Table of Contents:
Introduction (page 3)
Scope (page 3)
Limitations (page 3)
About Malware (page 4)
Tools Preparation (page 4)
The Setup (page 4)
Forensic Analysis Process (page 7)
Running the Malware: Conduit Toolbar (page 7)
Procmon Analysis (page 12)
Regshot Analysis (page 15)
Malware Removal Forensics (page 17)
Malwarebytes Analysis (page 17)
AdwCleaner Analysis (page 21)
Conclusion (page 23)
Recommendations (page 24)
Appendix (page 24)
Introduction:
In today’s cyber world, malware has thoroughly infiltrated our computers in many forms: the typical computer virus, the crawling worm, the stealthy Trojan horse, the merciless ransomware, the annoying spyware and adware, and the creepy scareware. The purpose of this paper is to teach you how to analyze malware and clean it out, much as a virologist finds the appropriate antidote for an epidemic. The tools used for artifact analysis include Free Cloud VPN, VMware Workstation 11, Regshot, and the featured Microsoft Sysinternals tool, Procmon (Process Monitor). For the cleaning process, I will show you how to use Malwarebytes and AdwCleaner to remove the malware. Malwarebytes and AdwCleaner also give a different perspective on where the forensic artifacts truly lie, since each keeps a record of what it found and removed, including accurate logs. These tools will teach you how to sleuth out malware pragmatically and in an orderly way. As when dissecting any specimen, you must appreciate the complexity of this electronic virology and know it inside and out before you can analyze it completely.

Scope:
The primary scope of this project is that this report will serve as a practical guide to dissecting malware with VMware Workstation 11 as the sandbox (a container that holds the electronic specimen so that it cannot infect the outside world). The incentive for using VMware Workstation is that it can take snapshots of the virtualized operating system, in my case Windows 7 Enterprise. If I make mistakes along the way, I can revert to an earlier snapshot without having to rebuild the whole VM and start over. This saves a lot of work and time.
Forensically speaking, this project is a guide aimed at people specializing in cybercrime, and it teaches the average computer professional how to dissect a piece of malware using the Sysinternals tool Process Monitor together with Regshot, and how to clean it out using Malwarebytes and AdwCleaner.

Limitations:
There are limitations to analyzing malware. Because of the anomalous, Trojan-like behaviour of malware such as Conduit Toolbar, I am unable to list the function of every registry key, since that can only be verified from the source code and the intelligence of the malware author. I will, however, provide the main registry keys that were affected during installation of the malware, and information about which files were created and closed by the program as recorded by Procmon. I will also do a comparative analysis of which registry records were added, using the intelligence tool Regshot.
About Malware:
Malware is often described simply as bad software. The French word for bad is “mal”, and here it means harmful or malicious. So, what are we usually looking for in malware? We are usually looking for processes that are suspicious. Sometimes they bear no icon, and the program carries no certificate from a verified signer. The company name may be present or missing; it really depends on who made the malware. Sometimes it is even “legit” malware, in which case it usually presents terms of agreement before you install the program, with suggestive wording indicating that it will spy on your computer. The algorithmic process is usually extremely complex, which makes it hard for the average person to clean the malware out; it would take a heck of a long time to detect without the proper tools. Annoying malware can hijack your browser’s homepage and add toolbars that were never intended to be there, without your permission. It usually also sends your information to a target host or server that mines your data in exchange for blackhat money.

Tools Preparation:
To prepare for the lab, we need the following tools. You can download them from these sites:
An evaluation version of Windows 7 Enterprise (90-day edition): http://www.microsoft.com/en-us/evalcenter/evaluate-windows-7-enterprise
VMware Workstation 11 (the trial version will do): http://www.vmware.com
Process Monitor: https://technet.microsoft.com/en-ca/sysinternals/bb896645.aspx
7-Zip, for extracting the .7z archive that Regshot ships in: http://www.7-zip.org/
Regshot, for taking a before-and-after picture of the registry for comparison: http://sourceforge.net/projects/regshot/
Malwarebytes, for cleaning out the malware and obtaining a forensic log of the artifacts: https://www.malwarebytes.org/
AdwCleaner, for cleaning the hijacked homepage and recovering web browser forensics: https://toolslib.net/downloads/viewdownload/1-adwcleaner/
The Setup:
The first step to success in malware analysis is to download the tools listed above. You will get a better grasp of them once I show you how each one is used. Before we get into the VMware part, we need to set up a VPN connection, using Free Cloud VPN, to masquerade your IP address. For this example I will use Windows 8 to demonstrate. First, click on the Network icon in the bottom-right corner of your taskbar.
FIGURE A: CLICK ON CONNECTION SETTINGS 1
Then, click on View Connection Settings.
FIGURE B: CLICK ON CONNECTION SETTINGS 2
Click on Add a VPN Connection.
FIGURE C: CONFIGURE THE VPN SETTINGS USING FREECLOUDVPN.COM
Under your VPN connections, use these settings:
VPN Type: PPTP VPN
VPN Encryption: Enabled (Auto)
US VPN Hostname: us.freecloudvpn.com
US VPN Username: freecloudvpn.com
US VPN Password: 2724

For VMware Workstation, make sure that you have a snapshot saved after you have downloaded all the programs; you can name it ‘VMTools Installed Before Infection’. Taking snapshots along the way is the way to go, in case you run into trouble later. Another important point with VMware Workstation is that you want to isolate your sandbox on a different gateway before the analysis. Under the VM menu, click on Settings, then click on Network Adapter and select NAT (Network Address Translation). For this research, I have chosen a non-lethal, adware-based malware. It is not a worm, whose main objective is to spread through your computer and network, finding places to hide and exploiting vulnerabilities to travel across the network. It is basically spyware. Spyware usually contains a trojan component so that it can send information from your computer to a remote host. You can download the malware, or potentially unwanted program, by doing a simple Google search for Conduit Toolbar.
Many people complain about Conduit Toolbar because it eats up a lot of memory and CPU time; as a result, their applications take a long time to start and processes load slowly. Conduit Toolbar is categorized as grayware, or non-malicious spyware. Before we begin, we need to start artifact monitoring in the background with Procmon and Regshot. For Regshot, we take our very first snapshot before the infection starts. Open Regshot, then:
1. Click on 1st Shot.
2. Make sure you have the right Output path.
FIGURE 1: FIRST CAPTURE WITH REGSHOT
Keep Regshot open until we finish the complete analysis of the spyware. A download site for the malware is http://conduit.ourtoolbar.com/. Once it is downloaded, probably to your Documents or Downloads folder, you can proceed to execute it. Note that this malware is infamous for creating a toolbar in your browser and hijacking your homepage for advertising purposes. Rename the Conduit file, tb_Conduit.exe, to conduitMalware.exe for examination and educational purposes.
Forensic Analysis Process:
A. Running the Malware: Conduit Toolbar
When you are ready, run the malware, Conduit Toolbar: double-click the binary to execute it, and it will go through the installation process.
FIGURE 2: CONDUIT TOOLBAR INSTALLATION SCREEN 1
When prompted, check the options “Set my default search and homepage to Trovi Search” and “I allow my current home page and default search settings to be stored for easy reverting later”. We check these because the average user who is pushed into installing a program bundled with the Conduit spyware will most likely tick these boxes. Note that this is considered “legit” or “legal” spyware (grayware), because the policy below states that “this toolbar may contain apps that access, collect and use your personal data, including your IP address and the address and content of web pages you visit”. The text is not prominent, and the average user will usually skip over it, but it is a critical piece of information for understanding why this counts as “legal” spyware (grayware) after all. Click Agree and Install to proceed to the next step. Since we are only analyzing the spyware toolbar and the homepage hijacking, we do not need to bother with the next few offers, such as ScreenGlaze, a smart search-powered screen saver.
FIGURE 3: CONDUIT TOOLBAR - SKIP ALL
When you are ready, click on Skip All.
FIGURE 4: CONDUIT TOOLBAR – INSTALLATION COMPLETE
The installation should now be complete. Click on Finish, and the installer will exit.
FIGURE 5: CONDUIT TOOLBAR PROMPTS INSTALLATION ON FIREFOX
Next, your default browser (in my case, Firefox) will pop up. Check the box Allow this installation and then click on Continue.
FIGURE 6: CONDUIT TOOLBAR AND HOMEPAGE HIJACKING PRE-STAGE
From this point on, Firefox installs the Conduit toolbar (the malware). Click Finish, and you will see that the Conduit Toolbar has hijacked your homepage.
FIGURE 7: CONDUIT TOOLBAR INSTALLATION FINISHES
From this point on, you can restart Firefox.
FIGURE 8: CONDUIT TOOLBAR INSTALLATION FINISHES
You will see that your homepage has been temporarily hijacked by the adware, Conduit. This should be all that the malware visibly intends to do. Beyond that, it trojanizes your system and spies on it every once in a while, but the effects are unnoticeable. Your system should slow down a lot by this point.

B. Procmon Analysis
In Procmon, we filter on the Conduit Toolbar process by Process Name, since that narrows the trace to the pieces most relevant to our analysis. For Operation, we filter on CreateFile and CloseFile to see which files it spawns and which it closes. Sometimes malware also propagates by creating new specimens in places such as C:\Temp, where they are not obvious and are hard to unravel and clean up; what problematic software will do to your computer is always unpredictable. We will not analyze the registry side yet; that comes later, in the Regshot forensic analysis.
FIGURE 9: ANALYSIS OF PROCMON CREATING FILES
When we filter on wsmallstub.exe, the malware specimen we are analyzing, we can see that it creates the following files, among others shown on the screen:
C:\Windows\System32\wow64.dll
C:\Windows\System32\wow64win.dll
C:\Windows\System32\wow64cpu.dll
C:\Windows\System32\wow64log.dll
C:\Users\Nathan\AppData\Local\Temp\RarSFX0
C:\Windows\SysWOW64\sechost.dll
C:\Users\Nathan\AppData\Local\Temp\RarSFX0\version.DLL
C:\Windows\SysWOW64\version.dll
C:\Windows\SysWOW64\apphelp.dll
C:\Windows\AppPatch\sysmain.sdb
C:\Users\Nathan\AppData\Local\Temp\RarSFX0\wsmallstub.exe
C:\Users\Nathan\AppData\Local\Temp\RarSFX0
C:\Windows\AppPatch\AcLayers.dll
C:\Users\Nathan\AppData\Local\Temp\RarSFX0\WINSPOOL.DRV
C:\Users\Nathan\AppData\Local\Temp\RarSFX0\MPR.dll
C:\Windows\SysWOW64\imm32.dll
C:\Users\Nathan\AppData\Local\Temp\RarSFX0\icon.ico
C:\Windows\SysWOW64\uxtheme.dll
C:\Windows\SysWOW64\msxml3.dll
C:\Windows\SysWOW64\en-US\KernelBase.dll.mui
C:\Windows\SysWOW64\msxml3r.dll
C:\Users\Nathan\AppData\Local\Temp\RarSFX0\stub_settings.xml
C:\Users\Nathan\AppData\Local\Temp\RarSFX0\Secur32.dll
C:\Windows\Globalization\Sorting\SortDefault.nls
C:\Users\Nathan\AppData\Local\Microsoft\Windows\Temporary Internet Files
C:\Users\Nathan\AppData\Local\Temp\RarSFX0\api-ms-win-downlevel-advapi32-l2-1-0.dll
C:\Windows\SysWOW64\api-ms-win-downlevel-advapi32-l2-1-0.dll
C:\Windows\winsxs\x86_microsoft.windows.commoncontrols_6595b64144ccf1df_5.82.7601.18201_none_ec80f00e8593ece5
C:\Windows\SysWOW64\winhttp.dll
C:\Windows\SysWOW64\webio.dll
C:\Windows\SysWOW64\mswsock.dll
C:\Windows\SysWOW64\wship6.dll
C:\Users\Nathan\AppData\Local\Temp\RarSFX0\IPHLPAPI.DLL
C:\Users\Nathan\AppData\Local\Temp\RarSFX0\WINNSI.DLL
C:\Windows\SysWOW64\winnsi.dll
After creating the files, it closes each one once it is done with it.
FIGURE 10: ANALYSIS OF PROCMON CLOSING FILES
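Procmon can save the filtered trace as a CSV file (File > Save), which lets the CreateFile/CloseFile walkthrough above be repeated over the whole capture instead of by eye. The following Python script is an addition to this report, not one of its tools: it applies the same filter (one Process Name, CreateFile and CloseFile), uses the OpenResult value in Procmon's Detail column to separate files wsmallstub.exe actually created from system DLLs it only opened, flags anything written under %TEMP% such as the RarSFX0 folder, and reports opens that never got a matching CloseFile. The CSV rows, PID and timestamps are constructed for the example.

```python
import csv
import io
import re
from collections import Counter

# Constructed Procmon CSV export (File > Save..., CSV). Column names are Procmon's;
# the rows are made up to mirror what this report observed, not a real capture.
PROCMON_CSV = r'''"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"10:01:02.1","wsmallstub.exe","3120","CreateFile","C:\Windows\SysWOW64\version.dll","SUCCESS","Desired Access: Read Attributes, Disposition: Open, OpenResult: Opened"
"10:01:02.2","wsmallstub.exe","3120","CloseFile","C:\Windows\SysWOW64\version.dll","SUCCESS",""
"10:01:02.3","wsmallstub.exe","3120","CreateFile","C:\Users\Nathan\AppData\Local\Temp\RarSFX0\stub_settings.xml","SUCCESS","Desired Access: Generic Write, Disposition: OverwriteIf, OpenResult: Created"
"10:01:02.4","wsmallstub.exe","3120","CloseFile","C:\Users\Nathan\AppData\Local\Temp\RarSFX0\stub_settings.xml","SUCCESS",""
"10:01:02.5","wsmallstub.exe","3120","CreateFile","C:\Users\Nathan\AppData\Local\Temp\RarSFX0\icon.ico","SUCCESS","Desired Access: Generic Write, Disposition: OverwriteIf, OpenResult: Created"
"10:01:02.6","wsmallstub.exe","3120","CreateFile","C:\Windows\SysWOW64\missing.dll","NAME NOT FOUND","Desired Access: Read Attributes, Disposition: Open"
"10:01:02.7","explorer.exe","1400","CreateFile","C:\Users\Nathan\Desktop","SUCCESS","Desired Access: Read Data, Disposition: Open, OpenResult: Opened"
"10:01:02.8","wsmallstub.exe","3120","RegOpenKey","HKCU\Software\Conduit","SUCCESS",""
'''

TEMP_DIR_RE = re.compile(r"\\AppData\\Local\\Temp\\", re.IGNORECASE)


def parse_procmon(text):
    """Read a Procmon CSV export into row dicts keyed by column name."""
    return list(csv.DictReader(io.StringIO(text)))


def file_events(rows, process):
    """The report's filter: one Process Name, Operation CreateFile or CloseFile."""
    return [r for r in rows if r["Process Name"].lower() == process.lower()
            and r["Operation"] in ("CreateFile", "CloseFile")]


def detail_field(detail, name):
    """Pull one 'Name: value' item out of Procmon's comma-separated Detail column."""
    m = re.search(name + r": ([^,]+)", detail)
    return m.group(1).strip() if m else ""


def summarize(rows, process):
    """Split real file creations from plain opens, flag writes under %TEMP%,
    and list files opened but never closed before the capture ended."""
    created, opened, dropped = [], [], []
    open_handles = Counter()  # path -> opens not yet matched by a CloseFile
    for r in file_events(rows, process):
        path = r["Path"]
        if r["Operation"] == "CloseFile":
            open_handles[path] -= 1
            continue
        if r["Result"] != "SUCCESS":  # failed opens return no handle
            continue
        open_handles[path] += 1
        # Procmon's CreateFile is the Win32 open call; OpenResult says whether it
        # actually created or rewrote the file rather than just opening it.
        if detail_field(r["Detail"], "OpenResult") in ("Created", "Overwritten", "Superseded"):
            created.append(path)
            if TEMP_DIR_RE.search(path):
                dropped.append(path)
        else:
            opened.append(path)
    unclosed = sorted(p for p, n in open_handles.items() if n > 0)
    return {"created": created, "opened": opened, "dropped_in_temp": dropped, "unclosed": unclosed}


SUMMARY = summarize(parse_procmon(PROCMON_CSV), "wsmallstub.exe")
```

Against a real export, replace PROCMON_CSV with the file contents; anything listed under dropped_in_temp is the extracted payload rather than a library the installer merely loaded.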
C. Regshot Analysis
FIGURE 11: SECOND CAPTURE WITH REGSHOT
We take another snapshot after the execution of the malware.
1. Press 2nd shot when you are ready.
2. Locate your output path as well by pressing on …
Upon comparison, we find that 51 keys have been added. Among them:
HKU\S-1-5-21-3479963163-2589350846-1209574490-1000\Software\AppDataLow\Software\Smartbar
These registry entries presumably create the Smartbar adware. Again, this is undetectable by the average user, because the average user does not know how to open the registry and view the changes.
HKU\S-1-5-21-3479963163-2589350846-1209574490-1000\Software\AppDataLow\Software\Smartbar\AppPaths
This entry defines the path where the Smartbar adware is located.
HKU\S-1-5-21-3479963163-2589350846-1209574490-1000\Software\AppDataLow\Software\Smartbar\FF
HKU\S-1-5-21-3479963163-2589350846-1209574490-1000\Software\AppDataLow\Software\Smartbar\UninstallerData
This entry is probably overwritten and deleted when the Smartbar (Conduit) adware is uninstalled. But we cannot guarantee deletion unless we use Malwarebytes and AdwCleaner.
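Regshot writes its comparison as a plain-text report whose sections are headed “Keys added: N”, “Values added: N” and so on. The following Python script is an addition to this report, not part of Regshot: it parses such a report, checks the declared counts against the entries actually found (which catches a truncated report), and groups the added keys by the vendor name under Software, so Smartbar and Conduit entries stand apart from keys that Microsoft components write. The report text, SID, keys and values are constructed for the example.

```python
import re
from collections import defaultdict

# Constructed Regshot comparison report (the text Regshot writes after Compare).
# Headers follow Regshot's layout; SID, keys and values are made up, not the report's capture.
REGSHOT_REPORT = r'''Regshot 1.9.0 x64 Unicode
Datetime: 2015/03/01 12:00:01  ,  2015/03/01 12:14:37
----------------------------------
Keys added: 5
----------------------------------
HKU\S-1-5-21-1111111111-2222222222-3333333333-1000\Software\AppDataLow\Software\Smartbar
HKU\S-1-5-21-1111111111-2222222222-3333333333-1000\Software\AppDataLow\Software\Smartbar\AppPaths
HKU\S-1-5-21-1111111111-2222222222-3333333333-1000\Software\AppDataLow\Software\Smartbar\FF
HKU\S-1-5-21-1111111111-2222222222-3333333333-1000\Software\Microsoft\Internet Explorer\LowRegistry\Audio\PolicyConfig\PropertyStore\a723b4e6_0
HKLM\SOFTWARE\Classes\CLSID\{00000000-0000-0000-0000-000000000000}
----------------------------------
Values added: 2
----------------------------------
HKU\S-1-5-21-1111111111-2222222222-3333333333-1000\Software\AppDataLow\Software\Smartbar\AppPaths\Smartbar: "C:\Users\Nathan\AppData\Local\Smartbar\Application\Smartbar.exe"
HKCU\Software\Conduit\Search Protect: "1"
----------------------------------
Total changes: 7
----------------------------------
'''

SECTION_RE = re.compile(r"^(Keys|Values) (added|deleted|modified): (\d+)$")
SOFTWARE_RE = re.compile(r"\\Software\\([^\\]+)", re.IGNORECASE)


def parse_regshot(text):
    """Return ({section: [entries]}, {section: count Regshot declared})."""
    entries, declared, current = {}, {}, None
    for line in text.splitlines():
        m = SECTION_RE.match(line)
        if m:
            current = f"{m.group(1)} {m.group(2)}"
            declared[current] = int(m.group(3))
            entries[current] = []
        elif line.startswith("Total changes:"):
            current = None  # trailer; nothing after it is an entry
        elif current and line and not line.startswith("----"):
            entries[current].append(line)
    return entries, declared


def check_counts(entries, declared):
    """Declared vs. parsed counts; a mismatch means a truncated or mangled report."""
    return {name: (declared[name], len(entries[name])) for name in declared}


def vendor_of(entry):
    """Last '\\Software\\<vendor>' path component: AppDataLow\\Software\\Smartbar -> Smartbar."""
    key_path = entry.split(": ", 1)[0]  # value entries carry ': "data"' after the name
    hits = SOFTWARE_RE.findall(key_path)
    return hits[-1] if hits else "(outside any Software subtree)"


def group_by_vendor(entry_list):
    """Bucket added keys or values by vendor so the adware's own keys stand out."""
    groups = defaultdict(list)
    for e in entry_list:
        groups[vendor_of(e)].append(e)
    return dict(groups)
```

Run parse_regshot on the saved comparison file and check_counts first; only when the declared and parsed counts agree is the vendor grouping trustworthy.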
HKU\S-1-5-21-3479963163-2589350846-1209574490-1000\Software\AppDataLow\Software\Smartbar\UninstallerData\CT408137
HKU\S-1-5-21-3479963163-2589350846-1209574490-1000\Software\AppDataLow\Software\Smartbar\UninstallerData\CT408137\FF
HKU\S-1-5-21-3479963163-2589350846-1209574490-1000\Software\Microsoft\Internet Explorer\LowRegistry\Audio\PolicyConfig\PropertyStore\42008bfa_0\{219ED5A0-9CBF-4F3A-B927-37C9E5C5F14F}
This key and the ones below it modify the Internet Explorer process.
HKU\S-1-5-21-3479963163-2589350846-1209574490-1000\Software\Microsoft\Internet Explorer\LowRegistry\Audio\PolicyConfig\PropertyStore\a723b4e6_0
HKU\S-1-5-21-3479963163-2589350846-1209574490-1000\Software\Microsoft\Internet Explorer\LowRegistry\Audio\PolicyConfig\PropertyStore\a723b4e6_0\{219ED5A0-9CBF-4F3A-B927-37C9E5C5F14F}
These entries are only part of the 51 keys that were added. The full list is too long to reproduce; that is the limitation, since spyware writes a very long list of keys and can propagate itself.

Malware Removal Forensics:
In conclusion, the easiest way to get a clean forensic picture of which files were affected during the malware’s stay is to obtain the results from a malware scanner such as Malwarebytes and AdwCleaner.

A. Malwarebytes Analysis
To find out, finally, which malware or trojans were packed inside Conduit, we do a full scan. First, make sure the program is fully up to date by starting it and allowing it to update.
FIGURE 12: UPDATING MALWAREBYTES
FIGURE 13: SCANNING WITH MALWAREBYTES
When you are ready for the scan, press Fix Now. The scan should take a while, perhaps 15 to 20 minutes depending on how much RAM is allocated to your VMware machine, the number of files on your computer, and the processor speed.
FIGURE 14: CLICKING ON REVIEW DETECTED ITEMS
For a full forensic analysis of which files were identified as malware infections, click on Review Detected Items. After the scan, you can copy the forensic analysis to the clipboard by clicking on Copy to Clipboard.
FIGURE 15: MALWARE ITEMS DETECTION
Then open Notepad and press Ctrl + V (or Edit >> Paste).
FIGURE 16: MALWAREBYTES FORENSIC LOG
B. AdwCleaner Analysis
After the Malwarebytes forensics pass, we use AdwCleaner to remove the malicious entries from the registry.
FIGURE 17: SCAN WITH ADWCLEANER
Press Scan when you are ready to clean the registry.
FIGURE 18: FIREFOX ARTIFACTS UNCOVERED WITH ADWCLEANER
When the scan is done, it produces a logfile that you can review and save as forensic evidence of which places in the browser and registry were affected. Click on Logfile to generate the log of what we need to acquire as forensic artifacts and evidence.
FIGURE 19: LONG LIST OF ARTIFACTS ACQUIRED BY ADWCLEANER
As you can see, it detected malicious keys in the registry, such as HKCU\Software\Conduit and [x64] HKCU\Software\Conduit. There were also indications of modifications within Firefox, which can likewise be used as forensic evidence of what changed among the Firefox artifacts.

Conclusion:
Now you should have a better grasp of how to analyze malware. Although there are many limitations, such as anomalous code and tricky parts that Procmon and Regshot cannot detect, it is a great relief that anti-virus researchers and other code researchers have brought wonderful, amazing solutions to the table. Once the scanners Malwarebytes and AdwCleaner have definitions for the malware, they become a viable alternative for finding forensic evidence, including many objects we can bring in as artifacts for the “crime scene investigation”. We also know that reverse engineering may only get us so far, and may lead us into cryptic confusion, unless we have the right malware definitions.

Recommendations:
After reading this guide, I have several recommendations for you. To keep your computer safe and sound, regularly update your malware definitions to the latest version. If you have malware infections on your computer, run scans with Malwarebytes. If your homepage or web browser in general has been hijacked (including toolbars and other nonsense that may pop up), free it up by running AdwCleaner, whose sole purpose is to bring the browser back to normal after a restart of your computer. So remember that you do not always have to waste time reformatting your computer, even if your disk has been infected with hundreds or thousands of instances of malware. Your best bet may simply be the right software to clean out the malware.

Appendix:
APPENDIX 1: THE MALWARE FORENSICS CYCLE
1. Malware victimizes the sandbox (virtual machine).
2. Initial forensic analysis with Procmon and Regshot.
3. Complete forensic analysis with Malwarebytes and AdwCleaner (cleansing process).
4. Record logs.
5. Report writing and research. If you want to continue the research, repeat the cycle in a safe sandbox.