
How Are Malware Executables Really Hidden ?


12 replies to this topic

#1 Jimmy Question

Jimmy Question

  • Members
  • 9 posts
  • OFFLINE
  • Local time:07:42 AM

Posted 20 September 2006 - 09:55 PM

I came here (registered) looking for an answer to a specific question.

A friend's computer is heavily infected with several pieces of malware, including Spysheriff, Internet Optimizer, stonedrv.exe and about 4 or 5 more.

I know this because the computer's Ad-Aware sub-program "Ad-Watch" is giving alerts (words to the effect that) "such & such program.exe is attempting to change the registry". The executables named are very specific, and include the full pathnames (example: C:\Program Files\Internet Optimizer\Optimize.exe).

Having some experience in deleting malware, I tried manually deleting the files & directories named with a program called Unlocker Assistant, which will delete files that are protected for one reason or another.

The problem is that I am unable to navigate to any of these files in Windows, either in Normal OR Safe Mode. I can't even navigate to them in (cmd) "DOS" shell either. (Yes, I have "show hidden files" enabled.)

Yet there are registry entries that refer to them (including pathnames) and these Registry Entries reappear after an (apparently) "successful" deletion, so SOMETHING has to be bringing them back. I can only assume that "Ad-Watch's" alerts are accurate and these executables are on the HD and doing things.

I've asked this question on another (reputable) forum and they are stumped, so I came here. Please note that I am not asking for specific help in removing this malware, I am asking a more general question about the methods that have been (apparently) successfully employed to hide these files from me, despite my efforts at finding them. I had always thought that Safe Mode DOS was the "guaranteed" way of exposing these types of files, but apparently the level of sophistication has escalated beyond my (current) ability.

Thanks in advance,

Jimmy

Edited by Jimmy Question, 20 September 2006 - 09:59 PM.




#2 buddy215

buddy215

  • BC Advisor
  • 13,004 posts
  • ONLINE
  • Gender:Male
  • Location:West Tennessee
  • Local time:07:42 AM

Posted 20 September 2006 - 10:28 PM

Do yourself and especially your friend a favor and follow the steps provided in the link below.
http://www.bleepingcomputer.com/forums/t/22402/how-to-remove-spysheriff-winstallexe-spysheriffexe/

“Every atom in your body came from a star that exploded and the atoms in your left hand probably came from a different star than your right hand. It really is the most poetic thing I know about physics...you are all stardust.”Lawrence M. Krauss

A 1792 U.S. penny, designed in part by Thomas Jefferson and George Washington, reads “Liberty Parent of Science & Industry.”


#3 Jimmy Question

Jimmy Question
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  • Local time:07:42 AM

Posted 20 September 2006 - 11:14 PM

Please note that I am not asking for specific help in removing this malware, I am asking a more general question about the methods that have been (apparently) successfully employed to hide these files from me, despite my efforts at finding them.



#4 DASOS

DASOS

    Malware hunter


  • Security Colleague
  • 1,662 posts
  • OFFLINE
  • Gender:Male
  • Location:Greece loutraki 6 km from korinth canal
  • Local time:02:42 PM

Posted 21 September 2006 - 06:02 AM

Hi Jimmy Question

Welcome to BC


1) http://www.bleepingcomputer.com/tutorials/understanding-spyware-browser-hijackers-and-dialers/
2) http://www.bleepingcomputer.com/tutorials/how-malware-hides-as-a-service/
3) http://www.bleepingcomputer.com/tutorials/how-to-use-hijackthis/

Preparation Guide For Use Before Posting A Hijackthis Log

Good luck!

Stelios

#5 Jimmy Question

Jimmy Question
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  • Local time:07:42 AM

Posted 21 September 2006 - 06:23 PM

Dasos,

Thanks for the links but it does not look as if these answer my specific question (I read all of them).

These seem to be "General" methods for malware removal, rather than describing how specific files can exist on a hard drive and be "hidden" from view.

Again, thanks for the attempt, but I am still looking for an answer.

#6 Jimmy Question

Jimmy Question
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  • Local time:07:42 AM

Posted 22 September 2006 - 07:52 AM

Bump...

#7 Jimmy Question

Jimmy Question
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  • Local time:07:42 AM

Posted 22 September 2006 - 08:23 PM

Bump...

#8 tos226

tos226

    BleepIN--BleepOUT


  • Members
  • 1,568 posts
  • OFFLINE
  • Gender:Female
  • Location:LocalHost
  • Local time:08:42 AM

Posted 22 September 2006 - 08:52 PM

Since you're not getting the answers you need, and since this is the friendliest forum of this type, will you accept a totally made up, wild guess from a person who knows absolutely nothing about this?

There are two groups of people who know HOW things can hide.

The first is the scumware makers. They aren't gonna tell you, you might steal their secret and use it to get rich or something.

The second group are the people on the security side (major and minor anti-malware companies, this forum's experts and similar). They all spend substantial resources to find the details such as you desire to know. They aren't going to tell you such details (those that they know). It just might expose another hole someplace and give ideas to more criminals of the trash-writing kind. Some things are better to stay unsaid.

Just wild guesses. I wonder if all this makes sense.

#9 Jimmy Question

Jimmy Question
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  • Local time:07:42 AM

Posted 23 September 2006 - 12:44 AM

Since you're not getting the answers you need, and since this is the friendliest forum of this type, will you accept a totally made up, wild guess from a person who knows absolutely nothing about this?


Well of course I "accept" such help, and appreciate it very much. I accept and appreciate ALL sincere help.

I especially appreciate honest answers like "I don't know." (as opposed to authoritative-sounding answers that are actually made up).

So I also appreciate the "this is made up" disclaimer.

But then, let me ask YOU a question. Given the nature of this forum and its focus, one assumes you have at least SOME interest in subjects of this type.

Don't YOU want to know this answer ? Seems to me that it is a natural step in the learning process. First we learn how to simply remove the malware by following the directions given to us by those that know more, but don't you think at some point there is a need for more information ?

If an answer is not/cannot be forthcoming, the "next best" ideal is a group of interested and reasonably well-informed people all asking the same question and working toward an answer. At some point, this should reach "critical mass" and the answer discovered and (one would hope) then shared with everyone else.

On the specific issue of SpySheriff, I understand that there is a "stand alone" executable (SmitRem.exe) that does "something", I would assume during the boot process in the intermediary language level between BIOS and Windows. (All of this is (like your "theory" (a nicer way to put it than "made-up")) of course "made up" on my part as well)

And I guess that is really the point. We all sort of "make up" explanations when we are doing things (malware removal, in this case) by following "rote" instructions, and I am simply becoming dissatisfied with my own "made-up" theoretical understanding of what's really going on.

If possible, I would really like to KNOW. How 'bout you ?

#10 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,141 posts
  • ONLINE
  • Gender:Male
  • Location:Virginia, USA
  • Local time:08:42 AM

Posted 23 September 2006 - 08:16 AM

To understand how malware hides, you have to understand what it is.

A Virus is a man-made program (small bits of programming code disguised as something else or buried in other codes) that causes an unexpected and usually undesirable event. A virus can replicate itself and is designed to automatically spread to other computer users.

A Trojan is a destructive stand-alone application that masquerades as a benign program and hides a "nasty surprise" within the original source code. The surprise is a process or function specifically added by the Trojan's programmer that performs an activity the user is unaware of. The malicious code is contained within the source code of an apparently harmless program in such a way that it can gain control and do its chosen form of damage. Trojans are executable programs (.exe, .vbs, .com, .bat, etc) which means that when you open the file, they will perform some action.

A Worm is a self-supporting program (parasite) considered to be part of the viral camp because they replicate and spread from computer to computer. As with viruses, a worm's malicious act is often the very act of replication; they can overwhelm computer infrastructures by generating massive numbers of e-mails or requests for connections that servers can't handle. Worms differ from viruses in that they are not just bits of code that exist in other files. They can be whole files. In addition, they replicate without the need for another program to be run.

Spyware is usually non-viral and is a generic term for unsolicited commercial software or parasites that are installed without the user's full knowledge, consent, and understanding and that primarily serve the interests of commercial parties associated with the software, not the end users on whose systems those unwanted applications are installed.

RATs (Remote Administration Trojans) are pieces of malicious software that let intruders remotely control computers across a network or through the Internet. They are programs that masquerade as one thing when in fact they are something else. The purpose of these programs is not replication, but to penetrate and control. RATs install themselves by exploiting weaknesses in standard programs and browsers. Once they reside on a computer, RATs are hard to detect and remove. They usually operate in the background and do not appear in the Task Manager list.

Nefarious RATs are designed to install themselves in such a way that they are very difficult to remove even after discovery. A variant of the Back Orifice RAT called G_Door installs its server as Kernel32.exe in the Windows system directory, where it's active and locked and controls the registry keys. The active Kernel32.exe cannot be removed, and a reboot will not clear the registry keys. Every time an infected computer starts, Kernel32.exe will be restarted, and the program will be active and locked. Other variants of Back Orifice include Netbus, SubSeven, Bionet and Hack'a'tack. These RATs tend to be families more than single programs. They are morphed by hackers into a vast array of Trojans with similar capabilities. The ability of RAT servers to initiate connections can also allow some of them to evade firewalls.

Alternate Data Streams (ADS) provide a method of hiding root kits or hacker tools on a breached system and allow them to be executed without being detected. ADS have come to be used legitimately by a variety of programs, including the native Windows operating system, to store file information such as attributes and temporary storage. Files with an ADS are almost impossible to detect using native file browsing techniques like the command line or Windows Explorer. Once injected, the ADS can be executed by using traditional commands like type or start, or be scripted inside typical scripting languages like VB or Perl. When launched, the ADS executable will appear to run as the original file - looking undetectable to process viewers like Windows Task Manager. Using this method, it is not only possible to hide a file, but to also hide the execution of an illegitimate process.

Thus malware can hide in any number of places on your system using a number of techniques. Some use Trojan Horses/rootkits to hide themselves while others masquerade as legit files or services. Some malware types can modify the registry and/or the OS to hide and embed itself.

For places that viruses and trojans hide, see: http://www.governmentsecurity.org/articles...deonstartup.php

Rootkits are a new generation of powerful system-monitoring programs that are almost impossible to detect using current security products. Rootkits are not an infection or a trojan in and of themselves. They are used by trojans and software vendors to conceal their presence. Thus a rootkit's purpose is to hide itself and other software from view to prevent a user from identifying and potentially removing an attacker's software. Several Windows-specific rootkits have appeared in the past couple of years. They tend to be bundled with the most dangerous kinds of malware, such as keystroke-logging tools that steal passwords. "Hacker Defender," "FU" and "Vanquish," are examples.

There are several rootkit classifications depending on whether the malware survives reboot and whether it executes in user mode or kernel mode. Explaining what they are and how they work can be complicated so I will refer you to the following links:

Windows rootkits in 2005, Part 1 of 3 [2005-11-04]
http://www.securityfocus.com/infocus/1850

Windows rootkits of 2005, Part 2 of 3 [2005-11-17]
http://www.securityfocus.com/infocus/1851

Windows rootkits of 2005, Part 3 of 3 [2006-01-05]
http://www.securityfocus.com/infocus/1854
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click the link in my profile.

#11 Jimmy Question

Jimmy Question
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  • Local time:07:42 AM

Posted 23 September 2006 - 08:03 PM

Thank you very much, quietman, for your extended reply.

Thus a rootkit's purpose is to hide itself and other software from view to prevent a user from identifying and potentially removing an attacker's software.


Prior to reading your post, I did a bit of research and found:

http://www.microsuck.com/content/ms-hidden-files.shtml

An excerpt:

6.0. +S MEANS [S]ECRET NOT [S]YSTEM
Executing the "dir/a/s" command from root should be the correct command to display all files in all subdirectories in DOS. However, doing so will not display the index.dat files. This is because when DOS tries to get a list of the subdirectories of any +s[ystem] directory it hits a brick wall. No files or folders will be listed within any system directory. Not only does this defeat the whole purpose of the "/s" switch in the first place, but I'd say it looks like Microsoft took extra precautions to keep people from finding the files. Remember, the only thing you need to do to obscure a file in DOS is to mark the parent directories as +s[ystem].


While ignoring the text's author's obvious Anti-Microsoft perspective, I assume the information is still valid. From this I understand that a file may be "hidden" from view (in DOS) if its parent directory is attributed as a System File. This may explain some of my experiences, but does it explain why I was unable to view the Parent Directory and the files it contained when "show hidden files" (which I assume includes system files) was enabled?

It occurred to me that perhaps if I had found some way to show System Files, I might have been able to make the malware visible.

Given this explanation's inadequacy, the only other alternative I have left is that there was some type of "rootkit" involved. My problem with this one is that it seems rather exotic for a garden variety malware such as "Internet Optimizer".

To your knowledge, does Internet Optimizer make use of a rootkit?

If not, how can I explain (given my present options) how I was unable to view the file and/or the parent directory?

Can I assume that ALL files that are this difficult to view are malware, or is it possible that this is (somehow) "by design" by Microsoft?

Thanks again for the help; I go now to peruse the links you provided,

Jimmy
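
As an added illustration of the two hiding techniques this thread discusses (the +S attribute trick quoted above and the alternate data streams quietman7 describes), here is a PowerShell script that is not from the thread or any of its posters; it assumes a starting folder $Root that you point at the suspect location and an elevated PowerShell 3.0 or later session.

```powershell
# Added example, not code from the thread: list files hidden by the two
# techniques discussed above, Hidden+System attributes and NTFS alternate
# data streams. $Root is an assumed starting point; set it to the folder
# under suspicion and run in an elevated PowerShell 3.0+ session.
param(
    [string]$Root = 'C:\Program Files'
)

# Part 1: attribute check. Explorer's "show hidden files" still skips
# items that are BOTH Hidden and System unless "hide protected operating
# system files" is also turned off; -Force makes Get-ChildItem return them.
$hiddenSystem = Get-ChildItem -LiteralPath $Root -Recurse -Force -ErrorAction SilentlyContinue |
    Where-Object {
        (($_.Attributes -band [IO.FileAttributes]::Hidden) -ne 0) -and
        (($_.Attributes -band [IO.FileAttributes]::System) -ne 0)
    }

foreach ($item in $hiddenSystem) {
    # A directory flagged +S+H is the case the quoted +S excerpt describes:
    # everything beneath it drops out of an ordinary listing.
    $kind = if ($item.PSIsContainer) { 'DIR ' } else { 'FILE' }
    Write-Output ('{0}  +S+H  {1}' -f $kind, $item.FullName)
}

# Part 2: ADS check. Every NTFS file has the unnamed ':$DATA' stream; any
# extra named stream can carry a second payload that no normal directory
# listing shows. 'Zone.Identifier' is the benign "downloaded from the
# internet" marker that browsers write, so it is filtered out here.
$files = Get-ChildItem -LiteralPath $Root -Recurse -Force -File -ErrorAction SilentlyContinue
foreach ($file in $files) {
    $extra = Get-Item -LiteralPath $file.FullName -Stream * -ErrorAction SilentlyContinue |
        Where-Object { $_.Stream -ne ':$DATA' -and $_.Stream -ne 'Zone.Identifier' }
    foreach ($s in $extra) {
        Write-Output ('ADS   {0,8} bytes  {1}:{2}' -f $s.Length, $file.FullName, $s.Stream)
    }
}
```

A kernel-mode rootkit that hooks directory enumeration can still lie to this script, so a clean result from inside the running system should be confirmed with an offline scan (booting from separate media) before trusting it.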

#12 tos226

tos226

    BleepIN--BleepOUT


  • Members
  • 1,568 posts
  • OFFLINE
  • Gender:Female
  • Location:LocalHost
  • Local time:08:42 AM

Posted 24 September 2006 - 06:55 PM

"Don't you want to know this answer?"

YES. And I have gone through on several occasions the CA, F-Secure, Symantec sites to see what is affected by the virus. And when I see the mind-boggling list, which is a result of someone's research, about all I can say is WOW! You guys are great. Thank you. Because I have no skills and no time to do this sort of research. But yes, how things hide is a fascinating subject. However, without being skilled in machine code, without knowing what every branch of code takes, I'd never know where to even begin looking for hidden items, how they get there, and how they function.

Bottom line for me - I have to trust the router, the resident Zone Alarm Security Suite, resident Pest Patrol, plus on demand Ad-Aware, Spybot S&D, and previous Hijack This logs for comparison. Challenging enough! Considering the protection I use, I don't get a chance to practice removal - I've yet to see on my computer spam, a virus or spyware, with one exception - OEM installed spyware when I bought a new computer, and my sister's computer with traces of some trash which I never found, likely for the reasons of hiding.

Your +S link is interesting.

Big thanks to quietman7 for such an eloquent description. It really does help understanding some of this stuff. It's nice to have it all defined in one place. Goes into my Bookmarks forever.

I'll be watching this thread. It's fascinating.

#13 Jimmy Question

Jimmy Question
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  • Local time:07:42 AM

Posted 24 September 2006 - 07:05 PM

However, without being skilled in machine code, without knowing what every branch of code takes, I'd never know where to even begin looking for hidden items, how they get there, and how they function.


My skills are probably parallel with yours. My focus is not on the "machine code" level, as I also do not understand it. (I think this is what the root-kit tutorials are referring to as "kernel level".)

It has been my assumption that the hidden malware files are somehow taking advantage of built-in Windows capabilities, and being able to understand this area seems to be more attainable to me.

Thanks for the "boost"; hope it generates knowledgeable interest and responses.



