<<< Date Index >>>     <<< Thread Index >>>

Research: Malware Action Detection and Protection



Hi,

After 15 month of work it is MADP's showtime. The people who remember my last
finding about windows media player vulns should remember IDT project and I
must say that they are both the same but with different names.

The following is a plain text copy of MADP v1.0 document.First read the
document and then give Neoava Guard beta v1.0 a try. I hope this new technique
help stop (at least some) malwares.

Any company/person willing to become my partner or help me commercialize
Neoava Guard (MADP's sample) please contact me (participate neoava com).

For more info, download (Neoava Guard), new versions of document visit:
http://www.neoava.com

the MADP document is copyright me (Arman Nayyeri).

Here you are:


*************************************************************
Malware Action Detection and Protection


=-==-==-==-=
1. Design
=-==-==-==-=

The goal of the MADP project is to find a way to detect and protect against unknown malwares. Unknown malwares can not be detected by signature-based anti-virus programs and the most recent successful worms spread the most while they are unknown to anti-virus. MADP allows anti-virus to detect actions that can be taken by malwares. MADP is not a replacement for signature-based anti-viruses but it is meant to be used together with signature-based anti-virus, so MADP will only be responsible for unknown threats and signature- based anti-virus programs and will safely protect the system against known threats.

MADP consists of a series of filters to detect actions commonly used in malwares. MADP filters detect:

1. E-mail worms
2. File Infector viruses
3. Destructing programs
4. Internet Worms
5. Trojans
6. Adwares


MADP systems rely on executable-based permissions instead of user-based permissions (provided by OS). This will allow the user to have no restriction on her trusted processes and very-limited permission on other processes. When MADP filters detect a suspicious action taken by an unprivileged executable's process it will
do one of the following actions:

* Does not allow the action to be taken, increases the "Violation Score"
* Allows the action to be taken, increases the "Violation Score"
* Gives the permission for taking this action to the process, does not increase the "Violation Score" * Gives deny access for taking this action to the process, increases the "Violation Score"

The "Violation Score" is a unique number for every executable that increases every time a violation occurred by that executable's process. The number that adds to Violation Score depends on how suspicious the action is. When the Violation Score reaches a specific (configurable) number the MADP system will alert the user about the executable and asks the user to choose to Remove / Quarantine or Skip the executable.

A MADP system consists of a series of filters, here is the list of Detection filters based on type:

Note: Some filters may overlap other filter but they both listed here because one of them is less restrictive and
the other one is more restrictive. They can be configured by the user.

A. Spread Detection
-------------------
These filters used to detect worms/viruses when they are trying to spread or prepare for
spreading.

1. Reading Windows Address Book
2. Writing to large number of executable files
3. Scanning Network
4. Port 25 connection
5. Connecting to large number of hosts on port 25
6. Connecting to host configured as user's SMTP server (on the configured port)
7. Reading large number of text files

Spread detection filter 1 used for detection of Email worms who try to read Default Windows Address Book (WAB) file in order to gain access to a large number of email addresses used for spreading, we will get the default WAB file for every user logged on to monitor them.

Spread detection filter 2 used for detection of spread by a file infector virus. For better detection against file infector and less wrong alerts we not only check the number of individual executable files that have been written in a specified amount of time but we also check the number of directory listing (getting the list of files in a directory). Because no virus knows the name of executables on the system and should query the directory for the files to find executables. We can use this trick to differentiate between useful programs and malwares. We also look at one of the things that mostly happen when a useful process writes to an executable file, and that is when the useful process tries to create/copy an executable. So a useful process first creates an executable file then writes to it. So we exclude executables that are created and
then written.

Spread detection filter 3 used for detection of internet worms that scan networks for hosts with open ports or ping them to find alive hosts. We check the number of individual hosts connected
on a limited amount of time.

Spread detection filter 4 used for detection of Email worms that use an SMTP server to send
email.

Spread detection filter 5 used for detection of Email worms that use their own SMTP engine to send emails through target domain's e-mail handler server. We check the number of individual
hosts connected (on port 25) on a limited amount of time.

Spread detection filter 6 used for detection of Email worms that send email through user's
SMTP server. (Perhaps using the users credentials if needed)

Spread detection filter 7 used for detection of Email worms that scan local hard-drive text files to find email addresses. For better detection against Email worms and fewer wrong alerts we not only check the number of individual text files that have been read in a limited amount of time but we also check the number of directory listing (getting the list of files in a directory). Because no worm knows the name of text files on the system and should query the directory for the files to find text files we can use this trick to differentiate between useful programs and malwares.


B. Startup Detection
--------------------
1. Internet Browser plug-in creation/modification
2. Windows Explorer plug-in creation/modification
3. Service creation
4. Service modification
5. Startup creation (Startup Folders, Registry Keys)
6. Changing execution way of executable files
7. Browser Helper Object (BHO) creation
8. Browser Helper Object (BHO) modification
9. AppInit_DLLs registry modification
10. Shell Service Objects creation
11. Shell Service Objects modification

Startup detection filter 1, 2 used for detection of malwares (trojans, adwares, etc.) that try to create/modify browser/explorer plug-ins in order to not only start every time one of these programs started but also bypass the security softwares (firewalls, antiviruses, .) as they can run in the context of browser/explorer process. So these filters somehow can be classified as both
Startup Detection and Security-Bypass Detection.

Startup detection filter 3, 4 used for detection of malwares (worm, viruses, rootkits, etc.) that try to create/modify NT services in order to start every time windows starts. This filter also perfectly fit on the Security-Bypass detection category because the malware can create a driver (kernel-mode) service to bypass security softwares and gain unlimited access to all parts of file- system, etc. and it can even damage the hardware. The malware can modify security software's
service to disable it to bypass its restrictions.

Startup detection filter 5 used for detection of most malwares that use common startup ways to start every time windows starts. This filter consists of a series of registry keys that is known for
startup and also all of the startup folders.

Startup detection filter 6 used for detection of malwares that try to change a registry value in a way that windows explorer runs their executable every time an executable executed by the user. This way used by many malwares and often causes complications when the malware's
executable removed without resetting the registry value.

Startup detection filter 7, 8 used for detection of malwares (adwares, trojans, etc.) that use Browser Helper Objects (BHO) in order to not only start every time Internet Explorer runs but also bypass the security softwares (firewalls, antiviruses, .) as they can run in the context of browser process. So these filters somehow can be classified as both Startup Detection and
Security-Bypass Detection.

Startup detection filter 9 used for detection of malwares that try to change AppInit_DLLs value in registry so they can load their DLL into every executable runs in Windows. This method can also be used to inject code and therefore bypass security-related softwares.

Startup detection filter 10, 11 used for detection of malwares that try to create/modify a Shell Service Object (SSO). A SSO can be used to load a DLL in the explorer.exe process every time Windows Explorer starts. So it can also be used to bypass security softwares.


C. Security-Bypass Detection
----------------------------
1. Interrupting security software processes
2. Accessing MADP's own files and settings
3. Startup folder's path modification
4. Process memory modification
5. Global windows hooks creation
6. Windows hooks creation
7. Sending keyboard/mouse input to another process
8. Remote thread creation

Security-Bypass detection filter 1 used for detection of malwares that try to somehow interrupt the security-related processes to bypass their settings. MADP systems will allow the user to choose the security-related executables in her computer and then mark them as Secure. Then every attempt to terminate/suspend security process or process's threads will be filtered by this
filter.

Security-Bypass detection filter 2 used for detection of malwares that programmed to change/damage the MADP settings/files in order to bypass the security provided by MADP
system.

Security-Bypass detection filter 3 used for detection of malwares that try to change the startup
path to hide their startup files from the user/security softwares.

Security-Bypass detection filter 4 used for detection of malwares that try to modify a process memory in order to inject code or interrupt it. This method has been used by programs to write code into another process memory and then running the written code by creating a remote
thread or by using the other ways.

Security-Bypass detection filter 5, 6 used for detection of malwares (keyloggers, trojans, etc.) that try to create a (global) windows hook to inject their code into other processes. This can also be used for logging the keys sent to other windows. So these filters can also be listed as Damage
Detection filters too.

Security-Bypass detection filter 7 used for detection of malwares that try to send
keyboard/mouse input to other windows to do something on behalf of the user.

Security-Bypass detection filter 8 used for detection of malwares that try to create remote
thread on other processes in order to interrupt or inject code into them.


D. Damage Detection
-------------------

1. HOSTS file modification
2. Deleting large number of files
3. Writing to large number of files
4. Listening on a port
5. User Protected Files

Damage detection filter 1 used for detection of malwares that try to change HOSTS file to make the user unable to access security-related websites, and/or make the antivirus programs fail to update their definitions by redirecting their host names into an invalid IP address. HOSTS
file used by windows to resolve host names to IP before a DNS query.

Damage detection filter 2 used for detection of malwares that try to delete a large number of files in a limited amount of time. Not so many useful programs delete many files quickly and it will be less if we use this filter when the process also queries different directories a number of times. So we add directory listing to this filter because all malwares should get the list of files
before they can remove the files in it.

Damage detection filter 3 used for detection of malwares that try to write to a very large number of files in a limited amount of time. Not so many useful programs write to that many files quickly and it will be less if we use this filter when the process also queried different directories a number of times. So we add directory listing to this filter because all malwares
should get the list of files before they can write into them.

Damage detection filter 4 used for detection of malwares (trojans) that try to listen for incoming connections on a port and receive instructions from author / hacker, so he could remove/leak personal/sensitive data. This kind of filter applied by almost all firewalls.

Damage detection filter 5 used for protection of user's confidential/important files from malwares. User will add files/folders and set the protection level. The protection levels are (1) Open (2) Read (3) Write (4) Delete. The user can allow any executable the permission to open/read/write/delete her protected files. User can choose to ask him when the MADP system
finds a request matching the file and level.


E. Execution Detection
----------------------
1. Multi-Extension Execution
2. Process creation by Internet Explorer and/or other browser
3. Script file execution

Execution detection filter 1 used for detection of the Multi-Extension executables that trying to trick user to execute malicious executables. This Social-Engineering trick used by many email viruses and used by many hackers to trick victims to execute their executable (because victim
thinks it's a non-executable and safe file).

Execution detection filter 2 used for minimizing the risk when the browser's exploited by malicious websites by asking the user before allowing any process creation by browser. The
MADP can allow the user to always allow certain executable to be executable.

Execution detection filter 3 used for detection of script file malwares by asking the user about their execution. The MADP system can also runs a simple check on the script file to detect
suspected actions runs on script file.


Damage Reduction
----------------
In order to provide better protection against harmless malwares:

F. Damage Prevention
--------------------
1. Deleted files recovering ability

Damage prevention filter 1 used for recovering the files that might be removed by malwares.
The example of such system is Fundelete from Systeinternals.


Useful Software Detection
-------------------------
In order to better identify useful applications, these filters decrease the violation score:

1. Visible window in client's screen
2. Start-menu shortcut


Prompts
-------
A MADP system can have the option to prompt the user for a particular action taken by an untrusting / unprivileged process. The requesting process will be suspended during prompt.


Script Files
------------
The Script/HTA (or other script-like) files will have separate entry in MADP's executables database. To accomplish this goal, MADP system will mark executable that run scripts and get the path of the script file
from parameters.


Creating Higher Processes
-------------------------
To prevent malwares from doing malicious action by executing commands using data input options (process parameters) the processes that have higher permissions than the parent process will inherit permissions from the parent and when the user prompts for an action the parent will be shown as the requesting process and the
settings will be applied to it.


Trusted Childs
--------------
To make it easier for useful programs that consist of many executables to be trusted by MADP system, the user can choose to trust the child processes and optionally trust all process tree. This settings are inherited thus will not be saved for child process's executable, so if the child's executable runs without inherit, the process
will not be trusted.


Security Process Simulation
---------------------------
The MADP will create fake security processes by using security softwares executable name to trick the malware into interrupting it. This is actually a trap for malwares that interrupt security softwares.


Software Installation Auto-Configuration
----------------------------------------
To make it easier for the user to configure useful programs. The MADP system will detect when an installation program runs and asks the user about it. If the user confirm the installation the MADP system runs the executable's process and its children in a special mode which not only trust them but also trust all executable created by any of these processes. This allows the program's executable to be automatically configured, so not only cause less wrong alerts but also allows better performance by newly installed program.


=-==-==-==-==-==-==-==-=
2.  Implementation
=-==-==-==-==-==-==-==-=

Here below, you will find description of Implementation of a MADP system on Windows NT family. In order to efficiently implement filters, we have to implement filters on kernel-mode so the user-mode malwares can't bypass the filters by any way (excluding a kernel-mode malwares which will be prevented from reaching that level). For MADP implementation we use a kernel-mode driver to hook Windows NT
System Services, so we can monitor actions taken by all processes.

Neoava Guard (beta) is MADP-based software that implements most of MADP parts. For more info visit
http://www.neoava.com.

Implementation details will be published, if it was decided to make it open-source.




**********************************************************************
Please send feedback to <feedback neoava com>

sorry for my bad english.

Arman Nayyeri
Security Researcher
MCSE, MCSA, MCP
From Iran