How to detect a truely stealth virus or worm.

[Harvey Colwell]

I ran into an infected PC the other day that I was not able to clean.
Because of time/costs, I was forced to wipe and reinstall the OS and
applications.



Always in the past, I've been able to find some indications of what
services/apps that were causing the problem and have been able to remove
them manually, even if all AntiVirus and AntiSpyWare programs found nothing.



On this particular PC: from the PC itself, I ran fully up-to-date versions
of AdAware, SpyBot, HijackThis, and McAfee Enterprise. None of them found
anything. I removed the H.D.D. and scanned it as a slave (non-booting) from
our test bench PC with AdAware, SpyBot, McAfee Enterprise, and Symantec
Corporate. Again, everything came up clean. Finally I ran ViseConsole to
look for rootkits, but there were no Kernel level hooks detected. I know
that some rootkits don't use hooks, but I was at a lost as to what I could
check next.



A packet capture showed that this PC was constantly trying to make a
connection to remote hosts on port 80. If a connection was established, it
would try to download the robots.txt file (reminiscent of Code Red 2). The
customer's ISP used a WebSense filtering server, so most attempts were
blocked. While I was capturing, I found no malicious activity (only the
robots.txt download).



Using TCPView, all this web activity originated from explorer.exe. Checking
the file's size, date & time stamp made me believe that it was good.
Although, I did replace it with a copy from a clean PC with no change to the
problem above.



This one PC was swamping the customer's bandwidth. And after spending two
days working on the problem, I had to get the it back into service, thus the
wipe and reinstall.



What I was wondering, is there any programs that can detect truly stealthy
programs?



TIA

 

[Bill Sargent]

I have run into a few systems like this each varying to a degree as to how
to manually remove. They seem to attach to or insert themselves into system
files like Iexplore, explorer or rundll32. Then add reg entries to reference
files in the system folder with random character file names, this why I
believe that they are not being detected by any scanners. Have only had 2 ME
systems that couldn't be fixed manually and had to be F-Disked. manual
removal in some cases can be more time consuming than F-Disking. Sorry not
much help but just to let you know you are not alone. Email me directly if
you would like more info.



Thank you, -S --- Bill Sargent CQ Services, Inc. 101 Desmond Street Sayre,
PA 18840-2001 Tel: 1-800-366-2414 Fax: 1-570-882-9679 www.CQServices.com

 

[Ioannis]

Harvey Colwell wrote:
[snip]

What I was wondering, is there any programs that can detect truly stealthy
programs?

There can be no "completely stealth" viruses. The stealth mechanism
needs to have an engine, which encodes and decodes the body of the
virus, either on the fly, or while on disk.

If you assume theoretically that the stealth engine encodes itself as
well as part of the stealth mechanism, then it must necessarily leave a
hook/entry point, from where to start executing, otherwise it has no way
to execute itself (assuming "stealth" means "garbage" bytes. See [*])

Therefore, necessarily, a stealth virus must have part of its body
"uncovered".

Upon closer examination of this hook, CPU emulation can be used to trap
the engine and/or the rest of the code, depending on various analysis
factors.

Note that this applies to whether the stealth mechanism is the same or
different everytime.

For the mathematically inclined, the above can be proved easily as follows:

Let f(s):S->S be the stealth/encryption function from the set of finite
(binary) strings S, to itself. Then f(s)=w \in S is the stealth string,
but note that f must have a fixed point p \in S (a substring of s), such
that f(p)=p (i.e. f acts like the identity on p), otherwise the image w
will have no legal entry point. The string p can then be used as a virus
signature or as an entry hook to recover the rest of the string via
f^(-1) (The inverse of f). If f is non-invertible, then trivially the
virus will fail to decode itself, so we can exclude this case.

[*] If f is smart enough to act on selected S, in such a way as to
produce images which are themselves executable, then you are dealing
with a different question altogether (mutation). In these cases, it can
also be shown that f has to have a fixed point.

 

[David H. Lipman]

Place the drive of the affected computer on another computer and perform the scan.

--
Dave




| I ran into an infected PC the other day that I was not able to clean.
| Because of time/costs, I was forced to wipe and reinstall the OS and
| applications.
|
|
|
| Always in the past, I've been able to find some indications of what
| services/apps that were causing the problem and have been able to remove
| them manually, even if all AntiVirus and AntiSpyWare programs found nothing.
|
|
|
| On this particular PC: from the PC itself, I ran fully up-to-date versions
| of AdAware, SpyBot, HijackThis, and McAfee Enterprise. None of them found
| anything. I removed the H.D.D. and scanned it as a slave (non-booting) from
| our test bench PC with AdAware, SpyBot, McAfee Enterprise, and Symantec
| Corporate. Again, everything came up clean. Finally I ran ViseConsole to
| look for rootkits, but there were no Kernel level hooks detected. I know
| that some rootkits don't use hooks, but I was at a lost as to what I could
| check next.
|
|
|
| A packet capture showed that this PC was constantly trying to make a
| connection to remote hosts on port 80. If a connection was established, it
| would try to download the robots.txt file (reminiscent of Code Red 2). The
| customer's ISP used a WebSense filtering server, so most attempts were
| blocked. While I was capturing, I found no malicious activity (only the
| robots.txt download).
|
|
|
| Using TCPView, all this web activity originated from explorer.exe. Checking
| the file's size, date & time stamp made me believe that it was good.
| Although, I did replace it with a copy from a clean PC with no change to the
| problem above.
|
|
|
| This one PC was swamping the customer's bandwidth. And after spending two
| days working on the problem, I had to get the it back into service, thus the
| wipe and reinstall.
|
|
|
| What I was wondering, is there any programs that can detect truly stealthy
| programs?
|
|
|
| TIA
|
|

 

[Roger Wilco]

Harvey Colwell wrote:
[snip]

What I was wondering, is there any programs that can detect truly stealthy
programs?

There can be no "completely stealth" viruses. The stealth mechanism
needs to have an engine, which encodes and decodes the body of the
virus, either on the fly, or while on disk.

This is encryption, not stealth. Stealth requires an executing program
that interrupts attempts to detect its presence as a process, program,
structure, or program file on disk.

If you assume theoretically that the stealth engine encodes itself as
well as part of the stealth mechanism, then it must necessarily leave a
hook/entry point, from where to start executing, otherwise it has no way
to execute itself (assuming "stealth" means "garbage" bytes. See [*])

This is where encryption with polymorphic decryptors (or mutation
engines) comes into play. If I'm not mistaken, garbage bytes and the
rearranging of instructions (and substituting of instructions and
registers) is all part of oligomorphism, and polymorphism refers to that
sort of action taken on the decryptor part of an encrypted virus.

Therefore, necessarily, a stealth virus must have part of its body
"uncovered".

A (self-decrypting) encrypted virus must have part of its encryptor
"uncovered" in order to execute.

I suppose hiding from scan string based AV counts as stealth to some
extent, but the usual term for this is "metamorphic" or even
oligomorphic, polymorphic, or as above encryption w/ morphing decryptor.
Stealth refers to actions taken to hide from prying eyes (or programs)
while the program is executing such as when a boot virus causes the
original boot sector to be displayed when the user requests the contents
of the actual infected sector be displayed.

The OP asks about programs other than viruses as well, rootkits are a
form of stealth programs in that they present false information to the
user upon request (no-one here but us chickens...says the fox from
inside the henhouse).

Upon closer examination of this hook, CPU emulation can be used to trap
the engine and/or the rest of the code, depending on various analysis
factors.

Yes, some AV engines use emulation to allow the decryption to take place
so that the virus body will be revealed. Some viruses detect emulation
and avoid decrypting under those circumstances - while others just
randomly avoid decryption
some percentage of the time so that some can sneak through without being
detected.

Note that this applies to whether the stealth mechanism is the same or
different everytime.

All you say makes sense for AV avoidance which is not the same as
stealth when talking about viruses. Stealth refers to hiding from other
than AV scanners - stealth hides from utilities too.

 

[w4tch3r]

What I was wondering, is there any programs that can detect truly stealthy
programs?

--

I've had a 98 box like this. Would have been faster to rebuild but I
got stubborn and persisted.

a couple of q's

- what flavor of windows is your suspect box running?
- how often does the pc try to connect out to port 80. only once on
boot up? continuously?

have you tried playing with any process explorers (eg the sysinternals
one or the others)? you could try:
- disable or end as many programs as you can, (well behaved apps that
let you shut them down) and see if it stops.
- kill processes 1 at a time and see if it stops
- kill processes 1 at a time and see which ones stop you from
terminating it. treat those as suspicious or low level processes
- for any suspect processes, google them, and if they are not well
documented system processes, try renaming them or their paths or delete
them (temporarily or course)
- if its a win98 box, you can remove almost all processes before
crashing the system.

have a look also at the very useful utility DebugView from the
sysintenals site. no install, just run it. tells you which process is
generating tcp/ip packets.

If you had alot of spare time... clone the machine using vmware's p2v
assistant tool and continue the investigation in a virtual environment
(eg make a virtual network, replicate the server it is looking for etc

 

[Duane Arnold]

What I was wondering, is there any programs that can detect truly
stealthy programs?

There is no such thing as a truly stealthy program. But can the programmer
of a malware program make the program piggy back of another running
process; you bet they can do that.

If you knew that it was IE that the malware was using, then you could look
inside IE and see what's using the process. You should be able to see and
locate it with something like Process Explorer or some of the other process
examiner programs.

http://tinyurl.com/klw1

Duane

 

[Zvi Netiv]

I ran into an infected PC the other day that I was not able to clean.
Because of time/costs, I was forced to wipe and reinstall the OS and
applications.

Always in the past, I've been able to find some indications of what
services/apps that were causing the problem and have been able to remove
them manually, even if all AntiVirus and AntiSpyWare programs found nothing.

On this particular PC: from the PC itself, I ran fully up-to-date versions
of AdAware, SpyBot, HijackThis, and McAfee Enterprise. None of them found
anything. I removed the H.D.D. and scanned it as a slave (non-booting) from
our test bench PC with AdAware, SpyBot,

Ineffective, as most of what these applications are looking for is in the
affected registry and the Windows configuration files, which aren't searched
unless booted from.

McAfee Enterprise, and Symantec
Corporate. Again, everything came up clean. Finally I ran ViseConsole to
look for rootkits, but there were no Kernel level hooks detected. I know
that some rootkits don't use hooks, but I was at a lost as to what I could
check next.

The most effective and reliable way to work around root-kits is to inspect the
affected PC from remote PC, and through remote registry administration.

A packet capture showed that this PC was constantly trying to make a
connection to remote hosts on port 80. If a connection was established, it
would try to download the robots.txt file (reminiscent of Code Red 2). The
customer's ISP used a WebSense filtering server, so most attempts were
blocked. While I was capturing, I found no malicious activity (only the
robots.txt download).

Using TCPView, all this web activity originated from explorer.exe. Checking
the file's size, date & time stamp made me believe that it was good.
Although, I did replace it with a copy from a clean PC with no change to the
problem above.

This one PC was swamping the customer's bandwidth. And after spending two
days working on the problem, I had to get the it back into service, thus the
wipe and reinstall.

What I was wondering, is there any programs that can detect truly stealthy
programs?

There is always the doubt that you may have overlooked something when done from
local machine. If there is no option to clean from remote, then run your
applications (Spybot, Ad-Aware, Stinger, Sysclean, ... etc.) from safe mode WITH
COMMAND PROMPT. The ToggleMode utility can put any Windows 32 version in that
mode, and can found on www.invircible.com/item/80

Regards, Zvi

 

[Harvey Colwell]

- what flavor of windows is your suspect box running?



Windows XP, SP2

- how often does the pc try to connect out to port 80. only once on
boot up? continuously?

Continuously, several times a second.

have you tried playing with any process explorers (eg the sysinternals one
or the others)? you could try:

Yes, I didn't see anything unusual

- disable or end as many programs as you can, (well behaved apps that let
you shut them down) and see if it stops.
- kill processes 1 at a time and see if it stops
- kill processes 1 at a time and see which ones stop you from
terminating it. treat those as suspicious or low level processes

I've done this before, but never thought of it this time.

for any suspect processes, google them, and if they are not well
documented system processes, try renaming them or their paths or delete
them (temporarily or course)

I searched through HKLM\System\CurrentControlSet\Services and googled any
that I didn't recognize. I found nothing.

have a look also at the very useful utility DebugView from the
sysintenals site. no install, just run it. tells you which process

is generating tcp/ip packets.

I think you mean TCPView, which I did use.