More sneaky malware tricks

This is the perfect time of year to spread malware via email. A bogus invoice like the one here will likely catch a few victims. Some people will be expecting an invoice like this and click a link to follow up on it; others will notice the charge and believe they may have had their credit card stolen through a recent holiday purchase. They might also click the links to protest the charge.

Pay close attention to where your email comes from, and where any links go to.

Lurking in the shadows

Continuing off yesterday’s post about how malware covers its tracks when communicating over the network, today I want to highlight two ways in which malware hides itself from discovery on an infected system.

Both of these are Windows-specific techniques. The first exploits a feature of the file system (NTFS), and the second piggybacks onto the automated backup system.

Alternate Data Streams (ADS)
By using an ADS, malware can hide itself within legitimate files or processes. When the malware is written to disk, it can look something like this:

type d:\evil.exe > C:\windows\system32\regedit32.exe:evil.exe

Now, the malware executable exists alongside your registry editor. It cannot be seen through any normal file viewing, and nothing appears different about the registry editor. There are a few ways to detect an ADS. There are a couple of utilities (LADS and Streams) which enumerate any ADSs in a directory, but obviously you have to suspect it is there first. The lower-tech route is to monitor the disk usage of the operating system. Although the ADS doesn’t show up as adding to the size of the file it’s attached to, it still takes up sectors on the drive. So, if you check for a discrepancy between the disk space used by every file on the system and the actual space available on your disk, you might be able to detect that an ADS was introduced to the system.

Volume Shadow Copy Service (VSS)
There is a great write-up about this on Pauldotcom.
This is a feature on newer versions of Windows where the system periodically creates backup images of the file system (Volume Shadow Copies) for emergency recovery. Malware can back itself up into a custom VSC, where it becomes a far more difficult target. Antivirus cannot scan it there and users can’t find it, but it can still be mounted and executed from there.

So remember, just because the antivirus gives your computer a clean bill of health, that doesn’t mean there can’t be something hiding in the shadows of your system.
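As an added example (not part of the original post), a PowerShell snippet that enumerates both hiding places described above so they can be checked rather than merely suspected. It assumes PowerShell 3.0 or later on Windows, a starting directory of System32, and an elevated prompt for the shadow copy listing.

```powershell
# Added example, not from the original post. Assumes PowerShell 3.0+ on Windows.
$ScanPath = "$env:SystemRoot\System32"   # assumed starting directory; adjust as needed

# 1) Alternate Data Streams: every file has a default ':$DATA' stream, so any
#    other named stream deserves a look (e.g. regedit32.exe:evil.exe from the post).
#    Note: 'Zone.Identifier' streams on downloaded files are normal (Mark of the Web).
Write-Host "Files with non-default NTFS streams under $ScanPath"
Get-ChildItem -Path $ScanPath -File -Recurse -ErrorAction SilentlyContinue |
    ForEach-Object {
        Get-Item -Path $_.FullName -Stream * -ErrorAction SilentlyContinue |
            Where-Object { $_.Stream -ne ':$DATA' }
    } |
    Select-Object FileName, Stream, Length |
    Format-Table -AutoSize

# 2) Volume Shadow Copies: list every snapshot with its creation time so an
#    unexpected or unusually recent copy stands out. (Same data as 'vssadmin list shadows'.)
Write-Host "Existing volume shadow copies"
Get-CimInstance -ClassName Win32_ShadowCopy |
    Select-Object ID, DeviceObject, VolumeName,
        @{ Name = 'Created'; Expression = { $_.InstallDate } } |
    Format-Table -AutoSize
```

A shadow copy that appears outside the normal System Restore schedule is the thing to investigate; mount it read-only before scanning it rather than executing anything from it.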

Malware’s latest communication channel

Many strains of malware communicate with a command & control (C&C) server which collects information, and can send specific instructions to execute on an infected client. Most often, they communicate directly with the server, but this can be detected and the server traced.

To avoid detection, the malware authors often use an intermediary step which seems innocuous to anyone looking at the network traffic coming from the client. Some have used a Twitter account for communicating. The client sends information to the server by posting an encoded message to a dummy account, and the server’s “tweets” on that account are checked by the client for new instructions.

A new variant of an existing piece of malware now uses Google Docs as a proxy.

The malware exploits the document viewer functionality to preview the content of a file on a remote URL. So, essentially the client checks a document posted by the server and executes functions based on the document content. The same document could then be written to by the client to send back results or status to the server.

The communication lines are unlikely to be blocked, since many companies allow, or even rely on Google Docs.

Hopefully Google will come up with a way to block this type of action without disrupting legitimate usage.

Analyzing JavaScript attacks

This post by Juan Miguel Paredes is an amazingly in-depth look at how JavaScript can be crafted to take over a computer through its browser.

The article got me thinking about JavaScript exploits in general, and what can be done to reduce them. The idea that came to me was to build a better browser.

Right now, the ideal way to protect yourself is to install a browser extension like NoScript. This allows you to define which sites you trust JavaScript from and block anything else. NoScript also contains a feature that detects and filters out XSS (cross-site scripting) attacks.

We can’t rely on most users to customize their browser with an extension (if an equivalent one is even available). I want to see this functionality built-in.

Microsoft has taken some steps towards this, though not with JavaScript. In the Metro-style Internet Explorer 10, Microsoft has included a plugin for Adobe Flash (a huge source of vulnerabilities), since the user cannot install plugins in the new, streamlined UI paradigm. Because Microsoft maintains the security of Flash in that browser, they have implemented a whitelist: Flash content will only play on approved sites.
There will likely be some frustrations with this system as sites and users adjust to it, but I think it’s generally a positive step, and I’d like to see it extended to JavaScript as well.
If the default condition for most users is that JavaScript fails to load from unapproved sources, we’ll slow down the spread of malware and botnets.

Improving Android security

One of the defining features of the Android operating system is its freedom to load any application you want. Most people stick to the Google Play store, but sometimes one may want to load a custom app downloaded from another source. This process is called sideloading, and is the reason Android is the only major smartphone OS with any significant amount of malware.

The latest release of Android (4.2) is trying to fix that.

This is undoubtedly a positive development in Android. The new security system automatically checks sideloaded apps against Google’s servers and warns users if the app is either known to be bad or raises any flags.

There are two caveats in my mind.

First, the system is signature-based. That means they are comparing the code to a known list, and although this is effective at stopping a lot of threats, it will lead malware developers to generate polymorphic code that can avoid signature detection. Now the description of the security system indicates that it will also warn users about apps that don’t fit a signature, but may be harmful anyway. I’m not certain how that is going to be implemented, but if it is overly cautious in warning users, they will end up ignoring those warnings.

The second issue is with Android’s broken update process. Because Android phones go through manufacturer modifications followed by carrier modifications, receiving timely updates to the phone is nigh impossible (apart from the Nexus line, which is never modified from stock Android).
So, even though there is a nice new security enhancement to Android, it will probably be 2-3 years before we can expect to see even half of the installed base running 4.2 or higher.

Well that was fun.

I got hit with a case of drive-by malware this week (serves me right for not keeping my AV up to date).

I’m going to recount the experience here so anyone dealing with a similar issue can learn what is happening to their system, and how they can recover it.

How it starts:
You visit a website that is knowingly or unknowingly hosting a malicious bit of code (most likely Flash), which installs the malware onto your system. Once installed, this particular malware closed all of my open programs and threw out a slew of fake error messages that appeared to come from the operating system.

Then comes the hook…another window opens, again appearing to come from the OS, which “scans” your hard drive for problems. This “File Recovery” process then prompts you to purchase the full version to save your data.

This is where I went into search and destroy mode. The malware does a few things to keep you from getting to it. The Task Manager and Registry Editor are immediately closed if you try to open them. The Start menu and Taskbar are completely jacked up, and almost nothing is accessible through the GUI. There are still ways to find out where the malware has hidden itself, though.

Command Line to the Rescue:
There was actually one way to get some information from the GUI. The malware’s “File Recovery” program included a desktop shortcut to itself. Right-click, select properties, and we now know the .exe that’s causing us trouble.
So, I wanted to shut down the processes this malware was using, then remove it. But how to identify the process when we can’t get into the task manager?

Malware in action (highlighted where the malware files and processes are located)

Press Windows key + r to open the “Run…” dialog.
Type cmd and hit enter.
Type “tasklist”.

I found the offending processes, and knocked out one with:

taskkill /pid <process ID #>

…then my computer rebooted. Another present from the malware.

Upon loading up again, things look even worse. The Desktop is practically empty.
This is because this malware sets all of your files to hidden and resets the Folder Options setting that shows hidden files. Before the reboot I could still see my files because I normally run with the option to view all files. The change to my profile’s Folder Options could not take effect until a reboot.

So first I verified everything was actually ok. Back into the command line, then “dir /a” to see that everything was still where it should be.

At the top, you can see how the “dir” command returns nothing, but adding /a shows your files.

Now let’s remove this malware once and for all.
Windows key + r, then type “msconfig”
Here we can easily disable the malware from running at system startup.

msconfig utility

Those random strings of characters don’t look sketchy at all.

Then I went back into command line to kill the processes (It did not reboot the system this time).
Then I could remove the malware files and have a clean system once more.

The Aftermath:
Even though the malware is gone, the computer is still in sad shape. All of my files are hidden, and all sorts of settings have been modified.
The hidden files are easy to fix.

Go back to the command line, and enter:

 attrib -h /s /d *.*

at the root of your C: drive. This will unhide everything on your drive.

Now it’s just the matter of resetting Taskbar and Start menu settings, and we’re back in business.
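As an added example (not part of the original post), the same triage done from an elevated PowerShell prompt, which still works when Task Manager and the Start menu are unusable. It assumes Windows with PowerShell 3.0 or later, that Windows lives on C:, and that the malware runs from a user-writable directory as it did in the post; review each listing before killing or deleting anything, since legitimate updaters also run from AppData.

```powershell
# Added example, not from the original post. Assumes PowerShell 3.0+ on Windows, run elevated.

# 1) "tasklist", but with the image path: the post's malware ran under a random
#    name from a user-writable directory, so flag anything executing from there.
$suspectRoots = @($env:LOCALAPPDATA, $env:APPDATA, $env:TEMP, $env:USERPROFILE)
Write-Host "Processes running from user-writable locations"
Get-Process | Where-Object { $_.Path } | Where-Object {
    $p = $_.Path
    ($suspectRoots | Where-Object { $p -like "$_\*" }).Count -gt 0
} | Select-Object Id, ProcessName, Path | Format-Table -AutoSize
# Kill a confirmed entry with: Stop-Process -Id <process ID #> -Force

# 2) The msconfig Startup tab, read straight from the Run keys that feed it.
Write-Host "Startup entries in the Run keys"
$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
)
foreach ($key in $runKeys) {
    Get-ItemProperty -Path $key -ErrorAction SilentlyContinue |
        Select-Object -Property * -ExcludeProperty PS* |
        ForEach-Object { $_.PSObject.Properties } |
        ForEach-Object { [pscustomobject]@{ Key = $key; Name = $_.Name; Command = $_.Value } }
}
# Remove a confirmed entry with: Remove-ItemProperty -Path <key> -Name <name>

# 3) The post's "attrib -h /s /d *.*" step: clear the Hidden attribute the malware
#    set, but leave Hidden+System items alone (desktop.ini, boot files), which is
#    also what attrib -h does without /s.
$root = 'C:\'   # assumed drive; change if Windows lives elsewhere
$hidden = [IO.FileAttributes]::Hidden
$system = [IO.FileAttributes]::System
Get-ChildItem -Path $root -Recurse -Force -ErrorAction SilentlyContinue |
    Where-Object {
        (($_.Attributes -band $hidden) -ne 0) -and (($_.Attributes -band $system) -eq 0)
    } |
    ForEach-Object {
        # Hidden is known to be set here, so XOR clears it and leaves other bits intact.
        $_.Attributes = $_.Attributes -bxor $hidden
    }
```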