BleepingComputer.com: How Are Malware Executables Really Hidden ?

I came here (registered) looking for an answer to a specific question.

A friend's computer is heavily infected with several malware's, including Spysheriff, Internet Optimizer, stonedrv.exe and about 4 or 5 more.

I know this because the computers' Ad-Aware sub-program "Ad-Watch" is giving alerts (words to the effect that) "such & such program.exe is attempting to change the registry". The executables named are very specific, and include the full pathnames (example: C:\Program Files\Internet Optimizer\Optimize.exe).

Having some experience in deleting malware, I tried manually deleting the files & directories named with a program called Unlocker Assistant, which will delete files that are protected for one reason or another.

The problem is that I am unable to navigate to any of these files in Windows, either in Normal OR Safe Mode. I can't even navigate to them in (cmd) "DOS" shell either. (Yes, I have "show hidden files" enabled.)

Yet there are registry entires that refer to them (including pathnames) and these Registry Entries reappear after an (apparantly) "successful" deletion, so SOMETHING has to be bringing them back, I can only assume that "Ad-Watch's" alerts are accurate and these executables are on the HD and doing things.

I've asked this question on another (reputable) forum and they are stumped, so I came here. Please note that I am not asking for specific help in removing this malware, I am asking a more general question about the methods that have been (apparantly) successfully employed to hide these files from me, despite my efforts at finding them. I had always thought that Safe Mode DOS was the "guaranteed" way of exposing these types of files, but apparantly the level of sophistication has escalated beyond my (current) ability.

Thanks in advance,

Jimmy

Do yourself and especially your friend a favor and follow the steps provided in the link below.
http://www.bleepingcomputer.com/forums/topic22402.html

Quote

Hi Jimmy Question

Welcome to BC


1) http://www.bleepingcomputer.com/tutorials/understanding-spyware-browser-hijackers-and-dialers/
2) http://www.bleepingcomputer.com/tutorials/how-malware-hides-as-a-service/
3) http://www.bleepingcomputer.com/tutorials/how-to-use-hijackthis/

Preparation Guide For Use Before Posting A Hijackthis Log

Good luck!

Stelios

Dasos,

Thanks for the links but it does not look as if these answer my specific question (I read all of them).

These seem to be "General" methods for malware removal, rather than describing how specific files can exist on a hard drive and be "hidden" from view.

Again, thanks for the attempt, but I am still looking for an answer.

Bump...

Bump...

Since you're not getting the answers you need, and since this is the friendliest forum of this type, will you accept a totally made up, wild guess from a person who knows absolutely nothing about this?

There are two groups of people who know HOW things can hide.

The first is the scumware makers. They aren't gonna tell you, you might steal their secret and use it to get rich or something.

The second group are the people on the security side (major and minor anti-malware companies, this forum's experts and similar). They all spend substantial resources to find the details such as you desire to know. They aren't going to tell you such details (those that they know). It just might expose another hole someplace and give ideas to more criminals of the trash-writing kind. Some things are better to stay unsaid.

Just wild guesses. I wonder if all this makes sense.

Quote

Well of course I "accept" such help, and appreciate it very much. I accept and appreciate ALL sincere help.

I especially appreciate honest answers like "I don't know." (as opposed to authoritive-sounding answers that are actually made-up.

So I also appreciate the "this is made up" disclaimer.

But then, let me ask YOU a question. Given the nature of this forum and it's focus, one assumes you have at least SOME interest in subjects of this type.

Don't YOU want to know this answer ? Seems to me that it is a natural step in the learning process. First we learn how to simply remove the malware by following the directions given to us by those that know more, but don't you think at some point there is a need for more information ?

If an answer is not/cannot be forthcoming, the "next best" ideal is a group of interested and reasonably well-informed people all asking the same question and working toward an answer. At some point, this should reach "critical mass" and the answer discovered and (one would hope) then shared with everyone else.

On the specific issue of SpySheriff, I understand that there is a "stand alone" executable (SmitRem.exe) that does "something", I would assume during the boot process in the intermediary language level between BIOS and Windows. (All of this is (like your "theory" (a nicer way to put it than "made-up")) of course "made up" on my part as well)

And I guess that is really the point. We all sort of "make-up" explanations when we are doing things (malware removal, in this case) by following "rote" instructions, and I am simply becoming dissatisfied with my own "made-up" theoretical understanding of what's really going on.

If possible, I would really like to KNOW. How 'bout you ?

To understand how malware hides, you have to understand what it is.

A Virus is a man-made program (small bits of programming code disguised as something else or buried in other codes) that causes an unexpected and usually undesirable event. A virus can replicate itself and is designed to automatically spread to other computer users.

A Trojan is a destructive stand-alone application that masquerades as a benign program and hides a "nasty surprise" within the original source code. The surprise is a process or function specifically added by the Trojan's programmer that performs an activity the user is unaware of. The malicious code is contained within the source code of an apparently harmless program in such a way that it can gain control and do its chosen form of damage. Trojans are executable programs (.exe, .vbs, .com, .bat, etc) which means that when you open the file, they will perform some action.

A Worm is a a self-supporting program (parasite) considered to be part of the viral camp because they replicate and spread from computer to computer. As with viruses, a worm's malicious act is often the very act of replication; they can overwhelm computer infrastructures by generating massive numbers of e-mails or requests for connections that servers can't handle. Worms differ from viruses in that they are not just bits of code that exist in other files. They can be whole files. In addition, they replicate without the need for another program to be run.

Spyware is usually non-viral and is a generic term for unsolicited commercial software or parasites that is installed without the user's full knowledge, consent, and understanding and that primarily serves the interests of commercial parties associated with the software, not the end users on whose systems those unwanted applications are installed.

RATS (Remote administration Trojans) are pieces of malicious software that let intruders remotely control computers across a network or through the Internet. They are programs that masquerade as one thing when in fact they are something else. The purpose of these programs is not replication, but to penetrate and control. RATs install themselves by exploiting weaknesses in standard programs and browsers. Once they reside on a computer, RATs are hard to detect and remove. They usually operate in the background and do not appear in the Task Manager list.

Nefarious RATs are designed to install themselves in such a way that they are very difficult to remove even after discovery. A variant of the Back Orifice RAT called G_Door installs its server as Kernel32.exe in the Windows system directory, where it's active and locked and controls the registry keys. The active Kernel32.exe cannot be removed, and a reboot will not clear the registry keys. Every time an infected computer starts, Kernel32.exe will be restarted, and the program will be active and locked. Other variants of Back Orifice include Netbus, SubSeven, Bionet and Hack'a'tack. These RATs tend to be families more than single programs. They are morphed by hackers into a vast array of Trojans with similar capabilities. The ability of RAT servers to initiate connections can also allow some of them to evade firewalls.

Alternate Data Streams (ADS) provides a method of hiding root kits or hacker tools on a breached system and allows them to be executed without being detectedr. ADS have come to be used legitimately by a variety of programs, including native Windows operating system to store file information such as attributes and temporary storage. Files with an ADS are almost impossible to detect using native file browsing techniques like command line or windows explorer. Once injected, the ADS can be executed by using traditional commands like type, or start or be scripted inside typical scripting languages like VB or Perl. When launched, the ADS executable will appear to run as the original file - looking undetectable to process viewers like Windows Task Manager. Using this method, it is not only possible to hide a file, but to also hide the execution of an illegitimate process.

Thus malware can hide in any number of places on your system using a number of techniques. Some use Trojan Horses/rootkits to hide themselves while others masquerade as legit files or services. Some malware types can modify the registry and/or the OS to hide and embed itself.

For places that viruses and trojans hide, see: http://www.governmentsecurity.org/articles...deonstartup.php

Rootkits are a new generation of powerful system-monitoring programs that are almost impossible to detect using current security products. Rootkits are not an infection or a trojan in and of themselves. They are used by trojans and software vendors to conceal their presence. Thus a rootkit's purpose is to hide itself and other software from view to prevent a user from identifying and potentially removing an attacker's software. Several Windows-specific rootkits have appeared in the past couple of years. They tend to be bundled with the most dangerous kinds of malware, such as keystroke-logging tools that steal passwords. "Hacker Defender," "FU" and "Vanquish," are examples.

There are several rootkit classifications depending on whether the malware survives reboot and whether it executes in user mode or kernel mode. Explaining what they are and how they work can be complicated so I will refer you to the following links:

Windows rootkits in 2005, Part 1 of 3 [2005-11-04]
http://www.securityfocus.com/infocus/1850

Windows rootkits of 2005, Part 2 of 3 [2005-11-17]
http://www.securityfocus.com/infocus/1851

Windows rootkits of 2005, Part 3 of 3 [2006-01-05]
http://www.securityfocus.com/infocus/1854

Thank you very much, quietman or your extended reply.

Quote

Prior to reading your post, I did a bit of research and found:

http://www.microsuck.com/content/ms-hidden-files.shtml

An excerpt:

Quote

While ignoring the text's author's obvious Anti-Microsoft perspective, I assume the information is still valid. From this I understand that a file may be "hidden" from view (in DOS) if it's parent directory is attributed as a System File. This may explain some of my experiences, but does it explain why I was unable to view the Parent Directory and the files in contained when "show hidden files" (which I assume includes system files) was enabled ?

I occured to me that perhaps if I had found some way to show System Files, I might have been able to make the malware visible.

Given this explanation's inadequacy, the only other alternative I have left is that there was some type of "rootkit" involved. My problem with this one is that it seems rather exotic for a garden variety malware such as "Interent Optimizer".

To your knowledge, does Interent Optimizer make use of a rootkit ?

If not, how can I explain (given my present options) how I was unable to view the file and/or the parent directory ?

Can I assume that ALL files that are this difficult to view to be malware, or is it possible that this is (somehow) "by design" by Microsoft ?

Thanks again for the help, I go now to peruse the links you provided,

Jimmy

"Jimmy Question" said:

YES. And I have gone through on several ocassions on the CA, F-Secure, Symantec sites to see what is affected by the virus. And when I see the mind-boggling list, which is a result of someone's research, about all I can say is WOW! You guys are great. Thank you. Because I have no skills and no time to do this sort of research. But yes, how things hide is a fascinating subject. However, without being skilled in machine code, without knowing what every branch of code takes, I'd never know where to even begin looking for hidden items, how they get there, and how they function.

Bottom line for me - I have to trust the router, the resident Zone Alarm Security Suite, resident Pest Patrol, plus on demand Ad-Aware, Spybot S&D, and previous Hijack This logs for comparison. Challenging enough! Considering the protection I use, I don't get a chance to practice removal - I'm yet to see on my computer spam, virus or spyware, with one exception - OEM installed spyware when I bought a new computer and my sister's computer with traces of some trash which I never found, likely for the reasons of hiding.

Your +S link is interesting.

Big thanks to quietman7 for such an eloquent description. It really does help understanding some of this stuff. It's nice to have it all defined in one place. Goes into my Bookmarks forever.

I'll be watching this thread. It's fascinating.

Quote

My skills are probably parallel with yours. My focus is not on the "machine code" level, as I also do not understand it. (I think this is what the root-kit tutorials are referring to as "kernal level".)

It has been my assumption that the hidden malware files are somehow taking advantage of built-in Windows capabilities, and being able to understand this area seems to be more attainable to me.

Thanks for the "boost"; hope it generates knowledgable interest and responses.