific courses from Corey’s post.

Stage Two…My Core Tools

In almost every case, I will use these tools as part of my initial assessment. They will also very likely come into play as part of the malware track down and removal. I consider use and drilling in these tools my IT counterpart of “3-gun shooting”.

  • Process Explorer - Windows Sysinternals - Shows me what is running on a Windows system, where it is running from, and why.
  • Autoruns - Windows Sysinternals - Shows me what caused some of the “auto-start” execution of software on a Windows system, where it was called to run from, and why.
  • Process Monitor - Windows Sysinternals - Also shows me what is running on a Windows system, where it was called to run from, and why. The logging is great for post analysis.
  • ESET SysInspector - This tool does some of the things listed above but also performs advanced logging as well as heuristic coding to results. This helps me get a quick reconnoiter on the system which is critical when it is one I may not be familiar with. From there I can better plan points of focus.

Stage Three…Packaged Sweeps

As I said before, I really want to do full-blown reviews of systems to understand just what happened and how it happened, so I can then respond to make sure it doesn’t happen again.

But with non-technical users hovering over me in their (or my) living room this can be a frustrating situation for both of us.

One technique that I have found helpful is to run one or more advanced triaging tools on the system before starting the cleaning process. Most all of these tools help to automate the incident response and data collection process. These let me run a slew of individual tools at a single command and package the findings up for later review. If the end-user is agreeable (sometimes some personal information and data can get collected in the process so trust and integrity are critical) I’ll run some captures on the system for later review and post-mortem work after the system has made its way back home.

These resources are great starting points before we hit the tool sets.

Now the collection tool sets. Note that “some assembly is required” in most packages due to licensing restrictions of some of the leveraged utilities. One other consideration is that they can be “high maintenance.” Most depend on third-party tools -- like NirSoft or Sysinternals. As those get updated then you may find benefit in dropping the updated version into your sweep sets. That’s a lot of work and depending on the change made, might add/break certain functionality. Just something to consider.

  • Confessor - Home - “Confessor is a Windows Application that utilizes WMI or PsExec along with standard tools to quickly gather live forensic information from any number of hosts.” Confessor v.10 User Guide & Confessor v.10 download.
  • Mandiant Redline - Mandiant - “…provides host investigative capabilities to users to find signs of malicious activity through memory and file analysis, and the development of a threat assessment profile.”
  • MIR-ROR - Home - “…MIR-ROR is a security incident response specialized, command-line script that calls specific Windows Sysinternals tools, as well as some other useful utilities, to provide live capture data for investigation.” MIR-RORv2.0 download
  • rapier - First Responders Info Gathering Tool - Google Project Hosting - “…RAPIER is a security tool built to facilitate first response procedures for incident handling. It is designed to acquire commonly requested information and samples during an information security event, incident, or investigation. RAPIER automates the entire process of data collection and delivers the results directly to the hands of a skilled security analyst.”
  • RegRipper - Google Project Hosting - Tool developed by Harlan Carvey that allows parsing of Windows registry hives via plugins depending on the targeted information sought. Plugins are developed by the community so there are a lot out there now. Pretty amazing stuff and the logging results with just some of the standard “"
  • TR3 Tool Kit v2 - Journey Into Incident Response Blog Resources - Google Project Hosting - See the post Tr3Secure Data Collection Script Reloaded for more information.
  • triage-ir - Triage: Incident Response - Google Project Hosting - More details from project author Michael Ahrendt here in his blog post Student of Security: Automated Triage Utility
  • ThreatExpert Memory Scanner - Like the previously mentioned ESET SysInspector tool, this is a tool that allows you to scan the live system memory and look for potentially rogue memory modules.

Finally, both the DEFT Linux live CD & CAINE Live CD/DVD have Windows-side packages (DART and WinTaylor/NirLauncher) available that can easily be ported to a USB stick.

The CAINE team is partnering with WIN-UFO (Ultimate Forensics Outflow) for a packaged multi-tool launcher that is pretty interesting and worth checking out. Win-UFO Beta (PDF link) has detailed tool information.
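
The kind of single-command sweep described in this stage, as an added example that is not part of the original post and not taken from any of the tool kits listed above. It uses only commands that ship with Windows, so no third-party binaries need licensing or updating; the script name `sweep.ps1`, the `-OutRoot` parameter and the output file names are hypothetical, and it assumes PowerShell 5.1 or later run from an elevated prompt.

```powershell
# Added example: a minimal live "sweep" built only from commands that ship with Windows.
# Assumptions (not from the original post): PowerShell 5.1+, an elevated prompt, and
# -OutRoot pointing at writable storage that is NOT the infected system's own disk.
param([Parameter(Mandatory)][string]$OutRoot)

$stamp   = Get-Date -Format 'yyyyMMdd-HHmmss'
$caseDir = Join-Path $OutRoot "$env:COMPUTERNAME-$stamp"
New-Item -ItemType Directory -Path $caseDir -Force | Out-Null

# Output file name -> script block that collects one kind of system state.
# Nothing here reads user documents, which keeps the capture to what was agreed.
$runKeys = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
$collectors = [ordered]@{
    'systeminfo.txt' = { systeminfo.exe }
    'netstat.txt'    = { netstat.exe -ano }
    'tasks.csv'      = { schtasks.exe /query /fo CSV /v }
    'processes.csv'  = { Get-CimInstance Win32_Process |
                           Select-Object ProcessId, ParentProcessId, Name, ExecutablePath, CommandLine |
                           ConvertTo-Csv -NoTypeInformation }
    'services.csv'   = { Get-CimInstance Win32_Service |
                           Select-Object Name, State, StartMode, PathName |
                           ConvertTo-Csv -NoTypeInformation }
    'run-keys.txt'   = { foreach ($k in $runKeys) {
                           "[$k]"
                           Get-ItemProperty -Path $k -ErrorAction SilentlyContinue | Out-String } }
}

# Run every collector, keep going if one fails, and record a hash of each output
# so the files can be checked for changes when reviewed later.
$results = foreach ($name in $collectors.Keys) {
    $file    = Join-Path $caseDir $name
    $started = (Get-Date).ToUniversalTime().ToString('o')
    try   { & $collectors[$name] 2>&1 | Out-File -FilePath $file -Encoding utf8; $status = 'ok' }
    catch { $status = "failed: $($_.Exception.Message)" }
    [pscustomobject]@{
        Collector  = $name
        StartedUtc = $started
        Status     = $status
        SHA256     = if (Test-Path $file) { (Get-FileHash $file -Algorithm SHA256).Hash } else { '' }
    }
}
$results | Export-Csv -Path (Join-Path $caseDir 'collection-log.csv') -NoTypeInformation

# Package the findings into a single archive for post-mortem review.
Compress-Archive -Path (Join-Path $caseDir '*') -DestinationPath "$caseDir.zip"
```

With the tool stick write-locked, point `-OutRoot` at a second removable drive so the capture never lands on the suspect system's disk.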

Stage Four…Rootkit Sweeps

After the first sweep and assessment, I generally want to confirm if there is a rootkit running on the system. All the hard work after is for naught if a rootkit just re-infects the system once you have “cleaned” it.

Rootkits and other APTs (Advanced Persistent Threats) are constantly evolving and detection tools must keep pace. Certainly no one tool here can identify every threat out there, but it is a good starting place.

Also, read carefully the supported OS of the tools; it doesn’t do much good to run a tool designed only for XP x32-bit on a Windows 8.1 x64-bit system!

I do have quite a number of additional anti-rootkit tools that are a bit more advanced, but they aren’t really suitable for average home users…so I’ve left them out of this list for now.

Stage Five…General Malware Sweeps

Now that we have (hopefully) established we are not dealing with rootkit activity, next comes the general scan.

Again there are an incredible number of tools to help purge a system of a malware infection. Some are designed to be run “live” on the system, and others work “off-line” against the system files by running from a “pre-boot” alternative OS environment. I have found that in most cases, the latter works better and more effectively than the former.

Be aware that depending on the scan engine and the system hardware, these scans can take a considerable amount of time…I often have to let them run overnight.

Pick and use judiciously.

Also, you must keep them current either by freshly downloading the latest version before using, or downloading a DAT file package or two. Failure to do that may miss the most current iterations of the virus!

Stage Six…Highly Specialized Responses…

In some cases, even if you are able to clean up a system and “de-infect” it, the remaining mess it has made can still cause untold headaches. Registry keys are changed, EXE’s don’t execute, the internet sockets have been screwed up.

Use these tools ONLY if you know what you are doing and have a specific reason to be doing so. Use of them where not warranted may only exacerbate the mess you are trying to clean up.

  • AdwCleaner - General Changelog Team FR - How to use AdwCleaner version 3.x
  • ComboFix Download - Bleeping Computer hosted by author “sUBs”
  • CryptoPrevent - Foolish IT LLC - to be clear this doesn’t “clean” CryptoLocker infections, but it prevents it from executing in the first place.
  • exeHelper from Raktor - Cannot execute .exe, .reg, regedit? - Am I infected? What do I do?
  • AntiVirus Utilities - Kaspersky Lab has a ton of specialized tools
  • MBRWizard CLI - This free utility is a command line version only - you can pay $ for the GUI version if that is what you want. It’s under $10 if that’s your thing. It may be able to restore and repair your MBR.
  • Remove Fake Antivirus 1.93 - Yes, Yes, Yes…the website does have that “is this dodgy?” vibe, but based on the testimony of many users whose systems were infected with fake AV malware, it’s the real deal. Cheers to the author for working tirelessly at keeping it effectively updated!
  • RKill Download - Bleeping Computer
  • Unhide Download - Bleeping Computer
  • Windows Security Utilities - BleepingComputer - 20 specialized programs listed over two pages for your review and selection when needed.
  • Download WinSock XP Fix - MajorGeeks - used to repair damaged WinSock files after an infection. I don’t see this very much any more. Nowadays, the malware does all it can to keep the system online and communicating so it can be a RAT/Zombie/spam-factory/APT.
  • XP TCP/IP Repair 2.2 - WareSoft Software - Likewise.

GSD Field Dispatches…

In closing, here are some Grand Stream Dream blog posts that may be worth a re-read (or first read) that touched upon malware-busting.

Cheers,

--Claus Valca

2 comments:

TeamRocketOps said...

Excellent blog post, very informative and complete. Thank you for sharing!

Anonymous said...

Hi Claus,

Outstanding post!

Regarding: "I do have quite a number of additional anti-rootkit tools that are a bit more advanced, but they aren’t really suitable for average home users…so I’ve left them out of this list for now."

I'm assuming one of these is GMER. Could you provide the list of the more advanced anti-rootkit tools you use or recommend?

Thanks!