November 17, 2013

Analyzing Malware? Don't forget to disable Windows Defender

Life's been pretty busy this past year.  In December 2012, I started at GWU on their security team, and in April of 2013, my father passed after a long and difficult illness.  So even though I've continued my studies in forensics, threats, and malware, I haven't written anything in quite some time.  I'm looking forward to posting again here, and at DeepEnd Research.

This post is more along the lines of "tool preparation" as it involves making some tweaks to your analysis system, especially if conducting memory forensics.

A few months ago, I was doing some malware analysis on a Windows 7 memory image. I noticed a bunch of odd artifacts in the RAM image pertaining to some questionable domain names. The domain names really didn't relate to the malware under analysis, so I was curious as to what was going on. I had no antivirus or Microsoft's Malicious Software Removal Tool installed. I had thought that I might have been using a non-sterile VM for analysis, so I tried reverting and even reinstalling Windows 7.

I noticed that an original installation of Windows 7 did not exhibit these artifacts, but after a full Windows update, they appeared. I asked around on a few mailing lists, but most of the responses encouraged me to check for either a tainted VM or some sort of security software that I had neglected to consider. That, in fact, turned out to be exactly the case. So what was it that I was seeing?

The test I did involved a very basic 'strings' dump of the full memory image, grepping for ".ru" and ".com" domains.  The results of this are seen below:

Since posting the domain list to the blog page is triggering many viewers' antivirus, I'll add download links for the text files.

Note that this is a grep of the entire RAM image; it says nothing about which process the artifacts belong to. To attribute them to a process, we'll use Volatility.

I'll first use the 'yarascan' command to search for a few of the domains in order to determine the associated process:
Volatility 'yarascan' command used to locate strings in a process.
While many of the domains located in the full RAM image did not return any hits in Volatility, a great number of them came back to Process ID 2524, which was 'svchost.exe'.
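Attributing hits to processes is a counting exercise once yarascan has run for each domain. The following is an added example, not code from the original post or from Volatility: it tallies yarascan output by owning process so the analyst can see at a glance which PID accounts for most of the hits. It assumes the Volatility 2 yarascan text layout (a "Rule:" line, then an "Owner: Process <name> Pid <n>" line, then hexdump rows); the sample output, process names, PIDs and domains below are constructed placeholders, not taken from the post's image.

```python
"""Tally Volatility 2 'yarascan' hits by owning process (added example)."""
import re
from collections import Counter, defaultdict

# Constructed sample of yarascan output. Rule names stand for the domains
# searched for; PIDs, process names and domains are illustrative only.
SAMPLE_YARASCAN = """\
Rule: ads_example_ru
Owner: Process svchost.exe Pid 2524
0x00f2c010  61 64 73 2e 65 78 61 6d 70 6c 65 2e 72 75 00 00   ads.example.ru..
Rule: ads_example_ru
Owner: Process svchost.exe Pid 2524
0x00f2c440  61 64 73 2e 65 78 61 6d 70 6c 65 2e 72 75 00 00   ads.example.ru..
Rule: bad_example_com
Owner: Process svchost.exe Pid 2524
0x00f31100  62 61 64 2e 65 78 61 6d 70 6c 65 2e 63 6f 6d 00   bad.example.com.
Rule: cdn_example_com
Owner: Process explorer.exe Pid 1380
0x02a14000  63 64 6e 2e 65 78 61 6d 70 6c 65 2e 63 6f 6d 00   cdn.example.com.
"""

# Assumed yarascan line formats (Volatility 2 text renderer).
RULE_RE = re.compile(r"^Rule:\s+(\S+)\s*$")
OWNER_RE = re.compile(r"^Owner:\s+Process\s+(\S+)\s+Pid\s+(\d+)\s*$")


def tally_yarascan(text):
    """Return {(process, pid): Counter({rule: hit_count})} from yarascan output."""
    hits = defaultdict(Counter)
    rule = None
    for line in text.splitlines():
        m = RULE_RE.match(line)
        if m:
            rule = m.group(1)
            continue
        m = OWNER_RE.match(line)
        if m and rule is not None:
            hits[(m.group(1), int(m.group(2)))][rule] += 1
            rule = None  # one Owner line follows each Rule line
    return dict(hits)


def top_owner(text):
    """(process, pid) with the most hits, i.e. where to look next."""
    hits = tally_yarascan(text)
    if not hits:
        return None
    return max(hits, key=lambda k: sum(hits[k].values()))


if __name__ == "__main__":
    for (proc, pid), rules in sorted(tally_yarascan(SAMPLE_YARASCAN).items()):
        print(f"{proc} (PID {pid}): {sum(rules.values())} hits, rules {dict(rules)}")
    print("top owner:", top_owner(SAMPLE_YARASCAN))
```

Feed it the saved text output of yarascan (one run with a rules file naming each domain, or the concatenated output of several `-Y` runs). Domains that never appear in an Owner line are the ones yarascan could not attribute to a process, which is the leftover set mentioned at the end of the post.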

Next, let's look at the loaded DLLs for PID 2524.
Loaded DLLs for PID 2524

Note that the command line for PID 2524 was "C:\Windows\System32\svchost.exe -k secsvcs", which is the svchost instance hosting the Windows Defender service (WinDefend). In the loaded DLL files, you can see references to Windows Defender as well. In 2006, Microsoft included Windows Defender as a first line of defense against malware, originally as anti-spyware. It was later superseded by "Microsoft Security Essentials", which upon installation will disable "Windows Defender".

Dumping the VAD regions for PID 2524 (Volatility's 'vaddump' writes one file per region) and grepping the dumped files for our domains of interest tells us which region holds them. A hexdump of that file shows that we're on the right track:

hexdump of the dumped VAD page where the searched domain was located
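Both the initial strings-and-grep pass over the full image and the grep over the dumped VAD region come down to the same step: pull printable strings out of a raw buffer and keep the ones that look like domains. The following is an added example, not code from the original post, from Volatility or from binutils `strings`. It extracts both ASCII and UTF-16LE strings (plain `strings` without `-e l` misses the latter, and Windows components keep most of their in-memory text in UTF-16), filters them with the ".ru"/".com" pattern used in the post, and prints a hexdump row at each hit, as one would for a vaddump output file. The buffer and domain names below are constructed placeholders.

```python
"""Find domain-looking strings (ASCII and UTF-16LE) in a raw memory dump or
a vaddump'd region and show where they sit (added example)."""
import re

MIN_LEN = 6
# Printable ASCII runs, i.e. what `strings` prints by default ...
ASCII_RE = re.compile(rb"[\x20-\x7e]{%d,}" % MIN_LEN)
# ... and UTF-16LE runs (printable byte followed by NUL), which `strings`
# only reports with `-e l`.
UTF16_RE = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % MIN_LEN)
# Loose host-name match limited to the TLDs the post grepped for.
DOMAIN_RE = re.compile(r"(?:[a-z0-9-]+\.)+(?:ru|com)\b", re.IGNORECASE)


def extract_strings(buf):
    """Yield (offset, encoding, text) for every ASCII or UTF-16LE run in buf."""
    for m in ASCII_RE.finditer(buf):
        yield m.start(), "ascii", m.group().decode("ascii")
    for m in UTF16_RE.finditer(buf):
        yield m.start(), "utf-16le", m.group().decode("utf-16le")


def find_domains(buf):
    """Return sorted (offset, encoding, domain) tuples for domain-like strings."""
    found = set()
    for off, enc, text in extract_strings(buf):
        width = 2 if enc == "utf-16le" else 1  # bytes per character
        for dm in DOMAIN_RE.finditer(text):
            found.add((off + dm.start() * width, enc, dm.group().lower()))
    return sorted(found)


def hexdump_line(buf, offset, width=16):
    """One hexdump row starting at offset: 'offset  hex bytes  ascii'."""
    chunk = buf[offset:offset + width]
    hexpart = " ".join(f"{b:02x}" for b in chunk)
    asciipart = "".join(chr(b) if 0x20 <= b < 0x7f else "." for b in chunk)
    return f"{offset:08x}  {hexpart:<{width * 3 - 1}}  {asciipart}"


# Constructed sample "memory": NUL filler, an ASCII URL, junk, a UTF-16LE
# host name, and a fragment too short to be reported as a string.
SAMPLE = (
    b"\x00" * 32
    + b"http://ads.example.ru/path\x00"
    + b"\xff" * 16
    + "updates.example.com".encode("utf-16le") + b"\x00\x00"
    + b"x.com\x00"
)

if __name__ == "__main__":
    for off, enc, dom in find_domains(SAMPLE):
        print(f"{dom:<24} {enc:<9} {hexdump_line(SAMPLE, off)}")
```

For a multi-gigabyte image, pass an `mmap` of the file rather than reading it into memory; the regexes work unchanged on an mmap object. Running this over each file that vaddump produced gives the region-by-region view the post arrives at by hand, and running the same function over the whole image is the equivalent of the original strings/grep pass, with the UTF-16 strings that pass would have missed.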

You can see by this quick analysis that Windows Defender will load a large number of domains into RAM. It's generally good practice to minimize extraneous artifacts in a sandbox image. Since Windows Defender is enabled by default in Windows 7, don't forget to disable it (the service is named WinDefend) via the Services applet before snapshotting your baseline VM. Set the startup type to Disabled rather than merely stopping it, so it doesn't come back after a reboot or a Windows update, and re-check after updating, since the artifacts only appeared after a full update.

As I mentioned earlier, there were also many odd domains seen in the full RAM image, that were not associated with a process via the Volatility yarascan. I've not yet accounted for this, so if anyone has any clues or additional analysis, I'd be very happy to hear of it.