Malware - Spreading and Mitigation

By balaji

October 17, 2009

The number of incidents involving malware is on the rise. The more "networked" or "online" systems there are, the more chances malware gets to spread, steal data and, in certain cases, take complete control of end user systems. Over the course of this article we'll take a look at what malware is and how it spreads. We'll understand how to mitigate the spread of malware in an organization. Lastly, we'll give you a few guidelines on how to go about analyzing malware on an infected system.

Well.. what is malware anyway?

The simplest and most apt definition I could find was this: malware is software developed for the purpose of causing harm to a computer system. And that's all it is. You'll find many different definitions; some talk about the kinds of malware and some about the destruction that malware can cause. All in all though.. they all have the same goal: cause harm to a computer system.

How does Malware spread?

Many ways really.. and they're increasing all the while. Here are some of the most common:

  • Hosted on an evil site. The attacker sends you a link with the heading "Free movies". You click. You get your free movie. You also get free malware.
  • The good old attachment, packaged in with a JPEG image of a newborn baby. You click to open. The baby is cute. The malware which comes along is definitely not.
  • SQL Injection. It's all the rage these days, I tell you. There are tons of automated programs searching for poorly protected websites. The moment they find a site vulnerable to SQL Injection, they leverage it to gain further access into the system. Eventually they either upload malware which automatically communicates outward, or they change the site's code so that anyone who visits it gets infected.
  • Phishing sites. A site which looks just like your friendly banking site. Except that it isn't one. While a lot of phishing sites steal data without uploading malware, there will be a few that wouldn't mind infecting you as well.
  • Banking Trojans. While this isn't strictly malware, I thought I'd put this out as well just so you know. The trojan somehow makes its way onto your disk. When you launch your browser and go to your bank's site, it somehow replaces the bank page with its own page, which has a little extra field asking you for your debit card PIN as well. "Hmm ... I typed this myself, this can't be phishing. Maybe they started asking for debit card PINs too for security purposes?" Er.. not exactly.

Initial steps towards combating malware

So someone did something silly and you're now hit by malware. And it's spreading fast. The best thing is to find the malware and crush it so it stops spreading. However, that's easier said than done unless you know exactly how it got in. If you are sure that you've identified the root cause, by all means go and fix the problem. Many a time it isn't that straightforward and requires plenty of log analysis to get to the root of the problem. So in such a case, here are a few things that you can do to reduce the impact the malware will have. Note here that we're discussing just a corporate environment; we'll take up a standalone system in a future issue or blog about it sometime.

  • First, understand the problem. It's imperative that you at least understand what has changed in your environment. Is the malware spreading fast? Is it on a central server which is being heavily accessed? Is it affecting just that one system? Let's assume this time that the malware has succeeded in setting up an entire phishing site on your web server.
  • Once you understand what the problem is (which in most cases will be something that isn't limited to a standalone system), isolate all systems infected by the malware. So here we have to isolate the web server quickly.
    • Identify all possible entry points to your web server and their respective network paths. A network diagram helps a lot here.
    • Put rules on your firewall and other filtering devices to ensure your web server does not talk to any other system it does not need to.
    • Identify which countries your bank is not being accessed from and block all those IP ranges; you won't need them anyway.
  • Honestly estimate whether you have the in-house capability to handle this. If not, don't hesitate to call in a specialist.
  • Start looking for the last clean backup of the content on your web server. You're going to have to clean your web server up eventually.
  • If you haven't already, back up all your logs from the web server as well as from all critical devices along all relevant network paths. Store all relevant logs for the last 30 days at least, if you have them. They'll be very useful during analysis.
  • Take a complete bit-by-bit backup of the content on the infected server if you can, so we know exactly what the malware was doing if we need to.
  • Contact the relevant authorities to take down the phishing sites which are hosting the malware.
  • If it's a phishing site that is set up on the server, there might be a problem with your code on the site. Do a security code review. It's the fastest way to identify insecure code.
  • Once you've backed everything up, it's best to clean your system up and restore from a clean backup.
  • Start doing a log analysis in parallel to identify what went wrong and how the malware got in. Pay a lot of attention to the web logs; there is a big chance that this was the channel.
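As an added illustration of the log-analysis step (this is example code, not part of the original article), here is a small Python scanner that pulls the request URL out of combined-format web log lines, URL-decodes it and flags the SQL Injection indicators described earlier, then counts hits per source address. The log lines, IP addresses and paths are constructed samples.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample lines in combined log format (not real traffic).
SAMPLE_LOG = """\
10.0.0.5 - - [17/Oct/2009:10:01:02 +0000] "GET /products.asp?id=12 HTTP/1.1" 200 5120 "-" "Mozilla/4.0"
10.0.0.9 - - [17/Oct/2009:10:01:09 +0000] "GET /products.asp?id=12%27%20OR%201%3D1-- HTTP/1.1" 200 8801 "-" "Mozilla/4.0"
10.0.0.9 - - [17/Oct/2009:10:02:41 +0000] "GET /products.asp?id=12;DECLARE%20@s%20VARCHAR(4000) HTTP/1.1" 500 312 "-" "Mozilla/4.0"
10.0.0.7 - - [17/Oct/2009:10:03:00 +0000] "GET /images/logo.gif HTTP/1.1" 200 2048 "-" "Mozilla/4.0"
10.0.0.9 - - [17/Oct/2009:10:05:17 +0000] "GET /products.asp?id=12%20UNION%20SELECT%20name%20FROM%20sysobjects HTTP/1.1" 200 9901 "-" "Mozilla/4.0"
"""

# Fields we need from each line: client IP, timestamp, method, raw URL, status code.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<url>\S+) [^"]*" (?P<status>\d{3})'
)

# Indicator patterns applied to the decoded URL; each gets a short name for the report.
SQLI_PATTERNS = [
    ("quote_comment", re.compile(r"'.*--", re.I)),
    ("tautology", re.compile(r"\bor\b\s+\d+\s*=\s*\d+", re.I)),
    ("union_select", re.compile(r"\bunion\b.*\bselect\b", re.I)),
    ("stacked_query", re.compile(r";\s*(declare|exec|insert|update|drop)\b", re.I)),
]


def parse_line(line):
    """Parse one log line into a dict, adding the URL-decoded request; None if malformed."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["decoded"] = unquote_plus(rec["url"])  # undo %27, %20, %3D etc.
    return rec


def scan_log(text):
    """Return (ip, timestamp, status, indicator names, decoded url) for each suspicious request."""
    hits = []
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        names = [name for name, pat in SQLI_PATTERNS if pat.search(rec["decoded"])]
        if names:
            hits.append((rec["ip"], rec["ts"], int(rec["status"]), names, rec["decoded"]))
    return hits


def suspicious_sources(hits):
    """Count flagged requests per source IP so the noisiest client stands out."""
    counts = {}
    for ip, *_ in hits:
        counts[ip] = counts.get(ip, 0) + 1
    return counts
```

The patterns are deliberately simple; on a real log you would tune them and also look at the 500 responses, which often mark the probes that broke a query.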

Analysis of malware infected systems

So, going over what we have already done:

  1. Understand problem and what is infected
  2. Isolate infected server
  3. Incident Handling
  4. Start Log Analysis to identify root cause
  5. Fix the root cause once it's uncovered

Well.. most organizations are going to be pretty happy if all the above five steps are done successfully. There'll be a few though who'd want to go that extra step and find out exactly how the malware works. We won't delve too deep into malware analysis; there are entire books on the subject. What we will do, however, is look at an outline of how expert researchers analyze malware. There are two types of malware analysis:

  1. Static Analysis - Every piece of malware is a file in some executable format. The source code of the malware, of course, is not available. The EXE will have to be analyzed by disassembling it. This is the rawest form of the malware.
  2. Behavioral Analysis - Run the malware and see what disk and network components it interacts with.

Most of us who aren't well versed in the nuances of assembly language will prefer to perform a behavioral analysis. It's much easier to observe what the malware does than to try to understand, say, 90,000 lines of assembly language. A quick analogy: you understand what calc.exe (the Windows calculator) is doing when you launch and interact with it, right? It'd be harder if Microsoft gave you the code used to write calc.exe and asked you to figure out how it worked.

So coming back to behavioral analysis, here is one approach:

  1. Create a virtual machine instance using VMware or VirtualBox. Copy the malware into a folder in the Virtual machine.
  2. Use a tool called RegShot to take a snapshot of the system before it is infected and one afterwards. Understand the changes the malware made.
  3. Identify and understand the files/registry keys that the malware has created.
  4. Run a tool called Process Monitor, which will monitor all disk and registry activity. This will help you understand which locations the malware is reading from and writing to. It's a slightly more detailed tool than RegShot and will give you every path accessed after the malware was launched. Make sure you use a few filters to remove all the noise that you do not need.
  5. Start a network sniffer like Wireshark and check if the malware is interacting with systems on the network or the Internet. Note down all hosts as well as services it attempts to communicate with.
  6. If it's a service you can simulate, try to create a server with the exact same name so that the malware uses that host instead and continues to execute. For example, if you find that the malware is looking for an SMTP server called on port 25, try setting up a local host with that same name and re-run the malware. Hopefully the malware will use this and continue its execution. If you hadn't done this, you wouldn't be able to find out what else the malware does, as it'd stop executing.
  7. Continue adding and simulating as much as you can till you completely understand how the malware works.
  8. Run a tool called strings.exe to get all clear text strings embedded in the executable, you might get a few passwords.
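Steps 2 and 3 above are a before/after snapshot diff. As an added example (not code from the article or from RegShot), here is a Python version of that idea for the file system: hash every file under a root before and after running the sample, then report what was created, modified and deleted. The demo builds a throwaway directory tree and applies constructed changes to it; the file names are placeholders, not real indicators.

```python
import hashlib
import os
import tempfile


def snapshot(root):
    """Map every file under root (as a forward-slash relative path) to its SHA-256 digest."""
    snap = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            with open(full, "rb") as f:
                digest = hashlib.sha256(f.read()).hexdigest()
            snap[os.path.relpath(full, root).replace(os.sep, "/")] = digest
    return snap


def diff_snapshots(before, after):
    """Compare two snapshots and return created, modified and deleted paths, each sorted."""
    created = sorted(p for p in after if p not in before)
    deleted = sorted(p for p in before if p not in after)
    modified = sorted(p for p in after if p in before and after[p] != before[p])
    return {"created": created, "modified": modified, "deleted": deleted}


def write(root, rel, data, mode="wb"):
    """Helper: write data to root/rel, creating parent directories as needed."""
    path = os.path.join(root, *rel.split("/"))
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, mode) as f:
        f.write(data)


def demo():
    """Build a constructed tree, take a baseline, apply simulated changes, and diff."""
    root = tempfile.mkdtemp()
    write(root, "Windows/System32/hosts", b"127.0.0.1 localhost\n")
    write(root, "Users/bob/readme.txt", b"hello")
    before = snapshot(root)  # the "clean" RegShot-style baseline
    # Constructed post-run changes: a dropped file, an edited file and a removed file.
    write(root, "Windows/System32/svchost32.exe", b"MZ placeholder, not a real binary")
    write(root, "Windows/System32/hosts", b"# constructed change\n", mode="ab")
    os.remove(os.path.join(root, "Users", "bob", "readme.txt"))
    after = snapshot(root)
    return diff_snapshots(before, after)


if __name__ == "__main__":
    print(demo())
```

Hashing, rather than comparing timestamps, is what catches a file whose contents changed while its size and modification time were preserved.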

Once you're done understanding everything the malware does, it's time to turn to static (code) analysis to uncover any other hidden backdoors. For example, the malware might only reconfigure the servers it talks to when a secret command is entered or a specific key is hit at some time. This is possible to uncover only if you are skilled at static analysis. That is a topic for another place, once I have understood enough to write about it :)

Preventing malware from infecting you...

That's about it really as far as understanding malware and responding to it goes. Is there any foolproof way to prevent getting infected by malware at all? Not really.. although you won't hear that from anyone who is trying to sell you a product which does it all. Here are a few things that you can do, though, to try and keep malware at bay:

  • User education. Don't click just because someone sent you something. Think a little before clicking and verify if in doubt.
  • Ensure that your code, especially on web-facing systems, is secure.
  • Have stringent rules on your filtering devices, allowing only restricted access from your DMZ servers.
  • Filter outgoing access as well; most malware will communicate outward to a central server.
  • Have a centrally managed antivirus server running and pushing updates to all your desktops.
  • Follow RBAC, religiously. Don't give "local admin" to all of your users just because they are high profile. You'll be surprised how much malware gets quashed because of this, especially malware which tries to install itself for good on the victim's system.
  • If you have the staff and resources to do this, configure Snort or ModSecurity and understand malware patterns so you can configure rules accordingly. This isn't a silver bullet, by the way; all your ails will not be fixed by just "installing a WAF".

We just touched upon malware this time around. In future articles, we will look at analyzing web logs or maybe even a sample analysis of some malware. As of now, I hope this helps anyone who has been hit by malware and is unsure of a path forward.
