If you would like to read the other parts in this article series please go to:
- Hunt Down and Kill Malware with Sysinternals Tools (Part 2) – Autoruns
- Hunt Down and Kill Malware with Sysinternals Tools (Part 3)
For the past few years, each time I’ve attended the annual MVP Summit in Redmond, a highlight of the conference has been Mark Russinovich’s presentation. This past March, his talk dealt with a particularly fascinating topic: how to use some of the popular Sysinternals tools that he created to hunt down malware on your system. The Sysinternals tools are free to download from the Windows Sysinternals page on the TechNet web site. In this two-part article, I’ll recap what I learned in that session and show you how to utilize some of the popular Sysinternals utilities to assist in your malware hunt.
Automated vs. Manual Malware Clean-up
There are many different malware detection and cleaning applications, including Microsoft’s own Malicious Software Removal Tool (MSRT), which is a free download here. The problem with most anti-malware tools is that they rely on signatures to detect the malicious code. Whenever a new virus, spyware program or other piece of malware is discovered, the vendor has to update the database that the anti-malware tool uses to recognize the new malware. Malware authors are prolific, though, and new malware is discovered on a daily basis, so the anti-malware vendors are always one step behind.
That means users are left unprotected against the new threats for some amount of time, depending on how rapidly the vendor can create, test and deploy updates. This is the reason many computer users have the perception that anti-malware tools don’t work very well. Often one tool will find malware that another misses, and when a threat is brand new, none of the tools may find it. That’s the basis of the “Zero Day” concept – a threat that’s so new there are no protections against it yet in place.
Thus the need for manual malware cleaning methods. Although it’s much more convenient to just run an anti-malware application and hope for the best, if you notice suspicious behavior occurring on your system and those programs can’t find anything wrong, you can delve deeper to find it yourself instead of waiting for the vendors to get the tools updated. You can do that with Sysinternals utilities such as Process Monitor and Autoruns.
Manually Identifying and Cleaning Malware
In his talk, Mark first outlined the steps involved in the manual malware detection and cleaning process, as follows:
- Disconnect the machine from the network.
- Identify the malicious processes and drivers.
- Suspend and terminate the identified processes.
- Identify and delete any malware autostarts.
- Delete the malware files.
- Reboot and repeat.
This can be a multi-step process because malware writers often create very robust software. It’s designed to withstand your efforts to kill it, thus the “reboot and repeat” caveat, which continues until you’ve dealt with all of it.
Step one is a precautionary one. Disconnecting from the network prevents your infected machine from infecting others on the network, and also keeps the machine from being immediately reinfected, from “calling home” when triggered by your detection and cleaning actions, etc. However, being disconnected from the network will also prevent you from fully observing the malware’s normal actions and from completely understanding how it works and all that it does.
How do you identify processes that are suspicious? Mark told us to look for those processes that have no icon, have no descriptive or company name, or that are unsigned Microsoft images. Also focus on those processes that live in the Windows directory, that include strange URLs in their strings, that have open TCP/IP endpoints or that host suspicious DLLs or services (hiding as a DLL instead of a process). Many are packed – compressed or encrypted – and many malware authors write their own packers so you don’t find the common packer signatures. Most malicious software will have some or all of these characteristics.
So how do you go about examining the processes in the first place? Many IT pros would start with the obvious: Task Manager’s Processes tab. Task Manager has been improved in Vista and Windows 7, in comparison to Windows XP. The Description column, which gives you information about what application is using each process, is a welcome feature that’s shown in Figure 1.
You can get additional information in Task Manager by going to the View menu and clicking Select Columns, then checking the boxes you want, as shown in Figure 2.
For example, you can display the image path name to show the full path to the file that’s connected to the process. Or you can check the Command Line box to show the command, with any parameters or switches, that was used to launch the process (malware often has strange looking command lines). You can see this additional information in Figure 3.
Another way to get more info about a process in Task Manager is to right click it and select Properties, which will open its Properties dialog box. Here you can see information regarding its file type, location and size, digital signature, copyright information, versioning (most malware doesn’t have version information), permissions, etc. All of this is a good start, but Task Manager still doesn’t give you quite the in-depth look at a process that you can get with a tool such as the Sysinternals Process Explorer.
Using Process Explorer to Identify Malware
Process Explorer is a free 1.47 MB download from the Windows Sysinternals web page on the TechNet site. It runs on Windows XP and above. Current version is 14.1 and you can get it here. You can also run it from this link
As you can see in Figure 4, it gives you a different view of your processes than what you get with Task Manager.
You’ll notice that in Process Explorer, the process tree in the left column shows parent-child relationships. If one process looks suspicious, related processes may also be. An extremely handy feature is the ability to right click a process and select “Search online” to do a web search for information about the process, as shown in Figure 5.
One thing to keep in mind, though, is that some malware will use pseudo random generated process names, in order to prevent you from finding any information in a search.
We noted earlier that malware is often packed, and the color purple in Process Explorer is an indication that the files may be packed; Process Explorer looks for packer signatures and also uses heuristics (e.g., small code plus big data) to flag these processes. Note that processes created in Visual Studio debugged versions also look like packed processes.
Some of the processes you see will be very familiar so that you might not even give them a thought – processes such as svchost.exe, rundll32, taskhost.exe and so forth. However, malware writers know this too, and so malware often hides behind these processes, creating their own service host to hide in and run as system processes.
Process Explorer’s lower pane is opened from the View menu (“Show lower pane). Then you can specify whether it displays handles or DLLs. In DLL view, you can see what’s inside the processes, whether data or an image. This view shows loaded drivers and can check strings and signatures.
If you find processes claiming to be from Microsoft that are not digitally signed, this is suspicious because virtually all Microsoft code is signed. You can selectively check for signatures with the Verify button on the process image tab in the Properties box for a process, which you access by double clicking the process name. You can see the Properties dialog box with the Verify button in Figure 6.
When you verify a process, the tool will connect to the Internet to check the Certificate Revocation List (CRL). You can add a “Verified Signers” column to the Process Explorer display, by selecting View | Select Columns and checking the “Verified Signer” box as shown in Figure 7.
In Figure 8, you can see the new column and the signatures that have been individually verified.
If you want all signatures verified, you can click the Options menu and select “Verify image signatures” as shown in Figure 9.
Another Sysinternals tool that you can use for verifying digital signatures is Sigcheck, which runs on Windows XP and above. Current version is 1.71 and it’s available for download here .
Sigcheck is an executable command line tool that can be used to scan the system for suspicious executable images. It includes a number of parameters. By using the -u switch, you can get a list of all unsigned files. You can also find out hash values (which can be used to check for malicious files), and check on whether the listed file name matches the internal file name.
Remember, though, that malware authors can also get digital certificates for their software, so the existence of a valid certificate does not guarantee that the process isn’t malicious.
This article is part one of a two-part series on using Sysinternals tools to manually detect and clean malware from a Windows system. We showed you how to use Process Explorer to find suspicious processes that may indicate malware. In part two, we’ll discuss how to use Autoruns to find malware that boots at startup, how to use Process Monitor to trace malware activity, and ways to remove malware from the system.
If you would like to read the other parts in this article series please go to: