Monday, April 11, 2011

Windows XP Startup/Logon Process and Malware

Recently I had to rescue my daughter's PC from some nasty malware. For many security professionals, troubleshooting family systems is a common weekend / after hours challenge, and a lot of us are not in the business of desktop remediation.

I find that the ISO based whole system virus scanners are not a bad starting point to get rid of the low hanging fruit. I have used F-Secure, and Kaspersky among others.

I also find that after the scanning/remediation process, XP registry entries are often still broken leading a lot of people to the point of just re-installing. Of course, re-installing is sometimes the only option for deeply embedded malware and/or rootkit.

A tool I found useful when I was poking through the HKEY_USER registry hive was 'USER2SID' since those registry entries are keyed by the SID. I also found that the malware I was dealing with had re-written the 'exefile' and '.exe' startup shell keys to be its own EXE file which was somewhat frustrating when that malware exe file was finally missing. (ie: Windows kept asking what program to open an exe with!!)

Also, age old advice is to remember those program startup registry keys which are often used to infect/re-infect things:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Runonce
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows\Run
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
%systemdrive%\Documents and Settings\All Users\Start Menu\Programs\Startup
%systemdrive%\Documents and Settings\username\Start Menu\Programs\Startup
%windir%\Profiles\All Users\Start Menu\Programs\Startup
%windir%\Profiles\username\Start Menu\Programs\Startup


Don't forget about our old SysInternals tools, particularly 'AutoRuns' and 'Process Explorer' which I continue to find extremely useful.

The Windows utility SFC.EXE is useful for a diff scan of critical system files as long as it has not been compromised.

*** Always use READ-ONLY media when in a desktop incident response situation like this otherwise anything goes with regard to what is written to your favorite USB memory stick!

Detecting PECOFF EXE/DLL files with Snort

Some time ago, I became interested in parsing the PECOFF file format. As a result, I authored several different Snort rules to detect the transfer of either an EXE or DLL file of different varieties. Listed below are rules for both i386/32-bit and x86-64-bit. Additionally, there is a set of rules for UPX Packed EXE files.

Hopefully readers and Snort fans will find these useful.

# i386 32-bit EXE over TCP
log tcp any any -> any any (msg:"LOCAL: i386 PE32 EXE File Xfer"; flowbits:isnotset,upx.exe.packed; flow:established; content:"|4D 5A 90 00|"; depth:512; byte_jump:4,56,relative,little; content:"|50 45 00 00||4C 01|"; byte_test:2,!&,0x2000,16,relative,little; content:"|0B 01|"; distance:18; within:2; content:"|00 00 00 00|"; distance:50; within:4; flowbits:unset,upx.exe.packed; sid:4963001; rev:1;)

# i386 32-bit DLL over TCP
alert tcp any any -> any any (msg:"LOCAL: i386 PE32 DLL File Xfer"; flow:established; content:"|4D 5A 90 00|"; depth:512; byte_jump:4,56,relative,little; content:"|50 45 00 00||4C 01|"; byte_test:2,&,0x2000,16,relative,little; content:"|0B 01|"; distance:18; within:2; content:"|00 00 00 00|"; distance:50; within:4; sid:4963002; rev:1;)

# x86 64-bit EXE over TCP
alert tcp any any -> any any (msg:"LOCAL: x86 PE32+ EXE File Xfer"; flow:established; content:"|4D 5A 90 00|"; depth:512; byte_jump:4,56,relative,little; content:"|50 45 00 00||64 68|"; byte_test:2,!&,0x2000,16,relative,little; content:"|0B 02|"; distance:18; within:2; content:"|00 00 00 00|"; distance:50; within:4; sid:4963101; rev:1;)

# x86 64-bit DLL over TCP
alert tcp any any -> any any (msg:"LOCAL: x86 PE32+ EXE File Xfer"; flow:established; content:"|4D 5A 90 00|"; depth:512; byte_jump:4,56,relative,little; content:"|50 45 00 00||64 68|"; byte_test:2,&,0x2000,16,relative,little; content:"|0B 02|"; distance:18; within:2; content:"|00 00 00 00|"; distance:50; within:4; sid:4963102; rev:1;)

# UPX Packed EXE over TCP
alert tcp any any -> any any (msg:"LOCAL: i386 PE32 UPX Packed EXE File Xfer over TCP"; flow:established; content:"|4D 5A 90 00|"; depth:512; byte_jump:4,56,relative,little; content:"|50 45 00 00||4C 01|"; byte_test:2,!&,0x2000,16,relative,little; content:"|0B 01|"; distance:18; within:2; content:"|00 00 00 00|"; distance:50; within:4; content:"UPX0"; within:172; content:"|00 04 00 00|"; distance:16; within:4; content:"|80 00 00 E0|"; distance:12; within:4; flowbits:set,upx.exe.packed; sid:4963201; rev:1;)

# UPX Packed EXE over UDP
alert udp any any -> any any (msg:"LOCAL: i386 PE32 UPX Packed EXE File Xfer over UDP"; content:"|4D 5A 90 00|"; depth:512; byte_jump:4,56,relative,little; content:"|50 45 00 00||4C 01|"; byte_test:2,!&,0x2000,16,relative,little; content:"|0B 01|"; distance:18; within:2; content:"|00 00 00 00|"; distance:50; within:4; content:"UPX0"; within:172; content:"|00 04 00 00|"; distance:16; within:4; content:"|80 00 00 E0|"; distance:12; within:4; flowbits:set,upx.exe.packed; sid:4963301; rev:1;)