6.5 Malware Detection
How to Detect Trojans
- Scan for suspicious OPEN PORTS.
- Scan for suspicious RUNNING PROCESSES.
- Scan for suspicious REGISTRY ENTRIES.
- Scan for suspicious DEVICE DRIVERS installed on the computer.
- Scan for suspicious WINDOWS SERVICES.
- Scan for suspicious STARTUP PROGRAMS.
- Scan for suspicious FILES and FOLDERS.
- Scan for suspicious NETWORK ACTIVITIES.
- Scan for suspicious modification to OPERATING SYSTEM FILES.
- Run Trojan SCANNER to detect Trojans.
Scanning for Suspicious Ports
- Trojans open unused ports in victim machine to connect back to Trojan handlers.
- Look for the connection established to unknown or suspicious IP addresses.
- Type
netstat -an
in command prompt.
- TCPView, CurrPorts
- 查Service short name:
tasklist -svc
Port Monitoring Tools: TCPView and CurrPorts
- TCPView: TCPView show detailed listings of all TCP and UDP endpoints on your system, including the local and remote addresses and state of TCP connections.
- CurrPorts: CurrPorts is network monitoring software that displays the list of all currently opened TCP/IP and UDP ports on your local computer.
Scanning for Suspicious Processes
- Trojans camouflage themselves as genuine Windows services or hide their processes to avoid detection.
- Some Trojans use PEs (Portable Executable) to inject into various processes (such as explorer.exe or web browsers).
- Processes are visible but looks like a legitimate processes and also helps bypass desktop firewalls.
- Trojans can also use rootkit methods to hide their processes.
- Use process monitoring tools to detect hidden Trojans and backdoors.
- Process Monitor: Process Monitor is a monitoring tool for Windows that shows file system, registry, and process/thread activity.
Process Monitoring Tool: What's Running
- What's Running gives an inside look into your Windows operating systems.
Process Monitoring Tools
- Process Explorer
Scanning for Suspicious Registry Entries
- Windows automatically executes instructions in:
- Run
- RunServices
- RunOnce
- RunServicesOnce
- HKEY_CLASSES_ROOT\exefile\shell\open\command "%1" %*.
- Scanning registry values for suspicious entries may indicate the Trojan infection.
- Trojans insert instructions at these sections of registry to perform malicious activities.
Autoruns
Registry Entry Monitoring Tool: RegScanner
- RegScanner allows you to scan the Registry, find the desired Registry values that match to the specified search criteria, and display them in one list.
Registry Entry Monitoring Tools
Scanning for Suspicious Device Drivers
- Trojans are installed along with device drivers downloaded from untrusted sources and use these drivers as a shield to avoid detection.
- Scan for suspicious device drivers and verify if they are genuine and downloaded from the publisher's original site.
- Go to
Run -> Type msinfo32 -> Software Environment -> System Drivers
- 檢視系統內已安裝的驅動程式:
$ sc query type= driver
- 使用Process Explorer查看程序載入了哪些DLLs:
- View -> Lower Pane View -> DLLs
Device Drivers Monitoring Tool: DriverView
- DriverView utility displays the list of all device drivers currently loaded on system. For each driver in the list, additional information is displayed such as load address of the driver, description, version, product name, company that created the driver, etc.
Device Drivers Monitoring Tools
Scanning for Suspicious Windowes Services
- Trojans spawn Windows services allow attackers remote control to the victim machine and pass malicious instructions.
- Trojans rename their processes to look like a genuine Windows service in order to avoid detection.
- Trojans employ rootkit techniques to manipulate HKEY_LOCAL_MACHINE\System\CurrentControlSet\Service registry keys to hide its processes.
Windows Services Monitoring Tool: Windows Service Manager (SrvMan)
- Windows Service Manager simplifies all common tasks related to Windows services. It can create services (both Win32 and Legacy Driver) without restarting Windows, delete existing services, and change service configuration.
Windows Service Monitoring Tools
Scanning for Suspicious Startup Programs
- Check startup program entries in the registry: Details are covered in next slide.
- Check device drivers automatically loaded: C:\Windows\System32\drivers
- Check boot.ini: Check boot.ini or bcd (bootmgr) entries.
- Check Windows services automatic started: Go to Run -> Type services.msc -> Sort by Startup Type.
- Check startup folder:
- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup
- C:\Users(User-Name)\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup
BCD開機設定資料:
$ bcdedit
Windows 8 Startup Registry Entries
Startup Programs Monitoring Tool: Security AutoRun
- Security AutoRun displays the list of all applications that are loaded automatically when Windows starts up.
Startup Programs Monitoring Tools
Scanning for Suspicious Files and Folders (重要)
- Trojans normally modify system's files and folders. Use these tools to detect system changes.
SIGVERIF:
- It checks integrity of critical files that have been digitally signed by Microsoft.
- To launch SIGVERIF, to to Start -> Run, type
sigverif
and press Enter.
掃Windows資料夾底下的數位簽章
FCIV (File Checksum Integrity Verifier):
- It is a command line utility that computes MD5 or SHA1 cryptographic hashes for files.
- You can download FCIV at http://download.microsoft.com
- TRIPWIRE:
- It is an enterprise class system integrity verifier that scans and reports critical system files for changes.
檢查Windows執行檔是否含有數位簽章:
$ sigcheck -v C:\Windows\System32\nc.exe
,-v
是結合使用VirusTotal掃描
Files and Folder Integrity Checker: FastSum and WinMD5
- FastSum:
- FastSum is used for checking integrity of the files.
- It computes checksums according to the MD5 checksum algorithm.
- WinMD5:
- WinMD5 is a Windows utility for computing the MD5 hashes ("fingerprints") of files.
- These fingerprints can be used to ensure that the file is uncorrupted.
Files and Folder Integrity Checker
Scanning for Suspicious Network Activities
- Trojans connect back to handlers and send confidential information to attackers.
- Use network scanners and packet sniffers to monitor network traffic going to malicious remote addresses.
- Run tools such as Capsa to monitor network traffic and look for suspicious activities sent over the web.
Detecting Trojans and Worms with Capsa Network Analyzer
- Capsa is an intuitive network analyzer, which provides detailed information to help check if there are any Trojan activities on a network.
Virus Detection Methods
- Scanning:
- Once a virus has been detected, it is possible to write scanning programs that look for signature string characteristics of the virus.
- Integrity Checking:
- Integrity checking products work by reading the entire disk and recording integrity data that acts as a signature for the files and system sectors.
- Interception:
- The interceptor monitors the operating system requests that are written to the disk.
- Code Emulation:
- In code emulation techniques, the anti-virus executes the malicious code inside a virtual machine to simulate CPU and memory activities.
- This techniques is considered very effective in dealing with encrypted and polymorphic viruses if the virtual machine mimics the real machine.
- Heuristic Analysis:
- Heuristic analysis can be static or dynamic.
- In static analysis the anti-virus analyses the file format and code structure to determine if the code is viral.
- In dynamic analysis the anti-virus performs a code emulation of the suspicious code to determine if the code is viral.
Q1) Virus Scrubbers and other malware detection program can only detect items that they are aware of. Which of the following tools would allow you to detect unauthorized changes or modifications of binary files on your system by unknown malware?
- System integrity verification tools
- Anti-Virus Software
- A properly configured gateway
- There is no way of finding out until a new updated signature file is released
A1) Programs like Tripwire aids system administrators and users in monitoring a designated set of files for any changes. Used with system files on a regular (e.g.,daily) basis, Tripwire can notify system administrators of corrupted or tampered files, so damage control measures can be taken in a timely manner.
Q2) Which Windows system tool checks integrity of critical files that has been digitally signed by Microsoft?
- signverif.exe
- sigverif.exe
- msverif.exe
- verifier.exe
Q3) Which of the following tool would be considered as Signature Integrity Verifier (SIV)?
- Nmap
- SNORT
- VirusSCAN
- Tripwire
Q4) A file integrity program such as Tripwire protects against Trojan horse attacks by:
- Automatically deleting Trojan horse programs
- Rejecting packets generated by Trojan horse programs
- Using programming hooks to inform the kernel of Trojan horse behavior
- Helping you catch unexpected changes to a system utility file that might indicate it had been replaced by a Trojan horse
A4) Tripwire generates a database of the most common files and directories on your system. Once it is generated,you can then check the current state of your system against the original database and get a report of all the files that have been modified,deleted or added. This comes in handy if you allow other people access to your machine and even if you don't,if someone else does get access,you'll know if they tried to modify files such as /bin/login etc.
Q5) You have just installed a new Linux file server at your office. This server is going to be used by several individuals in the organization, and unauthorized personnel must not be able to modify any data.
What kind of program can you use to track changes to files on the server?
- Network Based IDS (NIDS)
- Personal Firewall
- System Integrity Verifier (SIV)
- Linux IP Chains
A5) System Integrity Verifiers like Tripwire aids system administrators and users in monitoring a designated set of files for any changes. Used with system files on a regular (e.g.,daily) basis, Tripwire can notify system administrators of corrupted or tampered files, so damage control measures can be taken in a timely manner.
Q6) How does Tripwire (and programs like it) help against Trojan attacks?
- Tripwire is an AV application that quarantines and removes Trojans immediately.
- Tripwire is an AV application that quarantines and removes Trojans after a scan.
- Tripwire is a file-integrity-checking application that rejects Trojan packets intended for the kernel.
- Tripwire is a file-integrity-checking application that notifies you when a system file has been altered, thus indicating a Trojan.
A6) Tripwire is one of the better-known file integrity verifiers, and it can help prevent Trojans by notifying you immediately when an important file is altered.
Q7) Which tool is a file and directory integrity checker that aids system administrators and users in monitoring a designated set of files for any changes?
- Hping2
- DSniff
- Cybercop Scanner
- Tripwire
Q8) Which program is useful in ensuring the integrity of a file that has been downloaded from the Internet?
- Tripwire
- Norton Internet Security
- Snort
- WinMD5
A8) WinMD5 can be used to verify the integrity of a file downloaded from the Internet.
Q9) Your computer is infected by E-mail tracking and spying Trojan. This Trojan infects the computer with a single file - emos.sys
Which step would you perform to detect this type of Trojan?
- Scan for suspicious startup programs using msconfig
- Scan for suspicious network activities using Wireshark
- Scan for suspicious device drivers in c:\windows\system32\drivers
- Scan for suspicious open ports using netstat
Q10) Which utility will tell you in real time which ports are listening or in another state?
- Netstat
- TCPView
- Nmap
- Loki
A10) TCPView lists ports and what their statuses are in real time.