Vendors are finding increasingly more effective ways to battle malware such as viruses, Trojans, and bots. Unfortunately,
malicious programmers continue to concoct newer, nastier code, and companies need to update their security arsenal and defense
plan accordingly.
Viruses, which normally modify legitimate host code to spread, are not very popular anymore. They're harder to write than
worms and Trojans because the virus coder must take great pains to ensure the newly modified file doesn't crash.
With Microsoft Windows, Windows File Protection (first introduced as System File Protection in Windows Me) protects about
99 percent of the default installed system files against unauthorized modification. If a virus modifies a covered file, Windows
replaces the modified copy with a known good copy a few seconds later.
Windows Vista's forthcoming Windows Resource Protection is an even better defender, protecting more files and preventing modifications
in the first place. Because of these issues and a few others, most of today's malware programs create new files to do their
mischief.
Removing viruses requires cleaning the virus from the infected files, which is often harder than detecting the virus. Just
ask your anti-virus vendor.
Worms, bots, spyware, and Trojans, on the other hand, simply require identifying and removing the new malicious stand-alone
files. I frequently use Sysinternals' Autoruns or SilentRunner.vbs to locate and identify unauthorized programs. For the past half decade, with viruses almost gone, removing malware has been
a snap unless the computer has been infected with a root kit program.
But now a new series of companion worms -- referred to as Downloader.Agent.awf by some AV products -- are complicating the
identification process. Also known as spawners or twins, these companion worms (and viruses) modify the infected
computer's environment in such a way that when the system attempts to execute a legitimate file, the malicious file is run
first.
After executing, the Downloader.Agent.awf malware program reads the infected computer's HKLM (or HKCU) \Run registry keys to
identify the previously installed auto-running programs. Then the worm copies the original executable to a new location, and
replaces the original file with a copy of the worm renamed to the original file's name. When the computer executes the \Run
registry keys, it runs the companion program instead, which then launches the original program.
This complicates the detection and removal process, because the worm will appear as a previously known or commonly recognized
installed executable. So, when looking for malicious code, you cannot simply trust file names and locations. You must verify
each file's integrity hash against a known good copy or value.
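As an added example (not from this column), here is a small Python check in the spirit of the advice above: it pulls the executable path out of each \Run value, hashes the file, and compares the hash with a baseline of known-good SHA-256 values recorded earlier from a clean system. The baseline format, the Run-value parsing heuristic and the temp-directory scenario in `demo()` are all constructed for illustration.

```python
import hashlib
import os
import tempfile

def sha256_file(path):
    with open(path, "rb") as f:
        return hashlib.sha256(f.read()).hexdigest()

def exe_from_run_value(value):
    """Pull the executable path out of a \\Run value such as
    '"C:\\Program Files\\App\\app.exe" /silent' or 'C:\\tools\\agent.exe -q'.
    Unquoted paths with spaces are ambiguous; they are cut at the first space."""
    value = value.strip()
    if value.startswith('"'):
        end = value.find('"', 1)
        return value[1:end] if end > 0 else value[1:]
    return value.split(" ", 1)[0]

def verify_autoruns(run_values, baseline):
    """Hash every autorun target and compare it with the known-good baseline.
    Returns {entry name: (status, path)}; anything but 'ok' needs a look."""
    results = {}
    for name, value in run_values.items():
        exe = exe_from_run_value(value)
        if not os.path.isfile(exe):
            results[name] = ("MISSING", exe)
        elif os.path.normcase(exe) not in baseline:
            results[name] = ("UNKNOWN", exe)   # not in baseline: a new autorun
        elif sha256_file(exe) != baseline[os.path.normcase(exe)]:
            results[name] = ("MISMATCH", exe)  # same name, different bytes
        else:
            results[name] = ("ok", exe)
    return results

def demo():
    """Constructed scenario in a temp dir: two autorun targets, one of them
    moved aside and replaced by a different file carrying the original name."""
    tmp = tempfile.mkdtemp()
    updater, tray = os.path.join(tmp, "updater.exe"), os.path.join(tmp, "tray.exe")
    for path, content in ((updater, b"ORIGINAL-UPDATER"), (tray, b"ORIGINAL-TRAY")):
        with open(path, "wb") as f:
            f.write(content)               # stand-ins for real binaries
    baseline = {os.path.normcase(p): sha256_file(p) for p in (updater, tray)}
    os.replace(updater, updater + ".orig")  # original copied to a new location
    with open(updater, "wb") as f:
        f.write(b"SOMETHING-ELSE")         # impostor now carries the original's name
    run_values = {"Updater": f'"{updater}" /background', "Tray": f"{tray} -minimized"}
    return verify_autoruns(run_values, baseline)
```

Run against a real system from an out-of-band boot, the baseline would be the hashes you recorded (or vendor-published values), and any MISMATCH or UNKNOWN entry is the file to pull apart next.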
With the re-appearance of companion malware and the growing threat of root kit Trojans, however, forensic investigators need
to inspect suspected infected computer disks with out-of-band (e.g., external boot) methods and verify the integrity of all
installed programs.
To be honest, any good computer security person really should have been taking the extra precautions all along. But when most
of the malware hasn't been doing this, it's easy (and I'm guilty of this) to become lazy and take shortcuts.
I've often used Linux boot disks (i.e., Live distros) to accomplish out-of-band inspections. My favorite current Linux distros
for forensic analysis are Ubuntu, Knoppix, and BackTrack.
But Linux Live distros can't run the Windows 32-bit software I want to use to forensically examine a Windows computer. Also,
although they can usually read NTFS partitions, most can't write to them (e.g., to remove a malware program, to disable a
service or autorun entry, etc.), and they don't understand many of Windows extended features (e.g., EFS, Compression, etc.).
In many cases, I want to boot quickly to an out-of-band 32-bit Windows shell to do the dirty work.
Microsoft enterprise customers with Software Assurance have had Microsoft's Windows Preinstallation Environment (WinPE) available since XP. Initially intended for fast OS installs, WinPE and its command-line interface became an insider favorite
for out-of-band inspection of maliciously infected systems. Windows Vista, with WinPE 2.0, extends the WinPE family with a
relatively nice 32-bit Windows GUI environment, supporting most Windows APIs, NTFS reads and writes, network log-ons, and device
drivers, and is able to run most Windows programs. Unfortunately, it only comes with Windows Vista.
My friend (and tech editor of one of my most recent books) Chris Quirke has been promoting an even better product called BartPE. The BartPE Builder helps you create an entire out-of-band Windows boot image. When installed, it searches your hard drive
for the Windows installation files, and once found uses them to build a new boot image. The BartPE Builder can create an ISO
image or directly burn the image to a CD or DVD disc.
It's an entire "thin" version of Windows. Although it only comes pre-installed with a handful of investigative programs (called
plug-ins), you can add nearly any forensic or malware investigation program you like. Chris's BartPE image has thirteen antivirus
products installed, six anti-spyware programs, 20 integrity checkers, both RootkitRevealer and Blacklight rootkit inspection
programs, ten data recovery programs, and nearly 100 other programs. When he needs to inspect a system forensically, he boots
up his customized BartPE CD and has everything he needs available from one GUI menu. You can make your own customized BartPE
image with the tools you find most useful.
However you do it, realize that simple auto-run file inspection is getting less reliable again. Consider using BartPE to make
your own ultimate Windows inspection toolkit.