Undetectable Worms

I might be asking something too much here but here goes...

Lets say I download a program off the internet and scan it. I scan the file with A-Squared, Prevx, and MBAM, all say its clean. I even go as far as to upload the .exes and the .dll to virustotal, all report back as being clean. This doesn't mean to say it is clean, it just means if it is malicious its unknown.

How would you check to make sure its 100% clean? Would you run each app through a sandbox? Scan with a cloud-scanner and wait a few days? Run each app through a trojan analyzer like RegRun?

 

That's way too much work if it's obtained from the vendor's site, otherwise if you're that unsure about it, I'd probably go the VM route, ensuring the VM's run on the host's lua account if possible or sandbox the VM. There is the possibility if it's malicious it's one of those Ninja-stealth viruses that can detect it's in a virtual environment and it won't run at all or behave abnormally (in which case I'd safely assume it's malicious) or it might even leap out of the VM (oh yeah, this is alleged to be possible) and into the host system and lay its wrath upon it (thus my suggestion to run the host's LUA account). You may also want to run outbound firewall protecttion on the VM because some of these malicious programs attempt to call various motherships very early on in the installation process.

But honestly if you're obtaining your downloads from known, trusted sources, then all this work is unnecessary.

 

The program I am thinking of would be from a torrent so we can safely says it untrusted. If I were to use it, would cloud scanning be the best option, then give it a few hours?

 

True enough.

No idea, since I've never used it.

 

If your running stuff that the best you can do is confirm that it is not known malware then you will never get to 100% sure . Personally I would not execute anything I downloaded unless I could confirm that it is a known clean file by reputable sources .

VM will only work if the file does not have 2 parts , the original real executable and the VM aware auto abort attached malware . For quite some time game mod files were coming attached to VM aware trojans through P2P . These were easy to spot though , just unzip it and you would get the trojan and the original file . A lot of malware has anti sandbox and onlyline analyze tech as well so you often will get results you cant trust .

BTW , anything that is nasty enough to score a perfect clean on VT and multiple scanners will also likely be server side polymorphic so if google and VT have never seen the MD5 before , it is a very bad sign .

 

Before install run the below commands at C drive and note what is shown then after install rerun the commands to find any hidden .exe or .inf files that may have been created.

 

Interesting question. Sounds like a hypothetical one, but maybe not.
I have the same question, but mine is hypothetical. In general, if you download something, and you know its behaviour should be benign, then you could see what messages pop up in a HIPS and disallow if it is doing something suspicious. But if you know it should be installing something scary, i.e. device driver, antikeylogger etc. I don't know that you can be 100% secure. You might be best served, as you say, to hang on to it for a week and see if it gets picked up by a good anti-malware scanner then.

 

Even downloading from a vendors website isn't foolproof. It's only a matter of time before one of them gets hacked and malware embedded in their app gets uploaded for all the users to download. Why bother trying to install malware via exploits when you can get the user to install it themselves? Digital signatures will help a bit, but it's not hard for malware authors to get hold of certs these days.
For now downloading from a trusted source, scanning it, taking sensible precautions etc is enough. Once a trusted vendor gets hacked and is dishing out malware apps then it's a game changer and new solutions will be required.

 

I think you can never be 100% sure unless you disassemble the code yourself (or someone does that). Combining the points from our posters here, i.e. programs that need to install drivers or do low level operations + malware operations that do not manifest themselves right away but stay dormant for weeks or months + malwares embedded in files uploaded to popular reputable sites, then you will have something that is difficult to distinguish from something legit.

 

www.threatexpert.com is good at analyzing things most AV/AntiSpyware/Anto-Trojan stuff doesn't take care of.

Unfortunatelly, also this method is not waterproof, since most malware is cleverly programmed to only run once in a while, like say it only unleashes its bad things on specific moments, or the xxxx'th time it is run, so there will never be a foolproof testing of these things.

 

Hi AndyXS,

you could wait awhile for the av houses to catch up, run through an online malcode sandbox, run the malware yourself in a virtual machine or test box and use tools such as : - and :

 

What file ? If you are really suspicious about this (unsure) file just delete it !

Else try http://camas.comodo.com/ in addition to the previously mentionned scanners/tools and run it in a safe sandboxie, under VM, and of course only play with this scam on a virtual box, better from an offline linux system ;-)

 

Getting a few too many sandbox/vm aware malware lately so will probably setup an old ide drive with image backups then run the samples analysing the install with zsoft and if it can't be cleaned up then reimage.

 

Unless you have a lot of time and serious expertise in reverse engineering and analyzing malware, you can forget anywhere near 100 % certainty on whether some file acquired from a completely untrusted source like P2P is legit. As others have advised, it's really better not to execute anything from such sources, especially if it's some kind of crack or something similarly illegal.

You can use multiple AV scan services, analyzing services like Threatexpert and running it in a VM of your own to get some idea of whether it's bad or not, but this is not reliable.

If you're really dead set on running that file (which isn't a good idea), instead of cloud AV and a few hours, I'd send the file as suspicious to some AV company like Avira for analysis and then give it a couple of weeks. Assuming a human engineer looking at the file, you might get something like 95 % certainty the file is clean. And it's that low mostly because those guys are busy, and sometimes they do just run it in a VM in which case VM aware malware flies right past their radar.

That seriously needs some clarification. One needs to understand that digital signatures aren't any kind of guarantee of safety in themselves. They're only a proof of origin, instead. A valid digital signature on a file only means that the file came from the person or organization whose signature is on the file. Sure, malware authors can easily get a hold of certs for themselves. But, it's not exactly easy for them to get a hold of a cert that belongs to some trusted company, for example, Microsoft. It's one thing to have some random no-name company's signature on a file, and a completely different thing to have a known legit company's valid signature on it.

 

I don't think you're looking at this the right way. You trust the CA that signs (or co-signs) the software, not the company that issues the software. If it is digitally signed by a CA that you trust then implicitly you are meant to trust the authenticity of the software. That's been the whole downfall of DV certs - in the end it turned out that you couldn't trust the CA to validate the company that was buying the cert. Hence certificates are being issued to malware domains.

 

Hi Franklin,

How are these vm-aware malware typically behaving in the virtual environment? Are they not running at all, or behaving in some other unusual manner?

 

simple answer - you can't. you can get arbitrarily close to 100% (with lots of work) but you can never actually reach it.

if i had to run it, i definitely would run it in a sandbox - probably a full VM.

i'd do as many things as possible to eliminate the possibility that it's malicious

indeed. some torrent sites have facilities where people can give feedback about the downloads - you can use that as a rudimentary reputation system and avoid things that have a negative or absent reputation.

 

Conversely, I think you're looking at this the wrong way, but isn't that just how these things go. As I said in my previous post: "It's one thing to have some random no-name company's signature on a file, and a completely different thing to have a known legit company's valid signature on it."

Yes, trusting the certificate authority is obviously the required first step. If you do not even trust the CA, then the whole signature means nothing to you. But, even if you trust the CA, that does NOT mean the file or web site is somehow guaranteed safe. It just means that according to that CA the file or website came from whoever has their name in the signature and in that sense is "authentic" as in "it really did come from that source" - but realize that this does not mean "safe" or "can't be malicious". After you know this, you have to decide whether you trust the someone whose name is in the signature. You trust the company, in other words, or do not trust it. If some CA trusted by you claims this file is from "Microsoft Corporation", then you need to decide whether you trust Microsoft Corporation or not. If you don't trust them, then you don't trust the file either. If you do trust them, you might trust the file - hopefully after you've considered the possibility that the CA has issued a certificate with MS' name to some bad guy who isn't MS. On the other hand, if the file is signed by some company called "Randomstf Inc" that you don't know and that you can't find with Google, then perhaps you shouldn't trust that file even if your favourite certificate authority has co-signed it. Perhaps my point is clear enough by now.

"Certificates being issued to malware domains" begs the question "what certificates are they getting, their own certificates or those of some other party?" If malware domain "evilmalware.com" has been issued a cert that assures they really are "evilmalware.com", why is this a problem to anyone who understands how these things work? It's not. This is about proof of origin and identity, and in the case of files also that the file has not been modified or corrupted. It's not about proof of safety or benevolent intent. There would only be a problem if evilmalware.com got issued a certificate that assures they're in fact "Microsoft Corporation" or any other trusted party who they really are not.

Getting a cert to your own or some made up name is not that difficult. But getting a cert to someone else's name is much more difficult. Off the top of my head, for the more trusted CAs, I remember one case years ago where Verisign issued a certificate with the name "Microsoft Corporation" to some conman who wasn't MS. That stuff is rare. Which is why digital signatures do help a lot more than just "a bit", if you know how they work. If you don't, then they obviously may help nothing and can contribute to a false sense of security ("if it's got a cert, it has to be safe"). Obviously, the choice of CAs that you trust is pretty critical: if your trusted CAs are too loose with giving certs, then you can no longer get a reasonable proof of origin and identity from the signatures. So, as always, be careful with who you trust.

But to summarize, you might put it all this way: How many people here have seen malicious files that have valid digital signatures of some trusted company, like MS? How many such files have you seen? How many malicious files have you seen with valid signatures of "Microsoft Corporation" with "Microsoft Root Authority" at the bottom of the cert chain? Anyone got any numbers?

Don't know about Franklin, but the VM aware malware I've seen often just gives an error message and doesn't run - sometimes the error message complains about the VM which should be a huge warning sign right there, but sometimes it's just a generic looking "runtime error blahblah". Off the top of my head, that's about 40 % of the VM aware stuff I've seen, maybe. The other 60 % then, runs but does only nice things, like extract you a folder containing whatever pirated material you wanted to see, or just some random unrelated stuff that is harmless, usually pictures, and nothing malicious is done. That stuff is likely to fool many of the folks who would be inclined to execute files from untrusted sources after first testing them in some sandbox or VM. Sometimes it fools AV company folks as well.

 

Thank you Windchild. This is kind of what I thought. In other words, nothing to get excited or paranoid about. I see so many comments warning of the perils of testing in a vm Anyways, I'm also interested to see what Franklin has to say about it.

My basic point of view: if the file behaves even somewhat oddly, especially if it's downloaded from a questionable source, then there's no reason to trust it.

 

@ Windchild (can't quote you because your post is so long )
Your points are valid though somewhat unrepresentative of real world scenarios, but they don't address the point I was making. e.g.
Mr Hacker hacks Piriform's website and replaces clean version of CCleaner with malware invested version "BadCCleaner". Most users just install it. Wilders members look at the digital cert prior to installing and it says "Piriformus" and is co-signed by Verisign. "Hmmm...well it looks genuine...I guess it's just Piriform U.S". Malware gets installed.
The trust that user place in the CA, Verisign, combined with the similar sounding name, persuades all but the most paranoid to install it.

 

Ok, I see it now. Your point apparently was that careless users can get fooled by digital signatures that look "close enough" to the real thing. Well now, that is certainly true and an entirely valid point! That's how phishing works, too - because some people don't realize "hotmail" and "hoymail" for example aren't the same thing. But, it's most certainly not a problem with digital signatures themselves, meaning the technology. Instead, it's a problem in the careless users. It's a bit like drunk driving: it's not the fault of the car, it's the fault of the driver. I misunderstood your post earlier and thought you meant there's a problem in the whole system of digital signatures that would make it trivially easy for bad guys to sign their malware with valid digital signatures that belong to completely unrelated trusted parties - as in, you could easily get Verisign or some other big CA to give you a cert on the name Microsoft Corporation or any other such trusted company and then you could sign all your malware with that signature to make it look legit.

If the program used to be signed by "Matt" before but today it seems to be signed by "MattS" instead, that's already serious cause for further investigation before even considering trusting the file. Of course, the kind of user who thinks "MattS" or "Piriformus" sounds "close enough" to what really should be there is going to be fooled. But really, there's not much one can do against that, user education aside. As my father always used to say: "Nothing is dangerous when you know what you're doing, but if you don't, everything you do - including nothing - can get you killed." It's not paranoia to check digital signatures properly - it's simply careless to not do so. But like everything, it depends on the times and people. When I was a kid, back when dinosaurs walked the earth, "everyone" knew that you didn't need to keep your doors locked at nights. Now everyone knows that you really, really do need to keep the doors locked 24/7. Hopefully, in the future, people will also learn to use digital signatures properly.

Indeed, nothing to get excited about. Except for those among us who rely on testing untrusted files in VMs before executing them in their real system - which was frankly never very smart, since untrusted is untrusted and even without VM awareness and such it wouldn't be hard to make a malware that just waits a while before doing its thing to avoid suspicion, and most folks probably wouldn't spend a couple of days or weeks looking at some file in a VM to see if it does anything malicious before running it in their real system.

For the original poster, I'd suggest again as we all have done: do not execute files from untrusted sources, no matter how much you've checked them with various anti-malwares and such, unless you are willing to risk infecting your system. Pirated software and such is never worth that risk.

 

What a great saying!

 

WHO DO YOU TRUST?... it's a long and old letter from Kevin of PSC (Privacy Software Corporation) the so-called BOclean guy. I thought it was worth a read so here it is.

Just a last one : you entitled this thread Undetectable Worms right ? So think twice THINK why.

 

@ wat0114, I'm seeing the same as Windchild when running some samples in a vm.

Did have a sample a fair while ago that popped up a message that it couldn't be run in a sandbox or VM but can't remember it's name?

Came across this new rogue from the Winiguard Family, TrustFighter, which I thought was sandbox/vm aware but it seems to only bomb out in a Win 7 install.

Runs fine in an XP or Vista VM and sandboxed as well.

Goes through the complete install then throws up a memory error in Win 7 sandboxed or unsandboxed.