Tutorial – Investigating Malware in action
ORIGINALLY POSTED BY NOKIA FOR THETAZZONE/TAZFORUM HERE
Do not use, republish, in whole or in part, without the consent of the Author. TheTAZZone policy is that Authors retain the rights to the work they submit and/or post…we do not sell, publish, transmit, or have the right to give permission for such…TheTAZZone merely retains the right to use, retain, and publish submitted work within its Network
Tiger Shark from Antionline has kindly given his permission for his tutorial to be hosted at The Taz.
You can find the original post here:
Have you ever wanted to _really_ know what is going on inside your computer? Ever wondered _exactly_ what that suspicious file will do to your computer when you click on it? Maybe you are suspicious about a particular web site and what it does when connected to. Or, maybe, you are doing a forensic investigation and want to watch what activity is taking place when the system is running. There are five tools, all available from
, that will allow you to do just this. SysInternals has versions for Win9X/ME and for NT based systems (the Win9X versions do not have a Process Monitor). For the purpose of this tutorial I will be using the NT based versions.
The test system is Windows 2000, SP4, fully patched, with all unnecessary applications closed down to simplify the output.
1. Regmon: Registry Monitor – Monitors all access to the computer’s registry. (NOTE:- This has a handy “Log Boot” feature to help you track down registry changes by spyware at start-up which may help give you a clue as to how the spyware is working and thus give you an opportunity to defeat it).
2. TDIMon: Transport Driver Interface Monitor – Monitors all TCP and UDP connections to and from the computer.
3. FileMon: File Monitor – Monitors all file system activity.
4. NTPMon: NT Process Monitor – Monitors all process activity.
5. Autoruns: Lists all the automatically starting services and applications and the locations from which they are initiated.
Log in as an administrator of the machine, since these tools require administrative access. Back up the registry in case the program removes registry entries. Start Regmon and Filemon and filter out the activity of the four applications above to simplify the output. This filtering will be saved for the next time you start these two apps. Have your suspicious file in place ready to activate, or the web site bookmarked and ready to be connected to. For the sake of simplicity have the computer set up with everything already running, because these tools have voluminous output, so the more you can avoid capturing the better. If you are about to test a suspicious file or a web site, use Autoruns to take a “snapshot” of the current start-up items on the computer and save the output to a safe place (floppy, key fob or network drive, then disconnect or write protect it). Prior to saving Autoruns’ output you need to use the file-view menu and select the following items:-
1. Show AppInit DLLs
2. Show Explorer Addons
3. Show Services
4. Show Winlogon Notifications
5. Show Winsock Providers
6. Verify Code Signatures
7. Include Empty Locations
8. Refresh (to refresh the information).
Then save the data.
Start the four applications and, again, for the sake of simplicity, stop captures and set yourself up to activate the item to be tested. The application I will use for this tutorial is an anonymizer called Tor, (
), because I know it will install itself, create an autostart and contact the internet. This should show us good activity on all the tools making it a good demonstration.
Start the capture, or clear any existing items in the tools, then click on the suspect item and follow the prompts, if any, until completion (in this case I told it to make Tor run at startup). As soon as the installer completed and Tor started itself I stopped the capture on all four applications and saved the data to files in a protected location. In reality you should probably leave them running for a few minutes before stopping the capture in case anything important occurs on a delayed schedule (for example, after a download has completed there may be a further installation, a reconnection to the internet, etc.).
We’ll start with the easy one, the process monitor log, since it contains the least data. You will notice that some of the file sizes are quite large, which is an interesting view into the complexity of your computer. (Filemon.log – 410kb, Process.prc – 2kb, Regmon.log – 1028kb, TDImon.log – 13kb).
325 0 explorer.exe Process Create tor-0.0.9.5-win 6.546750
326 0 tor-0.0.9.5-win Thread Create TID: 336 0.000000
327 0 explorer.exe Thread Delete TID: 284 1.703092
328 0 tor-0.0.9.5-win Thread Create TID: 284 1.265601
329 0 tor-0.0.9.5-win Thread Create TID: 324 0.140622
330 0 tor-0.0.9.5-win Thread Create TID: 1332 0.015625
331 0 System Thread Create TID: 876 0.000000
332 0 System Thread Create TID: 428 0.000000
333 0 WINLOGON.EXE Thread Create TID: 748 0.000000
334 0 WINLOGON.EXE Thread Delete TID: 748 1.109353
335 0 System Thread Delete TID: 428 0.015625
336 0 System Thread Delete TID: 876 0.000000
337 0 tor-0.0.9.5-win Process Create tor.exe 1.859339
338 0 tor.exe Thread Create TID: 876 0.000000
339 0 tor-0.0.9.5-win Thread Delete TID: 284 0.015625
340 0 tor-0.0.9.5-win Thread Delete TID: 324 0.062499
341 0 tor-0.0.9.5-win Thread Delete TID: 1332 0.000000
342 0 tor-0.0.9.5-win Thread Delete TID: 336 0.000000
343 0 explorer.exe Process Delete tor-0.0.9.5-win 0.000000
344 0 tor.exe Thread Create TID: 336 0.171872
345 0 tor.exe Thread Create TID: 324 0.000000
346 0 SERVICES.EXE Thread Create TID: 1332 0.078123
347 0 tor.exe Thread Create TID: 284 0.749986
As can be seen, the act of clicking the executable causes explorer.exe to spawn a process for it (tor-0.0.9.5-win.exe) in #325. The executable then creates 4 threads within that process in #326, 328, 329 and 330. The next important entries begin at #337, where the installer starts the application itself (process create). Now that tor.exe is running, the installer closes the threads it started (thread delete #339-342) and, as it closes itself, explorer.exe kills the process (process delete #343). Now that Tor is running it creates its own threads in #338, 344, 345 and 347, while services.exe registers the process in #346.
From the output of this tool you can see exactly what happens in terms of running programs and threads when the installer executes. The programs the installer runs may be hidden from your view, but this output shows you they are there. More importantly, some applications hide threads in another program’s process. The output here would show you thread IDs (TIDs) being started, and a program such as ProcExp (Process Explorer by Sysinternals) would let you track the threads down by TID and see which processes are being subverted.
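An added example (my code, not part of Tiger Shark’s tutorial) that reconstructs the spawn chain and the threads still alive at the end of a capture from process monitor lines like those above, so the relationship explorer.exe -> installer -> tor.exe stays visible even after the installer process has been deleted. The sample is the excerpt above trimmed to the relevant lines; the column layout is assumed from that excerpt.

```python
import re
from collections import defaultdict

# Constructed sample: the process monitor excerpt quoted above, trimmed to the lines that matter.
SAMPLE = """\
325 0 explorer.exe Process Create tor-0.0.9.5-win 6.546750
326 0 tor-0.0.9.5-win Thread Create TID: 336 0.000000
328 0 tor-0.0.9.5-win Thread Create TID: 284 1.265601
330 0 tor-0.0.9.5-win Thread Create TID: 1332 0.015625
337 0 tor-0.0.9.5-win Process Create tor.exe 1.859339
338 0 tor.exe Thread Create TID: 876 0.000000
339 0 tor-0.0.9.5-win Thread Delete TID: 284 0.015625
341 0 tor-0.0.9.5-win Thread Delete TID: 1332 0.000000
342 0 tor-0.0.9.5-win Thread Delete TID: 336 0.000000
343 0 explorer.exe Process Delete tor-0.0.9.5-win 0.000000
344 0 tor.exe Thread Create TID: 336 0.171872
346 0 SERVICES.EXE Thread Create TID: 1332 0.078123
347 0 tor.exe Thread Create TID: 284 0.749986
"""

# Columns (assumed from the excerpt): seq, unused, process, Process|Thread, Create|Delete, target, elapsed
LINE = re.compile(
    r"^(\d+)\s+\d+\s+(\S+)\s+(Process|Thread)\s+(Create|Delete)\s+(?:TID:\s*)?(\S+)\s+[\d.]+$")

def summarize_process_log(text):
    parent = {}                 # child process -> process that created it
    threads = defaultdict(set)  # process -> TIDs still alive at the end of the capture
    exited = []                 # processes for which a "Process Delete" was seen
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if not m:
            continue
        _, proc, kind, action, target = m.groups()
        if kind == "Process":
            if action == "Create":
                parent[target] = proc
            else:
                exited.append(target)
        elif action == "Create":
            threads[proc].add(int(target))
        else:
            threads[proc].discard(int(target))   # TIDs get reused, so track live ones only
    return {"parent": parent, "threads": dict(threads), "exited": exited}

def lineage(summary, proc):
    """Walk the spawn chain upward, e.g. tor.exe -> installer -> explorer.exe."""
    chain = [proc]
    while chain[-1] in summary["parent"]:
        chain.append(summary["parent"][chain[-1]])
    return chain
```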
The Filemon log gives a feel for how complex the filesystem is and how much “work” goes on within it. The actual output has been edited to leave only the Tor installer’s activity, because it shows which files have been written (altered or added). See FileMonClean.log in the Zip file.
Early in the log you can see the installer thread started by explorer.exe in #325 above reading itself in chunks of 512 bytes into memory:-
157 10:27:18 AM tor-0.0.9.5-win:1008 READ C:\Downloads\tor-0.0.9.5-win32.exe SUCCESS Offset: 0 Length: 512
158 10:27:18 AM tor-0.0.9.5-win:1008 READ C:\Downloads\tor-0.0.9.5-win32.exe SUCCESS Offset: 512 Length: 512
159 10:27:18 AM tor-0.0.9.5-win:1008 READ C:\Downloads\tor-0.0.9.5-win32.exe SUCCESS Offset: 1024 Length: 512
Then it checks for the existence of a folder that _should_ exist, and does, hence the success:-
257 10:27:18 AM tor-0.0.9.5-win:1008 QUERY INFORMATION C:\DOCUME~1\TIGER\LOCALS~1\Temp SUCCESS Attributes: DA
Next it creates a temporary file in that folder, closes it, recreates it to ensure it can overwrite it, reads data from the installer and writes it to the file. These are the temporary files the installer will use to install the required files later:-
258 10:27:18 AM tor-0.0.9.5-win:1008 CREATE C:\DOCUME~1\TIGER\LOCALS~1\Temp\nsm56.tmp SUCCESS Options: Create Access: All
259 10:27:18 AM tor-0.0.9.5-win:1008 CLOSE C:\DOCUME~1\TIGER\LOCALS~1\Temp\nsm56.tmp SUCCESS
260 10:27:18 AM tor-0.0.9.5-win:1008 CREATE C:\DOCUME~1\TIGER\LOCALS~1\Temp\nsm56.tmp SUCCESS Options: OverwriteIf Access: All
261 10:27:18 AM tor-0.0.9.5-win:1008 READ C:\Downloads\tor-0.0.9.5-win32.exe SUCCESS Offset: 36380 Length: 16384
262 10:27:18 AM tor-0.0.9.5-win:1008 WRITE C:\DOCUME~1\TIGER\LOCALS~1\Temp\nsm56.tmp SUCCESS Offset: 0 Length: 32768
263 10:27:18 AM tor-0.0.9.5-win:1008 WRITE C:\DOCUME~1\TIGER\LOCALS~1\Temp\nsm56.tmp SUCCESS Offset: 32768 Length: 32768
264 10:27:18 AM tor-0.0.9.5-win:1008 WRITE C:\DOCUME~1\TIGER\LOCALS~1\Temp\nsm56.tmp SUCCESS Offset: 65536 Length: 3793
265 10:27:18 AM tor-0.0.9.5-win:1008 READ C:\DOCUME~1\TIGER\LOCALS~1\Temp\nsm56.tmp SUCCESS Offset: 0 Length: 4
266 10:27:18 AM tor-0.0.9.5-win:1008 READ C:\DOCUME~1\TIGER\LOCALS~1\Temp\nsm56.tmp SUCCESS Offset: 4 Length: 15160
You will also notice, throughout the text the installer generates, that it references various system DLLs as it goes. As long as these aren’t write or delete attempts then no harm is done to them.
After creating several temporary files and folders the installer moves on with its job:-
805 10:27:21 AM tor-0.0.9.5-win:1008 DIRECTORY C:\ SUCCESS FileBothDirectoryInformation: Program Files
806 10:27:21 AM tor-0.0.9.5-win:1008 CLOSE C:\ SUCCESS
807 10:27:21 AM tor-0.0.9.5-win:1008 OPEN C:\Program Files\ SUCCESS Options: Open Directory Access: All
808 10:27:21 AM tor-0.0.9.5-win:1008 DIRECTORY C:\Program Files\ NO SUCH FILE FileBothDirectoryInformation: Tor
809 10:27:21 AM tor-0.0.9.5-win:1008 CLOSE C:\Program Files\ SUCCESS
810 10:27:21 AM tor-0.0.9.5-win:1008 CREATE C:\Program Files\Tor SUCCESS Options: Create Directory Access: All
811 10:27:21 AM tor-0.0.9.5-win:1008 CLOSE C:\Program Files\Tor SUCCESS
812 10:27:21 AM tor-0.0.9.5-win:1008 OPEN C:\Program Files\Tor SUCCESS Options: Open Directory Access: Traverse
Here it opens and closes each folder in the structure until it gets to Program Files, then it tests to see if there is a Tor folder already there (#808). Since there isn’t, it creates one (#809).
Then it creates tor.exe itself in the new folder and, after some “messing around”, it begins writing to it:-
818 10:27:21 AM tor-0.0.9.5-win:1008 CREATE C:\Program Files\Tor\tor.exe SUCCESS Options: Create Access: All
874 10:27:21 AM tor-0.0.9.5-win:1008 WRITE C:\Program Files\Tor\tor.exe SUCCESS Offset: 0 Length: 16384
875 10:27:21 AM tor-0.0.9.5-win:1008 READ C:\DOCUME~1\TIGER\LOCALS~1\Temp\nsm56.tmp SUCCESS Offset: 80305 Length: 16384
876 10:27:21 AM tor-0.0.9.5-win:1008 WRITE C:\Program Files\Tor\tor.exe SUCCESS Offset: 16384 Length: 16384
877 10:27:21 AM tor-0.0.9.5-win:1008 READ C:\DOCUME~1\TIGER\LOCALS~1\Temp\nsm56.tmp SUCCESS Offset: 96689 Length: 16384
878 10:27:21 AM tor-0.0.9.5-win:1008 WRITE C:\Program Files\Tor\tor.exe SUCCESS Offset: 32768 Length: 16384
A quick search for the word “create” will give you a list of every file the installer created. See FilemonCreated.Log in the zip file.
This is where it creates its autostart entry, which it writes to later:-
1569 10:27:22 AM tor-0.0.9.5-win:1008 CREATE C:\Documents and Settings\TIGER\Start Menu\Programs\Tor SUCCESS Options: Create Directory Access: All
After that there is a lot of writing of the files themselves, checking them, gathering information about the system, housekeeping and cleaning up.
Now we know every file and folder that was opened, created, written or deleted on the system: handy information if we need to do a manual removal.
It’s actually fascinating to see how much information the installer looks up in the registry, and the way it locates it (mostly by trial and error). See regmonclean.log in the zip file.
You will see hundreds of entries like this:-
1 37.48215737 tor-0.0.9.5-win:652 OpenKey HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced SUCCESS Key: 0xE27AE4E0
2 37.48219005 tor-0.0.9.5-win:652 QueryValue HKCU\Software\Microsoft\Windows\CurrentVersion\Exp
3 37.48222609 tor-0.0.9.5-win:652 CloseKey HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced SUCCESS Key: 0xE27AE4E
as the installer finds certain information about the system. Here and there amongst all these entries you will find entries such as:-
25 37.61170344 tor-0.0.9.5-win:652 CreateKey HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders SUCCESS Key: 0xE2AD3440
where the installer creates keys it will need in the future. Thus a search for all “CreateKey” entries will show you the keys the installer created. Furthermore you should search for “SetValue”, which will indicate that a value was either created or changed within the registry:-
26 37.61172747 tor-0.0.9.5-win:652 SetValue HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\AppData SUCCESS "C:\Documents and Settings\TIGER\Application Data"
It would, of course, be prudent to search for “DeleteKey” in case your chosen malware deletes keys that may be of use. This is why we backed up the registry: we can import the backup and restore these deleted keys without knowing their contents. It also makes it quicker to restore the original state rather than doing it all manually.
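An added example (my code, not from the original tutorial) that automates the “search for create”, “CreateKey”, “SetValue” and “DeleteKey” advice from the Filemon and Regmon sections above: it parses the line layout both logs share (as assumed from the excerpts) and returns the files and folders created, bytes written per file, and the registry keys created, values set and keys deleted. The sample lines are copied from the excerpts above plus one constructed DeleteKey entry.

```python
import re
from collections import defaultdict

# Constructed sample: Filemon/Regmon lines from the excerpts above plus one made-up DeleteKey line.
SAMPLE = r"""
258 10:27:18 AM tor-0.0.9.5-win:1008 CREATE C:\DOCUME~1\TIGER\LOCALS~1\Temp\nsm56.tmp SUCCESS Options: Create Access: All
262 10:27:18 AM tor-0.0.9.5-win:1008 WRITE C:\DOCUME~1\TIGER\LOCALS~1\Temp\nsm56.tmp SUCCESS Offset: 0 Length: 32768
264 10:27:18 AM tor-0.0.9.5-win:1008 WRITE C:\DOCUME~1\TIGER\LOCALS~1\Temp\nsm56.tmp SUCCESS Offset: 65536 Length: 3793
808 10:27:21 AM tor-0.0.9.5-win:1008 DIRECTORY C:\Program Files\ NO SUCH FILE FileBothDirectoryInformation: Tor
810 10:27:21 AM tor-0.0.9.5-win:1008 CREATE C:\Program Files\Tor SUCCESS Options: Create Directory Access: All
818 10:27:21 AM tor-0.0.9.5-win:1008 CREATE C:\Program Files\Tor\tor.exe SUCCESS Options: Create Access: All
874 10:27:21 AM tor-0.0.9.5-win:1008 WRITE C:\Program Files\Tor\tor.exe SUCCESS Offset: 0 Length: 16384
876 10:27:21 AM tor-0.0.9.5-win:1008 WRITE C:\Program Files\Tor\tor.exe SUCCESS Offset: 16384 Length: 16384
1569 10:27:22 AM tor-0.0.9.5-win:1008 CREATE C:\Documents and Settings\TIGER\Start Menu\Programs\Tor SUCCESS Options: Create Directory Access: All
25 37.61170344 tor-0.0.9.5-win:652 CreateKey HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders SUCCESS Key: 0xE2AD3440
26 37.61172747 tor-0.0.9.5-win:652 SetValue HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\AppData SUCCESS "C:\Documents and Settings\TIGER\Application Data"
27 37.61180000 tor-0.0.9.5-win:652 DeleteKey HKCU\Software\ConstructedExample\OldKey SUCCESS
"""

# Shared layout (assumed): seq, time, image:pid, operation, path, result, detail. Paths may contain spaces.
LINE = re.compile(
    r"^(?P<seq>\d+)\s+(?P<time>\S+(?: [AP]M)?)\s+(?P<proc>\S+):(?P<pid>\d+)\s+"
    r"(?P<op>QUERY INFORMATION|DIRECTORY|CREATE|OPEN|CLOSE|READ|WRITE|DELETE|"
    r"OpenKey|CreateKey|DeleteKey|QueryValue|SetValue|DeleteValue|CloseKey)\s+"
    r"(?P<path>.+?)\s+(?P<result>SUCCESS|NO SUCH FILE|NOT FOUND|ACCESS DENIED)\s*(?P<detail>.*)$")

def summarize_changes(text):
    files, dirs, keys_created, keys_deleted = set(), set(), [], []
    bytes_written = defaultdict(int)
    values_set = {}
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if not m or m["result"] != "SUCCESS":   # failed operations changed nothing
            continue
        op, path, detail = m["op"], m["path"], m["detail"]
        if op == "CREATE":
            (dirs if "Directory" in detail else files).add(path)
        elif op == "WRITE":
            bytes_written[path] += int(re.search(r"Length:\s*(\d+)", detail).group(1))
        elif op == "CreateKey":
            keys_created.append(path)
        elif op == "SetValue":
            values_set[path] = detail.strip('"\u201c\u201d')   # value data follows the result
        elif op == "DeleteKey":
            keys_deleted.append(path)
    return {"files_created": sorted(files), "dirs_created": sorted(dirs),
            "bytes_written": dict(bytes_written), "keys_created": keys_created,
            "values_set": values_set, "keys_deleted": keys_deleted}
```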
See tdimonclean.log in the zip file.
In this file you can see the now-started process (tor.exe) setting itself up to talk to the address 127.0.0.1 (this computer). This is because the program actually needs to connect to Privoxy (a local proxy) before it can function properly.
2 2.21473400 tor.exe:428 82C0E2A8 IRP_MJ_CREATE TCP:127.0.0.1:9050 SUCCESS Address Open
3 2.21479993 tor.exe:428 82C0E2A8 TDI_SET_EVENT_HANDLER TCP:127.0.0.1:9050 SUCCESS Error Event
4 2.21481501 tor.exe:428 82C0E2A8 TDI_SET_EVENT_HANDLER TCP:127.0.0.1:9050 SUCCESS Disconnect Event
5 2.21482535 tor.exe:428 82C0E2A8 TDI_SET_EVENT_HANDLER TCP:127.0.0.1:9050 SUCCESS Receive Event
6 2.21483541 tor.exe:428 82C0E2A8 TDI_SET_EVENT_HANDLER TCP:127.0.0.1:9050 SUCCESS Expedited Receive Event
7 2.21484574 tor.exe:428 82C0E2A8 TDI_SET_EVENT_HANDLER TCP:127.0.0.1:9050 SUCCESS Chained Receive Event
8 2.21485664 tor.exe:428 82C0E2A8 TDI_QUERY_INFORMATION TCP:127.0.0.1:9050 SUCCESS Query Address
9 2.21489631 tor.exe:428 FB37EE88 IRP_MJ_CREATE TCP:Connection obj SUCCESS Context:0x811511A8
10 2.21491586 tor.exe:428 FB37EE88 TDI_ASSOCIATE_ADDRESS TCP:Connection obj SUCCESS TCP:127.0.0.1:9050
Once it has set up its communication with Privoxy it then tries to connect to the outside world through SSL and finds a connection:-
78 3.03891584 tor.exe:428 FA08E708 TDI_SET_EVENT_HANDLER TCP:0.0.0.0:4067 SUCCESS Error Event
79 3.03893204 tor.exe:428 FA08E708 TDI_SET_EVENT_HANDLER TCP:0.0.0.0:4067 SUCCESS Disconnect Event
80 3.03894210 tor.exe:428 FA08E708 TDI_SET_EVENT_HANDLER TCP:0.0.0.0:4067 SUCCESS Receive Event
81 3.03895188 tor.exe:428 FA08E708 TDI_SET_EVENT_HANDLER TCP:0.0.0.0:4067 SUCCESS Expedited Receive Event
82 3.03896166 tor.exe:428 FA08E708 TDI_SET_EVENT_HANDLER TCP:0.0.0.0:4067 SUCCESS Chained Receive Event
83 3.03897199 tor.exe:428 FA08E708 TDI_QUERY_INFORMATION TCP:0.0.0.0:4067 SUCCESS Query Address
84 3.03901641 tor.exe:428 FA08E368 IRP_MJ_CREATE TCP:Connection obj SUCCESS Context:0xFA1A2DA8
85 3.03903513 tor.exe:428 FA08E368 TDI_ASSOCIATE_ADDRESS TCP:Connection obj SUCCESS TCP:0.0.0.0:4067
86 3.03905105 tor.exe:428 FA08E368 TDI_CONNECT TCP:0.0.0.0:4067 188.8.131.52:443 SUCCESS
87 3.23438314 tor.exe:428 FA08E368 TDI_SEND TCP:0.0.0.0:4067 184.108.40.206:443 SUCCESS Length:49
88 3.43803109 tor.exe:428 FA08E708 TDI_EVENT_CHAINED_RECEIVE TCP:0.0.0.0:4067 220.127.116.11:443 PENDING Length:1398 Flags: ENTIRE_MESSAGE LOOKAHEAD DISPATCH
89 3.46378855 tor.exe:428 FA08E368 TDI_SEND TCP:0.0.0.0:4067 18.104.22.168:443 SUCCESS-100 Length:1262
90 3.71987529 tor.exe:428 FB043B68 IRP_MJ_CREATE TCP:0.0.0.0:0 SUCCESS Address Open
This connection is where the application connects to the master server to determine the currently available proxies that can be used in the chain. It receives a list of them and then makes an initial connection on port 9301 (its standard first port of choice, but they will vary after this initial connection) to 22.214.171.124. With the successful completion of this connection the Tor window indicates:-
“[notice] circuit_send_next_onion_skin(): Tor has successfully opened a circuit. Looks like it’s working.”
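An added example (my code, not the tutorial’s) that reduces TDIMon lines of the layout shown above to what an investigator wants from them: the addresses the process opened, its outbound connections, and bytes sent and received per remote endpoint. The sample is constructed in that layout, with documentation IP addresses in place of the captured ones.

```python
import re
from collections import defaultdict

# Constructed sample in TDIMon's layout (seq, time, image:pid, object, request, local, remote, result, detail).
SAMPLE = """\
2 2.21473400 tor.exe:428 82C0E2A8 IRP_MJ_CREATE TCP:127.0.0.1:9050 SUCCESS Address Open
9 2.21489631 tor.exe:428 FB37EE88 IRP_MJ_CREATE TCP:Connection obj SUCCESS Context:0x811511A8
77 3.03890000 tor.exe:428 FA08E708 IRP_MJ_CREATE TCP:0.0.0.0:4067 SUCCESS Address Open
86 3.03905105 tor.exe:428 FA08E368 TDI_CONNECT TCP:0.0.0.0:4067 203.0.113.10:443 SUCCESS
87 3.23438314 tor.exe:428 FA08E368 TDI_SEND TCP:0.0.0.0:4067 203.0.113.10:443 SUCCESS Length:49
88 3.43803109 tor.exe:428 FA08E708 TDI_EVENT_CHAINED_RECEIVE TCP:0.0.0.0:4067 203.0.113.10:443 PENDING Length:1398 Flags: ENTIRE_MESSAGE LOOKAHEAD DISPATCH
89 3.46378855 tor.exe:428 FA08E368 TDI_SEND TCP:0.0.0.0:4067 203.0.113.10:443 SUCCESS-100 Length:1262
95 3.80000000 tor.exe:428 FA09A1C8 TDI_CONNECT TCP:0.0.0.0:4068 198.51.100.7:9301 SUCCESS
96 3.90000000 tor.exe:428 FA09A1C8 TDI_SEND TCP:0.0.0.0:4068 198.51.100.7:9301 SUCCESS Length:200
"""

ENDPOINT = r"(?:TCP|UDP):\d+\.\d+\.\d+\.\d+:\d+"
LINE = re.compile(
    r"^(?P<seq>\d+)\s+(?P<time>[\d.]+)\s+(?P<proc>\S+):(?P<pid>\d+)\s+(?P<obj>[0-9A-F]+)\s+"
    r"(?P<req>\S+)\s+(?P<local>" + ENDPOINT + r")(?:\s+(?P<remote>\d+\.\d+\.\d+\.\d+:\d+))?\s+"
    r"(?P<result>\S+)\s*(?P<detail>.*)$")   # "Connection obj" lines carry no endpoint and are skipped

def summarize_tdi(text, image="tor.exe"):
    opened, connections = [], []
    sent, received = defaultdict(int), defaultdict(int)
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if not m or m["proc"] != image or not m["result"].startswith(("SUCCESS", "PENDING")):
            continue
        req, remote, detail = m["req"], m["remote"], m["detail"]
        length = re.search(r"Length:\s*(\d+)", detail)
        if req == "IRP_MJ_CREATE" and detail.startswith("Address Open"):
            opened.append(m["local"])                    # local address bound (listener or source)
        elif req == "TDI_CONNECT":
            connections.append((m["local"], remote))     # outbound connection
        elif req == "TDI_SEND" and length:
            sent[remote] += int(length.group(1))
        elif "RECEIVE" in req and length:
            received[remote] += int(length.group(1))
    return {"opened": opened, "connections": connections,
            "sent": dict(sent), "received": dict(received)}

def external_peers(summary):
    """Distinct non-loopback remote endpoints the process talked to: the list worth checking further."""
    peers = {r for _, r in summary["connections"]} | set(summary["sent"]) | set(summary["received"])
    return sorted(p for p in peers if not p.startswith("127."))
```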
Now, just for confirmation of your findings, you can run Autoruns again and compare it to your first run to see the differences.
So, now we have all the information we require to determine exactly what a piece of potentially malicious code did to our computer. With this information we could manually reverse the effects and return our computer back to the state it was in. Had the program downloaded additional code and executed it we would have been able to see where it got the code from, what changes that code made to the system and what files it created, changed or destroyed.
We also just took a quick look at how incredibly complex our computers are today.