Let’s take a look at the next scenario: in a morning when you check your emails, you find one with the subject “Top Ten jokes about wives” or … “Eva Mendes naked in the pool” but the sender is unknown to you. The email has a PDF file as attachment or maybe contains a link, what are you gonna do? Perhaps you think: if the attachment is not an executable then it can not be a virus and it’s safe to open it or if it’s about a website, it’s safe to visit it as long as I don’t download anything.
Then you open and view the attachment which indeed contains some good jokes about wives or maybe you click the link in the email which promises some good photos with Eva Mendes naked in the pool but you encounter an 404 Error(Page Not Found). However, after a month or so when you forgot long time ago about this strange email, you receive the monthly statement from your bank and when you open it you find out that you were made a transaction and now your bank account is empty. A hypothetical nightmare scenario? Unfortunately, this scenario can be a real story where the personages are you and the malware(the shortening for malicious software) which infected you starting with the reading of that email. The infections occurs in a chain type, a malicious script is executed which connects to a malicious domain from where it downloads and executes unnoticed a computer trojan.
A malware(malcode) is a computer set of instructions designed to perform a malicious action against other people interests.
All computer viruses, trojans, worms, rootkits, passwords stealers are malware.
Sometimes the line between a malicious software and a benign one is very thin, I am thinking now at some capabilities of certain type of software to collect and send informations from your computer for statistics purposes: how you use your computer, what operating system and browser you have installed, Internet navigation history and so on. If for some users a software that leak these kind of informations is not necessarily malicious, others will feel a discomfort if these informations are disclosed , even more will feel that their privacy is severely affected and will catalogue the software as malicious.
Another example, the zombie cookies are malicious due to their nature: them track the users personal browsing habits are very resistant to deletion. The project page for this type of cookies is here, you can read if you want to learn more about them.
But let’s take a closer look at our subject, the malware and a concrete example for our analysis, the Poison Ivy trojan. It comes in many variants(many different executables) because the malevolent persons who spread it trying to deceive the antivirus scanners use executable crypters or obfuscators. In fact, you must know that the biggest problem of the security vendors are not the viruses themselves because virus writers are not after every corner and they do not develop a virus every day, the biggest problem is these crypters and obfuscators able to create thousands of new and indetectable virus variants. It’s more easier to code a crypter in an easy programming language like Visual Basic 6 than to code a virus from the scratch. Using a crypter and adding some junk code to computer trojan executable can diminish the antivirus detection massively. If, for example a trojan submitted to virustotal.com and scanned with more than 40 antivirus engines gives a rate of detection of 90% from all antiviruses, the same trojan executable encrypted gives a detection rate of 5%. The decryption is performed in RAM memory at run time, it’s very important to remember this, in fact the original trojan code never touches the hard disk, so an antivirus that watch the hard disk read-write operations searching for viruses signatures, can be easily bypassed.
As methods of distribution, attackers often choose to bind the trojan executable with another benign computer program in a newly created program installer and to offer this infected kit on warez forums and blogs for example. Let’s assume that the trojan body is encrypted and its signature does not exist yet in the antivirus database. If the chosen name for the trojan is looking credible like “update.exe” or “msinstaller.exe” will not trigger any alert on the victim side and will allow its execution together with the real installer when he’s asked by the antivirus for a decision. It’s very similar with a matryoshka doll, an installer inside another installer, a trojan and the needed scripts to run both in parallel. Another method of spreading the trojan is to send it as a photo in an email attachment with an icon representing a photo and with an extension like “cool_photo.jpg.exe”. The infection occurs when the careless victim fall into the trap and double clicks the false photo.
The Poison Ivy trojan is good as example because it has all major features a malware can have:
-it injects itself in a legitimate process;
-it can bypass firewalls using reverse connections;
-it uses encrypted transmissions with Camellia cipher;
-it can remotely download and upload files;
-it can execute files, kill or suspend processes;
-it can view the web camera on the victim computer, or it can takes screenshots;
-using plugins it can decrypt the passwords stored in Mozilla Firefox profile folder;
and many more. A banking trojan as Zeus or SpyEye has a feature more, the ability to inject html forms in banks web pages.
The big question is where is the best place in the computer to detect the presence of a computer virus?
We can possibly see a sign of the existence of malware in the autorun locations in the registry, because somehow any computer trojan virus must survive at a computer reboot. Unless it’s a computer trojan with abilities to hide the registry keys(rootkit) or one that has auto start code written in Master Boot Record(MBR), we can find a registry entry that assures the trojan automatic start at next computer reboot.
You can see in the below image the autorun registry entry for Poison Ivy trojan. It is used Autoruns, an excellent program for revealing the autorun entries.
Autorun entry: HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components
Here are a few registry keys(not all though) used commonly for autorun by malware :
HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components
If you find in these locations strange file names or with strange descriptions, this raises a question mark and supposes a deeper investigation.
However, there are computer viruses do not use registry keys for autorun or are able to hide their own entries(see rootkits). What about running processes viewed with a very powerful tool like Process Hacker? The default Windows Task Manager is too simple and lacking in features for our analysis.
The first two Opera browser processes with PID 1588 and 2040 are in fact the Poison Ivy trojan injected in the Opera process space:
The last process with PID 2924 is the real Opera browser process, we can see how it consumes 342 MB, a lot if you ask me. In comparison the Poison Ivy trojan consumes much less RAM memory.
How differ these processes as Properties?
First, the trojan with PID 1588:
And here are the real Opera process with PID 2924:
Hmmm, there is not difference between processes so how can we know which one is infected? A few words about how can a trojan perform this substitution as process with a legit browser? How can it invade the process space of another program? Well, a such process is named a “hollow process” in security terms. Practically the malware starts a new instance of the “host” process in our case Opera browser but immediately suspend its thread. Then the malware deallocates the memory containing Opera code and replaces it with its own process code. After that, the malware resume the suspended thread but now the process execution start with the malware code because the start address of the legitimate thread is now replaced by the malware process Address Entry Point.
The problem here is with different processes viewers or task managers which due to the way them are functioning and read data about running processes, will “think” the legitimate process is running, without any suspicion about a malicious process code replacement.
However, if we search for strings in Memory tab of Process Hacker we can find more than enough signs of an infection. Everything in strings is looking strange, see here :
We can see here pretty much all we are interested in:
- The sub-domain where the trojan connects, www.no-ip.com is used as a free DNS solution. If the attacker has a dynamic IP, using a domain instead of an IP is a must for the malicious client-server(attacker-victim) connection;
-The autostart registry entry added by the trojan ;
-The location where the trojan virus reside;
Now we come at a conclusion: the memory is the best place where we can detect easy the sign of a computer infection. No more encrypted or obfuscated code, just plain and simple code – the original one. You can dump your memory and save it to file; if you think you are infected and your antivirus does not detect anything scanning your hard disk, for sure it will find when the saved dump file is scanned. One of the best tool for forensic memory analysis is Volatility Framework, an open source collection of tools written in Python offering the possibility of extraction of digital artifacts from RAM memory. Using plugins, it gives not only high details about running processes, but also details about network connections performed by the analyzed computer, kernel modules, registry handles for each process and so on.
Keep safe !