Keeping up with advancing malware

Defending systems against wily companion worms and viruses requires inspection discs

Vendors are finding increasingly more effective ways to battle malware such as viruses, Trojans, and bots. Unfortunately, malicious programmers continue to concoct newer, nastier code, and companies need to update their security arsenal and defense plan accordingly.

Viruses, which normally modify legitimate host code to spread, are not very popular anymore. They're harder to write than worms and Trojans because the virus coder must take great pains to ensure the newly modified file doesn't crash.

With Microsoft Windows, Windows File Protection (first introduced as System File Protection in Windows Me) protects about 99 percent of the default installed system files against unauthorized modification. If a virus modifies a covered file, Windows replaces the modified copy with a known good copy a few seconds later.

Windows Vista's forthcoming Windows Resource Protection is an even better defender, protecting more files and preventing modifications in the first place. Because of these issues and a few others, most of today's malware programs create new files to do their mischief.

Removing viruses requires cleaning the virus from the infected files, which is often harder than detecting the virus. Just ask your anti-virus vendor.

Worms, bots, spyware, and Trojans, on the other hand, simply require identifying and removing the new malicious stand-alone files. I frequently use Sysinternals' Autoruns or SilentRunner.vbs to locate and identify unauthorized programs. For the past half decade, with viruses almost gone, removing malware has been a snap unless the computer has been infected with a root kit program.

But now a new series of companion worms -- referred to as Downloader.Agent.awf by some AV products -- are complicating the identification process. Also known also known as spawners or twins, these companion worms (and viruses) modify the infected computer's environment in such a way that when the system attempts to execute a legitimate file, the malicious file is run first.

After executing, the Download.Agent.awf malware program reads the infected computer's HKLM (or HKCU) \Run registry keys to identify the previously installed auto-running programs. Then the worm copies the original executable to a new location, and replaces the original file with a copy of the worm renamed to the original file's name. When the computer executes the \Run registry keys, it runs the companion program instead, which then launches the original program.

This complicates detection and removal process, because the worm will appear as a previously known or commonly recognized installed executable. So, when looking for malicious code, you cannot simply trust file names and locations. You must verify each file's integrity hash against a known good copy or value.

With the re-appearance of companion malware and the growing threat of root kit Trojans, however, forensic investigators need to inspect suspected infected computer disks with out-of-band (e.g., external boot) methods and verify the integrity of all installed programs.

To be honest, any good computer security person really should have been taking the extra precautions all along. But when most of the malware hasn't been doing this, it's easy (and I'm guilty of this) to become lazy and take shortcuts.

I've often used Linux boot disks (i.e., Live distros) to accomplish out-of-band inspections. My favorite current Linux distros for forensic analysis are Ubuntu, Knoppix, and BackTrack.

But Linux Live distros can't run the Windows 32-bit software I want to use to forensically examine a Windows computer. Also, although they can usually read NTFS partitions, most can't write to them (e.g., to remove a malware program, to disable a service or autorun entry, etc.), and they don't understand many of Windows extended features (e.g., EFS, Compression, etc.). In many cases, I want to boot quickly to an out-of-band 32-bit Windows shell to do the dirty work.

Microsoft enterprise customers with software reassurance have had a Microsoft's Windows Preinstallation Environment (WinPE) available since XP. Initially intended for fast OS installs, WinPE and its command-line interface became an insider favorite for out-of-band inspection of maliciously infected systems. Windows Vista, with WinPE 2.0, extends the WinPE family with a relatively nice 32-bit Windows GUI environment, supporting most Windows APIs, NTFS reads and writes, network log-ons, device drivers, and is able to run most Windows programs. Unfortunately, it only comes with Windows Vista.

My friend (and tech editor of one of my most recent books) Chris Quirke has been promoting an even better product called BartPE. The BartPE Builder helps you create an entire out-of-band Windows boot image. When installed, it searches your hard drive for the Windows installation files, and once found uses them to build a new boot image. The BartPE Builder can create an ISO image or directly burn the image to a CD or DVD disc.

It's an entire "thin" version of Windows. Although it only comes pre-installed with a handful of investigative programs (called plug-ins), you can add nearly any forensic or malware investigation program you like. Chris's BartPE image has thirteen antivirus products installed, six anti-spyware programs, 20 integrity checkers, both RootkitRevealer and Blacklight rootkit inspection programs, ten data recovery programs, and nearly 100 other programs. When he needs to inspect a system forensically, he boots up his customized BartPE CD and has everything he needs available from one GUI menu. You can make your own customized BartPE image with the tools you find most useful.

However you do it, realize that simple auto-run file inspection is getting less reliable again. Consider using BartPE to make your own ultimate Windows inspection toolkit.