MalwareMutexChecker

No replies to this topic

#1 PresComm

Posted 09 June 2015 - 09:15 AM

Hey, everybody. I assume this is an okay place for this thread to live. I had considered placing it in the "Anti-Malware/Anti-Virus/Etc." section, but that seemed a bit ambitious.

 

As noted in my introduction post (not that everybody necessarily read it), I am currently working on an application that, at this time, I have uncreatively named MalwareMutexChecker. Basically, I am building it with the following 2 functions in mind.

 

1.) A Yara-like scanner. Not sure if I will be adding the "definitions" by default, or hardcoding them into each version, but basically the application will run, try to create various mutexes on a system and, if it is unable to do so because the mutex already exists, an error will be thrown stating just so and listing the malware families that are known to create said mutex. Would be helpful as a quick addition to a toolkit, though probably wouldn't find anything another scanner hasn't already found.

 

2.) A more precise tool that allows for a mutex name to be specified by the user. The application will try to create said mutex and, if it can't because it is already opened, it will let the user know. Could be used if you already suspect a certain family of malware on your system, and you want to quickly check for known mutexes created by the malware.

 

The functionality part is easy. The .NET framework makes opening mutexes in C# easy. See the demo:

 

1.) As a random example, the article here details that KRIPTOVOR checks for a mutex named gordon to see if it has already infected a machine. Let's check for that mutex, shall we?

2.) First, just running the application without any prior modification of the system; here are the results: [Image]

3.) Clearly, there is no mutex named gordon on this machine. But that doesn't help our test, so read on!

4.) I wrote a small application that creates a mutex and holds it until the process is forcefully terminated. After running it, let's see what MalwareMutexChecker says: [Image]

5.) Now we can see that the mutex gordon exists on this system. Based upon that discovery, we may safely assume that KRIPTOVOR has infected this system (assuming no other families also use that same mutex name). If you don't believe the application and want to check yourself manually, you can run WinObj or Objdir and check "Sessions" > "{Session_No}" > "BaseNamedObjects". You should see a listing for a mutant named gordon.

 

Right now, the actual application part works and is easy to code. I have two main concerns on my end.

1.) Would you guys, as remediators, see yourself using this? Is it something you would ask a user to run on a system and then provide you with the output? For anybody interested in forensic analysis, could you see yourself using this tool to quickly enumerate through obviously malicious mutexes on a system?

2.) How to source mutexes? I have been manually going through each family that I encounter at a time and pulling the mutexes from Malwr/VirusTotal. That is obviously inefficient. The MAEC project looks promising, but is still in development stages.

 

This is by no means something I intend to replace any tool/be heralded as the savior of malware cleaning. It is mainly a personal project of mine that I became interested in after reading some articles online, which I have linked below.

 

Note: I am aware that some malware uses system mutexes, like ShimCacheMutex and RasPbFile. I would not include these in any definitions. I am also aware that some malware, like the CryptoWall family, uses 32-bit serialized mutexes, and thus can't really be checked for, unless I code the application to be suspicious of any mutex of a certain length. Definitely a possibility.

Just getting my thoughts out there. Would love some feedback on ideas and such.

 

Links:

Contemplating Malware Immunization via Infection Markers

Looking at Mutex Objects for Malware Discovery and Indicators of Compromise

Mutexes, part one: The Canary in the Coal Mine and Discovering New Families of Malware

Mutexes, part two: Using WinDbg to Begin Reverse Engineering Unknown Malware from Memory
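The check the post describes, written out as an added example. This is not PresComm's MalwareMutexChecker and not code from the linked articles; the definition table (only the gordon/KRIPTOVOR entry comes from the post), the `--hold` test mode and the command-line shape are assumptions made for illustration. Two points the post's description glosses over are built in: the probe opens the mutex rather than creating it, so the checker never plants the infection marker itself, and a mutex that exists but refuses access is still reported as a hit.

```csharp
using System;
using System.Collections.Generic;
using System.Threading;

// Added example: a minimal mutex-marker checker in the spirit of the post.
// Not PresComm's MalwareMutexChecker; the definition table and the
// command-line shape are assumptions made for illustration.
static class MutexMarkerChecker
{
    // Hypothetical definition table: mutex name -> families known to use it.
    // Only "gordon" (KRIPTOVOR, from the write-up the post cites) is real;
    // a full table would be populated from sandbox reports.
    static readonly Dictionary<string, string[]> Definitions =
        new Dictionary<string, string[]>(StringComparer.Ordinal)
        {
            { "gordon", new[] { "KRIPTOVOR" } },
        };

    enum Presence { Absent, Present, PresentNoAccess }

    // Probe a name by OPENING the object, never by creating it. Creating it
    // would plant the very infection marker the malware checks for, which is
    // the "immunization" trade-off the linked articles discuss.
    static Presence Probe(string name)
    {
        try
        {
            // OpenExisting asks for Synchronize|Modify; we never call WaitOne,
            // so the malware's own handle and ownership are untouched.
            using (Mutex.OpenExisting(name))
            {
                return Presence.Present;
            }
        }
        catch (WaitHandleCannotBeOpenedException)
        {
            return Presence.Absent;            // no object with that name
        }
        catch (UnauthorizedAccessException)
        {
            // The object exists but its DACL refuses us. That is still a hit;
            // a scanner that reported "absent" here would miss it.
            return Presence.PresentNoAccess;
        }
    }

    // A name without a prefix lives in the caller's session
    // (\Sessions\N\BaseNamedObjects, the WinObj path the post mentions).
    // Malware that wants one instance per machine uses Global\ instead,
    // so both namespaces are probed.
    static IEnumerable<string> Candidates(string name)
    {
        yield return name;
        yield return @"Global\" + name;
    }

    static int Main(string[] args)
    {
        // --hold <name>: re-creates the post's helper that holds a mutex open
        // until the process exits, so the checker can be tested safely.
        if (args.Length == 2 && args[0] == "--hold")
        {
            using (new Mutex(false, args[1], out bool createdNew))
            {
                Console.WriteLine(createdNew ? "created " + args[1] : args[1] + " already existed");
                Console.WriteLine("holding; press Enter to release");
                Console.ReadLine();
            }
            return 0;
        }

        // No arguments: scan the whole definition table (the post's function 1).
        // Otherwise: probe the user-supplied names (the post's function 2).
        IEnumerable<string> names = args.Length > 0 ? args : Definitions.Keys;
        int hits = 0;
        foreach (string name in names)
        {
            foreach (string candidate in Candidates(name))
            {
                Presence p = Probe(candidate);
                if (p == Presence.Absent) continue;
                hits++;
                string families = Definitions.TryGetValue(name, out string[] f)
                    ? string.Join(", ", f)
                    : "(not in definitions)";
                Console.WriteLine($"{candidate}: {p}; known families: {families}");
            }
        }
        Console.WriteLine(hits == 0 ? "no known mutexes found" : hits + " hit(s)");
        return hits == 0 ? 0 : 1;
    }
}
```

To reproduce the post's walkthrough, run `MutexMarkerChecker.exe --hold gordon` in one console and `MutexMarkerChecker.exe` (or `MutexMarkerChecker.exe gordon`) in another; the second reports `gordon: Present; known families: KRIPTOVOR`. Both consoles must be in the same logon session: an unprefixed name created in session 1 is invisible to a checker run from a remote shell in session 0, which is why the `Global\` variant is also probed and why, when asking a user to run this, the output should come from their interactive session.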


