Fellow Malware Travelers

As argued in What’s different about this approach?, you should plan to look for undetected malware when a detected malware incident occurs. Malware rarely travels alone.

See, for example, the Brian Krebs post entitled A Peek Inside the ‘Elenore’ Browser Exploit Kit.

These are pre-packaged kits designed to probe the visitor’s browser for known security vulnerabilities, and then use the first one found as a vehicle to silently install malicious software.

“Virus found in file in Internet cache” is a typical example of a detected malware incident. In order to present a web page, a web browser must download components and use the components to assemble a web page. When a malware component is downloaded, anti-virus software that is configured to perform on-access file scanning has the opportunity to scan the file. If malware is detected, the anti-virus software can then raise an alert and attempt to quarantine or delete the file. Quarantining or deleting the file will probably fail, since the web browser has the file open. The web browser is not allowed to interpret the file, however, since the anti-virus software blocks access.

You may be tempted to ignore the “virus found in file in Internet cache” incident. The rationale is: you have configured your anti-virus software to use real-time or on-access file scanning to block malware from executing. Since you received an alert, you know your anti-virus software is working.

You are missing an opportunity to find the successful malware installs. Browser exploit kits try many attacks, recognizing that some will fail but only one will need to be successful. Browser exploit kits are successful because they can expect failed attacks to be ignored.

Instead, use one of the many browser history and browser cache utilities to learn what else arrived from the same network location or at the same time. For example, Pasco will interpret the index.dat files from Internet Explorer. Windows Explorer makes finding these files difficult. A command shell will reveal them.

In Internet Explorer: Tools, Internet Options tab (Browsing history section), Settings button, Current location: will reveal where to look (such as “C:\Users\<userid>\AppData\Local\Microsoft\Windows\Temporary Internet Files\”). “Temporary Internet Files” is a hidden folder. In a command window, change directories to “C:\Users\<userid>\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5”. “Content.IE5” is also a hidden folder. The index.dat file in this folder is the index.dat file for the Internet Explorer cache for this user. It indexes the files in the four or more hidden folders at its location. That is, files must be copied from the web server to the local drive before they can be presented to the user; the index.dat file is used to locate the local copy of each web server file.

The index.dat file for Internet Explorer history is in “C:\Users\<userid>\AppData\Local\Microsoft\Windows\History\History.IE5”.

If you are looking for your Cookies, see “C:\Users\<userid>\AppData\Roaming\Microsoft\Windows\Cookies”. The “C:\Users\<userid>\Cookies” folder is a junction (alias) to here.

As an administrator, where I had access to remote file systems, if an alert for detected malware appeared I would quickly grab the index.dat files:

copy "\\<machine>\C$\Users\<userid>\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat" "<machine>_<userid>_cache_index.dat"
copy "\\<machine>\C$\Users\<userid>\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat" "<machine>_<userid>_history_index.dat"

The index.dat file for Internet Explorer history has the System and Hidden file attributes, which make it harder to copy.

With Pasco I could convert these dat files to more easily interpreted tab-separated text files.

pasco index.dat > index.txt

The tab-separated text files can be opened in Excel and sorted by URL or by access time. Find the reported malware file and see if any other suspicious files arrived from the same source or at about the same time. Submit these suspicious files to VirusTotal and your antivirus vendor. Alternatively, learn to reverse engineer the suspicious files before submitting them to VirusTotal and your antivirus vendor.
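As an added example (not from the original post and not part of Pasco), the following Python script does the “same source or about the same time” triage described above over Pasco’s tab-separated output instead of sorting it by hand in Excel. The column layout (TYPE, URL, MODIFIED TIME, ACCESS TIME, FILENAME, DIRECTORY, HTTP HEADERS) and the MM/DD/YYYY HH:MM:SS timestamp format are assumptions about Pasco’s output; compare them with the header line of your own index.txt and adjust COLUMNS and TIME_FORMAT if they differ. The sample records are constructed, not a real cache.

```python
"""Triage pasco output: what else arrived with a detected cache file?

Added example, not from the original post or the pasco tool. COLUMNS and
TIME_FORMAT are assumptions about pasco's TSV output; compare them with
the header line of your own index.txt before trusting the results.
"""
import csv
import io
from datetime import datetime, timedelta
from urllib.parse import urlparse

COLUMNS = ["TYPE", "URL", "MODIFIED TIME", "ACCESS TIME",
           "FILENAME", "DIRECTORY", "HTTP HEADERS"]
TIME_FORMAT = "%m/%d/%Y %H:%M:%S"  # assumed pasco timestamp layout

# Constructed sample (not a real capture): exp[1].pdf is the file the
# anti-virus flagged; the other rows are the surrounding cache traffic.
_ROWS = [
    ("URL", "http://news.example.test/index.html",
     "03/02/2010 09:13:58", "03/02/2010 09:14:02", "index[1].htm", "A1B2C3D4", "HTTP/1.1 200 OK"),
    ("URL", "http://ads.example-tracker.test/show.php?id=7",
     "03/02/2010 09:14:05", "03/02/2010 09:14:05", "show[1].htm", "A1B2C3D4", "HTTP/1.1 200 OK"),
    ("URL", "http://evil.example.test/pdf/exp.pdf",
     "03/02/2010 09:14:07", "03/02/2010 09:14:07", "exp[1].pdf", "E5F6A7B8", "HTTP/1.1 200 OK"),
    ("URL", "http://evil.example.test/load/update.exe",
     "03/02/2010 09:14:09", "03/02/2010 09:14:09", "update[1].exe", "E5F6A7B8", "HTTP/1.1 200 OK"),
    ("URL", "http://cdn.example.test/jquery.js",
     "02/27/2010 18:00:00", "03/02/2010 09:14:10", "jquery[1].js", "A1B2C3D4", "HTTP/1.1 200 OK"),
    ("URL", "http://evil.example.test/stat.php",
     "03/02/2010 11:40:00", "03/02/2010 11:40:00", "stat[1].htm", "E5F6A7B8", "HTTP/1.1 200 OK"),
    ("URL", "http://mail.example.test/inbox",
     "", "03/02/2010 11:45:00", "inbox[1].htm", "A1B2C3D4", ""),
]
SAMPLE_TSV = ("History File: cache_index.dat\n\n" + "\t".join(COLUMNS) + "\n"
              + "\n".join("\t".join(r) for r in _ROWS) + "\n")


def parse_time(text):
    """Return a datetime, or None when the field is blank or unparsable."""
    try:
        return datetime.strptime(text.strip(), TIME_FORMAT)
    except ValueError:
        return None


def parse_pasco(text):
    """Turn pasco's TSV output into a list of dicts keyed by COLUMNS,
    plus parsed 'access' (datetime or None) and 'host' fields."""
    lines = text.splitlines()
    # pasco prints a short preamble; the table starts at the header line.
    start = next((i for i, line in enumerate(lines) if line.startswith("TYPE\t")), None)
    if start is None:
        raise ValueError("pasco header line not found")
    reader = csv.reader(io.StringIO("\n".join(lines[start + 1:])),
                        delimiter="\t", quoting=csv.QUOTE_NONE)
    records = []
    for row in reader:
        if not row:
            continue
        row += [""] * (len(COLUMNS) - len(row))  # pad rows with missing trailing fields
        rec = dict(zip(COLUMNS, row))
        rec["access"] = parse_time(rec["ACCESS TIME"])
        rec["host"] = urlparse(rec["URL"]).hostname or ""
        records.append(rec)
    return records


def find_travelers(records, detected_filename, window=timedelta(minutes=2)):
    """Return (record, reasons) for every entry that shares the detected
    file's host or was accessed within `window` of it."""
    detected = next((r for r in records if r["FILENAME"] == detected_filename), None)
    if detected is None:
        raise ValueError(f"{detected_filename!r} is not in this cache index")
    hits = []
    for rec in records:
        if rec is detected:
            continue
        reasons = []
        if rec["host"] and rec["host"] == detected["host"]:
            reasons.append("same host")
        if rec["access"] and detected["access"] and abs(rec["access"] - detected["access"]) <= window:
            reasons.append("same time window")
        if reasons:
            hits.append((rec, reasons))
    return hits


if __name__ == "__main__":
    for rec, why in find_travelers(parse_pasco(SAMPLE_TSV), "exp[1].pdf"):
        print(f"{rec['ACCESS TIME']}  {rec['URL']}  ({', '.join(why)})")
```

Every hit is a candidate for VirusTotal or your vendor, not a verdict: the same-host rule surfaces the follow-on payload even when it arrived hours later, and the time-window rule catches a second exploit host whose name you did not know to look for.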

A batch file to make this file collection and interpretation easier would be:

@echo off
if (%2)==() goto ERR_SYNTAX
rem %1 = machine name or IP address, %2 = userid; both files are read over the C$ admin share
copy "\\%1\C$\Users\%2\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat" "%1_%2_cache_index.dat"
rem The history index.dat has System and Hidden attributes; clear them on the remote file for the copy, then restore them
attrib -s -h "\\%1\C$\Users\%2\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat"
copy "\\%1\C$\Users\%2\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat" "%1_%2_history_index.dat"
attrib +s +h "\\%1\C$\Users\%2\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat"
pasco "%1_%2_cache_index.dat" > "%1_%2_cache_index.txt"
pasco "%1_%2_history_index.dat" > "%1_%2_history_index.txt"
goto :EOF
:ERR_SYNTAX
echo Error - requires two parameters, machine name (or IP address) and userid

A sufficiently large environment (at least 500 machines) with sufficiently liberal Internet access permissions and a large population of laptops will find a steady stream of undetected malware with this method.

A similar approach for Google Chrome would look in:

(pre-Vista) Documents and Settings\[user]\Local Settings\Application Data\Google\Chrome\User Data\Default

(Vista) Users\[user]\AppData\Local\Google\Chrome\

For the following files:

Archived History
Web Data

And parse the files with a tool that interprets SQLite Format 3.
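The same triage against Chrome’s SQLite databases, as an added example rather than anything from the original post: Python’s built-in sqlite3 module reads SQLite Format 3 directly, and the one Chrome-specific detail is that last_visit_time is stored as microseconds since 1601-01-01 UTC rather than a Unix timestamp. The script builds a constructed in-memory database using the urls table layout of Chrome’s History file (assumed here to match the Archived History file named above) so it runs offline; for a real case, copy the history file out (Chrome holds it open while running) and point sqlite3.connect at the copy.

```python
"""Find Chrome history entries near a detected URL.

Added example, not from the original post. The `urls` table below follows
the layout of Chrome's History database; the sample rows are constructed.
Chrome's last_visit_time is microseconds since 1601-01-01 UTC.
"""
import sqlite3
from datetime import datetime, timedelta

WEBKIT_EPOCH = datetime(1601, 1, 1)


def webkit_to_datetime(microseconds):
    """Convert a Chrome/WebKit timestamp to a naive UTC datetime."""
    return WEBKIT_EPOCH + timedelta(microseconds=microseconds)


def datetime_to_webkit(dt):
    """Inverse of webkit_to_datetime, computed with integers so large
    values are not rounded through a float."""
    delta = dt - WEBKIT_EPOCH
    return (delta.days * 86400 + delta.seconds) * 10**6 + delta.microseconds


def build_sample_history():
    """Constructed sample database: a news visit, the URL the anti-virus
    flagged, a follow-on fetch from the same host, and unrelated later traffic."""
    conn = sqlite3.connect(":memory:")
    conn.execute("""CREATE TABLE urls(
        id INTEGER PRIMARY KEY AUTOINCREMENT,
        url LONGVARCHAR, title LONGVARCHAR,
        visit_count INTEGER DEFAULT 0 NOT NULL,
        typed_count INTEGER DEFAULT 0 NOT NULL,
        last_visit_time INTEGER NOT NULL,
        hidden INTEGER DEFAULT 0 NOT NULL)""")
    rows = [
        ("http://news.example.test/", "News", datetime(2010, 3, 2, 9, 14, 2)),
        ("http://evil.example.test/pdf/exp.pdf", "", datetime(2010, 3, 2, 9, 14, 7)),
        ("http://evil.example.test/load/update.exe", "", datetime(2010, 3, 2, 9, 14, 9)),
        ("http://mail.example.test/inbox", "Mail", datetime(2010, 3, 2, 11, 45, 0)),
    ]
    conn.executemany(
        "INSERT INTO urls(url, title, visit_count, typed_count, last_visit_time, hidden) "
        "VALUES (?, ?, 1, 0, ?, 0)",
        [(url, title, datetime_to_webkit(when)) for url, title, when in rows])
    conn.commit()
    return conn


def visits_near(conn, detected_url, window=timedelta(minutes=2)):
    """Return (url, visit datetime) for every other row whose last visit
    falls within `window` of the detected URL's visit, oldest first."""
    row = conn.execute("SELECT last_visit_time FROM urls WHERE url = ?",
                       (detected_url,)).fetchone()
    if row is None:
        raise ValueError(f"{detected_url!r} is not in this history database")
    center = row[0]
    span = int(window / timedelta(microseconds=1))
    cur = conn.execute(
        "SELECT url, last_visit_time FROM urls "
        "WHERE last_visit_time BETWEEN ? AND ? AND url != ? "
        "ORDER BY last_visit_time",
        (center - span, center + span, detected_url))
    return [(url, webkit_to_datetime(ts)) for url, ts in cur]


if __name__ == "__main__":
    db = build_sample_history()
    for url, when in visits_near(db, "http://evil.example.test/pdf/exp.pdf"):
        print(f"{when:%Y-%m-%d %H:%M:%S}  {url}")
```

To run it against a collected file, replace build_sample_history() with sqlite3.connect("path/to/copied/History"); the query and the timestamp conversion are unchanged.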

3 Responses to Fellow Malware Travelers

  1. […] Antivirus Vendors Could Improve Detection As argued in Fellow Malware Travelers, a person who reacts to malware detected in a web browser cache by inspecting related files in the […]

  2. […] function, as well as many more useful features. As part of your malware follow-up (as described in Fellow Malware Travelers), use the source information to enhance your […]

  3. […] at this stage. Anti-virus vendors often have patterns which auxiliary malicious routines (“Fellow Malware Travelers”). For example, F-Secure may have detected Exploit:W32/XcelDrop.F (see related analysis from […]