Malware Scanners Missing Stuff – Procmon Install Spy To The Rescue… Print E-mail
Written by Darwin Sanoy   
Monday, November 23, 2009 11:06am

I had two different scenarios in two days where some of the top malware scanners completely ignored very concerning changes to systems I was working on…

 

Senario 1: hosts file redirections not removed

In the first case I was removing malware from a friends infected machine.  A notable top-level malware scanner removed all the bad stuff and gave a clean bill of health.  However, when I visited Google from the machine it was obvious that one of the Google hijacks was still in place (Clicking a google search result takes you to an advertising or malware site).  I installed and ran several other top rated malware scanners in deep scan mode– nothing to report.

I used autoruns to investigate everything that was hooking IE – couldn’t find anything overly suspicious.  Finally Spybot’s RunAlyzer tool happened to display the hosts file – and there I could plainly see several search sites redirected.  One reason I hadn’t check here was because I figured malware scanners would flag and remove search sites from here – especially ones like Google.  Apparently not.  I reported this to one of the vendors and received an email stating “While this may appear simple to you, it is in fact not.  We may in the future add a host file fix routine but right now it is not high on the list of 'things to do'.”

OK… let’s review:

  1. Malware scanner claims godlike status for removing malware and has the industry and peer reviews to back it up.
  2. I run it and it says “you are now clean”
  3. I go do a google search and I’m still redirected to incorrect and damaging sites.
  4. Google.com should NEVER be in anyone’s host file (well maybe a few Google employees).
  5. hosts is a simple text file – easily editted by any malware scanner.

Maybe I’m missing something here, but to me it seems not only simple, but misleading to say a system is clean when host file redirects remain.  I think some people will write this product off due to not being able to solve the most obvious external evidence that they have or had a malware infection.

Scenario 2: Certificate Stores not scanned

The second scenario was on one of my own machines.  My son has a game which requires a CD to run.  We paid for the game and own it, but I know how kids treat CDs – so I want to keep the original tucked away.  The CD is, of course, copy protected.  So I load up a popular tool for emulating a protected CD.  This tool installs two things of grave concern – one is a service which protects its own service registry keys via in-memory monitoring of the key.  This part is relatively well known and some research showed most malware scanners ignore this service because this software is so widely used and does not seem to have reports of being malware.

(It also turns out that the restore point created during this install is unusable (at least on my machine).  Attempting to use it generated the error: “An unspecified error occurred during System Restore. (0x80070057)”  - a previous restore point did work properly.)

But here is the concerning part…

Procmon Install Spy Filter

I have taken to monitoring everything I install with a filter I have created for Sysinternals Process Monitor (procmon.exe).  Install monitoring on a live system is more challenging than on a clean reference workstation due to all the additional processes and activity.  One of the reasons I use process monitor for this is that I can customize it to leave out all the processes on my system that I know are doing good work – it is also easy to update the filter when I add software that has active processes.  I will eventually be posting this filter to the CSI Windows Toolkit once I’ve got it working a little more smoothly.  (If you would like to know when it goes live, be sure to subscribe to our blog here: Keeping In Touch.)

The monitoring showed a certificate being added to my certificate store.  I investigated further and found a self-signed certificate added to my Trusted Root Certification Authorities store and flagged to be enabled for “All Purposes”.  This means all future software and any websites that use this certificate will generate unalarming messages during UAC prompts and when I visit the websites.  Some Googling revealed this certificate has probably had the same name for more than three years.

I re-ran my malware scanners and (drum role please)…

…you guessed it, nothing was flagged or removed.

Within this second scenario I was obviously installing some shady software (and was taking extra precautions by monitoring the install) – however, since there are no additional controls on certificate installations (above those provided for software installs themselves) – this approach could be used by any installer.

After this experience I feel some changes in malware scanners and Windows would be very helpful in protecting against these exploits:

  • Malware scanners and antivirus should be checking and fixing the hosts file – is is never appropriate to find “google.com” be in my hosts file.
  • Malware scanners and antivirus should be checking and flagging added certificates that are not part of known and trusted certificate authorities – self-signed certificates should generate a warning and well known ones should be considered malware.
  • Since a certificate can give an unmerited level of trust to future software installs and website visits - Windows should prompt me when a new certificate is being installed – even if I have authorized the installer to run.

If anyone out there has experience with either of these scenarios and knows of scanners that catch them, I would love to hear from you – please use our contact form.