Bugtraq mailing list archives

Research: Malware Action Detection and Protection


From: "Arman Nayyeri" <arman-n () phreaker net>
Date: Sat, 7 Jan 2006 11:20:41 +0330

Hi,

After 15 months of work it is MADP's showtime. The people who remember my last
finding about Windows Media Player vulns should remember the IDT project, and I
must say that they are both the same but with different names.

The following is a plain text copy of the MADP v1.0 document. First read the
document and then give Neoava Guard beta v1.0 a try. I hope this new technique
helps stop (at least some) malware.

Any company or person willing to become my partner or to help me commercialize
Neoava Guard (MADP's sample) please contact me (participate neoava com).

For more info, to download Neoava Guard, or for new versions of the document, visit:
http://www.neoava.com

The MADP document is copyright of me (Arman Nayyeri).

Here you are:


*************************************************************
Malware Action Detection and Protection


=-==-==-==-=
1. Design
=-==-==-==-=

The goal of the MADP project is to find a way to detect and protect against unknown malware. Unknown malware cannot be detected by signature-based anti-virus programs, and the most recent successful worms did most of their spreading while they were still unknown to anti-virus. MADP allows an anti-virus to detect the actions that malware takes. MADP is not a replacement for signature-based anti-virus; it is meant to be used together with it, so that MADP is responsible only for unknown threats while the signature-based anti-virus protects the system against known threats.

MADP consists of a series of filters that detect actions commonly taken by malware. MADP filters detect:

1. E-mail worms
2. File Infector viruses
3. Destructive programs
4. Internet Worms
5. Trojans
6. Adware


MADP systems rely on executable-based permissions instead of the user-based permissions provided by the OS. This allows the user to place no restrictions on her trusted processes and very limited permissions on every other process. When an MADP filter detects a suspicious action taken by the process of an unprivileged executable, it does one of the following:

* Blocks the action and increases the "Violation Score"
* Allows the action and increases the "Violation Score"
* Grants the process permission for this action (remembered for later requests) and does not increase the "Violation Score"
* Denies the process permission for this action (remembered for later requests) and increases the "Violation Score"

The "Violation Score" is a per-executable number that increases every time that executable's process commits a violation. The amount added depends on how suspicious the action is. When the Violation Score reaches a specific (configurable) threshold, the MADP system alerts the user about the executable and asks the user to choose whether to Remove, Quarantine or Skip it.
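As an added illustration of the Violation Score mechanism (example code written for this page, not part of Neoava Guard or the MADP document), the following Python models per-executable scoring: a one-shot allow or block raises the score, a remembered grant never does, a remembered deny keeps raising it, and crossing the configurable threshold produces the Remove / Quarantine / Skip alert. The action names, weights and threshold are assumptions chosen for the example.

```python
"""Per-executable Violation Score policy in the style of the MADP design.
Illustrative code for this page; action names, weights and the threshold
are assumed values, not Neoava Guard's."""
from dataclasses import dataclass, field
from enum import Enum


class Decision(Enum):
    ALLOW = "allow"   # one-shot: allow this request, raise the score
    BLOCK = "block"   # one-shot: block this request, raise the score
    GRANT = "grant"   # remembered: always allow, never raise the score
    DENY = "deny"     # remembered: always block, raise the score each time


# Score added per action; larger means more suspicious (assumed values).
ACTION_WEIGHTS = {
    "read_wab": 30,
    "connect_port25": 20,
    "write_hosts_file": 40,
    "write_process_memory": 50,
    "create_remote_thread": 50,
    "create_run_key": 25,
}
DEFAULT_WEIGHT = 10


@dataclass
class ExecutableRecord:
    violation_score: int = 0
    trusted: bool = False
    permissions: dict = field(default_factory=dict)   # action -> GRANT/DENY
    alerted: bool = False


@dataclass
class MadpPolicy:
    threshold: int = 100
    records: dict = field(default_factory=dict)        # exe path -> record

    def record(self, exe: str) -> ExecutableRecord:
        return self.records.setdefault(exe, ExecutableRecord())

    def trust(self, exe: str) -> None:
        self.record(exe).trusted = True

    def check(self, exe: str, action: str, user_choice=None):
        """Filter one suspicious action by `exe`.

        Returns (allowed, alert).  `user_choice` is the Decision picked at
        the prompt; when None the remembered permission is used, and when
        there is none the action is blocked by default."""
        rec = self.record(exe)
        if rec.trusted:
            return True, False          # trusted executables are unrestricted
        decision = user_choice or rec.permissions.get(action, Decision.BLOCK)
        if decision in (Decision.GRANT, Decision.DENY):
            rec.permissions[action] = decision      # persists for this exe
        if decision is not Decision.GRANT:
            rec.violation_score += ACTION_WEIGHTS.get(action, DEFAULT_WEIGHT)
        allowed = decision in (Decision.ALLOW, Decision.GRANT)
        alert = rec.violation_score >= self.threshold and not rec.alerted
        if alert:
            rec.alerted = True          # caller now prompts Remove/Quarantine/Skip
        return allowed, alert
```

The alert fires once per executable; a real system would reset `alerted` after the user chooses Skip so a later burst of violations prompts again.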

An MADP system consists of a series of filters. Here is the list of detection filters by type:

Note: Some filters overlap others, but both are listed here because one is less restrictive and
the other more restrictive. They can be configured by the user.

A. Spread Detection
-------------------
These filters are used to detect worms/viruses when they are trying to spread or are preparing
to spread.

1. Reading Windows Address Book
2. Writing to large number of executable files
3. Scanning Network
4. Port 25 connection
5. Connecting to large number of hosts on port 25
6. Connecting to host configured as user's SMTP server (on the configured port)
7. Reading large number of text files

Spread detection filter 1 is used to detect e-mail worms that try to read the default Windows Address Book (WAB) file in order to obtain a large number of e-mail addresses for spreading. We look up the default WAB file of every logged-on user so that all of them are monitored.

Spread detection filter 2 is used to detect spreading by a file-infector virus. For better detection and fewer false alerts we check not only the number of distinct executable files written within a given amount of time but also the number of directory listings (requests for the list of files in a directory), because no virus knows the names of the executables on the system and must query directories to find them. This lets us distinguish useful programs from malware. We also take into account what usually happens when a useful process writes to an executable, namely that it is creating or copying one: it first creates the executable file and then writes to it. So we exclude executables that the process created itself and
then wrote to.

Spread detection filter 3 is used to detect internet worms that scan networks for hosts with open ports, or ping them to find live hosts. We check the number of distinct hosts connected to
within a limited amount of time.

Spread detection filter 4 is used to detect e-mail worms that use an SMTP server to send
e-mail.

Spread detection filter 5 is used to detect e-mail worms that use their own SMTP engine to send e-mail directly to the mail server of each target domain. We check the number of distinct
hosts connected to on port 25 within a limited amount of time.

Spread detection filter 6 is used to detect e-mail worms that send e-mail through the user's own
SMTP server (possibly using the user's credentials if these are required).

Spread detection filter 7 is used to detect e-mail worms that scan text files on the local hard drive for e-mail addresses. For better detection and fewer false alerts we check not only the number of distinct text files read within a limited amount of time but also the number of directory listings, because no worm knows the names of the text files on the system and must query directories to find them; this lets us distinguish useful programs from malware.
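The rate-based filters above (2, 3, 4, 5 and 7) share one building block: counting distinct targets inside a sliding time window, and, for the file filters, only alerting when the process has also been enumerating directories and (for filter 2) did not create the executables it is writing. The following Python is an added example written for this page, not Neoava Guard's code; the event format, the 60 second window, the thresholds and the three traces are all constructed for the example.

```python
"""Sliding-window spread detection in the style of MADP filters 2, 3, 4, 5
and 7.  Example code for this page; window, thresholds and event format are
assumptions."""
from collections import deque


class DistinctInWindow:
    """Count distinct keys seen within the last `window` seconds."""

    def __init__(self, window: float):
        self.window = window
        self.events = deque()            # (timestamp, key), oldest first

    def count(self, now: float) -> int:
        while self.events and self.events[0][0] < now - self.window:
            self.events.popleft()
        return len({key for _, key in self.events})

    def add(self, now: float, key) -> int:
        self.events.append((now, key))
        return self.count(now)


EXE_EXT = (".exe", ".dll", ".scr", ".com")
TXT_EXT = (".txt", ".htm", ".html", ".eml")


class SpreadDetector:
    """One instance per process.  Thresholds are example values."""

    def __init__(self, window=60.0, file_threshold=10, dir_threshold=3, host_threshold=20):
        self.exe_writes = DistinctInWindow(window)
        self.txt_reads = DistinctInWindow(window)
        self.dir_lists = DistinctInWindow(window)
        self.hosts = DistinctInWindow(window)
        self.smtp_hosts = DistinctInWindow(window)
        self.created = set()             # files this process created itself (copy/install)
        self.file_threshold = file_threshold
        self.dir_threshold = dir_threshold
        self.host_threshold = host_threshold

    def enumerated(self, now: float) -> bool:
        # Malware must list directories to learn file names; a program that
        # writes files it already knows by name does not.
        return self.dir_lists.count(now) >= self.dir_threshold

    def feed(self, ev: dict) -> set:
        """Feed one event and return the names of the filters it trips."""
        now, op = ev["ts"], ev["op"]
        tripped = set()
        if op == "list_dir":
            self.dir_lists.add(now, ev["path"].lower())
        elif op == "create":
            self.created.add(ev["path"].lower())
        elif op == "write":
            path = ev["path"].lower()
            # Filter 2: an infector writes executables it did not create.
            if path.endswith(EXE_EXT) and path not in self.created:
                if self.exe_writes.add(now, path) >= self.file_threshold and self.enumerated(now):
                    tripped.add("spread2_file_infector")
        elif op == "read":
            path = ev["path"].lower()
            # Filter 7: address harvesting reads many text files it had to enumerate.
            if path.endswith(TXT_EXT):
                if self.txt_reads.add(now, path) >= self.file_threshold and self.enumerated(now):
                    tripped.add("spread7_address_harvest")
        elif op == "connect":
            # Filter 3: many distinct hosts in a short time looks like a scan.
            if self.hosts.add(now, ev["host"]) >= self.host_threshold:
                tripped.add("spread3_network_scan")
            if ev["port"] == 25:
                tripped.add("spread4_port25")          # Filter 4: any SMTP connection
                # Filter 5: own SMTP engine delivering to many domains' mail servers.
                if self.smtp_hosts.add(now, ev["host"]) >= self.host_threshold:
                    tripped.add("spread5_mass_mailer")
        return tripped


def simulate(events, **kwargs) -> set:
    """Run a trace through a fresh detector and return every filter tripped."""
    det = SpreadDetector(**kwargs)
    tripped = set()
    for ev in events:
        tripped |= det.feed(ev)
    return tripped


# Constructed traces (not captured from real software).
INFECTOR = [{"ts": t, "op": "list_dir", "path": f"C:\\dir{t}"} for t in range(3)] + [
    {"ts": 3 + i, "op": "write", "path": f"C:\\dir{i % 3}\\prog{i}.exe"} for i in range(10)]
INSTALLER = [{"ts": t, "op": "list_dir", "path": f"C:\\dir{t}"} for t in range(3)] + [
    ev for i in range(10) for ev in (
        {"ts": 3 + i, "op": "create", "path": f"C:\\app\\tool{i}.exe"},
        {"ts": 3 + i, "op": "write", "path": f"C:\\app\\tool{i}.exe"})]
MAILER = [{"ts": i, "op": "connect", "host": f"mx{i}.example.net", "port": 25} for i in range(20)]
```

The installer trace writes the same number of executables as the infector trace and lists the same directories, yet trips nothing, because every file it writes is one it created first; that created-then-written exclusion is what keeps a setup program from looking like a file infector.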


B. Startup Detection
--------------------
1. Internet Browser plug-in creation/modification
2. Windows Explorer plug-in creation/modification
3. Service creation
4. Service modification
5. Startup creation (Startup Folders, Registry Keys)
6. Changing execution way of executable files
7. Browser Helper Object (BHO) creation
8. Browser Helper Object (BHO) modification
9. AppInit_DLLs registry modification
10. Shell Service Objects creation
11. Shell Service Objects modification

Startup detection filters 1 and 2 are used to detect malware (trojans, adware, etc.) that creates or modifies browser/explorer plug-ins in order not only to start every time one of these programs starts but also to bypass security software (firewalls, anti-virus, etc.), since a plug-in runs in the context of the browser or explorer process. So these filters can be classified as both
Startup Detection and Security-Bypass Detection.

Startup detection filters 3 and 4 are used to detect malware (worms, viruses, rootkits, etc.) that creates or modifies NT services in order to start every time Windows starts. These filters also fit the Security-Bypass Detection category, because malware can create a kernel-mode driver service to bypass security software and gain unlimited access to the file system and every other part of the system, and can even damage hardware. Malware can also modify a security product's
service in order to disable it and bypass its restrictions.

Startup detection filter 5 is used to detect most malware that uses the common startup locations to start every time Windows starts. This filter covers a set of registry keys known to be used for
startup, as well as all of the startup folders.

Startup detection filter 6 is used to detect malware that changes a registry value so that Windows Explorer runs the malware's executable every time the user runs an executable. This technique is used by many malware families and often causes problems when the malware's
executable is removed without resetting the registry value.

Startup detection filters 7 and 8 are used to detect malware (adware, trojans, etc.) that uses Browser Helper Objects (BHOs) in order not only to start every time Internet Explorer runs but also to bypass security software (firewalls, anti-virus, etc.), since a BHO runs in the context of the browser process. So these filters can be classified as both Startup Detection and
Security-Bypass Detection.

Startup detection filter 9 is used to detect malware that changes the AppInit_DLLs registry value so that its DLL is loaded into every process that runs on Windows (every process that loads user32.dll). This method can also be used to inject code and therefore to bypass security software.

Startup detection filters 10 and 11 are used to detect malware that creates or modifies a Shell Service Object (SSO). An SSO can be used to load a DLL into the explorer.exe process every time Windows Explorer starts, so it can also be used to bypass security software.
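Most of the Startup Detection filters above reduce to one question: does a registry write land in a known autostart location, and is it creating a new entry or modifying an existing one? The following Python is an added example for this page (not Neoava Guard's driver code): it normalizes a registry value path and maps it to the filter it belongs to. The key paths are the well-known Windows locations for these mechanisms; the document does not publish its own list, so the table here is mine and is not complete, and the sample writes are constructed.

```python
"""Classify registry writes against MADP-style startup filters.  Example
code for this page; the filter table is a partial list of well-known
Windows autostart locations chosen for the example."""
import re

HIVES = {"HKEY_LOCAL_MACHINE": "HKLM", "HKEY_CURRENT_USER": "HKCU",
         "HKEY_CLASSES_ROOT": "HKCR", "HKEY_USERS": "HKU"}

# (regex over the normalized path, startup filter it belongs to)
STARTUP_FILTERS = [
    (r"^HKLM\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\EXPLORER\\BROWSER HELPER OBJECTS\\",
     "7/8 BHO"),
    (r"^HKLM\\SOFTWARE\\MICROSOFT\\WINDOWS NT\\CURRENTVERSION\\WINDOWS\\APPINIT_DLLS$",
     "9 AppInit_DLLs"),
    (r"^HKLM\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\SHELLSERVICEOBJECTDELAYLOAD\\",
     "10/11 Shell Service Object"),
    (r"^HKLM\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\EXPLORER\\SHELLEXECUTEHOOKS\\",
     "2 Explorer plug-in"),
    (r"^HKLM\\SYSTEM\\CURRENTCONTROLSET\\SERVICES\\[^\\]+\\(IMAGEPATH|START|TYPE|PARAMETERS\\SERVICEDLL)$",
     "3/4 service"),
    (r"^HK(LM|CU)\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\RUN(ONCE)?\\",
     "5 Run key"),
    (r"^HKCR\\EXEFILE\\SHELL\\OPEN\\COMMAND\\",
     "6 exefile handler"),
]


def normalize(path: str) -> str:
    """Upper-case the path, shorten the hive name and fold HKU\\<SID>\\ into HKCU."""
    hive, _, rest = path.partition("\\")
    hive = HIVES.get(hive.upper(), hive.upper())
    if hive == "HKU":                       # HKU\S-1-5-...\Software\... is a user's HKCU
        _, _, rest = rest.partition("\\")
        hive = "HKCU"
    return hive + "\\" + rest.upper()


def classify_registry_write(path: str, existed: bool):
    """Return (filter name, "create"|"modify") for an autostart write, else None.

    `existed` tells whether the value was already present, which is what
    separates the create filters (3, 7, 10) from the modify ones (4, 8, 11)."""
    norm = normalize(path)
    for pattern, name in STARTUP_FILTERS:
        if re.search(pattern, norm):
            return name, "modify" if existed else "create"
    return None


# Constructed sample writes: (value path, value already existed?)
SAMPLE_WRITES = [
    ("HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\Updater", False),
    ("HKEY_USERS\\S-1-5-21-1-2-3-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\x", False),
    ("HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\Beep\\ImagePath", True),
    ("HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Windows\\AppInit_DLLs", True),
    ("HKEY_CLASSES_ROOT\\exefile\\shell\\open\\command\\(Default)", True),
    ("HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\"
     "Browser Helper Objects\\{01234567-89AB-CDEF-0123-456789ABCDEF}", False),
    ("HKEY_CURRENT_USER\\Software\\Example\\Settings\\Theme", True),
]


def classify_all(writes=SAMPLE_WRITES):
    return [classify_registry_write(p, existed) for p, existed in writes]
```

A kernel-mode implementation sees these writes at the registry system-service level, where per-user hives appear under HKEY_USERS; that is why the normalizer folds the SID component away before matching.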


C. Security-Bypass Detection
----------------------------
1. Interrupting security software processes
2. Accessing MADP's own files and settings
3. Startup folder's path modification
4. Process memory modification
5. Global windows hooks creation
6. Windows hooks creation
7. Sending keyboard/mouse input to another process
8. Remote thread creation

Security-Bypass detection filter 1 is used to detect malware that tries to interrupt security-related processes in some way in order to bypass their settings. MADP systems let the user choose the security-related executables on her computer and mark them as Secure. Every attempt to terminate or suspend a secure process, or one of its threads, is then caught by this
filter.

Security-Bypass detection filter 2 is used to detect malware that is programmed to change or damage MADP's own settings or files in order to bypass the protection the MADP
system provides.

Security-Bypass detection filter 3 is used to detect malware that changes the startup folder's
path in order to hide its startup files from the user and from security software.

Security-Bypass detection filter 4 is used to detect malware that modifies another process's memory in order to inject code into it or to interrupt it. This method has been used by programs to write code into another process's memory and then run it by creating a remote
thread or by other means.

Security-Bypass detection filters 5 and 6 are used to detect malware (keyloggers, trojans, etc.) that creates a (global) Windows hook to inject its code into other processes. A hook can also be used to log the keystrokes sent to other windows, so these filters could also be listed as Damage
Detection filters.

Security-Bypass detection filter 7 is used to detect malware that sends keyboard/mouse input to
other windows in order to act on behalf of the user.

Security-Bypass detection filter 8 is used to detect malware that creates a remote thread in
another process in order to interrupt it or inject code into it.


D. Damage Detection
-------------------

1. HOSTS file modification
2. Deleting large number of files
3. Writing to large number of files
4. Listening on a port
5. User Protected Files

Damage detection filter 1 is used to detect malware that modifies the HOSTS file to prevent the user from reaching security-related websites and/or to stop anti-virus programs from updating their definitions, by redirecting those host names to an invalid IP address. Windows consults the HOSTS
file to resolve host names to IP addresses before issuing a DNS query.

Damage detection filter 2 is used to detect malware that deletes a large number of files in a limited amount of time. Few useful programs delete many files quickly, and fewer still when we also require that the process has listed a number of different directories. So we add directory listing to this filter, because malware must obtain the list of files in a directory
before it can delete them.

Damage detection filter 3 is used to detect malware that writes to a very large number of files in a limited amount of time. Few useful programs write to that many files quickly, and fewer still when we also require that the process has listed a number of different directories. So we add directory listing to this filter, because malware
must obtain the list of files in a directory before it can write to them.

Damage detection filter 4 is used to detect malware (trojans) that listens for incoming connections on a port in order to receive instructions from its author or an attacker, who can then delete or leak personal or sensitive data. Almost all firewalls apply this kind of filter.

Damage detection filter 5 is used to protect the user's confidential/important files from malware. The user adds files/folders and sets a protection level for them. The protection levels are (1) Open, (2) Read, (3) Write, (4) Delete. The user can grant any executable permission to open/read/write/delete her protected files, and can choose to be asked when the MADP system
finds a request that matches a protected file and level.


E. Execution Detection
----------------------
1. Multi-Extension Execution
2. Process creation by Internet Explorer and/or other browser
3. Script file execution

Execution detection filter 1 is used to detect multi-extension executables that try to trick the user into running a malicious executable. This social-engineering trick is used by many e-mail viruses and by many attackers to get victims to run their executable, because the victim
thinks it is a non-executable, safe file.

Execution detection filter 2 is used to minimize the risk when the browser is exploited by a malicious website, by asking the user before allowing any process creation by the browser. The
MADP system can let the user always allow certain executables to be run.

Execution detection filter 3 is used to detect script-file malware by asking the user about its execution. The MADP system can also run a simple check on the script file to detect
suspicious actions in it.


Damage Reduction
----------------
In order to provide better protection against harmful malware:

F. Damage Prevention
--------------------
1. Ability to recover deleted files

Damage prevention filter 1 is used to recover files that may have been removed by malware.
An example of such a system is Fundelete from Sysinternals.


Useful Software Detection
-------------------------
In order to better identify useful applications, these filters decrease the Violation Score:

1. A visible window on the user's screen
2. A Start-menu shortcut


Prompts
-------
An MADP system can have the option to prompt the user for a particular action taken by an untrusted / unprivileged process. The requesting process is suspended while the prompt is shown.


Script Files
------------
Script/HTA (or other script-like) files have their own entries in MADP's executables database. To accomplish this, the MADP system marks the executables that run scripts and takes the path of the script file
from their parameters.


Creating Higher Processes
-------------------------
To prevent malware from performing malicious actions by passing commands through the data-input options (process parameters) of a more privileged program, a process whose executable has higher permissions than its parent process inherits the parent's permissions, and when the user is prompted for an action the parent is shown as the requesting process and the
settings are applied to it.


Trusted Children
--------------
To make it easier for useful programs that consist of many executables to be trusted by the MADP system, the user can choose to trust a program's child processes and optionally its whole process tree. These settings are inherited at process creation and are therefore not saved for the child process's executable, so if the child's executable runs without inheriting them, the process
will not be trusted.


Security Process Simulation
---------------------------
The MADP system will create fake security processes that carry the executable names of security software, to trick malware into interrupting them. This is a trap for malware that interrupts security software.


Software Installation Auto-Configuration
----------------------------------------
To make it easier for the user to configure useful programs, the MADP system detects when an installation program runs and asks the user about it. If the user confirms the installation, the MADP system runs the installer's process and its children in a special mode that not only trusts them but also trusts every executable created by any of these processes. This lets the program's executables be configured automatically, which not only causes fewer false alerts but also lets the newly installed program perform better.


=-==-==-==-==-==-==-==-=
2.  Implementation
=-==-==-==-==-==-==-==-=

Below you will find a description of an implementation of an MADP system on the Windows NT family. In order to implement the filters efficiently, we have to implement them in kernel mode, so that user-mode malware cannot bypass the filters by any means (kernel-mode malware is excluded here, since it is prevented from reaching that level in the first place). For the MADP implementation we use a kernel-mode driver that hooks Windows NT
system services, so we can monitor the actions taken by all processes.

Neoava Guard (beta) is MADP-based software that implements most parts of MADP. For more info visit
http://www.neoava.com.

Implementation details will be published if it is decided to make it open source.




**********************************************************************
Please send feedback to <feedback neoava com>

Sorry for my bad English.

Arman Nayyeri
Security Researcher
MCSE, MCSA, MCP
From Iran


