Research: Malware Action Detection and Protection
Hi,
After 15 months of work it is MADP's showtime. The people who remember my
last finding about Windows Media Player vulns should remember the IDT
project, and I must say that they are both the same but with different
names.
The following is a plain text copy of the MADP v1.0 document. First read
the document and then give Neoava Guard beta v1.0 a try. I hope this new
technique helps stop (at least some) malware.
Any company/person willing to become my partner or help me commercialize
Neoava Guard (MADP's sample) please contact me (participate neoava com).
For more info, to download Neoava Guard, and for new versions of the
document visit:
http://www.neoava.com
The MADP document is copyright me (Arman Nayyeri).
Here you are:
*************************************************************
Malware Action Detection and Protection
=-==-==-==-=
1. Design
=-==-==-==-=
The goal of the MADP project is to find a way to detect and protect against
unknown malware. Unknown malware cannot be detected by signature-based
anti-virus programs, and the most recent successful worms spread the most
while they are still unknown to anti-virus. MADP allows an anti-virus to
detect the actions that malware takes. MADP is not a replacement for
signature-based anti-virus; it is meant to be used together with it, so
that MADP is responsible only for unknown threats while the signature-based
anti-virus program safely protects the system against known threats.
MADP consists of a series of filters that detect actions commonly taken by
malware. MADP filters detect:
1. E-mail worms
2. File infector viruses
3. Destructive programs
4. Internet worms
5. Trojans
6. Adware
MADP systems rely on executable-based permissions instead of the user-based
permissions provided by the OS. This allows the user to put no restriction
on her trusted processes and very limited permissions on all other
processes. When MADP filters detect a suspicious action taken by an
unprivileged executable's process, the system does one of the following:
* Does not allow the action to be taken and increases the "Violation Score"
* Allows the action to be taken and increases the "Violation Score"
* Grants the process permission to take this action and does not increase
  the "Violation Score"
* Denies the process permission to take this action and increases the
  "Violation Score"
The "Violation Score" is a number kept for every executable; it increases
every time a violation is committed by that executable's process. The amount
added to the Violation Score depends on how suspicious the action is. When
the Violation Score reaches a specific (configurable) number, the MADP
system alerts the user about the executable and asks the user to choose
whether to Remove, Quarantine or Skip the executable.
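The scoring rules above as an added worked example in Python (my code, not
Neoava Guard's): a policy object keeps one record per executable path,
applies the four responses listed, remembers granted and denied permissions
per filter, and raises an alert once the configurable threshold is reached.
The filter names, the weights and the threshold value are assumptions made
for the example; the design only says the increment depends on how
suspicious the action is.

```python
"""Per-executable violation scoring as the MADP design describes it (added example, not
Neoava Guard's code). Filter names, weights and threshold are constructed assumptions.
"""
from dataclasses import dataclass, field
from enum import Enum, auto


class Decision(Enum):
    """The four responses the design lists for a suspicious action by an unprivileged process."""
    DENY_ONCE = auto()          # block this action, raise the score
    ALLOW_ONCE = auto()         # allow this action, raise the score
    GRANT_PERMISSION = auto()   # allow this filter for this executable from now on, no score
    DENY_PERMISSION = auto()    # block this filter for this executable from now on, raise score


@dataclass
class Outcome:
    allowed: bool
    score: int
    alert: bool   # True once the score has reached the configured threshold


@dataclass
class ExecutableRecord:
    """What MADP keeps per executable path (the 'executable-based permissions')."""
    path: str
    trusted: bool = False
    violation_score: int = 0
    granted: set = field(default_factory=set)   # filter names permanently allowed
    denied: set = field(default_factory=set)    # filter names permanently denied


# Constructed weights: a more suspicious action adds more to the score.
DEFAULT_WEIGHTS = {
    "spread.wab_read": 30,
    "startup.run_key": 20,
    "bypass.terminate_security_process": 50,
    "damage.hosts_write": 40,
}


class MadpPolicy:
    def __init__(self, weights=None, threshold=60):
        self.weights = dict(DEFAULT_WEIGHTS if weights is None else weights)
        self.threshold = threshold
        self.records = {}

    def record(self, path):
        return self.records.setdefault(path, ExecutableRecord(path))

    def trust(self, path):
        """Trusted executables are unrestricted; nothing is filtered for them."""
        self.record(path).trusted = True

    def evaluate(self, path, filter_name, decision):
        """Apply one filter hit. `decision` is what the user (or the configured default)
        chose at the prompt; a permission remembered from an earlier prompt wins over it."""
        rec = self.record(path)
        if rec.trusted or filter_name in rec.granted:
            return Outcome(True, rec.violation_score, False)
        if filter_name in rec.denied:
            decision = Decision.DENY_ONCE        # remembered deny: block and keep scoring
        if decision is Decision.GRANT_PERMISSION:
            rec.granted.add(filter_name)
            return Outcome(True, rec.violation_score, False)
        if decision is Decision.DENY_PERMISSION:
            rec.denied.add(filter_name)
        rec.violation_score += self.weights[filter_name]
        allowed = decision is Decision.ALLOW_ONCE
        return Outcome(allowed, rec.violation_score, rec.violation_score >= self.threshold)
```

Once `alert` comes back True the caller would show the Remove / Quarantine /
Skip prompt; the record itself keeps scoring so that a "Skip" does not reset
the history.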
A MADP system consists of a series of filters; here is the list of detection
filters by type.
Note: Some filters overlap other filters, but both are listed here because
one of them is less restrictive and the other is more restrictive. They can
be configured by the user.
A. Spread Detection
-------------------
These filters are used to detect worms/viruses when they are trying to
spread or are preparing to spread.
1. Reading the Windows Address Book
2. Writing to a large number of executable files
3. Scanning the network
4. Port 25 connection
5. Connecting to a large number of hosts on port 25
6. Connecting to the host configured as the user's SMTP server (on the
   configured port)
7. Reading a large number of text files
Spread detection filter 1 is used to detect e-mail worms that try to read
the default Windows Address Book (WAB) file in order to gain access to a
large number of e-mail addresses for spreading. We look up the default WAB
file of every logged-on user in order to monitor them.
Spread detection filter 2 is used to detect spreading by a file infector
virus. For better detection of file infectors and fewer false alerts, we
not only check the number of individual executable files written within a
specified amount of time but also the number of directory listings (getting
the list of files in a directory), because no virus knows the names of the
executables on the system and has to query directories to find them. We can
use this trick to differentiate between useful programs and malware. We
also look at what mostly happens when a useful process writes to an
executable file: the useful process is creating or copying an executable,
so it first creates the executable file and then writes to it. We therefore
exclude executables that are created and then written.
Spread detection filter 3 is used to detect Internet worms that scan
networks for hosts with open ports or ping them to find live hosts. We
check the number of individual hosts connected to within a limited amount
of time.
Spread detection filter 4 is used to detect e-mail worms that use an SMTP
server to send e-mail.
Spread detection filter 5 is used to detect e-mail worms that use their own
SMTP engine to send e-mail directly to the target domain's mail server. We
check the number of individual hosts connected to on port 25 within a
limited amount of time.
Spread detection filter 6 is used to detect e-mail worms that send e-mail
through the user's SMTP server (perhaps using the user's credentials if
needed).
Spread detection filter 7 is used to detect e-mail worms that scan text
files on the local hard drive to find e-mail addresses. For better
detection of e-mail worms and fewer false alerts, we not only check the
number of individual text files read within a limited amount of time but
also the number of directory listings (getting the list of files in a
directory), because no worm knows the names of the text files on the system
and has to query directories to find them. We can use this trick to
differentiate between useful programs and malware.
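Filters 2, 3, 5 and 7 are all "many distinct X within a short time"
counters, with filters 2 and 7 additionally requiring directory listings
and filter 2 excluding create-then-write. The following is an added
example (my code, not Neoava Guard's) that implements all seven spread
filters over a per-executable sliding window and goes slightly beyond the
text by handling filters 1, 4 and 6 in the same pass. The window length,
the thresholds, the "configured SMTP server", the event layout and the
event stream (an installer, a file infector and a mass mailer) are all
constructed assumptions.

```python
"""Sliding-window counters for the spread filters in section A (added example, not Neoava
Guard's code). Window, thresholds, SMTP server, event layout and sample events are constructed.
"""
from collections import defaultdict, deque

WINDOW_SECONDS = 10.0
EXE_EXTS = (".exe", ".dll", ".scr", ".com")
TXT_EXTS = (".txt", ".htm", ".html", ".eml", ".dbx")
THRESHOLDS = {"exe_writes": 5, "txt_reads": 5, "hosts": 8, "smtp_hosts": 3, "listings": 2}
USER_SMTP_SERVER = ("smtp.example.invalid", 587)   # constructed "configured SMTP server"


class SpreadMonitor:
    """One deque of recent events per executable image; each new event is judged together
    with the events of the same image that are still inside the window."""

    def __init__(self, window=WINDOW_SECONDS, thresholds=None, smtp_server=USER_SMTP_SERVER):
        self.window = window
        self.th = thresholds or THRESHOLDS
        self.smtp_server = smtp_server
        self.events = defaultdict(deque)

    def observe(self, t, image, kind, target=None, port=None):
        """Record one event (kind: dir_list | create | write | read | connect) and return the
        set of spread filter numbers (1-7, numbered as in the list above) it triggers."""
        q = self.events[image]
        q.append((t, kind, target, port))
        while q and t - q[0][0] > self.window:        # drop events that left the window
            q.popleft()
        fired = set()
        listings = sum(1 for _, k, _, _ in q if k == "dir_list")
        created = {tg for _, k, tg, _ in q if k == "create"}
        # filter 1: any read of a Windows Address Book file
        if kind == "read" and target.lower().endswith(".wab"):
            fired.add(1)
        # filter 2: many distinct executables written, excluding ones this process created
        # first (create-then-write is how installers and compilers behave), plus listings
        exe_written = {tg for _, k, tg, _ in q
                       if k == "write" and tg.lower().endswith(EXE_EXTS) and tg not in created}
        if len(exe_written) >= self.th["exe_writes"] and listings >= self.th["listings"]:
            fired.add(2)
        # filter 3: many distinct hosts contacted on any port (scanning)
        hosts = {tg for _, k, tg, _ in q if k == "connect"}
        if len(hosts) >= self.th["hosts"]:
            fired.add(3)
        if kind == "connect":
            if port == 25:
                fired.add(4)                              # filter 4: any port-25 connection
            if (target, port) == self.smtp_server:
                fired.add(6)                              # filter 6: the user's own SMTP server
        # filter 5: own SMTP engine delivering straight to many mail exchangers
        smtp_hosts = {tg for _, k, tg, p in q if k == "connect" and p == 25}
        if len(smtp_hosts) >= self.th["smtp_hosts"]:
            fired.add(5)
        # filter 7: many distinct text files read, again only together with listings
        txt_read = {tg for _, k, tg, _ in q if k == "read" and tg.lower().endswith(TXT_EXTS)}
        if len(txt_read) >= self.th["txt_reads"] and listings >= self.th["listings"]:
            fired.add(7)
        return fired


def build_sample_events():
    """Constructed event stream, not captured from a real system."""
    ev = [(0.0, "setup.exe", "dir_list", r"C:\App"), (0.1, "setup.exe", "dir_list", r"C:\App\bin")]
    for i in range(6):   # installer: creates each executable before writing it -> no filter 2
        ev += [(0.2 + i, "setup.exe", "create", rf"C:\App\bin\tool{i}.exe"),
               (0.5 + i, "setup.exe", "write", rf"C:\App\bin\tool{i}.exe")]
    ev += [(10.0, "infect.exe", "dir_list", r"C:\Windows"),
           (10.1, "infect.exe", "dir_list", r"C:\Windows\system32"),
           (10.2, "infect.exe", "dir_list", r"C:\Program Files")]
    ev += [(10.3 + i * 0.1, "infect.exe", "write", rf"C:\Windows\prog{i}.exe") for i in range(5)]
    ev += [(20.0, "mailer.exe", "read", r"C:\Users\alice\Address Book.wab"),
           (20.5, "mailer.exe", "connect", "mx.a.invalid", 25),
           (21.0, "mailer.exe", "connect", "mx.b.invalid", 25),
           (21.5, "mailer.exe", "connect", "mx.c.invalid", 25)]
    return ev


def replay(events, monitor=None):
    """Feed events through a monitor; returns {image: union of filters fired}."""
    monitor = monitor or SpreadMonitor()
    fired = defaultdict(set)
    for e in events:
        fired[e[1]] |= monitor.observe(*e)
    return dict(fired)
```

Run `replay(build_sample_events())`: the installer triggers nothing, the
infector trips filter 2 on its fifth write to an existing executable, and
the mailer trips 1, 4 and 5. The listing requirement is what keeps a
backup program that writes many files it already knows by name out of
filter 2.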
B. Startup Detection
--------------------
1. Internet Browser plug-in creation/modification
2. Windows Explorer plug-in creation/modification
3. Service creation
4. Service modification
5. Startup creation (Startup Folders, Registry Keys)
6. Changing execution way of executable files
7. Browser Helper Object (BHO) creation
8. Browser Helper Object (BHO) modification
9. AppInit_DLLs registry modification
10. Shell Service Objects creation
11. Shell Service Objects modification
Startup detection filters 1 and 2 are used to detect malware (trojans,
adware, etc.) that creates or modifies browser/Explorer plug-ins, not only
to start every time one of these programs starts but also to bypass
security software (firewalls, anti-viruses, etc.), since the plug-in runs in
the context of the browser/Explorer process. These filters can therefore be
classified as both Startup Detection and Security-Bypass Detection.
Startup detection filters 3 and 4 are used to detect malware (worms,
viruses, rootkits, etc.) that creates or modifies NT services in order to
start every time Windows starts. These filters also fit the Security-Bypass
Detection category, because malware can create a driver (kernel-mode)
service to bypass security software and gain unlimited access to all parts
of the file system, etc., and can even damage the hardware. Malware can
also modify a security software's service to disable it and bypass its
restrictions.
Startup detection filter 5 is used to detect most malware that uses the
common startup locations to start every time Windows starts. This filter
consists of a series of registry keys known to be used for startup, plus
all of the startup folders.
Startup detection filter 6 is used to detect malware that changes a
registry value so that Windows Explorer runs the malware's executable every
time the user executes an executable. This technique is used by much
malware and often causes complications when the malware's executable is
removed without resetting the registry value.
Startup detection filters 7 and 8 are used to detect malware (adware,
trojans, etc.) that uses Browser Helper Objects (BHOs), not only to start
every time Internet Explorer runs but also to bypass security software
(firewalls, anti-viruses, etc.), since the BHO runs in the context of the
browser process. These filters can therefore be classified as both Startup
Detection and Security-Bypass Detection.
Startup detection filter 9 is used to detect malware that changes the
AppInit_DLLs value in the registry so that its DLL is loaded into every
executable that runs in Windows. This method can also be used to inject
code and therefore bypass security-related software.
Startup detection filters 10 and 11 are used to detect malware that creates
or modifies a Shell Service Object (SSO). An SSO can be used to load a DLL
into the explorer.exe process every time Windows Explorer starts, so it can
also be used to bypass security software.
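Most of the startup filters reduce to recognising writes to a known set of
registry locations (plus the startup folders for filter 5) and telling a
creation from a modification. As an added example (my code, not Neoava
Guard's), the classifier below maps a registry or file write to the
section B filter number. The registry paths are the well-known Windows
autostart locations; which of them MADP actually watches, the event format
and the sample writes are my assumptions.

```python
"""Classify registry and file writes against the startup locations of section B (added
example, not Neoava Guard's code). Which keys MADP watches, the event format and the sample
writes are assumptions; the key paths themselves are standard Windows autostart locations.
"""
import re

HIVE_ALIASES = {"HKEY_LOCAL_MACHINE": "HKLM", "HKEY_CURRENT_USER": "HKCU",
                "HKEY_CLASSES_ROOT": "HKCR"}

# (filter number, regex over the normalised key\value path); the first match wins
STARTUP_PATTERNS = [(n, re.compile(rx, re.IGNORECASE)) for n, rx in [
    (1, r"^HKLM\\SOFTWARE\\Microsoft\\Internet Explorer\\(Toolbar|Explorer Bars|Extensions)\\"),
    (2, r"^HKCR\\(\*|Folder|Directory)\\shellex\\"),
    (2, r"^HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Shell Extensions\\Approved\\"),
    (3, r"^HKLM\\SYSTEM\\CurrentControlSet\\Services\\[^\\]+"),
    (5, r"^HK(LM|CU)\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?\\"),
    (6, r"^HKCR\\(exefile|comfile|batfile)\\shell\\open\\command"),
    (7, r"^HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Browser Helper Objects\\"),
    (9, r"^HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Windows\\AppInit_DLLs$"),
    (10, r"^HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\ShellServiceObjectDelayLoad\\"),
]]
# filters that come as a creation/modification pair in the section B list
MODIFICATION_OF = {3: 4, 7: 8, 10: 11}
STARTUP_FOLDER_MARK = "\\start menu\\programs\\startup\\"


def normalise(path):
    """Expand hive names so HKEY_LOCAL_MACHINE\\... and HKLM\\... compare equal."""
    hive, sep, rest = path.partition("\\")
    return HIVE_ALIASES.get(hive.upper(), hive.upper()) + sep + rest


def classify_registry_write(path, existed=False):
    """Return the section B filter number for a registry write, or None when the path is
    not a startup location. `existed` tells creation (3/7/10) from modification (4/8/11)."""
    p = normalise(path)
    for number, pattern in STARTUP_PATTERNS:
        if pattern.search(p):
            return MODIFICATION_OF.get(number, number) if existed else number
    return None


def classify_file_write(path):
    """Filter 5 also covers the startup folders (all-users and per-user)."""
    return 5 if STARTUP_FOLDER_MARK in path.lower() else None


SAMPLE_WRITES = [   # constructed (path, existed) registry writes
    (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Updater", False),
    (r"HKLM\SYSTEM\CurrentControlSet\Services\evilsvc\ImagePath", True),
    (r"HKCU\Software\Contoso\Settings\Theme", False),
]


def triage(writes):
    """Return [(path, filter)] for the writes that hit a startup location."""
    out = []
    for path, existed in writes:
        n = classify_registry_write(path, existed)
        if n is not None:
            out.append((path, n))
    return out
```

The `existed` flag is what the kernel-mode hook would know at the time of
the write (whether the key or value was already there), which is exactly
the information that separates the paired filters.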
C. Security-Bypass Detection
----------------------------
1. Interrupting security software processes
2. Accessing MADP's own files and settings
3. Startup folder's path modification
4. Process memory modification
5. Global windows hooks creation
6. Windows hooks creation
7. Sending keyboard/mouse input to another process
8. Remote thread creation
Security-Bypass detection filter 1 is used to detect malware that tries to
interrupt security-related processes in some way in order to bypass their
settings. MADP systems let the user choose the security-related executables
on her computer and mark them as Secure. Every attempt to terminate or
suspend a Secure process or its threads is then caught by this filter.
Security-Bypass detection filter 2 is used to detect malware programmed to
change or damage MADP's settings/files in order to bypass the security
provided by the MADP system.
Security-Bypass detection filter 3 is used to detect malware that changes
the startup folder path to hide its startup files from the user and from
security software.
Security-Bypass detection filter 4 is used to detect malware that modifies
another process's memory in order to inject code into it or interrupt it.
This method has been used by programs to write code into another process's
memory and then run the written code by creating a remote thread or by
other means.
Security-Bypass detection filters 5 and 6 are used to detect malware
(keyloggers, trojans, etc.) that creates a (global) Windows hook to inject
its code into other processes. A hook can also be used to log the keys sent
to other windows, so these filters can be listed as Damage Detection filters
too.
Security-Bypass detection filter 7 is used to detect malware that sends
keyboard/mouse input to other windows to do something on behalf of the
user.
Security-Bypass detection filter 8 is used to detect malware that creates a
remote thread in another process in order to interrupt it or inject code
into it.
D. Damage Detection
-------------------
1. HOSTS file modification
2. Deleting a large number of files
3. Writing to a large number of files
4. Listening on a port
5. User-protected files
Damage detection filter 1 is used to detect malware that changes the HOSTS
file to make the user unable to access security-related websites and/or to
make anti-virus programs fail to update their definitions, by redirecting
their host names to an invalid IP address. The HOSTS file is used by
Windows to resolve host names to IP addresses before any DNS query.
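When filter 1 fires, the defender's next question is which security or
update host names were pinned and where to. The following is an added
example (my code, not Neoava Guard's): a small HOSTS parser and a check that
reports watched names mapped to loopback or unspecified addresses
separately from names redirected elsewhere. The watch-list names and the
sample file are constructed for illustration.

```python
"""Check a HOSTS file for redirected security/update host names, the situation damage
filter 1 guards against (added example, not Neoava Guard's code). Watch-list and sample
file are constructed.
"""
import ipaddress

# Constructed watch-list: names a guard would not expect to see pinned in HOSTS at all.
WATCHED_SUFFIXES = ("update.example-av.invalid", "www.example-security.invalid", "neoava.com")

SAMPLE_HOSTS = """\
# constructed sample, not a real HOSTS file
127.0.0.1       localhost
::1             localhost
127.0.0.1       update.example-av.invalid     # sinkholes the anti-virus update site
0.0.0.0         www.example-security.invalid
192.0.2.10      download.neoava.com
10.0.0.5        intranet.corp.invalid
"""


def parse_hosts(text):
    """Yield (ip, hostname, line_no) for every mapping, skipping blank and comment lines."""
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()        # drop trailing comments
        if not line:
            continue
        ip, *names = line.split()                   # one address, one or more names
        for name in names:
            yield ip, name.lower(), line_no


def is_watched(hostname):
    return any(hostname == s or hostname.endswith("." + s) for s in WATCHED_SUFFIXES)


def find_redirections(text):
    """Return (line_no, hostname, ip, reason) for every watched name the file pins.
    Any pin is reported: the real address of these names should come from DNS."""
    findings = []
    for ip, name, line_no in parse_hosts(text):
        if not is_watched(name):
            continue
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            findings.append((line_no, name, ip, "unparseable address"))
            continue
        if addr.is_loopback or addr.is_unspecified:
            reason = "sinkholed to loopback/unspecified"
        else:
            reason = "redirected to " + ip
        findings.append((line_no, name, ip, reason))
    return findings
```

Because HOSTS is consulted before DNS, a single line is enough to cut an
update client off; reporting every pinned watched name rather than only
loopback ones also catches the case where the name is pointed at a host
the attacker controls.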
Damage detection filter 2 is used to detect malware that deletes a large
number of files within a limited amount of time. Not many useful programs
delete many files quickly, and even fewer do so while also querying a
number of different directories, so we add directory listing to this
filter: malware has to get the list of files in a directory before it can
remove them.
Damage detection filter 3 is used to detect malware that writes to a very
large number of files within a limited amount of time. Not many useful
programs write to that many files quickly, and even fewer do so while also
querying a number of different directories, so we add directory listing to
this filter: malware has to get the list of files before it can write to
them.
Damage detection filter 4 is used to detect malware (trojans) that listens
for incoming connections on a port and receives instructions from its
author/hacker, who could then remove or leak personal/sensitive data. This
kind of filter is applied by almost all firewalls.
Damage detection filter 5 is used to protect the user's confidential/
important files from malware. The user adds files/folders and sets the
protection level; the protection levels are (1) Open, (2) Read, (3) Write,
(4) Delete. The user can grant any executable permission to
open/read/write/delete her protected files, and can choose to be asked
when the MADP system finds a request matching the file and level.
E. Execution Detection
----------------------
1. Multi-Extension Execution
2. Process creation by Internet Explorer and/or other browser
3. Script file execution
Execution detection filter 1 is used to detect multi-extension executables
that try to trick the user into executing a malicious executable. This
social-engineering trick is used by many e-mail viruses and by many hackers
to trick victims into executing their executable, because the victim thinks
it is a non-executable, safe file.
Execution detection filter 2 is used to minimize the risk when the browser
is exploited by a malicious website, by asking the user before allowing any
process creation by the browser. MADP can let the user always allow certain
executables to be executed.
Execution detection filter 3 is used to detect script-file malware by
asking the user before a script file is executed. The MADP system can also
run a simple check on the script file to detect suspicious actions in it.
Damage Reduction
----------------
In order to provide better protection against harmful malware:
F. Damage Prevention
--------------------
1. Ability to recover deleted files
Damage prevention filter 1 is used to recover files that may have been
removed by malware. An example of such a system is Fundelete from
Sysinternals.
Useful Software Detection
-------------------------
In order to better identify useful applications, these filters decrease the
violation score:
1. Visible window on the client's screen
2. Start-menu shortcut
Prompts
-------
A MADP system can have the option to prompt the user for a particular action
taken by an untrusted/unprivileged process. The requesting process is
suspended during the prompt.
Script Files
------------
Script/HTA (and other script-like) files have a separate entry in MADP's
executables database. To accomplish this, the MADP system marks the
executables that run scripts and takes the path of the script file from
their parameters.
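The three execution detection filters of section E and the script-file rule
just above share one decision point, process creation. The following is an
added example (my code, not Neoava Guard's) that recognises multi-extension
names, process creation by a browser and script execution, and keys a
script host's database entry on the script path taken from its parameters.
The extension lists, the browser and script-host image names, and the
sample process creations are my assumptions.

```python
"""Execution-time checks for section E plus the 'Script Files' rule (added example, not
Neoava Guard's code). Extension lists and image names are constructed assumptions.
"""
import ntpath
import re

EXECUTABLE_EXTS = {".exe", ".com", ".scr", ".pif", ".bat", ".cmd"}
DOCUMENT_EXTS = {".txt", ".doc", ".jpg", ".gif", ".pdf", ".mp3", ".zip", ".htm", ".html"}
SCRIPT_EXTS = {".vbs", ".vbe", ".js", ".jse", ".wsf", ".wsh", ".hta"}
BROWSERS = {"iexplore.exe", "firefox.exe", "opera.exe"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe"}


def is_multi_extension(path):
    """Filter 1: an executable extension behind a document-looking one ('photo.jpg.exe')."""
    stem, last = ntpath.splitext(ntpath.basename(path))
    if last.lower() not in EXECUTABLE_EXTS:
        return False
    inner = ntpath.splitext(stem.rstrip())[1]   # tolerate padding before the real extension
    return inner.lower() in DOCUMENT_EXTS


def execution_subject(image, cmdline=""):
    """The entry MADP keys its database on: for a script host, the script path taken from
    the parameters ('Script Files' rule); for anything else, the image itself."""
    if ntpath.basename(image).lower() in SCRIPT_HOSTS:
        for tok in re.findall(r'"[^"]*"|\S+', cmdline)[1:]:   # skip argv[0]
            tok = tok.strip('"')
            if ntpath.splitext(tok)[1].lower() in SCRIPT_EXTS:
                return tok
    return image


def execution_filters(parent_image, image, cmdline=""):
    """Return the section E filter numbers that apply to one process creation."""
    fired = set()
    if is_multi_extension(image):
        fired.add(1)
    if ntpath.basename(parent_image).lower() in BROWSERS:
        fired.add(2)                 # any process created by a browser is prompted for
    if ntpath.splitext(execution_subject(image, cmdline))[1].lower() in SCRIPT_EXTS:
        fired.add(3)
    return fired
```

`ntpath` is used throughout so the Windows paths split correctly even when
the check itself runs on another platform; for filter 3 the database
subject is the script, so a user who trusts wscript.exe has not thereby
trusted every script it runs.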
Creating Higher Processes
-------------------------
To prevent malware from performing malicious actions by executing commands
through data input options (process parameters), a process that has higher
permissions than its parent process inherits the parent's permissions, and
when the user is prompted for an action the parent is shown as the
requesting process and the settings are applied to it.
Trusted Children
----------------
To make it easier for useful programs that consist of many executables to be
trusted by the MADP system, the user can choose to trust the child processes
and, optionally, the whole process tree. These settings are inherited and
are therefore not saved for the child process's executable, so if the
child's executable runs without inheriting them, its process is not
trusted.
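The two rules in the sections above (a more privileged child runs with its
parent's permissions and prompts name the parent; trust of children or of
the whole tree is inherited but never written to the database) as an added
example in Python (my code, not Neoava Guard's). The two permission levels,
the database layout and the sample process tree are my assumptions; the
design states the rules, not a data model.

```python
"""Process-tree permission inheritance for the 'Creating Higher Processes' and trusted
children rules (added example, not Neoava Guard's code). Levels and data model are assumed.
"""
from dataclasses import dataclass, field
from typing import Optional

UNPRIVILEGED, TRUSTED = 0, 1   # constructed: the two executable permission levels used here


@dataclass
class ExeSettings:
    """Persistent per-executable settings (the executable database)."""
    level: int = UNPRIVILEGED
    trust_children: bool = False    # "trust the child processes"
    trust_tree: bool = False        # "trust all process tree"


@dataclass
class Process:
    pid: int
    image: str
    parent: Optional["Process"] = field(default=None, repr=False)
    effective_level: int = UNPRIVILEGED
    inherited_trust: bool = False   # trust that came from a parent; never written to the database
    tree_trusted: bool = False      # this process's descendants are trusted as well
    responsible: Optional["Process"] = field(default=None, repr=False)   # shown in prompts


class ProcessTree:
    def __init__(self, db):
        self.db = db          # image -> ExeSettings; only ever read here
        self.procs = {}

    def start(self, pid, image, parent_pid=None):
        own = self.db.get(image, ExeSettings())
        parent = self.procs.get(parent_pid)
        p = Process(pid, image, parent, effective_level=own.level)
        p.responsible = p
        if parent is not None:
            ps = self.db.get(parent.image, ExeSettings())
            parent_trusted = parent.effective_level == TRUSTED
            if (parent_trusted and own.level < TRUSTED
                    and (parent.tree_trusted or ps.trust_tree or ps.trust_children)):
                p.effective_level = TRUSTED       # trusted through the parent only
                p.inherited_trust = True
            elif own.level > parent.effective_level:
                # a more privileged executable launched by a less privileged process runs
                # with the parent's permissions, and prompts name the parent instead
                p.effective_level = parent.effective_level
                p.responsible = parent.responsible
            p.tree_trusted = parent_trusted and (parent.tree_trusted or ps.trust_tree)
        self.procs[pid] = p
        return p

    def is_trusted(self, pid):
        return self.procs[pid].effective_level == TRUSTED

    def responsible_image(self, pid):
        """Executable shown as the requester when this process triggers a prompt."""
        return self.procs[pid].responsible.image


def build_sample_tree():
    """Constructed process tree exercising both rules."""
    db = {
        "cmd.exe": ExeSettings(level=TRUSTED),
        "suite.exe": ExeSettings(level=TRUSTED, trust_children=True),
        "ide.exe": ExeSettings(level=TRUSTED, trust_tree=True),
    }
    t = ProcessTree(db)
    t.start(10, "dl.exe")                       # unknown executable: unprivileged
    t.start(11, "cmd.exe", parent_pid=10)       # trusted shell launched by it: demoted
    t.start(20, "suite.exe")
    t.start(21, "helper.exe", parent_pid=20)    # trusted because suite.exe trusts its children
    t.start(22, "sub.exe", parent_pid=21)       # grandchild: trust_children does not reach it
    t.start(30, "helper.exe")                   # same executable started on its own: untrusted
    t.start(40, "ide.exe")
    t.start(41, "build.exe", parent_pid=40)
    t.start(42, "link.exe", parent_pid=41)      # trust_tree reaches the whole subtree
    return t
```

The guard `parent_trusted and ...` keeps a demoted parent from passing on a
trust setting it no longer effectively has, and nothing in `start` writes to
`db`, which is the "not saved for the child's executable" rule.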
Security Process Simulation
---------------------------
MADP creates fake security processes, using the executable names of security
software, to trick malware into interrupting them. This is actually a trap
for malware that interrupts security software.
Software Installation Auto-Configuration
----------------------------------------
To make it easier for the user to configure useful programs, the MADP system
detects when an installation program runs and asks the user about it. If
the user confirms the installation, the MADP system runs the executable's
process and its children in a special mode that not only trusts them but
also trusts every executable created by any of these processes. This allows
the program's executables to be configured automatically, which not only
causes fewer false alerts but also allows the newly installed program to
perform better.
=-==-==-==-==-==-==-==-=
2. Implementation
=-==-==-==-==-==-==-==-=
Below you will find a description of the implementation of a MADP system on
the Windows NT family.
In order to implement the filters efficiently, we have to implement them in
kernel mode so that user-mode malware cannot bypass the filters in any way
(excluding kernel-mode malware, which is prevented from reaching that
level). For the MADP implementation we use a kernel-mode driver that hooks
the Windows NT system services, so we can monitor the actions taken by all
processes.
Neoava Guard (beta) is MADP-based software that implements most parts of
MADP. For more info visit http://www.neoava.com.
Implementation details will be published if it is decided to make it open
source.
**********************************************************************
Please send feedback to <feedback neoava com>
Sorry for my bad English.
Arman Nayyeri
Security Researcher
MCSE, MCSA, MCP
From Iran