If we really want to take virus protection seriously, we’d get involved with reporting undetected viruses to anti-virus product vendors. Malware developers thrive because very few people investigate virus alerts.
A typical web-based virus attack consists of multiple components. A person may willingly install software (a Trojan horse), and that software may download additional malicious components. Alternatively, a user may inadvertently install software as the victim of a drive-by download when visiting a web site; this software also downloads additional malicious components. It is almost always the case that one or more of these components is already detected as malicious. The attacker needs at least one of these components to succeed. The attacker can be detected if at least one of these components is detected, and at least one often is.
Unfortunately, it is generally assumed that once anti-virus software has detected a threat, the threat has been sufficiently addressed. This lets the malicious person try as many threats as they wish.
- Undetected threats work.
- Detected threats are ignored.
If enough people follow up on enough of these detected threats, submit samples to anti-virus vendors and report the malicious sites they find, we can make malware development less profitable and less attractive.
There’s a mystique to finding malicious files, a belief that you need special skills. That’s not true. There’s a belief that it is the job of the anti-virus vendor to both find the malicious files and to develop protection. How is the vendor supposed to find the files?
Abandon those misconceptions. You can be informed about various attacks before you read about them, if you just look.
Trend Micro System Information Collector (SIC) is an easy way to find suspicious files that you can give to your anti-virus vendor. Your task is to identify what may be malicious; their task is to determine whether it truly is malicious and what it does. You can detect what they don’t detect. See “Collecting malware samples and logs using the System Information Collector (SIC)” for download and usage instructions. (That page does not list Windows Vista among the supported operating systems, although other references indicate that it is supported.) With this utility you will create a log file of system information and a ZIP archive of suspicious files. Reviewing the log file is optional. The important next step is to get the archived files to your anti-virus vendor for review. The password for the ZIP file is “virus” (without the quotes).
That should be the minimal follow-up for a successfully infected system: run SIC; get the suspicious files to your vendor. You can do this; this can work. We can do this; we can make malware development a less attractive profession.
Seriously. This is real National Defense stuff you can be doing. Infrastructure Defense. In your spare time. Today.

The SIC tool logs the following information from the target machine:
- System Information (Operating system, Windows folder, Systems folder, etc.)
- Network connections (TCP/UDP connections and related programs)
- Shared folders (This feature is Disabled by default.)
- Disk drive(s); Master Boot Record(s) (MBR)
- Programs that automatically run when the machine starts
- Services (WinNT-based platforms only)
- Active or running processes
- Modules or libraries being used by the active processes
- Installed AV products (OfficeScan, PC-cillin, and ServerProtect)
- List of services found in the Registry
- List of files found in the shared folders
- List of AUTORUN.INF files found in the root of each drive
- ARP (Address Resolution Protocol) table information
SIC inspects the registry locations that malware may use to ensure it gets run. That would include the usual Autoruns locations, such as:
- HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
- HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
- HKCR\exefile\shell\open\command
- HKLM\SOFTWARE\Classes\exefile\shell\open\command
- HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
- HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
- HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows, value AppInit_DLLs=<command>
- HKLM\SYSTEM\CurrentControlSet\Services
SIC also inspects less frequently pursued registry entries, such as:
- HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options, value Debugger=<command>
In each case <command> can be a malicious payload.
SIC parses only the current user’s hive; other users’ hives are not inspected.
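The registry checks just described, as an added Python example that is not part of SIC or any Trend Micro tool: the table of locations comes from the list above, while the triage rules, the `winreg` collector and the `SAMPLE` entries are my own assumptions, with the sample entries constructed rather than taken from a real system.

```python
import re
# Registry locations from the list above. None = every value under the key; "" = the default
# value. This table and the rules are an added example, not SIC's own logic.
AUTORUN_KEYS = [("\\".join((hive, r"SOFTWARE\Microsoft\Windows\CurrentVersion", run)), None)
                for hive in ("HKLM", "HKCU") for run in ("Run", "RunOnce")] + [
    (r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows", "AppInit_DLLs"),
    (r"HKLM\SOFTWARE\Classes\exefile\shell\open\command", "")]
IFEO = r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options"
# Paths a standard user can write to; a Run entry pointing there deserves a second look.
USER_WRITABLE = re.compile(r"\\Temp\\|\\AppData\\|\\Users\\Public\\|%TEMP%|%APPDATA%", re.I)

RULES = [  # (reason, test(lower-cased key path, lower-cased value name, data))
    ("IFEO Debugger set", lambda k, n, d: k.startswith(IFEO.lower()) and n == "debugger"),
    ("AppInit_DLLs non-empty", lambda k, n, d: n == "appinit_dlls" and d.strip() != ""),
    ("exefile handler changed", lambda k, n, d: k.endswith(r"exefile\shell\open\command") and d.strip() != '"%1" %*'),
    ("autorun from user-writable path", lambda k, n, d: k.endswith(("\\run", "\\runonce")) and USER_WRITABLE.search(d)),
]

def triage(entries):
    """(key_path, value_name, data) tuples in; (reason, key, name, data) out for analyst review."""
    return [(reason, key, name, data) for key, name, data in entries
            for reason, hit in RULES if hit(key.lower(), name.lower(), data)]

def collect_windows():
    """Read the live registry with winreg (Windows only); returns (key, name, data) tuples."""
    import winreg
    hives = {"HKLM": winreg.HKEY_LOCAL_MACHINE, "HKCU": winreg.HKEY_CURRENT_USER}
    def read(path, wanted):
        hive, sub = path.split("\\", 1)
        try:
            with winreg.OpenKey(hives[hive], sub) as key:
                if wanted is not None:   # one named value ("" reads the default value)
                    return [(path, wanted, str(winreg.QueryValueEx(key, wanted)[0]))]
                return [(path,) + tuple(map(str, winreg.EnumValue(key, i)[:2]))
                        for i in range(winreg.QueryInfoKey(key)[1])]
        except OSError:                  # key or value absent: nothing to report
            return []
    out = [e for path, wanted in AUTORUN_KEYS for e in read(path, wanted)]
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, IFEO.split("\\", 1)[1]) as ifeo:
        for i in range(winreg.QueryInfoKey(ifeo)[0]):   # one subkey per targeted image name
            out += read(IFEO + "\\" + winreg.EnumKey(ifeo, i), "Debugger")
    return out

# Constructed sample entries (not taken from any real system) so triage() runs on any OS.
SAMPLE = [
    (AUTORUN_KEYS[0][0], "SecurityHealth", r"C:\Windows\System32\SecurityHealthSystray.exe"),
    (AUTORUN_KEYS[2][0], "updater", r"C:\Users\bob\AppData\Local\Temp\svch0st.exe"),
    (AUTORUN_KEYS[4][0], "AppInit_DLLs", r"C:\Windows\Temp\hook.dll"),
    (AUTORUN_KEYS[5][0], "", '"%1" %*'),
    (IFEO + r"\notepad.exe", "Debugger", r"C:\Users\Public\dbg.exe")]
```

On Windows, `triage(collect_windows())` runs the rules against the live registry; on any platform `triage(SAMPLE)` exercises them on the constructed entries. A hit is a candidate for submission to your vendor, not a verdict.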
If you are a Trend Micro customer, ask for the ARTLClean tool. ARTLClean combines the power of SIC, Suspicious Object Scanner (SOS), SysClean, and APAC RTL PackerTrap to collect suspicious files and instantly provides users with an option to clean the system with the latest small pattern files.
A Complementary Measure: OTL by OldTimer
OTL by OldTimer presents system information, processes, modules, services, drivers, Internet Explorer extensions, Firefox extensions, browser helper objects (BHO), run keys and recently modified files. Your task is to find the anomalous entries and files and forward them to your vendor for review.
An even simpler measure: what’s new in System32? Sort by Date Modified and see what’s at the top (or bottom) of the list. This will miss a lot of malware, but it will discover suspicious files with very little training. The scenario is: your anti-virus found something, but did it find everything? By looking for a DLL (or EXE) file with a recent (perhaps today’s) date, you have located a suspicious file. Similarly, find what’s new in the hidden-file areas (the user’s temporary files, C:\Windows\Downloaded Program Files).
Another Simple Measure: Mandiant Red Curtain (MRC)
MRC examines executable files (not only .exe and .dll files, but many more) looking at entropy (randomness), indications of packing, compiler and packing signatures, the presence of digital signatures, and other characteristics to generate a threat “score.” Sort the result by “Score” and review the files with a high score. Use the built-in Help feature for an explanation of what MRC found.
Another Simple Measure: Windows File Analyzer
The Windows Prefetch folder contains information about programs that have been run. If malicious software has been installed, it is probably listed in the Windows\Prefetch folder. This narrows the number of suspected programs considerably.
Damballa Failsafe is a purpose-built, specialized threat protection solution, which hunts for these hidden threats utilizing an array of patent-pending technologies.