Tools and techniques for cleaning malware incidents
TRANSCRIPT

Tools and techniques for cleaning malware incidents
Martin Overton – IBM Security Services
Malware/Anti-Malware SME, Forensics, Ethical Hacker, etc.
All my published papers and articles can be downloaded from: http://momusings.com/papers/
Agenda
• Disclaimer
• Solutions
– Scanning & Removal
– Other Options
– Real World Examples
– Conclusions
• Questions
Disclaimer
• Products named in this presentation are used as examples only, and should not be taken as any form of endorsement by IBM or ISS.
• All trademarks and copyrights are acknowledged.
Solutions… Scan The System
• Scan with up-to-date anti-malware tools and see if anything is identified; make sure that heuristics and generic detection features are enabled.
• Preferably you should use at least two different products from each category; after all, the anti-malware solution you have deployed didn't detect it, did it?
• If the malware is detected, consider using the detection tool to remove it.
Scanning…cont.
• But… Look at removal options, understand how the specific malware works.
• Check for false positives: there is nothing more annoying than removing a non-existent malware file (that's what Fake AV is for), except…
• If the anti-malware doesn't even detect it!!!
Online Scanners…
Scan The System…cont.
• If you now have some suspected files, send them to your anti-malware vendor for analysis; however, this does not stop you analysing the files yourself.
• Place suspect files into a password protected zip file [use the password of infected] and send them to your preferred anti-malware company.
• You could also send any samples to scanning services, such as VirusTotal and Jotti, and also to sandboxes such as the one run by Norman, or the CWSandbox.
Online Sandboxes
• Some of these services will analyse the files in great depth and supply you with copious amounts of useful data.
Sample CWSandbox Output – Real Malware

Filesystem
New Files: C:\WINDOWS\System32\crsss.exe
Opened Files: \SystemRoot\AppPatch\sysmain.sdb, \SystemRoot\AppPatch\systest.sdb, \Device\NamedPipe\ShimViewer, C:\WINDOWS\System32\crsss.exe

Chronological order
Copy File: c:\temp\ff37e574c7694879ff73777886a82dee.exe to C:\WINDOWS\System32\crsss.exe
Open File: \SystemRoot\AppPatch\sysmain.sdb (OPEN_EXISTING)
Open File: \SystemRoot\AppPatch\systest.sdb (OPEN_EXISTING)
Open File: \Device\NamedPipe\ShimViewer (OPEN_EXISTING)
Open File: C:\WINDOWS\System32\crsss.exe ()
Find File: crsss.exe

Registry

Process Management
Creates Process - Filename () CommandLine: (C:\WINDOWS\System32\crsss.exe --install c:\temp\ff37e574c7694879ff73777886a82dee.exe) As User: () Creation Flags: (DETACHED_PROCESS)
Kill Process - Filename () CommandLine: () Target PID: (588) As User: () Creation Flags: ()

System Info
Get System Directory

The following process was started by process: 1
Analysis Number: 2
Parent ID: 1
Process ID: 1020
Filename: C:\WINDOWS\System32\crsss.exe --install c:\temp\ff37e574c7694879ff73777886a82dee.exe
File size: 215040 bytes
MD5: ff37e574c7694879ff73777886a82dee
Start Reason: CreateProcess
Termination Reason: Normal Termination
Start Time: 00:03.750
Stop Time: 01:00.531
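The report above becomes actionable once its indicators are pulled out. The Python below is an added example, not part of the presentation and not CWSandbox tooling: it parses the report lines as reconstructed on this slide (the line formats matched by the regular expressions are an assumption about that rendering, not a documented CWSandbox schema), collects the dropped file, command line, killed PID and MD5, and flags the dropped name crsss.exe as a near-miss of the legitimate csrss.exe. KNOWN_SYSTEM_BINARIES is a constructed list for the demo.

```python
"""Extract indicators from a CWSandbox-style text report.

Added example: not part of the original presentation and not CWSandbox
code. SAMPLE_REPORT is constructed from the lines shown on the slide; the
line formats the regexes expect are an assumption about that rendering.
"""
import re
from difflib import get_close_matches
from pathlib import PureWindowsPath

SAMPLE_REPORT = r"""
Copy File: c:\temp\ff37e574c7694879ff73777886a82dee.exe to C:\WINDOWS\System32\crsss.exe
Open File: \SystemRoot\AppPatch\sysmain.sdb (OPEN_EXISTING)
Open File: \SystemRoot\AppPatch\systest.sdb (OPEN_EXISTING)
Open File: \Device\NamedPipe\ShimViewer (OPEN_EXISTING)
Open File: C:\WINDOWS\System32\crsss.exe ()
Find File: crsss.exe
Creates Process - Filename () CommandLine: (C:\WINDOWS\System32\crsss.exe --install c:\temp\ff37e574c7694879ff73777886a82dee.exe) As User: () Creation Flags: (DETACHED_PROCESS)
Kill Process - Filename () CommandLine: () Target PID: (588) As User: () Creation Flags: ()
File size 215040 bytes
MD5 ff37e574c7694879ff73777886a82dee
"""

# Constructed list of legitimate Windows binaries that malware likes to imitate.
KNOWN_SYSTEM_BINARIES = ["csrss.exe", "smss.exe", "lsass.exe", "svchost.exe",
                         "winlogon.exe", "services.exe", "explorer.exe"]

# Assumed line shapes, taken from how the slide renders the report.
COPY_RE = re.compile(r"^Copy File: (?P<src>.+?) to (?P<dst>.+)$")
OPEN_RE = re.compile(r"^Open File: (?P<path>.+?) \((?P<flags>[^)]*)\)$")
PROC_RE = re.compile(r"^Creates Process - .*CommandLine: \((?P<cmd>.*?)\) As User")
KILL_RE = re.compile(r"^Kill Process - .*Target PID: \((?P<pid>\d+)\)")
MD5_RE = re.compile(r"^MD5 (?P<md5>[0-9a-fA-F]{32})$")


def parse_report(text):
    """Return the indicators a responder needs from the report text."""
    iocs = {"dropped": [], "opened": [], "commands": [], "killed_pids": [], "md5": []}
    for line in text.splitlines():
        line = line.strip()
        if m := COPY_RE.match(line):
            iocs["dropped"].append((m["src"], m["dst"]))
        elif m := OPEN_RE.match(line):
            iocs["opened"].append(m["path"])
        elif m := PROC_RE.match(line):
            iocs["commands"].append(m["cmd"])
        elif m := KILL_RE.match(line):
            iocs["killed_pids"].append(int(m["pid"]))
        elif m := MD5_RE.match(line):
            iocs["md5"].append(m["md5"].lower())
    return iocs


def lookalike_names(dropped):
    """Flag dropped file names that are near-misses of known system binaries.
    Here the dropped crsss.exe is one transposition away from csrss.exe."""
    hits = []
    for _src, dst in dropped:
        name = PureWindowsPath(dst).name.lower()
        if name in KNOWN_SYSTEM_BINARIES:
            continue
        close = get_close_matches(name, KNOWN_SYSTEM_BINARIES, n=1, cutoff=0.85)
        if close:
            hits.append((name, close[0]))
    return hits


def hunt_list(iocs):
    """Indicators to search other hosts for: dropped paths, hashes and the
    installer command line. Sorted so the output is stable."""
    paths = {dst for _src, dst in iocs["dropped"]}
    return {"paths": sorted(paths), "md5": sorted(set(iocs["md5"])),
            "commands": sorted(iocs["commands"])}


if __name__ == "__main__":
    report = parse_report(SAMPLE_REPORT)
    for name, legit in lookalike_names(report["dropped"]):
        print(f"dropped {name} looks like {legit}")
    print(hunt_list(report))
```

Run it and the output is the hunt list: the dropped path in System32, the sample's MD5 to check with your vendor or VirusTotal, and the installer command line to look for in process logs. Note that the sample copies itself into the same directory as the real csrss.exe under a look-alike name and then kills an existing process (PID 588); these are exactly the details a removal script needs before it can be written.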
My Scanner Didn't Find Anything…
• Next steps…
• Boot into Safe Mode (if Windows)
• Clean boot (take the infected OS off-line)
• "He who boots first wins…" (usually!)
Rootkits/Stealth
• Differential Analysis
– Tainted vs Trusted views 'Live'
– Tainted vs Trusted views 'Off-line'
• Can be defeated by:
– Detecting the scanner and un-hiding themselves. (Defeats the tainted/trusted view technique)
– Adding 'Rootkit/Stealthkit/Stealth:TNG' process and/or file name(s) to the trusted list.
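What the differential (cross-view) analysis on this slide does, and how the two listed evasions break it, as an added example that is not part of the presentation. Both listings are constructed sample data: TRUSTED_VIEW stands in for an off-line view of the disk (clean boot, or the drive mounted elsewhere), and live_view() simulates what the live, possibly rootkitted OS returns through its own APIs. The rootkit, the scanner's trusted list and the file names are all hypothetical.

```python
"""Cross-view (differential) analysis for rootkit/stealth detection.

Added example, not from the presentation. Both listings are constructed:
TRUSTED_VIEW stands in for an off-line view of the disk, the live view for
what the running, possibly rootkitted OS reports. live_view() is a
simulation of the two evasion tricks the slide lists.
"""

# Constructed off-line directory listing of the suspect system (trusted view).
TRUSTED_VIEW = [
    r"C:\WINDOWS\System32\csrss.exe",
    r"C:\WINDOWS\System32\crsss.exe",        # dropped look-alike from the sandbox slide
    r"C:\WINDOWS\System32\drivers\rk.sys",   # hypothetical rootkit driver
    r"C:\WINDOWS\System32\svchost.exe",
]

# What the hypothetical rootkit filters out of live directory listings.
ROOTKIT_HIDES = {r"C:\WINDOWS\System32\crsss.exe", r"C:\WINDOWS\System32\drivers\rk.sys"}


def live_view(truth, hidden, scanner_present=False, transient=()):
    """Simulate the live OS answer. The rootkit filters `hidden` out unless it
    has spotted the scanner, in which case it un-hides (first defeat on the
    slide). `transient` are files that exist only while the system runs
    (page file, temp files), so they appear live but not off-line."""
    if scanner_present:
        return list(truth) + list(transient)
    return [e for e in truth if e not in hidden] + list(transient)


def cross_view_diff(trusted, tainted):
    """Entries in the trusted view but not the live view are being hidden;
    entries only in the live view are transient or in-memory artefacts."""
    trusted, tainted = set(trusted), set(tainted)
    return {"hidden": sorted(trusted - tainted), "live_only": sorted(tainted - trusted)}


def scan(trusted, tainted, trusted_list=()):
    """Scanner with a trusted list of file names it will not report. If the
    rootkit has got its own names onto that list (second defeat on the
    slide), the diff silently drops them."""
    diff = cross_view_diff(trusted, tainted)
    skip = {name.lower() for name in trusted_list}
    diff["hidden"] = [p for p in diff["hidden"]
                      if p.rsplit("\\", 1)[-1].lower() not in skip]
    return diff


def demo():
    """Three runs: ordinary rootkit, rootkit that un-hides for the scanner,
    and a scanner whose trusted list was poisoned with the rootkit's driver."""
    transient = [r"C:\pagefile.sys"]
    normal = scan(TRUSTED_VIEW,
                  live_view(TRUSTED_VIEW, ROOTKIT_HIDES, transient=transient))
    unhides = scan(TRUSTED_VIEW,
                   live_view(TRUSTED_VIEW, ROOTKIT_HIDES, scanner_present=True,
                             transient=transient))
    poisoned = scan(TRUSTED_VIEW,
                    live_view(TRUSTED_VIEW, ROOTKIT_HIDES, transient=transient),
                    trusted_list=["rk.sys"])
    return {"normal": normal, "unhides": unhides, "poisoned": poisoned}


if __name__ == "__main__":
    for label, result in demo().items():
        print(label, result)
```

demo() runs three scans: against an ordinary rootkit the hidden entries surface in the diff; against one that spots the scanner and un-hides, the diff is empty and the 'Live' comparison fails, which is why the 'Off-line' view matters; and with the rootkit's driver name on the scanner's trusted list, that entry is dropped silently. The live_only bucket holds artefacts such as the page file that exist only while the system runs, so it is noise rather than evidence of hiding.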
Clean Boot Disks
• Using live Linux or a PE boot disk, such as Bart_PE, can be very handy, not only in clean booting a suspected system but also in scanning the same system with little or no risk that any malcode will still be active on it. It need not be a CD or DVD [from an ISO image]; it could also be an external USB hard disk or a USB flash drive instead.
• This won't work if the disk is encrypted, such as PGP WDE, TrueCrypt or EFS…
Mount the Disk in Linux…
• Mounting the drive under Linux can be very handy, not only in clean booting a suspected infected drive but also in scanning the same system with little or no risk that any malcode will still be active on it.
• This won't work if the disk is encrypted, such as PGP WDE, TrueCrypt or EFS…
Error Messages Are Your Friends

WinPatrol

HijackThis…

SuperScan, Nmap, Netstat

A Front-end for Most of the Tools…
http://wiki.lunarsoft.net/wiki/Anti-Malware_Toolkit

Still Nothing? Time to Dig Deeper!

SNORT

Wireshark - Win32/Sality.nar - DNS

Wireshark - Win32/Sality.nar - HTTP

Wireshark - Win32/Sality.nar - SMTP
Remediation
• You may decide that you can create your own clean-up scripts [paper and/or code] rather than wait for your anti-malware vendors to get detection and cleanup definitions [signatures] to you.
• Otherwise you will have to be patient until your anti-malware vendor delivers the goods…
Remediation… If All Else Fails!
• The other alternative, especially if a system is heavily infected, or you can't find any sign of malcode [even when using all the tools/tricks and techniques listed in the paper], is to…
• Restore the system from the last known clean backup, or re-image it to your organisation's standard desktop/server build image.
• You do have backups, don't you?
Tricks
• VB Scripting for quick and dirty cleanup, example:
– 'RemSdbot2.vbs - SDbot remover for specific variant.
– '© Martin Overton, 2007 ([email protected])
– 'Version 0.99.2
– 'Created to detect and remove an infection of the following Sdbot variant
– '
– 'FileName: rundll.exe
– 'FileDateTime: 19/01/2007 14:05:00
– 'Filesize: 1364992
– 'MD5: 71fd1205f6d7550967bda6bf4491a50a
– 'CRC32: 36E8176E
– 'File Type: PE Executable
– …
[For the rest see the paper]
Countermeasures?
• Policies and Procedures, e.g. USB sticks
• User Education
• Proactive patching strategy
• Good anti-malware strategy (including anti-rootkit)
• Regular network and wireless vulnerability scanning
• Regular penetration testing of networks, servers and workstations, including laptops and other portable devices
• Regular web application testing
• Network and anti-malware security reviews
• IPS/IDS (Network and Host)
• Log analysis
Remember there is no longer a perimeter - that old methodology is now dead!
War Stories….
• International Defence Contractor (Real)
– Unknown malware stealing data, including electronically bugging chief executives' laptops. Recording meetings via the webcam and microphone. Possibly an early victim of ShadyRat.
• Large Petroleum Company (Real)
– Hit by Conficker and Stuxnet. Needed help in remediation as well as a security review of their malware defences.
Conclusions
• As with other security threats, especially malware related ones, you need to deploy a multi-layered approach.
• This means not only do you need good technological solutions, and overlapping technologies at that; but these need to be backed up with good security policies, procedures, education and constant vigilance.
• Know your enemy!
Questions?

Contact details…..
Martin Overton
Malware/Anti-Malware SME, IBM Security Services
• E-Mail: overtonm@uk.ibm.com
• Telephone: +44 (0)239 256 3442
All my published papers and articles can be downloaded from: http://momusings.com/papers/